On Mon, Apr 21, 2014 at 03:07:28PM -0400, Richard Hansen wrote:
> Both bash and zsh subject the value of PS1 to parameter expansion,
> command substitution, and arithmetic expansion. Rather than include
> the raw, unescaped branch name in PS1 when running in two- or
> three-argument mode, construct PS1 to reference a variable that holds
> the branch name. Because the shells do not recursively expand, this
> avoids arbitrary code execution by specially-crafted branch names such
> as '$(IFS=_;cmd=sudo_rm_-rf_/;$cmd)'.
Cute. We already disallow quite a few characters in refnames (including
space, as you probably discovered), and generally enforce that during
ref transfer. I wonder if we should tighten that more as a precaution.
It would be backwards-incompatible, but I wonder if things like "$" and
";" in refnames are actually useful to people.
Did you look into similar exploits with completion? That's probably
slightly less dire (this one hits you as soon as you "cd" into a
malicious clone, whereas completion problems require you to actually hit
<tab>). I'm fairly sure that we miss some quoting on pathnames, for
example. That can lead to bogus completion, but I'm not sure offhand if
it can lead to execution.
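Added example, not part of this thread or of the git-prompt patch: the before and after of the PS1 construction the quoted commit message describes, with the shells' prompt-time expansion modelled by a single `eval` pass. The branch name, the `expand_prompt` model and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed branch name carrying a harmless command substitution.
evil_branch='$(echo injected)'

# Model of how bash/zsh treat PS1 (promptvars on): one pass of parameter
# expansion, command substitution and arithmetic expansion over the string.
# Real shells do this when they display the prompt; here eval stands in.
expand_prompt() {
  eval "printf '%s' \"$1\""
}

# BEFORE: the raw branch name is spliced into PS1, so the $(...) it carries
# becomes part of the prompt string and is executed at prompt time.
unsafe_ps1() {
  printf '%s' "[$1]\$ "
}

# AFTER: keep the branch name in a variable and have PS1 reference it.
# Expansion substitutes the variable's value once and does not expand that
# value again, so $(...) inside the branch name stays literal text.
__git_ps1_branch_name=
set_branch() {
  __git_ps1_branch_name=$1
}
safe_ps1() {
  # single quotes: the ${...} reference itself goes into the prompt string
  printf '%s' '[${__git_ps1_branch_name}]$ '
}

set_branch "$evil_branch"
printf 'unsafe: %s\n' "$(expand_prompt "$(unsafe_ps1 "$evil_branch")")"  # [injected]$
printf 'safe:   %s\n' "$(expand_prompt "$(safe_ps1)")"                    # [$(echo injected)]$
```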