Re: [PATCH] gitk - override $PATH search only on Windows

On 3/31/25 1:12 PM, Johannes Sixt wrote:
> On 31.03.25 at 17:12, Mark Levedahl wrote:
>> Commit 4cbe9e0e2 was written to address problems that result from Tcl's
>> documented behavior on Windows where the current working directory and a
>> number of Windows system directories are automatically prepended to
>> $PATH when searching for executables [1].  This basic Windows behavior
>> has resulted in more than one CVE against git for Windows:
>> CVE-2023-23618, CVE-2022-41953 are listed on the git for Windows github
>> website for the Tcl components of git (gitk, git-gui).
>>
>> 4cbe9e0e2 is intended to restrict the search to looking only in
>> directories given in $PATH and in the given order, which is exactly the
>> Tcl behavior documented to exist on non-Windows platforms [1]. Thus,
>> this change could have been written to affect only Windows, leaving
>> other platforms alone.
>>
>> However, 4cbe9e0e2 implements the override for all platforms, and
>> includes specialized code for Cygwin, copied from git-gui prior
>> to commit 6d2f9d90 on https://github.com/j6t/git-gui.git), so targets a
>
> I can't find 6d2f9d90 anywhere. Do you have a URL?

Sorry about that (bad copy / paste). Should be 7145c654

https://github.com/j6t/git-gui/commit/7145c654fffecd1f3d4a2b8bf05755ce262903e8

> Now that this code is only about Windows, _search_exe is always ".exe".
> It would be great if we could remove it as well.

Will do for v2.

Mark
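
The PATH-only lookup described in the quoted commit message, as an added Tcl example that is not gitk's or git-gui's code. The proc names `path_only_which` and `safe_exec` are hypothetical, and trying only the `.exe` suffix is an assumption based on the remark about `_search_exe` above.

```tcl
# Added example, not gitk's implementation.
# Resolve a program name using only the directories listed in $PATH,
# in the order given, so that Tcl's Windows search (current directory and
# system directories first) never decides which binary runs.

proc path_only_which {name} {
    global env tcl_platform

    # On non-Windows platforms Tcl already searches only $PATH, in order.
    if {$tcl_platform(platform) ne "windows"} {
        return $name
    }
    # A name that already carries a directory part is not searched for.
    if {[llength [file split $name]] > 1} {
        return $name
    }
    # Assumption: only ".exe" is tried on Windows.
    if {[string tolower [file extension $name]] ne ".exe"} {
        append name .exe
    }
    foreach dir [split $env(PATH) ";"] {
        if {$dir eq ""} continue          ;# skip empty entries
        set candidate [file join $dir $name]
        if {[file isfile $candidate]} {
            # Absolute path: exec will not perform its own search.
            return [file normalize $candidate]
        }
    }
    return ""
}

# Run a program through the PATH-only lookup. The first argument is the
# program name; the remaining arguments are passed through unchanged.
proc safe_exec {args} {
    set prog [path_only_which [lindex $args 0]]
    if {$prog eq ""} {
        error "[lindex $args 0]: not found in \$PATH"
    }
    return [exec -- $prog {*}[lrange $args 1 end]]
}
```

For example, `safe_exec git rev-parse --git-dir` runs the first `git.exe` found in a `$PATH` directory even when a file of the same name sits in the current working directory.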




