Hi, I'd like to report a problem with path validation for Windows, and propose a fix. Function `verify_path` first calls `has_dos_drive_prefix` in order to prevent absolute drive paths like "C:\xxx". The logic for that is implemented as follows: #define has_dos_drive_prefix(path) \ (isalpha(*(path)) && (path)[1] == ':' ? 2 : 0) The problem is that Windows will still interpret a path like this as an absolute drive path even if the first character isn't alpha, and so it should still be rejected. In fact, it's actually possible to create drives like that which bypass this filter on Windows (as Administrator), even if it's not an officially supported feature: >subst 1: C:\Users\x\Desktop >dir 1: ... Directory of 1:\ 08/06/2019 06:19 PM <DIR> . 08/06/2019 06:19 PM <DIR> .. ... With a drive like this present, a malicious server can write to wherever that drive points when you perform a git clone (to test this, just create a git repository containing :1/file): >git clone http://x/pathtest Cloning into 'pathtest'... >dir pathtest ... Directory of pathtest 08/08/2019 04:49 PM <DIR> . 08/08/2019 04:49 PM <DIR> .. 0 File(s) 0 bytes >dir C:\Users\x\Desktop ... Directory of C:\Users\x\Desktop 08/08/2019 04:49 PM 9 file If the drive doesn't exist, the clone will fail anyway: >dir 1: The system cannot find the path specified. >git clone http://x/pathtest Cloning into 'pathtest'... fatal: cannot create directory at '1:': No such file or directory warning: Clone succeeded, but checkout failed. You can inspect what was checked out with 'git status' and retry the checkout with 'git checkout -f HEAD' So I'm proposing to remove the check for the drive letter being alpha in `has_dos_drive_prefix` macro: #define has_dos_drive_prefix(path) \ ( (path)[1] == ':' ? 2 : 0) As well as being a security patch for RCE under very unlikely circumstance, this patch is also a micro performance boost! Thanks, Christopher Ertl | MSRC Vulnerabilities & Mitigations | Microsoft Limited Microsoft Limited (company number 01624297) is a company registered in England and Wales whose registered office is at Microsoft Campus, Thames Valley Park, Reading. RG6 1WG
