submodule.c
55.2 KB
-
submodule: ignore path and url attributes if they look like options · b93e82d4
These can be used to inject options in an implementation which performs a recursive clone by executing an external command via crafted url and path attributes such that it triggers a local executable to be run. The library is not vulnerable as we do not rely on external executables but a user of the library might be relying on that so we add this protection. This matches this aspect of git's fix for CVE-2018-17456.
Carlos Martín Nieto committed