As recently seen in fail2ban's security hole (CVE-2021-32749),
piping user controlled input to mail is exploitable,
since a line starting with "~! foo" in the input will run command foo.
This example on the man page pipes to mail. It may not be exploitable.
git rev-list --pretty indents commit messages, which prevents the escape
sequence working there. It's less clear if it might be possible to embed
the escape sequence in a signed push certificate. The user reading the
man page might alter the example to do something more exploitable.
To encourage safe use of mail, add -E 'set escape'
Signed-off-by: Joey Hess <joeyh@xxxxxxxxxx>
---
Documentation/git-receive-pack.txt | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Documentation/git-receive-pack.txt b/Documentation/git-receive-pack.txt
index 014a78409b..cdaae75365 100644
--- a/Documentation/git-receive-pack.txt
+++ b/Documentation/git-receive-pack.txt
@@ -183,7 +183,7 @@ do
echo "New commits:"
git rev-list --pretty "$nval" "^$oval"
fi |
- mail -s "Changes to ref $ref" commit-list@mydomain
+ mail -E 'set escape' -s "Changes to ref $ref" commit-list@mydomain
done
# log signed push certificate, if any
if test -n "${GIT_PUSH_CERT-}" && test ${GIT_PUSH_CERT_STATUS} = G
@@ -191,7 +191,7 @@ then
(
echo expected nonce is ${GIT_PUSH_NONCE}
git cat-file blob ${GIT_PUSH_CERT}
- ) | mail -s "push certificate from $GIT_PUSH_CERT_SIGNER" push-log@mydomain
+ ) | mail -E 'set escape' -s "push certificate from $GIT_PUSH_CERT_SIGNER" push-log@mydomain
fi
exit 0
----
--
2.33.0
