diff options
| author | Johannes Sixt <j6t@kdbg.org> | 2025-07-08 21:22:00 +0200 |
|---|---|---|
| committer | Johannes Sixt <j6t@kdbg.org> | 2025-07-08 21:22:48 +0200 |
| commit | 3f072308447ed2aab0228d21a7ce334beeeca7e8 (patch) | |
| tree | c793ec4ca2df45d93e85f63f91537bf3d7243abf /lib/commit.tcl | |
| parent | 88125ffe702fcc3aaf5dbcd8b87f74752291f294 (diff) | |
| parent | a437f5bc93330a70b42a230e52f3bd036ca1b1da (diff) | |
Merge branch 'js/fix-open-exec-git'
This addresses CVE-2025-46835, Git GUI can create and overwrite a
user's files:
When a user clones an untrusted repository and is tricked into editing
a file located in a maliciously named directory in the repository, then
Git GUI can create and overwrite files for which the user has write
permission.
* js/fix-open-exec-git:
git-gui: sanitize 'exec' arguments: convert new 'cygpath' calls
git-gui: do not mistake command arguments as redirection operators
git-gui: introduce function git_redir for git calls with redirections
git-gui: pass redirections as separate argument to git_read
git-gui: pass redirections as separate argument to _open_stdout_stderr
git-gui: convert git_read*, git_write to be non-variadic
git-gui: use git_read in githook_read
git-gui: break out a separate function git_read_nice
git-gui: remove option --stderr from git_read
git-gui: sanitize 'exec' arguments: background
git-gui: sanitize 'exec' arguments: simple cases
git-gui: treat file names beginning with "|" as relative paths
git-gui: remove git config --list handling for git < 1.5.3
git-gui: remove HEAD detachment implementation for git < 1.5.3
git-gui: remove Tcl 8.4 workaround on 2>@1 redirection
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Diffstat (limited to 'lib/commit.tcl')
| -rw-r--r-- | lib/commit.tcl | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/lib/commit.tcl b/lib/commit.tcl index 0c2be6f619..37b3808f7e 100644 --- a/lib/commit.tcl +++ b/lib/commit.tcl @@ -27,7 +27,7 @@ You are currently in the middle of a merge that has not been fully completed. Y if {[catch { set name "" set email "" - set fd [git_read cat-file commit $curHEAD] + set fd [git_read [list cat-file commit $curHEAD]] fconfigure $fd -encoding binary -translation lf # By default commits are assumed to be in utf-8 set enc utf-8 @@ -234,7 +234,7 @@ A good commit message has the following format: # -- Build the message file. # set msg_p [gitdir GITGUI_EDITMSG] - set msg_wt [open $msg_p w] + set msg_wt [safe_open_file $msg_p w] fconfigure $msg_wt -translation lf setup_commit_encoding $msg_wt puts $msg_wt $msg @@ -334,7 +334,7 @@ proc commit_commitmsg_wait {fd_ph curHEAD msg_p} { proc commit_writetree {curHEAD msg_p} { ui_status [mc "Committing changes..."] - set fd_wt [git_read write-tree] + set fd_wt [git_read [list write-tree]] fileevent $fd_wt readable \ [list commit_committree $fd_wt $curHEAD $msg_p] } @@ -359,7 +359,7 @@ proc commit_committree {fd_wt curHEAD msg_p} { # -- Verify this wasn't an empty change. # if {$commit_type eq {normal}} { - set fd_ot [git_read cat-file commit $PARENT] + set fd_ot [git_read [list cat-file commit $PARENT]] fconfigure $fd_ot -encoding binary -translation lf set old_tree [gets $fd_ot] close $fd_ot @@ -397,8 +397,8 @@ A rescan will be automatically started now. foreach p [concat $PARENT $MERGE_HEAD] { lappend cmd -p $p } - lappend cmd <$msg_p - if {[catch {set cmt_id [eval git $cmd]} err]} { + set msgtxt [list <$msg_p] + if {[catch {set cmt_id [git_redir $cmd $msgtxt]} err]} { catch {file delete $msg_p} error_popup [strcat [mc "commit-tree failed:"] "\n\n$err"] ui_status [mc "Commit failed."] @@ -418,7 +418,7 @@ A rescan will be automatically started now. if {$commit_type ne {normal}} { append reflogm " ($commit_type)" } - set msg_fd [open $msg_p r] + set msg_fd [safe_open_file $msg_p r] setup_commit_encoding $msg_fd 1 gets $msg_fd subject close $msg_fd |