Merge branch 'icasefs-symlink-confusion'

This topic branch fixes two vulnerabilities: - Recursive clones on case-insensitive filesystems that support symbolic links are susceptible to case confusion that can be exploited to execute just-cloned code during the clone operation. - Repositories can be configured to execute arbitrary code during local clones. To address this, the ownership checks introduced in v2.30.3 are now extended to cover cloning local repositories. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
author: Johannes Schindelin <johannes.schindelin@gmx.de> 2024-03-31 00:22:41 +0100
committer: Johannes Schindelin <johannes.schindelin@gmx.de> 2024-04-17 22:30:24 +0200
commit: 86cb6a3f059968d031fdf6ed49ab38a7ae00847f (patch)
tree: 9dec3da0e9dbd56955d0a65f07016779986c88a3 /builtin/upload-pack.c
parent: 9e06401098f5f83fc9a69ab27e449ae746638892 (diff)
parent: e8d0608944486019ea0e1ed2ed29776811a565c2 (diff)
download: git-86cb6a3f059968d031fdf6ed49ab38a7ae00847f.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/builtin/upload-pack.c b/builtin/upload-pack.c
index 25b69da2bf..f446ff04f6 100644
--- a/builtin/upload-pack.c
+++ b/builtin/upload-pack.c
@@ -35,6 +35,8 @@ int cmd_upload_pack(int argc, const char **argv, const char *prefix)
 
 	packet_trace_identity("upload-pack");
 	read_replace_refs = 0;
+	/* TODO: This should use NO_LAZY_FETCH_ENVIRONMENT */
+	xsetenv("GIT_NO_LAZY_FETCH", "1", 0);
 
 	argc = parse_options(argc, argv, prefix, options, upload_pack_usage, 0);
author	Johannes Schindelin <johannes.schindelin@gmx.de>	2024-03-31 00:22:41 +0100
committer	Johannes Schindelin <johannes.schindelin@gmx.de>	2024-04-17 22:30:24 +0200
commit	86cb6a3f059968d031fdf6ed49ab38a7ae00847f (patch)
tree	9dec3da0e9dbd56955d0a65f07016779986c88a3 /builtin/upload-pack.c
parent	9e06401098f5f83fc9a69ab27e449ae746638892 (diff)
parent	e8d0608944486019ea0e1ed2ed29776811a565c2 (diff)
download	git-86cb6a3f059968d031fdf6ed49ab38a7ae00847f.tar.gz