Carlo Marcelo Arenas Belón <carenas@xxxxxxxxx> writes: > make sure that requests to this helper to get credentials return early if > there is no host or the host is empty. > > Signed-off-by: Carlo Marcelo Arenas Belón <carenas@xxxxxxxxx> > --- > contrib/credential/osxkeychain/git-credential-osxkeychain.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/contrib/credential/osxkeychain/git-credential-osxkeychain.c b/contrib/credential/osxkeychain/git-credential-osxkeychain.c > index bcd3f575a3..2264a88c41 100644 > --- a/contrib/credential/osxkeychain/git-credential-osxkeychain.c > +++ b/contrib/credential/osxkeychain/git-credential-osxkeychain.c > @@ -69,6 +69,12 @@ static void find_internet_password(void) > UInt32 len; > SecKeychainItemRef item; > > + /* > + * Require at valid host to fix CVE-2020-11008 > + */ Just to clarify, you do not need this patch to "fix" it, as long as you are running up-to-date Git, right? In other words, this is more like a belt-and-suspender protection, isn't it? > + if (!host || !*host) > + return; > + > if (SecKeychainFindInternetPassword(KEYCHAIN_ARGS, &len, &buf, &item)) > return;
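Review bot: The comment added above the new check in find_internet_password() has a typo ("Require at valid host" should read "Require a valid host"), and its wording "to fix CVE-2020-11008" claims more than the hunk shows. What the hunk does is return early, before SecKeychainFindInternetPassword(KEYCHAIN_ARGS, ...) is called, when host is NULL or points at an empty string. If the check is meant as defense in depth, the comment should say so, for example "Require a valid host (hardening for CVE-2020-11008)", and it fits on one line rather than a three-line block. The commit message speaks only of requests to get credentials and the hunk touches only find_internet_password(), so the message should also say whether the helper's other operations are intentionally left without the same host check.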