From: Pratyush Yadav
Date: Tue, 24 Jan 2023 13:13:46 +0000 (+0100)
Subject: Merge branch 'js/windows-rce'
X-Git-Tag: v2.43.0-rc0~123^2^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1e5a89c1b4da13b89b0b66ad59d098ced832c3f0;p=thirdparty%2Fgit.git

Merge branch 'js/windows-rce'

Fix a Remote Code Execution vulnerability on Windows.

This is caused by the fact that Tcl on Windows always includes the
current directory when looking for an executable. Therefore malicious
repositories can ship with an aspell.exe in their top-level directory
which is executed by Git GUI without giving the user a chance to inspect
it first, i.e. running untrusted code.

This merge fixes CVE-2022-41953.

* js/windows-rce:
  Work around Tcl's default `PATH` lookup
  Move the `_which` function (almost) to the top
  Move is_ functions to the beginning
  is_Cygwin: avoid `exec`ing anything
  windows: ignore empty `PATH` elements
---

1e5a89c1b4da13b89b0b66ad59d098ced832c3f0
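
The mitigation the commit message describes (resolve helper programs through explicit `PATH` entries only, skipping empty elements, so a file in the repository's top-level directory is never picked) is sketched below as an added example. It is written in Python, not Tcl, and is not Git GUI's code. The names `split_path`, `resolve_tool` and `demo` are hypothetical, the extension list is an assumed subset, and dropping relative entries such as `.` goes one step beyond the empty-element case the commit names.

```python
import os
import tempfile

# Assumed subset of the extensions Windows tries for a bare program name.
WINDOWS_EXTS = (".exe", ".com", ".bat", ".cmd")


def split_path(path_value, sep=";"):
    """Return the PATH directories worth searching, in order."""
    dirs = []
    for entry in path_value.split(sep):
        entry = entry.strip().strip('"')
        # Empty elements (";;", leading or trailing ";") and relative ones
        # such as "." would put the current directory back into the search.
        if entry and os.path.isabs(entry):
            dirs.append(os.path.normpath(entry))
    return dirs


def resolve_tool(name, path_value, sep=";", exts=WINDOWS_EXTS):
    """Map a bare program name to an absolute path, or None. Never checks cwd."""
    if os.path.basename(name) != name:
        raise ValueError("expected a bare program name, got %r" % name)
    names = [name] if os.path.splitext(name)[1] else [name + e for e in exts]
    for directory in split_path(path_value, sep):
        for candidate in names:
            full = os.path.join(directory, candidate)
            if os.path.isfile(full):
                return full
    return None


def demo():
    """Constructed layout: repo/ and tools/ each hold an aspell.exe; cwd is repo/."""
    with tempfile.TemporaryDirectory() as root:
        repo, tools = os.path.join(root, "repo"), os.path.join(root, "tools")
        for d in (repo, tools):
            os.mkdir(d)
            open(os.path.join(d, "aspell.exe"), "w").close()
        old_cwd = os.getcwd()
        os.chdir(repo)
        try:
            found = resolve_tool("aspell", ";".join(["", tools, "."]))
            missing = resolve_tool("aspell", ";.;")
        finally:
            os.chdir(old_cwd)
        return os.path.relpath(found, root).replace(os.sep, "/"), missing


if __name__ == "__main__":
    print(demo())
```

Launching the helper by the absolute path that `resolve_tool` returns, rather than by its bare name, keeps the process-creation layer from repeating its own search.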