]> Kevux Git Server - rit/commit
Merge branch 'disallow-control-characters-in-credential-urls-by-default'
authorJohannes Schindelin <johannes.schindelin@gmx.de>
Tue, 29 Oct 2024 22:52:11 +0000 (23:52 +0100)
committerJohannes Schindelin <johannes.schindelin@gmx.de>
Tue, 26 Nov 2024 21:14:45 +0000 (22:14 +0100)
commit08756131a3b7038a60365ae56804cea4301082a9
tree1b1ef503233ddfcb23686e0cd415f008bf35631a
parent062d9fb033ec994305343bb28dbad3c2f799de47
parentb01b9b81d36759cdcd07305e78765199e1bc2060
Merge branch 'disallow-control-characters-in-credential-urls-by-default'

This addresses two vulnerabilities:

- CVE-2024-50349:

Printing unsanitized URLs when asking for credentials made the
user susceptible to crafted URLs (e.g. in recursive clones) that
mislead the user into typing in passwords for trusted sites that
would then be sent to untrusted sites instead.

- CVE-2024-52006

Git may pass on Carriage Returns via the credential protocol to
credential helpers which use line-reading functions that
interpret said Carriage Returns as line endings, even though Git
did not intend that.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>