doc: attacker can display a large byte set

ben-grande · Jan 18, 2024 · bab8f35 · bab8f35
1 parent fb2baa1
commit bab8f35
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/salt/sys-git/README.md b/salt/sys-git/README.md
@@ -52,7 +52,10 @@ stdout as packet information during the initial server client negotiation, the
 client will display the characters on stderr with an error message containing
 the character. Git only filters for control characters but other characters
 that are valid UTF-8 such as multibyte are not filtered. The same characters
-can be present in the git log.
+can be present in the git log. In reality, there are many other ways the
+remote can make the client display a refname with attacker controlled data
+with a much larger byte size, this cannot be solved while the remote helper
+does not verify each received reference.
 
 A remote helper that validates the data received can increase the security
 by not printing untrusted data, which is the case with