On Fri, Oct 21, 2022 at 12:45:02PM -0700, Glen Choo wrote: > However, if GIT_DIR is set by searching for the repo (e.g. by "git > rev-parse --git-dir"), this just disables every safe.* protection. IIRC, > you mentioned that this is exactly what Git.pm does, so as it is, yes > this does leave us in a vulnerable state. Thanks, that matches my understanding. I think Git.pm is vulnerable (but again, not in a released version because of the syntax error). > If we are using `git rev-parse --git-dir`, maybe a reasonable solution > would be to teach `rev-parse` to respect safe.* protections? e.g. `git > rev-parse --git-dir --safe` could error out just like `git` in an unsafe > repository. rev-parse does work that way. It's just that Git.pm has some oddities. More discussion (with my analysis and a patch) in this other thread: https://lore.kernel.org/git/Y1Rp+7R7e+LFa5k6@xxxxxxxxxxxxxxxxxxxxxxx/ -Peff
