Phillip Wood <phillip.wood123@xxxxxxxxx> writes: > What checks do we have in place to prevent git checking out blobs and > gitlinks to paths under .git/? I'd have thought we should be applying > the same restrictions to the target of symbolic links as we do to > those. We do not even allow ".git" slip into the index (most likely from a malicious tree object), so a direct "checkout" is not much of an issue. Of course you can introduce bugs to that regular mechanism in the future but that is not the target for 2.45.1's check we are going to revert. I think what Dscho worries about in his message is that we might by mistake write via a symbolic link in the working tree. If our procedure to update a checked out blob in the working tree were open/truncate/write/close an existing file, a checkout that switches from a version with a symbolic link at path F to a version with a regular file at path F may end up overwriting the target of F. I think the idea was (Dscho can correct me if I am misleading the log messge of a33fea08 (fsck: warn about symlink pointing inside a gitdir, 2024-04-10)) that such a bug from overwriting a file in our repository if we did not allow a symbolic link F to point into our repository.
