diff options
| author | Ivan Frade <ifrade@google.com> | 2018-09-24 16:03:35 -0700 |
|---|---|---|
| committer | Matthias Sohn <matthias.sohn@sap.com> | 2018-10-05 21:38:22 +0200 |
| commit | db9f7b028d8086e5fc66364e9beba1e3a2b99d48 (patch) | |
| tree | c59d61cd0b329aa487d173c7dfec48e696792fd4 /org.eclipse.jgit/.settings | |
| parent | e5a4c0d17e532824e0d379cb1c322296b07c73f9 (diff) | |
| download | jgit-db9f7b028d8086e5fc66364e9beba1e3a2b99d48.tar.gz jgit-db9f7b028d8086e5fc66364e9beba1e3a2b99d48.zip | |
SubmoduleAddCommand: Reject submodule URIs that look like cli options
In C git versions before 2.19.1, the submodule is fetched by running
"git clone <uri> <path>". A URI starting with "-" would be interpreted
as an option, causing security problems. See CVE-2018-17456.
Refuse to add submodules with URIs, names or paths starting with "-",
that could be confused with command line arguments.
[jn: backported to JGit 4.7.y, bringing portions of Masaya Suzuki's
dotdot check code in v5.1.0.201808281540-m3~57 (Add API to specify
the submodule name, 2018-07-12) along for the ride]
Change-Id: I2607c3acc480b75ab2b13386fe2cac435839f017
Signed-off-by: Ivan Frade <ifrade@google.com>
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Diffstat (limited to 'org.eclipse.jgit/.settings')
| -rw-r--r-- | org.eclipse.jgit/.settings/.api_filters | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/org.eclipse.jgit/.settings/.api_filters b/org.eclipse.jgit/.settings/.api_filters index 4badd2c1c4..ed43015a39 100644 --- a/org.eclipse.jgit/.settings/.api_filters +++ b/org.eclipse.jgit/.settings/.api_filters @@ -3,7 +3,7 @@ <resource path="META-INF/MANIFEST.MF"> <filter id="924844039"> <message_arguments> - <message_argument value="4.7.4"/> + <message_argument value="4.7.5"/> <message_argument value="4.7.0"/> </message_arguments> </filter> |