Mercurial > hg
changeset 34988:bd725a71f274 stable
config: add some more documentation around why svn and git subrepos are off
author | Augie Fackler <augie@google.com> |
---|---|
date | Mon, 06 Nov 2017 14:56:17 -0500 |
parents | 846942fd6d15 |
children | 1a314176da9c |
files | mercurial/help/config.txt |
diffstat | 1 files changed, 7 insertions(+), 0 deletions(-) |
--- a/mercurial/help/config.txt Sun Nov 05 21:51:42 2017 +0900 +++ b/mercurial/help/config.txt Mon Nov 06 14:56:17 2017 -0500 @@ -1905,6 +1905,13 @@ When disallowed, any commands including :hg:`update` will fail if subrepositories are involved. + + Security note: auditing in Mercurial is known to be insufficient + to prevent clone-time code execution with carefully constructed + Git subrepos. It is unknown if a similar defect is present in + Subversion subrepos, so both are disabled by default out of an + abundance of caution. Re-enable such subrepos via this setting + with caution. (default: `hg`) ``templatealias``
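Review bot: The last added sentence, "Re-enable such subrepos via this setting with caution.", does not say what the caution consists of. Since the risk the note names is clone-time code execution from carefully constructed Git subrepos, it would help to state the condition directly, for example that Git and Subversion subrepos should only be re-enabled when cloning from sources the user trusts. "Caution" also appears twice in two consecutive sentences ("abundance of caution", "with caution"); rewording the second one would read better. Finally, the note says "via this setting" without naming the values to add back, while the only value visible here is the default `hg`; naming them in the note would save the reader from scrolling up.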