Hi Junio,

On 2022-04-12 at 13:04, Junio C Hamano wrote:
>
> Security releases for the 2.30-2.35 maintenance tracks have been
> tagged to address CVE-2022-24765, which allows a user to trick other
> users into running a command of their choice easily on multi-user
> machines with a shared "mob" directory. The fix has been also
> merged to Git 2.36-rc2 and to all integration branches.
>

This is quite a big behaviour change for some environments [1], so I would think maybe it deserves to be fully spelled out in the release notes for 2.36.0, instead of just referring readers to the release notes for the maintenance release, where they can read a full description only in the release notes for 2.30.3?

Thanks,

Philippe.

[1] the commit message for the change mentions "shared directories", but in some environments, it is quite common for each user to have read access to other users' home directories. I'm mostly thinking about high performance computing clusters, which is the kind of systems I have experience with. This makes it really easy for local "git experts" to 'cd' into a colleague's repo and help them when they are facing a Git problem. The fact that it won't be possible to do that without manually invoking 'git config --add safe.directory $PWD' beforehand is a little sad... What were the arguments for specifically disabling 'git -c safe.directory' for this fix?
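The situation in the footnote (an expert working inside a colleague's repository on a shared cluster) can be checked for ahead of time. The script below is an added example for this thread, not code from Philippe's message or from the Git project: it walks up from a directory the way repository discovery does, compares the owner of the repository root with the invoking user (the ownership mismatch that the CVE-2022-24765 fix refuses), and prints the persistent global opt-in command the mail refers to. The function names and the use of `ls -ldn` for a portable numeric owner are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a directory would be
# rejected by the safe.directory ownership check, and print the opt-in line.

# owner_uid DIR: numeric uid owning DIR (ls -ldn is portable across
# GNU and BSD userlands, unlike the flags of stat).
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# is_owned_by_me DIR: succeed when DIR belongs to the invoking user.
is_owned_by_me() {
    [ "$(owner_uid "$1")" = "$(id -u)" ]
}

# repo_root DIR: walk up from DIR, like repository discovery, and print the
# first ancestor that contains a .git entry; fail if none is found.
repo_root() {
    d=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    while [ "$d" != "/" ]; do
        if [ -e "$d/.git" ]; then
            printf '%s\n' "$d"
            return 0
        fi
        d=$(dirname "$d")
    done
    if [ -e "/.git" ]; then
        printf '/\n'
        return 0
    fi
    return 1
}

# safe_directory_optin DIR: print nothing when the repository holding DIR
# is owned by the caller (git will work as before). Otherwise print the
# global-config command that records the directory as trusted; the
# one-shot 'git -c safe.directory=...' form is not honoured by the fix,
# as the mail notes, so the opt-in has to live in a config file.
safe_directory_optin() {
    root=$(repo_root "$1") || return 2
    if is_owned_by_me "$root"; then
        return 0
    fi
    printf 'git config --global --add safe.directory %s\n' "$root"
}

# Usage: safe_directory_optin /path/to/colleague/repo/some/subdir
```

Running `safe_directory_optin` on a directory you own prints nothing and exits 0; on a colleague's checkout it prints the exact `git config --global --add safe.directory <root>` line to paste, using the real repository root rather than `$PWD`, so the opt-in matches the directory Git actually checks when you are several levels below the top of the work tree.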