| author | Johannes Sixt <j6t@kdbg.org> | 2025-07-08 21:19:28 +0200 |
|---|---|---|
| committer | Johannes Sixt <j6t@kdbg.org> | 2025-07-08 21:20:21 +0200 |
| commit | 88125ffe702fcc3aaf5dbcd8b87f74752291f294 (patch) | |
| tree | e717dfb47119d485a59445007e708e7c12dc5090 /lib | |
| parent | Merge branch 'ob/strip-comments-on-commit' (diff) | |
| parent | git-gui: override exec and open only on Windows (diff) | |
Merge branch 'ml/replace-auto-execok'
This addresses CVE-2025-46334, Git GUI malicious command injection on
Windows.
A malicious repository can ship versions of sh.exe or typical textconv
filter programs such as astextplain. Due to the unfortunate design of
Tcl on Windows, the search path when looking for an executable always
includes the current directory. The mentioned programs are invoked when
the user selects "Git Bash" or "Browse Files" from the menu.
* ml/replace-auto-execok:
git-gui: override exec and open only on Windows
git-gui: sanitize $PATH on all platforms
git-gui: assure PATH has only absolute elements.
git-gui: cleanup git-bash menu item
git-gui: avoid auto_execok in do_windows_shortcut
git-gui: avoid auto_execok for git-bash menu item
git-gui: remove unused proc is_shellscript
git-gui: remove special treatment of Windows from open_cmd_pipe
git-gui: use only the configured shell
git-gui: make _shellpath usable on startup
git-gui: use [is_Windows], not bad _shellpath
git-gui: _which, only add .exe suffix if not present
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/shortcut.tcl | 2 | ||||
| -rw-r--r-- | lib/sshkey.tcl | 3 | ||||
| -rw-r--r-- | lib/tools.tcl | 4 |
3 files changed, 5 insertions, 4 deletions
diff --git a/lib/shortcut.tcl b/lib/shortcut.tcl
index 674a41f5e0..263f4899c9 100644
--- a/lib/shortcut.tcl
+++ b/lib/shortcut.tcl
@@ -12,7 +12,7 @@ proc do_windows_shortcut {} {
 set fn ${fn}.lnk
 }
 # Use git-gui.exe if available (ie: git-for-windows)
- set cmdLine [auto_execok git-gui.exe]
+ set cmdLine [list [_which git-gui]]
 if {$cmdLine eq {}} {
 set cmdLine [list [info nameofexecutable] \
 [file normalize $::argv0]]
diff --git a/lib/sshkey.tcl b/lib/sshkey.tcl
index 589ff8f78a..c0c5d1dad8 100644
--- a/lib/sshkey.tcl
+++ b/lib/sshkey.tcl
@@ -83,7 +83,8 @@ proc make_ssh_key {w} {
 set sshkey_title [mc "Generating..."]
 $w.header.gen configure -state disabled
- set cmdline [list sh -c {echo | ssh-keygen -q -t rsa -f ~/.ssh/id_rsa 2>&1}]
+ set cmdline [list [shellpath] -c \
+ {echo | ssh-keygen -q -t rsa -f ~/.ssh/id_rsa 2>&1}]
 if {[catch {
 set sshkey_fd [_open_stdout_stderr $cmdline]
 } err]} {
 error_popup [mc "Could not start ssh-keygen:\n\n%s" $err]
diff --git a/lib/tools.tcl b/lib/tools.tcl
index 413f1a1700..b86f72ed16 100644
--- a/lib/tools.tcl
+++ b/lib/tools.tcl
@@ -110,14 +110,14 @@ proc tools_exec {fullname} {
 set cmdline $repo_config(guitool.$fullname.cmd)
 if {[is_config_true "guitool.$fullname.noconsole"]} {
- tools_run_silent [list sh -c $cmdline] \
+ tools_run_silent [list [shellpath] -c $cmdline] \
 [list tools_complete $fullname {}]
 } else {
 regsub {/} $fullname { / } title
 set w [console::new \
 [mc "Tool: %s" $title] \
 [mc "Running: %s" $cmdline]]
- console::exec $w [list sh -c $cmdline] \
+ console::exec $w [list [shellpath] -c $cmdline] \
 [list tools_complete $fullname $w]
 }
|
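Review bot: The fallback in the shortcut.tcl hunk looks dead after the new `set cmdLine [list [_which git-gui]]`: if `_which` returns an empty string when git-gui is not found (its body is not in this diff, but the surrounding code expects that), `[list {}]` yields the two-character string `{}`, so the unchanged `if {$cmdLine eq {}}` on the next line is false and the `[info nameofexecutable] [file normalize $::argv0]` branch is never taken; the shortcut is then created with an empty command instead of falling back. The old `auto_execok` returned a bare empty string, which is why the comparison used to work. The smallest fix keeps the list form and tests its element, `if {[lindex $cmdLine 0] eq {}} {`. The rest of do_windows_shortcut, including where cmdLine is consumed, lies outside the hunk.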
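Review bot: In the tools.tcl hunk the same `[list [shellpath] -c $cmdline]` is now built in both branches of the `if`, which is exactly the duplication that forced the two lines to be patched in lockstep here. Building it once before the branch, `set shcmd [list [shellpath] -c $cmdline]`, and passing `$shcmd` to both `tools_run_silent` and `console::exec` keeps the two invocations from drifting apart again. tools_exec begins before this hunk, and the hunk's trailing context appears to be cut short in this rendering, so the closing lines are not visible.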
