diff options
Diffstat (limited to 'debian/patches/0002-Revert-core.hooksPath-add-some-protection-while-cloni.diff')
-rw-r--r-- | debian/patches/0002-Revert-core.hooksPath-add-some-protection-while-cloni.diff | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/debian/patches/0002-Revert-core.hooksPath-add-some-protection-while-cloni.diff b/debian/patches/0002-Revert-core.hooksPath-add-some-protection-while-cloni.diff new file mode 100644 index 0000000..8e1c975 --- /dev/null +++ b/debian/patches/0002-Revert-core.hooksPath-add-some-protection-while-cloni.diff @@ -0,0 +1,82 @@ +From 7db946419c29e185f1cc6e544cfb47b442019ac7 Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin <johannes.schindelin@gmx.de> +Date: Sat, 18 May 2024 10:32:41 +0000 +Subject: Revert "core.hooksPath: add some protection while cloning" + +commit f13e8e2ea56ceef593311b3cff1ba7ba1a493682 upstream. + +This defense-in-depth was intended to protect the clone operation +against future escalations where bugs in `git clone` would allow +attackers to write arbitrary files in the `.git/` directory would allow +for Remote Code Execution attacks via maliciously-placed hooks. + +However, it turns out that the `core.hooksPath` protection has +unintentional side effects so severe that they do not justify the +benefit of the protections. For example, it has been reported in +https://lore.kernel.org/git/FAFA34CB-9732-4A0A-87FB-BDB272E6AEE8@alchemists.io/ +that the following invocation, which is intended to make `git clone` +safer, is itself broken by that protective measure: + + git clone --config core.hooksPath=/dev/null <url> + +Since it turns out that the benefit does not justify the cost, let's revert +20f3588efc6 (core.hooksPath: add some protection while cloning, +2024-03-30). + +Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> +Signed-off-by: Junio C Hamano <gitster@pobox.com> +Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> +--- + config.c | 13 +------------ + t/t1800-hook.sh | 15 --------------- + 2 files changed, 1 insertion(+), 27 deletions(-) + +diff --git a/config.c b/config.c +index 77a0fd2d80e..ae3652b08fa 100644 +--- a/config.c ++++ b/config.c +@@ -1416,19 +1416,8 @@ static int git_default_core_config(const char *var, const char *value, + if (!strcmp(var, "core.attributesfile")) + return git_config_pathname(&git_attributes_file, var, value); + +- if (!strcmp(var, "core.hookspath")) { +- if (ctx->kvi && ctx->kvi->scope == CONFIG_SCOPE_LOCAL && +- git_env_bool("GIT_CLONE_PROTECTION_ACTIVE", 0)) +- die(_("active `core.hooksPath` found in the local " +- "repository config:\n\t%s\nFor security " +- "reasons, this is disallowed by default.\nIf " +- "this is intentional and the hook should " +- "actually be run, please\nrun the command " +- "again with " +- "`GIT_CLONE_PROTECTION_ACTIVE=false`"), +- value); ++ if (!strcmp(var, "core.hookspath")) + return git_config_pathname(&git_hooks_path, var, value); +- } + + if (!strcmp(var, "core.bare")) { + is_bare_repository_cfg = git_config_bool(var, value); +diff --git a/t/t1800-hook.sh b/t/t1800-hook.sh +index 1894ebeb0e8..8b0234cf2d5 100755 +--- a/t/t1800-hook.sh ++++ b/t/t1800-hook.sh +@@ -185,19 +185,4 @@ test_expect_success 'stdin to hooks' ' + test_cmp expect actual + ' + +-test_expect_success 'clone protections' ' +- test_config core.hooksPath "$(pwd)/my-hooks" && +- mkdir -p my-hooks && +- write_script my-hooks/test-hook <<-\EOF && +- echo Hook ran $1 +- EOF +- +- git hook run test-hook 2>err && +- test_grep "Hook ran" err && +- test_must_fail env GIT_CLONE_PROTECTION_ACTIVE=true \ +- git hook run test-hook 2>err && +- test_grep "active .core.hooksPath" err && +- test_grep ! "Hook ran" err +-' +- + test_done |