Closed
Description
### Setup
- Which version of Git for Windows are you using? Is it 32-bit or 64-bit?
Git-2.10.2-64-bit.exe
- Which version of Windows are you running? Vista, 7, 8, 10? Is it 32-bit or 64-bit?
Windows 8.1
- What options did you set as part of the installation? Or did you choose the defaults?
Defaults
```
# One of the following:
C:\>type "C:\Program Files\Git\etc\install-options.txt"
Path Option: Cmd
SSH Option: OpenSSH
CRLF Option: CRLFAlways
Bash Terminal Option: MinTTY
Performance Tweaks FSCache: Enabled
Enable Symlinks: Disabled
```
- Any other interesting things about your environment that might be related to the issue you're seeing?
Don't think so. Had some buddies reproduce the issue on Windows 10.
### Details
- Which terminal/shell are you running Git from? e.g Bash/CMD/PowerShell/other
Windows Explorer
- What commands did you run to trigger this issue?
Here is an example of the steps to reproduce in Windows Explorer:
https://youtu.be/S7jOLv0sul0
- What did you expect to occur after running these commands?
Open Git Bash in the current folder
- What actually happened instead?
An arbitrary file named "git.exe" in the current folder was executed. This has security implications since users will not expect this behavior when using Windows context menus. For example, a security-conscious user would know not to execute EXE files included in an untrusted repository, but using Windows context menus could unexpectedly execute such untrusted code. This issue is similar to DLL hijacking, if you are familiar with that. Here is a brief explanation of DLL hijacking if you're not familiar: https://trustfoundry.net/what-is-dll-hijacking/
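
A defensive check for the behaviour reported above, as an added example that is not part of the original issue or of Git for Windows: it walks a checkout and lists files whose base name matches a command found on PATH, such as the `git.exe` in the report. It goes beyond that single case by also flagging other executable extensions with the same base name (for example `git.bat`); the function names and the default extension list are assumptions of this example.

```python
import os
import sys

# Assumed default; on Windows the real list comes from the PATHEXT variable.
DEFAULT_PATHEXT = (".com", ".exe", ".bat", ".cmd")


def commands_on_path(path_dirs, pathext=DEFAULT_PATHEXT):
    """Map command stem (lower case) -> first PATH file that provides it."""
    found = {}
    for d in path_dirs:
        try:
            names = sorted(os.listdir(d))
        except OSError:
            continue  # stale or unreadable PATH entry
        for name in names:
            stem, ext = os.path.splitext(name.lower())
            if ext in pathext and os.path.isfile(os.path.join(d, name)):
                found.setdefault(stem, os.path.join(d, name))
    return found


def find_shadowing(root, path_dirs, pathext=DEFAULT_PATHEXT):
    """List (file under root, PATH command it would shadow) pairs.

    A hit means: with that file's folder as the current directory, a launcher
    that resolves the command by bare name may run the file instead.
    """
    known = commands_on_path(path_dirs, pathext)
    trusted = {os.path.normcase(os.path.abspath(d)) for d in path_dirs}
    hits = []
    for folder, _dirs, files in os.walk(root):
        if os.path.normcase(os.path.abspath(folder)) in trusted:
            continue  # the folder is itself on PATH; nothing is shadowed
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            if ext in pathext and stem in known:
                hits.append((os.path.join(folder, name), known[stem]))
    return sorted(hits)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    dirs = [d for d in os.environ.get("PATH", "").split(os.pathsep) if d]
    raw = os.environ.get("PATHEXT", "").split(os.pathsep)
    exts = tuple(e.lower() for e in raw if e) or DEFAULT_PATHEXT
    for path, shadowed in find_shadowing(root, dirs, exts):
        print(f"{path} shadows {shadowed}")
```

Run it against a freshly cloned or extracted tree before opening that folder in Explorer; any hit deserves a look before the file is trusted.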