| commit | 5532ebdeb7ac56d952addb94ea9741d3c8f5b6f6 | |
| author | Johannes Schindelin <johannes.schindelin@gmx.de> | |
| Mon, 16 Sep 2019 11:26:40 +0000 (16 13:26 +0200) | ||
| committer | Johannes Schindelin <johannes.schindelin@gmx.de> | |
| Thu, 5 Dec 2019 14:37:08 +0000 (5 15:37 +0100) | ||
| tree | ecabfba07ded9ef567af1545e686b71f30cfbee0 | treesnapshot (tar.gz zip) |
| parent | 76a681ce9c20e2827ebc02ca8c29fa6a3e946190 | commitdiff |
| parent | 379e51d1ae668a1f26d50eb59b3f8befc1eb8883 | commitdiff |
Merge branch 'fix-mingw-quoting-bug'
This patch fixes a vulnerability in the Windows-specific code where a
submodule names ending in a backslash were quoted incorrectly, and that
bug could be abused to insert command-line parameters e.g. to `ssh` in a
recursive clone.
Note: this bug is Windows-only, as we have to construct a command line
for the process-to-spawn, unlike Linux/macOS, where `execv()` accepts an
already-split command line.
While at it, other quoting issues are fixed as well.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
This patch fixes a vulnerability in the Windows-specific code where a
submodule names ending in a backslash were quoted incorrectly, and that
bug could be abused to insert command-line parameters e.g. to `ssh` in a
recursive clone.
Note: this bug is Windows-only, as we have to construct a command line
for the process-to-spawn, unlike Linux/macOS, where `execv()` accepts an
already-split command line.
While at it, other quoting issues are fixed as well.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>