If I try to create a Git tag with a name beginning with `-`, Git complains. However, Git does not check that a repository does not have tags containing `-`. This almost led to a vulnerability in the QubesOS `verify-git-tag` script. Fortunately, this was not exploitable, as neither `git tag -v`, `git verify-tag --raw`, nor `git describe` have options that are useful to an attacker. Since this could cause vulnerabilities in other programs, I initially reported it as an embargoed security bug, but was told to post it publicly. The best idea I had for a fix is to print names beginning with `-` using the fully-qualified form, such as "refs/tags/-a". Also, `--` is used as a delimiter in many commands, and can’t be escaped, so disallowing it might be a good idea. In the long run, I hope to see leading dashes banned entirely, but backwards compatibility might prevent that. Sincerely, Demi
Attachment:
OpenPGP_0xB288B55FFF9C22C1.asc
Description: application/pgp-keys
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature