On Wed, Jun 25, 2025, at 15:57, Phillip Wood wrote: > On 25/06/2025 09:53, Kristoffer Haugsbakk wrote: >> On Tue, Jun 24, 2025, at 14:59, Ondrej Pohorelsky wrote: >>> Hi, >>> >>> Our customer has found a possible issue when switching branches. >>> Output redirection character `>` is not escaped properly when >>> switching/checking out to different branch. >>> >>> Steps to reproduce: >>> 1. Create a new branch and switch back to master >>> ``` >>> $ git switch -C 'issue#1234>/tmp/dangerfile' >>> Switched to a new branch 'issue#1234>/tmp/dangerfile' >>> $ git switch master >>> ``` >> >> It’s too bad that git-check-ref-format(1) does not disallow `>`. > > It also allows `<`, `$`, `&`, `;`, `(`, `)`, `#`, `"`, `'`, '`' and `|`. > Our ref format is not designed for them to be used unquoted in the > shell. I think the problem here is with our completion script not > quoting the refname, not the format. On Wed, Jun 25, 2025, at 18:38, Junio C Hamano wrote: > "Kristoffer Haugsbakk" <kristofferhaugsbakk@xxxxxxxxxxxx> writes: > >> On Tue, Jun 24, 2025, at 14:59, Ondrej Pohorelsky wrote: >>> Hi, >>> >>> Our customer has found a possible issue when switching branches. >>> Output redirection character `>` is not escaped properly when >>> switching/checking out to different branch. >>> >>> Steps to reproduce: >>> 1. Create a new branch and switch back to master >>> ``` >>> $ git switch -C 'issue#1234>/tmp/dangerfile' >>> Switched to a new branch 'issue#1234>/tmp/dangerfile' >>> $ git switch master >>> ``` >> >> It’s too bad that git-check-ref-format(1) does not disallow `>`. > > Is it? It looks like an outright bug in the completion code, > nothing more, to me. That was an aside.
