From 466b8c4ea26f119f2b0532ece764c543e78a873e Mon Sep 17 00:00:00 2001
From: Dan Willemsen
Date: Wed, 25 Nov 2015 13:26:39 -0800
Subject: [PATCH] Set GIT_ALLOW_PROTOCOL to limit dangerous protocols

See git commit 33cfccbbf35a -- some protocols allow arbitrary command execution as part of the URL. Instead of blindly allowing those, whitelist the allowed URL protocols unless the user has already done so.

Bug: Issue 210
Change-Id: I6bd8e721aa5e3dab53ef28cfdc8fde33eb74ef76
---
 git_command.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/git_command.py b/git_command.py
index 0893bff7..63b7b6f2 100644
--- a/git_command.py
+++ b/git_command.py
@@ -168,6 +168,9 @@ class GitCommand(object):
 if p is not None:
 s = p + ' ' + s
 _setenv(env, 'GIT_CONFIG_PARAMETERS', s)
+ if 'GIT_ALLOW_PROTOCOL' not in env:
+ _setenv(env, 'GIT_ALLOW_PROTOCOL',
+ 'file:git:http:https:ssh:persistent-http:persistent-https:sso')
 if project:
 if not cwd:
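Review bot: The allowlist passed to `_setenv` in the added lines is a bare string literal with no comment, so a reader cannot tell which entries are stock git transports and which (`persistent-http`, `persistent-https`, `sso`) presumably depend on remote helpers shipped alongside this tool. A named module-level constant with a comment such as `# Transports repo may fetch over; anything else (e.g. ext::) is refused unless the user sets GIT_ALLOW_PROTOCOL.` would record the intent and give later additions one place to be reviewed. A git binary that predates the change referenced in the description will presumably ignore the variable, so the restriction silently does not apply there; the comment should say so, or a minimum-version check should cover it. Since URLs taken from a manifest are the untrusted input this guards, it is also worth confirming that `file` and unauthenticated `git` need to stay in the default list. The enclosing method starts and ends outside the hunk.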