Re: [PATCH 2/6] http: always update the base URL for redirects

2016-12-01 Thread Ramsay Jones
On 02/12/16 00:18, Jeff King wrote: > On Fri, Dec 02, 2016 at 12:07:50AM +, Ramsay Jones wrote: > In a British context "Mallory and Irvine" were two (male) climbers who died on Everest in 1924 (tales of daring...), so it's easy to expect (from this side of the pond) that

Re: [PATCH 2/6] http: always update the base URL for redirects

2016-12-01 Thread Jeff King
On Fri, Dec 02, 2016 at 12:07:50AM +, Ramsay Jones wrote: > >> In a British context "Mallory and Irvine" were two (male) climbers who > >> died on Everest in 1924 (tales of daring...), so it's easy to expect > >> (from this side of the pond) that 'Mallory' would be male. However he > >> was

Re: [PATCH 2/6] http: always update the base URL for redirects

2016-12-01 Thread Ramsay Jones
On 01/12/16 23:43, Junio C Hamano wrote: > "Philip Oakley" writes: > >>> Depends, I only know Mallorys who are women so her seems appropriate. >>> >> In a British context "Mallory and Irvine" were two (male) climbers who >> died on Everest in 1924 (tales of daring...), so

Re: [PATCH 2/6] http: always update the base URL for redirects

2016-12-01 Thread Junio C Hamano
"Philip Oakley" writes: >> Depends, I only know Mallorys who are women so her seems appropriate. >> > In a British context "Mallory and Irvine" were two (male) climbers who > died on Everest in 1924 (tales of daring...), so it's easy to expect > (from this side of the pond)

Re: [PATCH 2/6] http: always update the base URL for redirects

2016-12-01 Thread Philip Oakley
From: "Brandon Williams" On 12/01, Ramsay Jones wrote: On 01/12/16 09:04, Jeff King wrote: > If a malicious server redirects the initial ref > advertisement, it may be able to leak sha1s from other, > unrelated servers that the client has access to. For > example, imagine

Re: [PATCH 2/6] http: always update the base URL for redirects

2016-12-01 Thread Brandon Williams
On 12/01, Ramsay Jones wrote: > > > On 01/12/16 09:04, Jeff King wrote: > > If a malicious server redirects the initial ref > > advertisement, it may be able to leak sha1s from other, > > unrelated servers that the client has access to. For > > example, imagine that Alice is a git user, she has

Re: [PATCH 2/6] http: always update the base URL for redirects

2016-12-01 Thread Ramsay Jones
On 01/12/16 09:04, Jeff King wrote: > If a malicious server redirects the initial ref > advertisement, it may be able to leak sha1s from other, > unrelated servers that the client has access to. For > example, imagine that Alice is a git user, she has access to > a private repository on a server

[PATCH 2/6] http: always update the base URL for redirects

2016-12-01 Thread Jeff King
If a malicious server redirects the initial ref advertisement, it may be able to leak sha1s from other, unrelated servers that the client has access to. For example, imagine that Alice is a git user, she has access to a private repository on a server hosted by Bob, and Mallory runs a malicious