Colon and backslash in names may be used on Windows to overwrite files outside of the working directory. Due to the file-system being case-insensitive, .git can be written as any combination of upper and lower characters, so we should check that too.

Signed-off-by: Dmitry Potapov <dpotapov@xxxxxxxxx>
---
In this version, I have added the check that files in .git/ will not be overwritten by checkout. Overwriting such files as .git/config is potentially exploitable.

Josh,

Does OS X need the same check below? I believe it has a case-insensitive filesystem, so it needs that too, but I am not sure which define should be used.

Thanks,
Dmitry

read-cache.c | 19 +++++++++++++++++++ 1 files changed, 19 insertions(+), 0 deletions(-) diff --git a/read-cache.c b/read-cache.c index aff6390..7f855ee 100644 --- a/read-cache.c +++ b/read-cache.c @@ -668,10 +668,19 @@ static int verify_dotfile(const char *rest) * shares the path end test with the ".." case. */ case 'g': +#if defined(_WIN32) || defined(__CYGWIN__) + /* On Windows, file names are case-insensitive */ + case 'G': + if ((rest[1]|0x20) != 'i') + break; + if ((rest[2]|0x20) != 't') + break; +#else if (rest[1] != 'i') break; if (rest[2] != 't') break; +#endif rest += 2; /* fallthrough */ case '.': @@ -703,6 +712,16 @@ inside: } return 0; } +#if defined(_WIN32) || defined(__CYGWIN__) + /* + * There is a bunch of other characters that are not allowed + * in Win32 API, but the following two create a security hole + * by allowing to overwrite files outside of the working tree, + * therefore they are explicitly prohibited. + */ + else if (c == ':' || c == '\\') + return 0; +#endif c = *path++; } } -- 1.6.0
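
Review bot: in the first hunk (verify_dotfile), the `#if defined(_WIN32) || defined(__CYGWIN__)` guard around the new `case 'G':` ties the case-insensitive `.git` check to two platform macros, although the property being tested belongs to the file system, and the cover note already asks whether OS X needs the same check. Consider a single build-time feature macro for "case-insensitive file system" that each affected platform sets, and fold the `#if`/`#else` pair into one comparison so the two branches cannot drift apart. The `|0x20` folding is correct for these two letters, since only `I`/`i` and `T`/`t` map to `i` and `t`, but a short comment saying so would help the next reader.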
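
Review bot: in the second hunk (after the `inside:` block), the new `else if (c == ':' || c == '\\')` is attached to the closing brace of the preceding `if` block from inside an `#if`, so the shape of the if/else chain changes per platform. Because that block already ends in `return 0;`, a standalone `if (c == ':' || c == '\\') return 0;` placed just before `c = *path++;` behaves the same and is harder to break in a later edit. The diffstat shows only read-cache.c changed, so a test that feeds path names containing `:`, `\` and a mixed-case `.GIT` component to this check would be worth adding alongside the patch.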