git/Documentation/RelNotes/2.13.7.txt
Junio C Hamano fd5a7c532f Git 2.13.7
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-05-18 12:49:35 +09:00

Git v2.13.7 Release Notes
=========================

Fixes since v2.13.6
-------------------

 * Submodule "names" come from the untrusted .gitmodules file, but
   we blindly append them to $GIT_DIR/modules to create our on-disk
   repo paths.  This means you can do bad things by putting "../"
   into the name (among other things).  Because a name is initially
   taken from the path at which the submodule was first bound to the
   project and then serves as a constant identifier even when the
   submodule is moved within the directory structure, a submodule
   whose name does not pass the verify_path() check, which rejects a
   string containing a substring such as "/../" or ".git/", is now
   ignored.

   Credit for finding this vulnerability and the proof of concept from
   which the test script was adapted goes to Etienne Stalmans.  Credit
   for the fix goes to Jeff King, Johannes Schindelin and others.
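The check described above, as an added stand-alone example rather than Git's own verify_path() or submodule code: it pulls the submodule names out of a constructed .gitmodules file, rejects any name with a ".." or ".git" path component (treating both "/" and "\" as separators so the rule is platform-independent), and, as a second line of defence, confirms that the resulting $GIT_DIR/modules/<name> path still lies under the modules directory. The sample file contents, the /repo/.git location and the exact rejection rules are assumptions made for this demonstration; the mini parser reads only the section headers and does not apply git-config escape rules.

```python
import posixpath
import re
from typing import List, Tuple

# Constructed sample .gitmodules content (not taken from any real repository).
# The first two names are ordinary; the rest would escape $GIT_DIR/modules
# or point into a .git directory if appended to it blindly.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = libfoo
\turl = https://example.invalid/libfoo.git
[submodule "deps/libbar"]
\tpath = deps/libbar
\turl = https://example.invalid/libbar.git
[submodule "../../escape"]
\tpath = escape
\turl = https://example.invalid/one.git
[submodule "nested/.git/hooks"]
\tpath = nested
\turl = https://example.invalid/two.git
[submodule "vendor\\..\\up"]
\tpath = vendor
\turl = https://example.invalid/three.git
[submodule "/abs/name"]
\tpath = abs
\turl = https://example.invalid/four.git
"""

# Matches '[submodule "name"]'; the quoted part may contain backslash escapes,
# which are kept as written (assumption: good enough for this example).
SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')


def parse_submodule_names(gitmodules_text: str) -> List[str]:
    """Return the submodule names in .gitmodules section-header order."""
    names = []
    for line in gitmodules_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def is_safe_submodule_name(name: str) -> bool:
    """Reject names that could leave $GIT_DIR/modules or enter a .git dir.

    Rejected: empty names, absolute names (leading separator or drive
    letter), and any path component equal to '..' or, case-insensitively,
    '.git'. Both '/' and '\\' count as separators on every platform.
    """
    if not name:
        return False
    if name[0] in "/\\" or re.match(r"^[A-Za-z]:", name):
        return False
    for component in re.split(r"[/\\]", name):
        if component == ".." or component.lower() == ".git":
            return False
    return True


def module_dir(git_dir: str, name: str) -> str:
    """Compute $GIT_DIR/modules/<name> for a name that passes the check.

    The normalised result must also remain under the modules directory;
    a ValueError means the name was rejected by one of the two checks.
    """
    if not is_safe_submodule_name(name):
        raise ValueError(f"unsafe submodule name rejected: {name!r}")
    modules = posixpath.join(git_dir, "modules")
    target = posixpath.normpath(posixpath.join(modules, name))
    if posixpath.commonpath([modules, target]) != modules:
        raise ValueError(f"submodule name escapes modules dir: {name!r}")
    return target


def triage(gitmodules_text: str, git_dir: str = "/repo/.git") -> Tuple[List[str], List[str]]:
    """Split the names in a .gitmodules file into (accepted, ignored) lists."""
    accepted, ignored = [], []
    for name in parse_submodule_names(gitmodules_text):
        try:
            module_dir(git_dir, name)
            accepted.append(name)
        except ValueError:
            ignored.append(name)
    return accepted, ignored


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_GITMODULES)
    print("accepted:", ok)
    print("ignored: ", bad)
```

Running the script accepts "libfoo" and "deps/libbar" and ignores the other four names, which is the behaviour the release note describes for names that fail the check. The component-wise test is deliberately stricter than a plain substring search: it also catches a bare ".." name, a ".git" component in any letter case, and backslash-separated traversal that a POSIX-only path normaliser would not recognise.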