- Bug
- Resolution: Unresolved
- High
- None
- 2.6.6
- Git server running on a Linux server. Sourcetree on Windows.
- Severity 3 - Minor
I attempted to close a feature branch. I added the tag that included an ampersand (CNT-421&CNTUI-123). The tag that was applied to the branch was CNT-421, as the ampersand was not escaped when running the command in Git. The ampersand was treated the same as an ampersand in Bash, which allows the command to run in the background. There is a possible security hole here as well, as it may be possible to inject Bash scripting after the ampersand, since the shell being used to run the command may return to a usable shell after the ampersand is processed. The ampersand (and probably other characters) needs to be properly escaped when included in the tag of a branch closure.
[SRCTREEWIN-8789] Linux Git Server - Ampersand (&) in tag is not properly handled when closing a branch
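The truncation described in the report can be reproduced offline. This is an added example, not code from Sourcetree or from the report: it assumes a POSIX `sh`, and a small Python child process (`_ECHO_ARGS`, a hypothetical stand-in) takes the place of `git tag`, because the page does not show the command Sourcetree actually runs.

```python
import shlex
import subprocess
import sys

# Constructed sample: the tag name quoted in the report.
TAG = "CNT-421&CNTUI-123"

# Stand-in for `git tag <name>` (assumption): prints every argument it
# actually received, one per line, so we can see what the tool was given.
_ECHO_ARGS = [sys.executable, "-c", "import sys; print(*sys.argv[1:], sep=chr(10))"]
_BASE = " ".join(shlex.quote(part) for part in _ECHO_ARGS)


def tag_via_shell_string(tag):
    """Weak pattern: the tag is pasted into a command line parsed by sh.

    '&' ends the command and backgrounds it; the text after it is then
    parsed by the shell as a second command.
    """
    proc = subprocess.run(_BASE + " " + tag, shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def tag_via_quoted_shell_string(tag):
    """If a shell cannot be avoided, quote the value for POSIX sh."""
    proc = subprocess.run(_BASE + " " + shlex.quote(tag), shell=True,
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def tag_via_argv(tag):
    """Preferred: no shell at all; the tag is exactly one argv element."""
    proc = subprocess.run(_ECHO_ARGS + [tag],
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    print("shell string :", tag_via_shell_string(TAG))
    print("quoted string:", tag_via_quoted_shell_string(TAG))
    print("argv list    :", tag_via_argv(TAG))
```

Only the first function loses the part after the ampersand, which matches the `CNT-421` tag the reporter saw applied.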
Labels | Original: no-cvss-required security tag | New: dmb-legacy-jac-none no-cvss-required security tag |
Workflow | Original: JAC Bug Workflow v3 [ 3448692 ] | New: SRCTREE JAC Bug Workflow [ 3738230 ] |
Workflow | Original: SourceTree Bug Workflow [ 2693393 ] | New: JAC Bug Workflow v3 [ 3448692 ] |
Status | Original: Needs Verification [ 10004 ] | New: Needs Triage [ 10030 ] |
Labels | Original: security tag | New: no-cvss-required security tag |
Status | Original: Open [ 1 ] | New: Needs Verification [ 10004 ] |
Labels | New: security tag |