tests: verify that `clone -c core.hooksPath=/dev/null` works again - user/sven/git.git

diff options

author	Johannes Schindelin <johannes.schindelin@gmx.de>	2024-05-20 20:22:03 +0000
committer	Junio C Hamano <gitster@pobox.com>	2024-05-21 12:33:08 -0700
commit	c8f64781c8b3d44ecb57d14fbffcdbf063583812 (patch)
tree	d59d36df1e6bce63313093664b19f8f2e028ab16 /builtin/commit.c
parent	75631a3cd84887657c634a35d1095f4a0884e48a (diff)

tests: verify that `clone -c core.hooksPath=/dev/null` works again

As part of the protections added in Git v2.45.1 and friends, repository-local `core.hooksPath` settings are no longer allowed, as a defense-in-depth mechanism to prevent future Git vulnerabilities to raise to critical level if those vulnerabilities inadvertently allow the repository-local config to be written. What the added protection did not anticipate is that such a repository-local `core.hooksPath` can not only be used to point to maliciously-placed scripts in the current worktree, but also to _prevent_ hooks from being called altogether. We just reverted the `core.hooksPath` protections, based on the Git maintainer's recommendation in https://lore.kernel.org/git/xmqq4jaxvm8z.fsf@gitster.g/ to address this concern as well as related ones. Let's make sure that we won't regress while trying to protect the clone operation further. Reported-by: Brooke Kuhlmann <brooke@alchemists.io> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>

Diffstat (limited to 'builtin/commit.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: