From: Mark Levedahl <mlevedahl@gmail.com>
To: Johannes Sixt <j6t@kdbg.org>
Cc: git@vger.kernel.org, johannes.schindelin@gmx.de
Subject: Re: [PATCH] gitk - override $PATH search only on Windows
Date: Mon, 31 Mar 2025 15:29:31 -0400
Message-ID: <5b09f1c2-be58-43a2-9908-7243b5207251@gmail.com>
In-Reply-To: <58556f57-698d-4f58-bbcf-c752cba00ff7@kdbg.org>

On 3/31/25 1:12 PM, Johannes Sixt wrote:
> Am 31.03.25 um 17:12 schrieb Mark Levedahl:
>> Commit 4cbe9e0e2 was written to address problems that result from Tcl's
>> documented behavior on Windows where the current working directory and a
>> number of Windows system directories are automatically prepended to
>> $PATH when searching for executables [1]. This basic Windows behavior
>> has resulted in more than one CVE against git for Windows:
>> CVE-2023-23618, CVE-2022-41953 are listed on the git for Windows github
>> website for the Tcl components of git (gitk, git-gui).
>>
>> 4cbe9e0e2 is intended to restrict the search to looking only in
>> directories given in $PATH and in the given order, which is exactly the
>> Tcl behavior documented to exist on non-Windows platforms [1]. Thus,
>> this change could have been written to affect only Windows, leaving
>> other platforms alone.
>>
>> However, 4cbe9e0e2 implements the override for all platforms, and
>> includes specialized code for Cygwin (copied from git-gui prior
>> to commit 6d2f9d90 on https://github.com/j6t/git-gui.git), so targets a
>
> I can't find 6d2f9d90 anywhere. Do you have a URL?

Sorry about that (bad copy / paste). Should be 7145c654
https://github.com/j6t/git-gui/commit/7145c654fffecd1f3d4a2b8bf05755ce262903e8

> Now that this code is only about Windows, _search_exe is always ".exe".
> It would be great if we could remove it as well.
>

Will do for v2.

Mark
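
The search behaviour described in the quoted commit message (only the directories in $PATH, in the given order, for bare executable names), as an added Tcl example that is not part of this message or of gitk. The proc names `path_dirs` and `find_in_path`, the handling of empty PATH entries, and the demo directory layout are assumptions made for illustration.

```tcl
# Added example (not gitk's code): resolve a bare command name using only
# the directories listed in PATH, in the order given.

# Return the PATH entries as a list. Empty entries are dropped (a choice of
# this example) because [file join "" name] yields a relative name, which
# would be looked up in the current working directory.
proc path_dirs {} {
    global env tcl_platform
    if {![info exists env(PATH)]} { return {} }
    set sep [expr {$tcl_platform(platform) eq "windows" ? ";" : ":"}]
    set dirs {}
    foreach d [split $env(PATH) $sep] {
        if {$d ne ""} { lappend dirs $d }
    }
    return $dirs
}

# Return the full path of the first match for $name in $dirs, or "".
# A name with a directory component is returned unchanged, so only bare
# executable names are searched for.
proc find_in_path {name dirs {suffix ""}} {
    if {[llength [file split $name]] > 1} { return $name }
    foreach d $dirs {
        set candidate [file join $d $name$suffix]
        if {[file isfile $candidate] && [file executable $candidate]} {
            return $candidate
        }
    }
    return ""
}

# Constructed demo: "tool" exists in both a PATH-style directory and the
# working directory; only the copy in the listed directory is returned.
set suffix [expr {$tcl_platform(platform) eq "windows" ? ".exe" : ""}]
set start [pwd]
set base [file join $start path_demo_[pid]]
file mkdir [file join $base bin] [file join $base work]
foreach dir {bin work} {
    set f [file join $base $dir tool$suffix]
    close [open $f w]
    catch {file attributes $f -permissions u+x}
}
cd [file join $base work]
puts [find_in_path tool [list [file join $base bin]] $suffix]
puts [find_in_path git [path_dirs] $suffix]
cd $start
file delete -force $base
```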

Thread overview: 13+ messages
2025-03-28 12:34 git v2.49.0 - gitk regression on Cygwin Mark Levedahl
2025-03-28 17:30 ` Johannes Sixt
2025-03-29 21:49 ` Mark Levedahl
2025-03-31 15:12 ` [PATCH] gitk - override $PATH search only on Windows Mark Levedahl
2025-03-31 17:12 ` Johannes Sixt
2025-03-31 19:29 ` Mark Levedahl [this message]
2025-04-01 3:00 ` [PATCH v2 0/3] gitk: override PATH " Mark Levedahl
2025-04-01 3:01 ` [PATCH v2 1/3] gitk: override $PATH " Mark Levedahl
2025-04-01 3:01 ` [PATCH v2 2/3] gitk: _search_exe is no longer needed Mark Levedahl
2025-04-01 3:01 ` [PATCH v2 3/3] gitk: limit PATH search to bare executable names Mark Levedahl
2025-04-01 16:10 ` [PATCH v2 0/3] gitk: override PATH search only on Windows Johannes Schindelin
2025-04-01 16:44 ` Mark Levedahl
2025-04-01 16:40 ` Johannes Sixt