Junio C Hamano <gitster@xxxxxxxxx> writes: > Current gitweb has a possible local privilege escalation bug that allows a > malicious repository owner to run a command of his choice by specifying > diff.external configuration variable in his repository and running a > crafted gitweb query. > > Recent (post 1.4.3) gitweb itself never generates a link that would result > in such a query, and the safest and cleanest fix to this issue is to > simply drop the support for it. Maintenance release v1.6.0.6, v1.5.6.6, > v1.5.5.6 and v1.5.4.7 are already available at k.org (see the announcement > for v1.6.0.6 I sent out a few minutes ago), and the master branch and > others pushed out tonight have the same fix. >From what I have found diff.external works only since v1.5.4 (see commit cbe02100), so when gitweb started using git-diff for old legacy links to not use $tmpdir and /usr/bin/diff -u it wasn't an issue... -- Jakub Narebski Poland ShadeHawk on #git -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
