git.vanrenterghem.biz Git - git.ikiwiki.info.git/commit
Tell `git revert` not to follow renames (CVE-2016-10026)
author Simon McVittie <smcv@debian.org>
Mon, 19 Dec 2016 13:48:56 +0000 (13:48 +0000)
committer Simon McVittie <smcv@debian.org>
Fri, 23 Dec 2016 18:44:37 +0000 (18:44 +0000)
commit bb5cf4a0940b8fd2750c6175adb15382b84c71e2
tree 8f9cf6a5966b0a4f5bc7b725f2c8481d6a1ae35a
parent 838c1b5aec17ad90a894f21c12bb58adb5225276
Tell `git revert` not to follow renames (CVE-2016-10026)

Otherwise, we have an authorization bypass vulnerability: rcs_preprevert
looks at what changed in the commit we are reverting, not at what would
result from reverting it now. In particular, if some files were renamed
since the commit we are reverting, a revert of changes that were within
the designated subdirectory and allowed by check_canchange() might now
affect files that are outside the designated subdirectory or disallowed
by check_canchange().

Signed-off-by: Simon McVittie <smcv@debian.org>
IkiWiki/Plugin/git.pm
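
The mismatch the commit message describes can be reproduced in a scratch repository. The script below is an added example, not ikiwiki's code: it compares the paths the original commit touched with the paths a revert would touch now. The repository layout, file names and helper functions are constructed, and `-X no-renames` is assumed as one way to tell `git revert` not to follow renames (the page does not show the option the commit uses).

```shell
#!/bin/sh
# Constructed demo: the repository, paths and file contents are made up.
# g runs git with a throwaway identity so the demo needs no global config.
g() { git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false "$@"; }

# Build a repo where an edit made inside sandbox/ is followed by a rename
# of the edited file to protected/. Prints the repo path; the edit is HEAD~1.
make_repo() {
    r=$(mktemp -d) || return 1
    g init -q "$r" || return 1
    mkdir "$r/sandbox" "$r/protected"
    printf 'line 1\nline 2\nline 3\n' > "$r/sandbox/page.mdwn"
    g -C "$r" add . && g -C "$r" commit -q -m 'create page in sandbox'
    printf 'line 1\nedited\nline 3\n' > "$r/sandbox/page.mdwn"
    g -C "$r" commit -q -a -m 'edit inside sandbox'
    g -C "$r" mv sandbox/page.mdwn protected/page.mdwn
    g -C "$r" commit -q -m 'later rename out of sandbox'
    echo "$r"
}

# Paths the commit itself changed: what a check based on the commit sees.
paths_in_commit() { g -C "$1" diff-tree --no-commit-id --name-only -r "$2"; }

# Paths that reverting the commit now would change. Extra arguments are
# passed to git revert. Prints CONFLICT if the revert does not apply cleanly.
paths_revert_would_touch() {
    r=$1; c=$2; shift 2
    if g -C "$r" revert --no-commit "$@" "$c" >/dev/null 2>&1; then
        g -C "$r" diff --cached --name-only
    else
        echo CONFLICT
    fi
    g -C "$r" reset -q --hard   # discard the trial revert
}

demo=$(make_repo)
echo "commit touched:      $(paths_in_commit "$demo" HEAD~1)"
echo "revert, default:     $(paths_revert_would_touch "$demo" HEAD~1)"
echo "revert, no-renames:  $(paths_revert_would_touch "$demo" HEAD~1 -X no-renames)"
rm -rf "$demo"
```

With rename following, the revert lands on `protected/page.mdwn` although the commit only names `sandbox/page.mdwn`; without it, the revert stops with a conflict instead of editing the renamed file.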