pr-1645/spectral54/bare-repo-fix-v1
tagged this
20 Jan 00:08
From: Kyle Lippincott <spectral@google.com> The safe.bareRepository setting can be set to 'explicit' to disallow implicit uses of bare repositories, preventing an attack [1] where an artificial and malicious bare repository is embedded in another git repository. Unfortunately, some tooling uses myrepo/.git/ as the cwd when executing commands, and this is blocked when safe.bareRepository=explicit. Blocking is unnecessary, as git already prevents nested .git directories. Teach git to not reject uses of git inside of the .git directory: check if cwd is .git (or a subdirectory of it) and allow it even if safe.bareRepository=explicit. [1] https://github.com/justinsteven/advisories/blob/main/2022_git_buried_bare_repos_and_fsmonitor_various_abuses.md Signed-off-by: Kyle Lippincott <spectral@google.com> Submitted-As: https://lore.kernel.org/git/pull.1645.git.1705709303098.gitgitgadget@gmail.com
Assets 2
-
2024-01-20T00:08:23Z -
2024-01-20T00:08:23Z -