From: Johannes Schindelin
Date: Tue, 29 Oct 2024 22:52:11 +0000 (+0100)
Subject: Merge branch 'disallow-control-characters-in-credential-urls-by-default'
X-Git-Tag: v2.40.4~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=08756131a3b7038a60365ae56804cea4301082a9;p=thirdparty%2Fgit.git

Merge branch 'disallow-control-characters-in-credential-urls-by-default'

This addresses two vulnerabilities:

- CVE-2024-50349:

  Printing unsanitized URLs when asking for credentials made the
  user susceptible to crafted URLs (e.g. in recursive clones) that
  mislead the user into typing in passwords for trusted sites that
  would then be sent to untrusted sites instead.

- CVE-2024-52006

  Git may pass on Carriage Returns via the credential protocol to
  credential helpers which use line-reading functions that interpret
  said Carriage Returns as line endings, even though Git did not
  intend that.

Signed-off-by: Johannes Schindelin
---

08756131a3b7038a60365ae56804cea4301082a9
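
The line-ending mismatch described under CVE-2024-52006, as an added example that is not part of the original commit or of Git's own code: a helper-side reader that also breaks lines on carriage returns parses a different request than an LF-only reader does. It assumes the credential protocol's key=value lines terminated by a blank line; the function names and the sample requests are constructed for illustration.

```python
# Added example: function names and sample requests are constructed.
import re

# Any C0 control character or DEL inside a value is rejected. LF never
# reaches this check because it is the record separator.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def parse_lenient(data: str) -> dict:
    """Helper-side reader built on a line function that also breaks on CR."""
    fields = {}
    for line in data.splitlines():      # splits on \n, \r, \r\n and more
        if not line:
            break                       # blank line ends the request
        key, _, value = line.partition("=")
        fields[key] = value             # a later duplicate key wins
    return fields


def parse_strict(data: str) -> dict:
    """Split on LF only and refuse values that carry control characters."""
    fields = {}
    for line in data.split("\n"):
        if not line:
            break
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed line: {line!r}")
        if _CONTROL.search(value):
            raise ValueError(f"control character in {key!r} value")
        fields[key] = value
    return fields


# Constructed request: the host value carries an embedded carriage return.
SAMPLE = "protocol=https\nhost=trusted.example\rhost=other.example\n\n"
# Constructed request without control characters.
CLEAN = "protocol=https\nhost=trusted.example\n\n"

if __name__ == "__main__":
    print(parse_lenient(SAMPLE))   # host differs from the single value sent
    print(parse_strict(CLEAN))
    try:
        parse_strict(SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```
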