On Tue, 3 Sep 2013, Duy Nguyen wrote:

> On Tue, Aug 27, 2013 at 11:25 AM, Nicolas Pitre <n...@fluxnic.net> wrote:
> > This goes as follows:
> >
> > - Tree reference: either variable length encoding of the index
> >   into the SHA1 table or the literal SHA1 prefixed by 0 (see
> >   add_sha1_ref()).
> >
> > - Parent count: variable length encoding of the number of parents.
> >   This is normally going to occupy a single byte but doesn't have to.
> >
> > - List of parent references: a list of add_sha1_ref() encoded references,
> >   or nothing if the parent count was zero.
> With .pack v3 it's impossible to create delta cycles (3b910d0 add
> tests for indexing packs with delta cycles - 2013-08-23) but it is
> possible with .pack v4 (and therefore at least index-pack needs to
> detect and reject them), correct? Some malicious user can create
> commit A with parent ref 1, then make the SHA-1 table so that ref 1 is
> A. The same with the new tree representation.

pack-index should validate the SHA1 of the object being pointed at.

In that case I doubt you'll be able to actually construct an object 
which contains a SHA1 parent reference and make the SHA1 of this very 
object resolve to the same value.

To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to