set safe.directory when getting config for git-annex-shell or git remotes

Fix more breakage caused by git's fix for CVE-2022-24765, this time
involving a remote (either local or ssh) that is a repository not owned by
the current user.

Sponsored-by: Dartmouth College's DANDI project
Joey Hess 2023-09-07 14:36:16 -04:00
parent 32cb2bd3fa
commit cbfd214993
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
10 changed files with 75 additions and 4 deletions


@ -72,12 +72,19 @@ read' repo = go repo
go _ = assertLocal repo $ error "internal"
git_config addparams d = withCreateProcess p (git_config' p)
where
params = addparams ++ ["config", "--null", "--list"]
params = addparams ++ safedirparam
++ ["config", "--null", "--list"]
p = (proc "git" params)
{ cwd = Just (fromRawFilePath d)
, env = gitEnv repo
, std_out = CreatePipe
}
safedirparam = if safeDirectory repo
-- Use * rather than d, because git treats
-- "dir/" differently than "dir" when comparing for
-- safe.directory purposes.
then ["-c", "safe.directory=*"]
else []
git_config' p _ (Just hout) _ pid =
forceSuccessProcess p pid
`after`
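Review bot: The `["-c", "safe.directory=*"]` override in `safedirparam` switches off git's ownership check for every path during this invocation, while the comment beside it explains only why `*` is used instead of `d`, not why bypassing the CVE-2022-24765 protection is acceptable here. I would extend the comment along the lines of `-- This disables the ownership check for this one command only; keep it limited to reading config with "config --list", and treat values read from a repository owned by another user as untrusted.` The condition `safeDirectory repo` is defined outside this hunk, so it cannot be confirmed from here that it is set only for the remotes the commit message describes. It is also worth confirming that the minimum supported git version honours safe.directory when passed with `-c`, since as far as I recall older releases read it only from system or global config.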