Security and hardening
- Apply
core.protectHFSandcore.protectNTFStogether when selecting the checkout path-element validator. Previously only the NTFS validator ran whenprotectNTFSwas on (the default), so on macOS an HFS+ spelling of.gitusing ignorable code points could pass validation and poison.giton checkout. - Canonicalize file modes in
git archivetarballs, so a crafted tree entry can no longer carry setuid/setgid/sticky bits into an extracted file. - Collapse embedded whitespace in reflog messages, so a crafted multi-line commit message can no longer forge additional reflog entries with attacker-chosen SHAs.
- Verify that a
.bitmapindex matches the pack it is loaded for, so a stale or swapped-in bitmap can't produce a wrong reachable-object set during fetch negotiation. - Parse commit-message trailers in linear time, fixing a cubic blowup where a crafted commit message could tie up CPU for minutes to hours.
Features and fixes
- Honour
core.worktree, so the working tree can live outside the parent of the control directory. - Porcelain functions now take an
envargument, and readGIT_PROTOCOL,GIT_SSH_COMMAND/GIT_SSHwhen called as a library rather than only from the CLI (fixes a regression since 1.2.1 whereporcelain.clone()silently ignored the SSH variables). porcelain.archive()gained aremoteargument.- Recurse into subtrees when merging trees, so non-overlapping changes under a shared directory merge cleanly.
- Clear
core.barewhen setting up a submodule's working tree.
Security and hardening fixes in this release were contributed by Kartik Kenchi (@netliomax25-code).