contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.

Upstream patch: https://github.com/git/git/commit/8976500cbbb13270398d3b3e07a17b8cc7bff43f
PoC repository: https://github.com/njhartwell/pw3nage
Created git tracking bugs for this issue:

Affects: epel-5 [bug 1434439]
Affects: fedora-24 [bug 1434438]
Affects: openshift-1 [bug 1434440]
Note that there are two ways to use git-prompt.sh to add info to the shell prompt. These methods are documented at the top of the git-prompt.sh file:

    # 3a) Change your PS1 to call __git_ps1 as
    #     command-substitution:
    #     Bash: PS1='[\u@\h \W$(__git_ps1 " (%s)")]\$ '
    #     ZSH:  setopt PROMPT_SUBST ; PS1='[%n@%m %c$(__git_ps1 " (%s)")]\$ '
    #     the optional argument will be used as format string.
    # 3b) Alternatively, for a slightly faster prompt, __git_ps1 can
    #     be used for PROMPT_COMMAND in Bash or for precmd() in Zsh
    #     with two parameters, <pre> and <post>, which are strings
    #     you would put in $PS1 before and after the status string
    #     generated by the git-prompt machinery.  e.g.
    #     Bash: PROMPT_COMMAND='__git_ps1 "\u@\h:\w" "\\\$ "'
    #       will show username, at-sign, host, colon, cwd, then
    #       various status string, followed by dollar and SP, as
    #       your prompt.
    #     ZSH:  precmd () { __git_ps1 "%n" ":%~$ " "|%s" }
    #       will show username, pipe, then various status string,
    #       followed by colon, cwd, dollar and SP, as your prompt.
    #     Optionally, you can supply a third argument with a printf
    #     format string to finetune the output of the branch status

This issue only affected uses with __git_ps1 used in the PROMPT_COMMAND (i.e. the 3b) configurations); it did not affect uses with __git_ps1 in PS1 (i.e. the 3a) configurations). The support for using __git_ps1 in PROMPT_COMMAND was added in git version 1.8.1 via this commit: https://github.com/git/git/commit/1bfc51ac814125de03ddf1900245e42d6ce0d250

Therefore, git 1.7.1 as shipped with Red Hat Enterprise Linux 6 was not affected.
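The following is an added example, not code from this bug report, from git-prompt.sh, or from the upstream patch. It does two things a practitioner wants from the comment above: it classifies a PS1/PROMPT_COMMAND pair as the affected mode 3b or the unaffected mode 3a, and it contrasts the pre-fix shape (branch text spliced directly into PS1, which bash then subjects to prompt expansion including command substitution) with the post-fix shape (PS1 holds only a literal `${__git_ps1_branch_name}` reference, so the branch value is substituted once and not re-scanned). The function names `git_prompt_mode`, `unsafe_ps1_from_branch`, `safe_ps1_from_branch` and `prompt_expand` are names chosen for this illustration; the branch name containing `$(echo injected)` is a constructed, harmless sample. The expansion demo relies on bash's `${var@P}` (bash 4.4 and later) and reports "unsupported" on other shells.

```shell
#!/usr/bin/env bash
# Added example; not code from the bug report or from git's git-prompt.sh.
# Function names other than __git_ps1 / __git_ps1_branch_name are assumptions
# chosen for this illustration.

# Classify how __git_ps1 is wired into the prompt, given the PS1 and
# PROMPT_COMMAND strings explicitly (so it can be run over saved shell
# configuration text rather than only the live shell).
# Prints "prompt_command" (mode 3b, the affected configuration),
# "ps1" (mode 3a, not affected) or "none".
git_prompt_mode() {
    local ps1="$1" prompt_command="$2"
    case "$prompt_command" in
        *__git_ps1*) echo "prompt_command"; return 0 ;;
    esac
    case "$ps1" in
        *__git_ps1*) echo "ps1"; return 0 ;;
    esac
    echo "none"
}

# Pre-fix shape of mode 3b: the branch text is spliced straight into the
# PS1 string. Bash later performs prompt expansion on PS1, which includes
# command substitution, so a $(...) sequence inside the branch name runs.
unsafe_ps1_from_branch() {
    local pre="$1" branch="$2" post="$3"
    printf '%s (%s)%s' "$pre" "$branch" "$post"
}

# Post-fix shape: PS1 carries only a literal reference to a variable and
# the variable holds the raw branch name. Prompt expansion substitutes the
# variable's value once and does not re-scan that value for $(...).
safe_ps1_from_branch() {
    local pre="$1" branch="$2" post="$3"
    __git_ps1_branch_name="$branch"
    printf '%s (${__git_ps1_branch_name})%s' "$pre" "$post"
}

# Apply bash prompt expansion to a string, the way bash treats PS1.
# Uses ${var@P} (bash 4.4+); prints "unsupported" elsewhere so the
# rest of the script still runs under other shells.
prompt_expand() {
    local s="$1" out probe="x"
    [ -n "${BASH_VERSION:-}" ] || { echo "unsupported"; return 0; }
    (eval ': "${probe@P}"') 2>/dev/null || { echo "unsupported"; return 0; }
    eval 'out=${s@P}'
    printf '%s' "$out"
}

# Demonstration on a constructed branch name containing a command
# substitution (harmless here: it only echoes a word).
branch='$(echo injected)'
unsafe_ps1="$(unsafe_ps1_from_branch 'user@host' "$branch" ': ')"
safe_ps1="$(safe_ps1_from_branch 'user@host' "$branch" ': ')"
__git_ps1_branch_name="$branch"   # safe_ps1_from_branch above ran in a subshell

printf 'unsafe PS1 text: %s\n' "$unsafe_ps1"
printf 'unsafe expanded: %s\n' "$(prompt_expand "$unsafe_ps1")"
printf 'safe PS1 text:   %s\n' "$safe_ps1"
printf 'safe expanded:   %s\n' "$(prompt_expand "$safe_ps1")"
```

With a bash that supports `${var@P}`, the unsafe string expands to `user@host (injected): ` because the command substitution embedded in the branch name was executed during prompt expansion, while the safe string expands to `user@host ($(echo injected)): ` with the branch name left as inert text. This is why only the 3b configuration mattered: in 3a the `$(__git_ps1 ...)` output is likewise the result of a command substitution and is not re-scanned.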
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7: via RHSA-2017:2004, https://access.redhat.com/errata/RHSA-2017:2004