• Severity 1 - Critical

      SourceTree for Windows is affected by a command injection vulnerability in URI handling. The vulnerability can be triggered through a browser or the SourceTree interface.

      Affected versions:

      • Versions of SourceTree for Windows starting with 0.8.4b before version 2.0.20.1 are affected by this vulnerability.

      Fix:

      Acknowledgements
      We would like to credit Yu Hong for reporting this issue to us.

      For additional details see the full advisory.


            [SRCTREEWIN-7161] Command Injection (CVE-2017-8768)

            Chris F added a comment - - edited

            I also am staying on version 1.7 as I'm unable to use the UI in later versions.


            Tim - I found the same thing with the missing key being re-added.

However, what I found was it doesn't check the key value of the actual command for changes.

What I did was modify the command to not allow any parameters; this key value remains the same after restarts.

            Reg file to fix this is below.

            Can the devs confirm this will fix the issue?


            Remove-sourcetree-link.reg

            Windows Registry Editor Version 5.00
            
            [HKEY_CLASSES_ROOT\sourcetree\shell\open\command]
            @="\"C:\\Program Files (x86)\\Atlassian\\SourceTree\\SourceTree.exe\""
            

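A small audit for the remedy in the comment above, added here as an example and not code from the thread or from Atlassian: it parses a .reg export and reports whether the `sourcetree` URI handler's command still passes the clicked URI (a `%1`-style placeholder) to the executable. The two .reg texts are constructed samples; the hardened one mirrors the file posted above, the other is a typical argument-forwarding registration, not SourceTree's actual one. Removing the argument disables URI handling entirely, which is the trade-off the comment accepts.

```python
import re

# Constructed sample 1: the hardened handler from the comment (no argument placeholder)
HARDENED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\sourcetree\shell\open\command]
@="\"C:\\Program Files (x86)\\Atlassian\\SourceTree\\SourceTree.exe\""
'''

# Constructed sample 2: a typical registration that forwards the URI as "%1"
PASSTHROUGH_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\sourcetree\shell\open\command]
@="\"C:\\Program Files (x86)\\Atlassian\\SourceTree\\SourceTree.exe\" \"%1\""
'''

HANDLER_KEY = r"HKEY_CLASSES_ROOT\sourcetree\shell\open\command"
PLACEHOLDERS = ("%1", "%l", "%*")  # %L is compared lower-cased below


def unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: string_value}} for string values in a .reg export."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = re.fullmatch(r'(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(2))
            entries[current][name] = unescape(m.group(3))
    return entries


def handler_forwards_uri(command):
    """True if the shell command hands the clicked URI to the program."""
    return any(p in command.lower() for p in PLACEHOLDERS)


def audit_sourcetree_handler(reg_text):
    """Classify the sourcetree URI handler found in a .reg export."""
    command = parse_reg(reg_text).get(HANDLER_KEY, {}).get("(Default)")
    if command is None:
        return "not registered"
    return "forwards URI" if handler_forwards_uri(command) else "no argument passed"
```

On a live machine the same check applies to the output of `reg export HKCR\sourcetree`, after converting its UTF-16 text.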

            Tim Wylie added a comment -

            I can't see that option in 1.7.0.32509 (Windows) but I appreciate it's an older version so the option might not be available. Thanks again!


            minnsey added a comment -

            sourcetree79

You should uncheck "Use this version of SourceTree for URI association" in the Tools/Options/General tab in SourceTree; this will prevent the registry setting from being recreated.

Alternatively, toggling the same checkbox off/on in v2.0.20.1 will reset the URI association to use v2.0.20.1.

            Tim Wylie added a comment - - edited

            Thanks Michael!

            For anyone in the same situation, I think the only action required to disable the protocol is to remove this registry key (if it exists):

            HKEY_CLASSES_ROOT\sourcetree

            Edit: when the program launches it re-adds the registry entry...I disabled it by restricting permissions on the key. I can't find anything in options to turn this off, have I missed something?


            Adam Gaca added a comment -

            @Michael Thanks for the info. However, rebooting didn't help, I had to remove it from the registry as you suggested.


            minnsey added a comment -

sourcetree79 If the protocol is not registered, then you should be protected. However, it is also advisable to update to Git v2.12.0 at least, as the 'ext::' protocol is blacklisted by default.

            minnsey added a comment -

            matthias.pohl2058819109

            Please see https://nvd.nist.gov/vuln/detail/CVE-2017-8768

The fix in SourceTree is to block processing of remote URLs that use the 'ext::', 'fd::' and 'testgit::' protocols.
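To make the blocked-protocol rule concrete, here is an added example (my own approximation, not SourceTree's or git's code) that classifies a remote URL the way git dispatches it: a leading `<name>::` selects a `git-remote-<name>` helper, `<name>://` is a URL scheme, and anything else is a path or scp-style remote. Helper names are compared case-insensitively, which is stricter than the comment requires; the sample URLs are constructed.

```python
import re

# Remote helpers the comment above says the fix refuses; git 2.12+ also
# disables ext:: by default (protocol.ext.allow)
BLOCKED_HELPERS = {"ext", "fd", "testgit"}

# git treats a leading run of URL-scheme characters followed by "::" as a helper name
_HELPER_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*)::")
_SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*)://")


def remote_transport(url):
    """Classify a remote URL.

    Returns ("helper", name) for <name>::<address>,
            ("scheme", name) for <name>://...,
            ("path", None)   for local paths and scp-style user@host:path remotes.
    """
    url = url.strip()
    m = _HELPER_RE.match(url)
    if m:
        return ("helper", m.group(1).lower())
    m = _SCHEME_RE.match(url)
    if m:
        return ("scheme", m.group(1).lower())
    return ("path", None)


def is_blocked_remote(url):
    """True if the remote would invoke one of the refused helpers."""
    kind, name = remote_transport(url)
    return kind == "helper" and name in BLOCKED_HELPERS


def filter_remotes(urls):
    """Split a list of candidate remotes into (accepted, refused) lists."""
    accepted = [u for u in urls if not is_blocked_remote(u)]
    refused = [u for u in urls if is_blocked_remote(u)]
    return accepted, refused
```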

            minnsey added a comment -

            Hi adam.gaca

No, that is not evidence of your system being hacked. We changed the installer technology used by SourceTree and unfortunately it copied the developer information rather than the Company information. SourceTree is still signed by Atlassian; you can check by right clicking on SourceTree.exe and checking the Digital Signatures tab. Apologies for any confusion; we will fix that going forward.

With respect to the popup reporting older versions, it checks registry entries for evidence of older versions; it may be that you require a reboot.

For what it is worth, the registry sub keys it looks in are as follows:

                    64 Bit = "SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall";
                    32 Bit = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall";
            

and entries where the DisplayName = SourceTree.

            Adam Gaca added a comment -

            After the upgrade on Windows, every time I start SourceTree, the following dialog appears, though the previous version is removed and the path doesn't even exist:


            Moreover, when I check what's actually installed, it doesn't look like an Atlassian app:

            The installer was downloaded from https://www.sourcetreeapp.com/ (with Atlassian as the publisher)!

            Is this the official Atlassian site: https://bitbucket.org/atlassian/ ?

            Please explain this. Is my system already hacked?


            Matti P added a comment -

Since you broke power users' workflow with the 2.x version (https://jira.atlassian.com/browse/SRCTREEWIN-7176), additional detailed information on which features of the old version are affected and how to avoid triggering it would be highly appreciated.
