Version Control ssh:// URL Shell Injection Vulnerability
Junio C Hamano (via Greg Hurrell):
These contain a security fix for CVE-2017-1000117, and are released in coordination with Subversion and Mercurial that share a similar issue.
[…]
A malicious third-party can give a crafted “ssh://…” URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim’s machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running “git clone --recurse-submodules” to trigger the vulnerability.
[…]
A “ssh://…” URL can result in a “ssh” command line with a hostname that begins with a dash “-”, which would cause the “ssh” command to instead (mis)treat it as an option.
[…]
In the same spirit, a repository name that begins with a dash “-” is also forbidden now.