diff options
| author | Johannes Sixt <j6t@kdbg.org> | 2025-05-20 08:54:24 +0200 |
|---|---|---|
| committer | Taylor Blau <me@ttaylorr.com> | 2025-05-23 17:04:30 -0400 |
| commit | a7d1716fa648f6557ea9c91e0f04bae2e8738e6a (patch) | |
| tree | 64b5354ac410b05e589830d1722b294faec3966b /git-gui/lib/tools.tcl | |
| parent | 27fbab4898620183e608865beffd960139c04d58 (diff) | |
| parent | a1ccd2512072cf52835050f4c97a4fba9f0ec8f9 (diff) | |
| download | git-a7d1716fa648f6557ea9c91e0f04bae2e8738e6a.tar.gz | |
Merge branch 'ml/replace-auto-execok'
This addresses CVE-2025-46334, Git GUI malicious command injection on
Windows.
A malicious repository can ship versions of sh.exe or typical textconv
filter programs such as astextplain. Due to the unfortunate design of
Tcl on Windows, the search path when looking for an executable always
includes the current directory. The mentioned programs are invoked when
the user selects "Git Bash" or "Browse Files" from the menu.
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Diffstat (limited to 'git-gui/lib/tools.tcl')
| -rw-r--r-- | git-gui/lib/tools.tcl | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/git-gui/lib/tools.tcl b/git-gui/lib/tools.tcl index 413f1a1700..b86f72ed16 100644 --- a/git-gui/lib/tools.tcl +++ b/git-gui/lib/tools.tcl @@ -110,14 +110,14 @@ proc tools_exec {fullname} { set cmdline $repo_config(guitool.$fullname.cmd) if {[is_config_true "guitool.$fullname.noconsole"]} { - tools_run_silent [list sh -c $cmdline] \ + tools_run_silent [list [shellpath] -c $cmdline] \ [list tools_complete $fullname {}] } else { regsub {/} $fullname { / } title set w [console::new \ [mc "Tool: %s" $title] \ [mc "Running: %s" $cmdline]] - console::exec $w [list sh -c $cmdline] \ + console::exec $w [list [shellpath] -c $cmdline] \ [list tools_complete $fullname $w] } |