Commit: 5e0649dc JH

Git v2.7.6 Release Notes
========================

Fixes since v2.7.5
------------------

 * A "ssh://..." URL can result in a "ssh" command line with a
   hostname that begins with a dash "-", which would cause the "ssh"
   command to instead (mis)treat it as an option.  This is now
   prevented by forbidding such a hostname (which will not be
   necessary in the real world).

 * Similarly, when GIT_PROXY_COMMAND is configured, the command is
   run with host and port that are parsed out from "ssh://..." URL;
   a poorly written GIT_PROXY_COMMAND could be tricked into treating
   a string that begins with a dash "-" as an option.  This is now
   prevented by forbidding such a hostname and port number (again,
   which will not be necessary in the real world).

 * In the same spirit, a repository name that begins with a dash "-"
   is also forbidden now.

Credits go to Brian Neel at GitLab, Joern Schneeweisz of Recurity
Labs and Jeff King at GitHub.
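
The three checks described above, sketched in C as an added example (this is not Git's own code). The names check_remote, looks_like_option and enum verdict are hypothetical, and the sketch assumes the caller has already selected the ssh transport and that the host is not a bracketed IPv6 literal.

```c
#include <stdio.h>
#include <string.h>

enum verdict { URL_OK, URL_MALFORMED, URL_BAD_HOST, URL_BAD_PORT, URL_BAD_PATH };

/* A leading '-' makes the receiving command read the value as an option. */
static int looks_like_option(const char *s)
{
	return s && s[0] == '-';   /* NULL: component not present */
}

/* Hypothetical checker for "ssh://[user@]host[:port]/path" or scp-like
 * "[user@]host:path". Assumes ssh transport and no bracketed IPv6 host. */
enum verdict check_remote(const char *url)
{
	char auth[256], *host, *port = NULL, *p;
	const char *sep, *path;
	int is_url = strncmp(url, "ssh://", 6) == 0;
	size_t n;

	if (is_url)
		url += 6;
	sep = strchr(url, is_url ? '/' : ':');   /* end of [user@]host[:port] */
	n = sep ? (size_t)(sep - url) : 0;
	if (n == 0 || n >= sizeof(auth))
		return URL_MALFORMED;
	memcpy(auth, url, n);
	auth[n] = '\0';
	path = is_url ? sep : sep + 1;           /* URL form keeps its leading '/' */
	p = strrchr(auth, '@');                  /* drop an optional "user@" */
	host = p ? p + 1 : auth;
	if (is_url && (p = strchr(host, ':')) != NULL) {
		*p = '\0';
		port = p + 1;
	}
	if (looks_like_option(host))
		return URL_BAD_HOST;
	if (looks_like_option(port))
		return URL_BAD_PORT;
	if (looks_like_option(path))
		return URL_BAD_PATH;
	return URL_OK;
}

int main(void)
{
	/* Constructed sample input. */
	printf("%d\n", check_remote("ssh://git@example.com:2222/project.git"));
	return 0;
}
```

In the "ssh://" form the path keeps its leading slash, so the repository-name check only fires for the scp-like form, where the path follows the colon directly.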