-
Bug
-
Resolution: Unresolved
-
High
-
None
-
2.6.6
-
Git server running on a Linux server. Sourcetree on Windows.
-
Severity 3 - Minor
I attempted to close a feature branch. I added the tag that included an ampersand (CNT-421&CNTUI-123). The tag that was applied to the branch was CNT-421 as the ampersand was not escaped when running the command in Git. The ampersand was treated the same as an ampersand in Bash, which allows the command to run in the background. There is a possible security hole here as well as it may be possible to inject bash scripting after the ampersand since the shell being used to run the command may return to a usable shell after the ampersand is processed. The ampersand (and probably other characters) needs to be properly escaped when included in the tag of a branch closure.
[SRCTREEWIN-8789] Linux Git Server - Ampersand (&) in tag is not properly handled when closing a branch
Michael - I actually can't repeat the issue now.
When I had this issue, I started a new release branch using the git-flow button. I then clicked git-flow again to finish the release. I entered the tag from my description. The tag was only the text before the ampersand. I have a screenshot of the ending tag, but It doesn't look like I can paste it here. I should have saved the log at the time, but the git log showed that the tag application failed along with a error about the OS not recognizing the command.
Hi
I can't reproduce this behaviour, but I might be doing something different, could you confirm how you were adding that tag?
Tentatively tagging as 'no-cvss-required' since the issue hasn't been reproduced.