]> git.ipfire.org Git - thirdparty/git.git/commit
projects / thirdparty / git.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(merge: fa28da0 aae9560)
Merge branch 'js/windows-rce'
authorPratyush Yadav <me@yadavpratyush.com>
Tue, 24 Jan 2023 13:13:46 +0000 (14:13 +0100)
committerPratyush Yadav <me@yadavpratyush.com>
Tue, 24 Jan 2023 13:14:05 +0000 (14:14 +0100)
commit1e5a89c1b4da13b89b0b66ad59d098ced832c3f0
tree228fd4a009b394c0c28a0320c79ba6965748dba9tree | snapshot
parentfa28da02024ea4858c29b7caec30a18ee2d6f404commit | diff
parentaae9560a355d4ab91385e49eae62fade2ddd27efcommit | diff
Merge branch 'js/windows-rce'

Fix a Remote Code Execution vulnerability on Windows. This is caused by
the fact that Tcl on Windows always includes the current directory when
looking for an executable. Therefore malicious repositories can ship
with an aspell.exe in their top-level directory which is executed by Git
GUI without giving the user a chance to inspect it first, i.e. running
untrusted code.

This merge fixes CVE-2022-41953.

* js/windows-rce:
  Work around Tcl's default `PATH` lookup
  Move the `_which` function (almost) to the top
  Move is_<platform> functions to the beginning
  is_Cygwin: avoid `exec`ing anything
  windows: ignore empty `PATH` elements
Unnamed repository; edit this file 'description' to name the repository.