| commit | e4930e86c0d521aa6c3c3da9f590e852f6eeac21 | |
| author | Johannes Schindelin <johannes.schindelin@gmx.de> | |
| Sun, 24 Mar 2024 13:13:41 +0000 (24 14:13 +0100) | ||
| committer | Johannes Schindelin <johannes.schindelin@gmx.de> | |
| Wed, 17 Apr 2024 20:30:06 +0000 (17 22:30 +0200) | ||
| tree | 8b1ddfd1596c31f5586e0a5a172c3a1f08c46df0 | treesnapshot (tar.gz zip) |
| parent | e8d0608944486019ea0e1ed2ed29776811a565c2 | commitdiff |
t5510: verify that D/F confusion cannot lead to an RCE
The most critical vulnerabilities in Git lead to a Remote Code Execution
("RCE"), i.e. the ability for an attacker to have malicious code being
run as part of a Git operation that is not expected to run said code,
such has hooks delivered as part of a `git clone`.
A couple of parent commits ago, a bug was fixed that let Git be confused
by the presence of a path `a-` to mistakenly assume that a directory
`a/` can safely be created without removing an existing `a` that is a
symbolic link.
This bug did not represent an exploitable vulnerability on its
own; Let's make sure it stays that way.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
The most critical vulnerabilities in Git lead to a Remote Code Execution
("RCE"), i.e. the ability for an attacker to have malicious code being
run as part of a Git operation that is not expected to run said code,
such has hooks delivered as part of a `git clone`.
A couple of parent commits ago, a bug was fixed that let Git be confused
by the presence of a path `a-` to mistakenly assume that a directory
`a/` can safely be created without removing an existing `a` that is a
symbolic link.
This bug did not represent an exploitable vulnerability on its
own; Let's make sure it stays that way.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
| t/t5510-fetch.sh | diffblobblamehistory |