git/gitk-git
Johannes Schindelin 5276fbd6c2 gitk(Windows): avoid inadvertently calling executables in the worktree
Just like CVE-2022-41953 for Git GUI, there exists a vulnerability of
`gitk` where it looks for `taskkill.exe` in the current directory before
searching `PATH`.

Note that the many `exec git` calls are unaffected, due to an obscure
quirk in Tcl's `exec` function. Typically, `git.exe` lives next to
`wish.exe` (i.e. the program that is run to execute `gitk` or Git GUI)
in Git for Windows, and that is the saving grace for `git.exe` because
`exec` searches the directory where `wish.exe` lives even before the
current directory, according to
https://www.tcl-lang.org/man/tcl/TclCmd/exec.htm#M24:

	If a directory name was not specified as part of the application
	name, the following directories are automatically searched in
	order when attempting to locate the application:

	    The directory from which the Tcl executable was loaded.

	    The current directory.

	    The Windows 32-bit system directory.

	    The Windows home directory.

	    The directories listed in the path.

The same is not true, however, for `taskkill.exe`: it lives in the
Windows system directory (never mind the 32-bit, Tcl's documentation is
outdated on that point, it really means `C:\Windows\system32`).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2024-04-29 21:47:12 +02:00
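One way to close the search-order hole described in the message, as an added illustration that is not gitk's code and not the change made by this commit: build the absolute path of the system tool yourself and hand that to `exec`, since the quoted manual text only applies the directory search "if a directory name was not specified as part of the application name". It assumes Tcl running on Windows, where `$env(SystemRoot)` names the Windows directory (for example `C:\Windows`); the procedure names `system_tool_path` and `kill_process_tree` are hypothetical.

```tcl
# Added example, not part of gitk: resolve a Windows system tool to an
# absolute path before calling exec, so Tcl never walks its search list
# (Tcl's own directory, the current directory, the system directory, ...)
# and a taskkill.exe planted in the worktree is never picked up.
#
# Assumptions: Tcl on Windows; $env(SystemRoot) is the Windows directory.
# The procedure names below are hypothetical.

proc system_tool_path {name} {
    global env
    if {![info exists env(SystemRoot)]} {
        error "SystemRoot is not set; refusing to search for $name"
    }
    # With a directory in the application name, exec skips its search
    # entirely, so the current directory is never consulted.
    set path [file join $env(SystemRoot) System32 $name]
    if {![file isfile $path]} {
        error "$name not found in the Windows system directory ($path)"
    }
    return [file nativename $path]
}

proc kill_process_tree {pid} {
    # Unsafe form for comparison:  exec taskkill.exe /PID $pid /T /F
    # Tcl would look in the current directory before System32.
    set taskkill [system_tool_path taskkill.exe]
    exec $taskkill /PID $pid /T /F
}
```

Two caveats on the assumption. A 32-bit `wish.exe` on 64-bit Windows has `System32` redirected to `SysWOW64` by the file-system redirector, which also ships `taskkill.exe`, so the resolved path still works. And the same idea extends to `git.exe`, which the message notes is only safe because it lives next to `wish.exe`: `[file dirname [info nameofexecutable]]` gives that directory explicitly instead of relying on the first entry of the search list.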
po Merge gitk to pick up emergency build fix 2019-09-17 14:59:18 -07:00
.gitignore Merge git://ozlabs.org/~paulus/gitk 2013-01-30 13:52:44 -08:00
Makefile Makefile(s): avoid recipe prefix in conditional statements 2024-04-08 14:42:32 -07:00
gitk gitk(Windows): avoid inadvertently calling executables in the worktree 2024-04-29 21:47:12 +02:00