changeset 34988:bd725a71f274 stable

config: add some more documentation around why svn and git subrepos are off
author Augie Fackler <augie@google.com>
date Mon, 06 Nov 2017 14:56:17 -0500
parents 846942fd6d15
children 1a314176da9c
files mercurial/help/config.txt
diffstat 1 files changed, 7 insertions(+), 0 deletions(-)
--- a/mercurial/help/config.txt	Sun Nov 05 21:51:42 2017 +0900
+++ b/mercurial/help/config.txt	Mon Nov 06 14:56:17 2017 -0500
@@ -1905,6 +1905,13 @@
 
     When disallowed, any commands including :hg:`update` will fail if
     subrepositories are involved.
+
+    Security note: auditing in Mercurial is known to be insufficient
+    to prevent clone-time code execution with carefully constructed
+    Git subrepos. It is unknown if a similar defect is present in
+    Subversion subrepos, so both are disabled by default out of an
+    abundance of caution. Re-enable such subrepos via this setting
+    with caution.
     (default: `hg`)
 
 ``templatealias``
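Review bot: The last added sentence ("Re-enable such subrepos via this setting with caution.") gives the reader nothing to act on. The note names the risk as clone-time code execution from carefully constructed Git subrepos, so it should say when re-enabling is reasonable, for example only when every repository being cloned or updated comes from a source the user trusts. The sentence also repeats "caution" right after "abundance of caution"; rewording it around the trust condition would fix both. A smaller placement point: the note is inserted between the description and "(default: `hg`)", so the default line now trails the security paragraph. Consider moving the note below the default line, or saying in the note that the default of `hg` is what keeps Git and Subversion subrepos disabled.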