Sync with 2.31.2
* maint-2.31:
  Git 2.31.2
  Git 2.30.3
  setup_git_directory(): add an owner check for the top-level directory
  Add a function to determine whether a path is owned by the current user
24
Documentation/RelNotes/2.30.3.txt
Normal file
@ -0,0 +1,24 @@
|
||||
Git v2.30.2 Release Notes
|
||||
=========================
|
||||
|
||||
This release addresses the security issue CVE-2022-24765.
|
||||
|
||||
Fixes since v2.30.2
|
||||
-------------------
|
||||
|
||||
* Build fix on Windows.
|
||||
|
||||
* Fix `GIT_CEILING_DIRECTORIES` with Windows-style root directories.
|
||||
|
||||
* CVE-2022-24765:
|
||||
On multi-user machines, Git users might find themselves
|
||||
unexpectedly in a Git worktree, e.g. when another user created a
|
||||
repository in `C:\.git`, in a mounted network drive or in a
|
||||
scratch space. Merely having a Git-aware prompt that runs `git
|
||||
status` (or `git diff`) and navigating to a directory which is
|
||||
supposedly not a Git worktree, or opening such a directory in an
|
||||
editor or IDE such as VS Code or Atom, will potentially run
|
||||
commands defined by that other user.
|
||||
|
||||
Credit for finding this vulnerability goes to 俞晨东; The fix was
|
||||
authored by Johannes Schindelin.
|
||||
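Review bot: The heading on the first line of Documentation/RelNotes/2.30.3.txt reads "Git v2.30.2 Release Notes", but this file is the 2.30.3 notes and the section under it is "Fixes since v2.30.2", so the heading should say v2.30.3. The CVE-2022-24765 entry also describes the exposure without naming the remedy: the `safe.directory` setting documented in this same commit is not mentioned, and one sentence pointing to it would tell users of intentionally shared repositories what to configure after upgrading.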
6
Documentation/RelNotes/2.31.2.txt
Normal file
@ -0,0 +1,6 @@
|
||||
Git v2.31.2 Release Notes
|
||||
=========================
|
||||
|
||||
This release merges up the fixes that appear in v2.30.3 to address
|
||||
the security issue CVE-2022-24765; see the release notes for that
|
||||
version for details.
|
||||
@ -440,6 +440,8 @@ include::config/rerere.txt[]
|
||||
|
||||
include::config/reset.txt[]
|
||||
|
||||
include::config/safe.txt[]
|
||||
|
||||
include::config/sendemail.txt[]
|
||||
|
||||
include::config/sequencer.txt[]
|
||||
|
||||
21
Documentation/config/safe.txt
Normal file
@ -0,0 +1,21 @@
|
||||
safe.directory::
|
||||
These config entries specify Git-tracked directories that are
|
||||
considered safe even if they are owned by someone other than the
|
||||
current user. By default, Git will refuse to even parse a Git
|
||||
config of a repository owned by someone else, let alone run its
|
||||
hooks, and this config setting allows users to specify exceptions,
|
||||
e.g. for intentionally shared repositories (see the `--shared`
|
||||
option in linkgit:git-init[1]).
|
||||
+
|
||||
This is a multi-valued setting, i.e. you can add more than one directory
|
||||
via `git config --add`. To reset the list of safe directories (e.g. to
|
||||
override any such directories specified in the system config), add a
|
||||
`safe.directory` entry with an empty value.
|
||||
+
|
||||
This config setting is only respected when specified in a system or global
|
||||
config, not when it is specified in a repository config or via the command
|
||||
line option `-c safe.directory=<path>`.
|
||||
+
|
||||
The value of this setting is interpolated, i.e. `~/<path>` expands to a
|
||||
path relative to the home directory and `%(prefix)/<path>` expands to a
|
||||
path relative to Git's (runtime) prefix.
|
||||
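Review bot: The opening paragraph of `safe.directory` says the entries name "Git-tracked directories" but does not say which path must be listed or how the value is compared. The check added in this series is on the top-level directory, so the text should state that the value has to be that directory and whether matching is exact (trailing slash, case, symbolic links). The paragraph that limits the setting to system or global config would also read better with its rationale in one sentence: a value honoured from the repository config or from `-c` would let the repository that failed the owner check declare itself safe.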