Re: [PATCH v2 00/18] remote-mediawiki: fix RCE issue, and the tests

On Mon, Sep 21, 2020 at 12:39:42PM +0200, Ævar Arnfjörð Bjarmason wrote:

> This series now has a fix for a remote code execution which previously
> was only being discussed on the closed git-security list. Per
> discussion there the issue is being made public.
> 
> Basically, we expect that almost nobody is using this code in the
> first place so there wasn't any interest in a point release, and there
> wasn't any downstream interest in an embargo either.
> 
> This v2 addresses (hopefully) all the public & git-security comments
> on the v1s of this series.

It all looks good to me, including the cleanup in the final commit.

At that point we have no "unquoted" run_git helpers left, so possibly we
could rename the "quoted" forms back to just "run_git" and "run_git_stderr",
which are a little less verbose. But I don't care that much either way.

Thanks again for fixing this.

-Peff


