website/blog/1-17-3-git-security/index.html

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width" />
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" />
    <link rel="manifest" href="/site.webmanifest" />
    <link rel="me" href="https://pouet.chapril.org/@gna" />
    <link rel="stylesheet" href="https://gna.org/main.css" />
    <link
      rel="stylesheet"
      media="screen and (max-width: 1300px)"
      href="https://gna.org/mobile.css"
    />

	<meta name="referrer" content="no-referrer-when-downgrade" />
	<meta name="viewport" content="width=device-width, initial-scale=1" />

    
    <link rel="stylesheet" href="https://gna.org/main.css" />
    <link
      rel="stylesheet"
      media="screen and (max-width: 1300px)"
      href="https://gna.org/mobile.css"
    />

    <meta name="referrer" content="no-referrer-when-downgrade" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />

    <title>[security] Gitea &lt; 1.17.3 git option injection explained | Gna!: Managed Forgejo Hosting </title>
    <meta name="referrer" content="no-referrer-when-downgrade" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />

    <meta name="description" content="Prior to Gitea 1.17.3 the web interface that displays the commit graph could be used to inject git options used by the Gitea server." />
    

    <meta property="og:title" content="[security] Gitea &lt; 1.17.3 git option injection explained | Gna!: Managed Forgejo Hosting " />
    <meta property="og:type" content="article" />
    <meta property="og:url" content="https:&#x2F;&#x2F;gna.org" />

    <meta property="og:description" content="Prior to Gitea 1.17.3 the web interface that displays the commit graph could be used to inject git options used by the Gitea server." />
    <meta
      property="og:site_name"
      content="[security] Gitea &lt; 1.17.3 git option injection explained | Gna!: Managed Forgejo Hosting "
    />
  <link
    rel="apple-touch-icon"
    sizes="57x57"
    href="https://gna.org/apple-icon-57x57.png?h=c21de14cfdf862a6472ae977557fa048a7c36d39337e61d3274705e9bd8e857f"
  />
  <link
    rel="apple-touch-icon"
    sizes="60x60"
    href="https://gna.org/apple-icon-60x60.png?h=67089d9025a52d0d1ddce450078c7acefe2c150a2427dec9f5e13c6314f74281"
  />
  <link
    rel="apple-touch-icon"
    sizes="72x72"
    href="https://gna.org/apple-icon-72x72.png?h=70725943de8884804f9da28202ced0ad6fed483ae9cf8f6d874aa133e30cb693"
  />
  <link
    rel="apple-touch-icon"
    sizes="76x76"
    href="https://gna.org/apple-icon-76x76.png?h=1e6e8072df3b21bdcea254a42aac6e993611e845f91ddd79f6f35a6c441710a5"
  />
  <link
    rel="apple-touch-icon"
    sizes="114x114"
    href="https://gna.org/apple-icon-114x114.png?h=c20099f8190ed3962fab5726c5594857a871cdb3ee98439343c622cd3727fed6"
  />
  <link
    rel="apple-touch-icon"
    sizes="120x120"
    href="https://gna.org/apple-icon-120x120.png?h=4df78e402e60b58c6d44764678bdd737b5b6a836aeb85fb75fa49f706f7e8c81"
  />
  <link
    rel="apple-touch-icon"
    sizes="144x144"
    href="https://gna.org/apple-icon-144x144.png?h=0c44e6655d714f89ee95cc151032d1f0dc3204bd24d1ca2ee9d94692d4ede84d"
  />
  <link
    rel="apple-touch-icon"
    sizes="152x152"
    href="https://gna.org/apple-icon-152x152.png?h=157918f883ff95d4eeb6452d0ebb61ca5e21ea0dcac1aefe825f3e2f3999052f"
  />
  <link
    rel="apple-touch-icon"
    sizes="180x180"
    href="https://gna.org/apple-icon-180x180.png?h=7d5c16d379b7db6d8ea5aae64921d7162b84f543763acd8fc7c107f80a600213"
  />
  <link
    rel="icon"
    type="image/png"
    sizes="192x192"
    href="https://gna.org/android-icon-192x192.png?h=095e3835b082dba07f606c33fa6f71bcd671a71e987b0ab2e46dcddceef52b9c"
  />
  <link
    rel="icon"
    type="image/png"
    sizes="32x32"
    href="https://gna.org/favicon-32x32.png?h=1bf54bf111572b1d1639192b5360ee4345f702e563aa71bb66610a95a7290437"
  />
  <link
    rel="icon"
    type="image/png"
    sizes="96x96"
    href="https://gna.org/favicon-96x96.png?h=5a6ed96c09f5055526e3b236867a1272a26f7ba957d48b267bccd51ef0845fbe"
  />
  <link
    rel="icon"
    type="image/png"
    sizes="16x16"
    href="https://gna.org/favicon-16x16.png?h=1e5fa59ae78516055f662e40bb2599dc3828a7adb34567e9d8d2cfcaa6b7aa5f"
  />
  <link
    rel="manifest"
    href="https://gna.org/manifest.json?h=27eca3e8297eb7ff340deb3849b210185a459b3845456aa4d0036f6d966b3518"
  />
  <meta name="msapplication-TileColor" content="#ffffff" />
  <meta
    name="msapplication-TileImage"
    content="https://gna.org/ms-icon-144x144.png?h=8170ab51b871b84b8f98bd03cf441afdffb2998b7dfffb04abb7ebf5deeb1f94"
  />
  <meta name="theme-color" content="#ffffff" />


  </head>


  </head>
  <body class="base">
    <header>
      <nav class="nav__container">
  <input type="checkbox" class="nav__toggle" id="nav__toggle" />

  <div class="nav__header">
    <a class="nav__logo-container" href="/">

      <img src="https://gna.org/gna-logo-rectangle-48px.png?h=ba9eab043277265f94c51b87d5e14f9ca35789403ecb8afc9bd1e33b13c6a2a5" alt="Gna!"/>
    </a>
    <label class="nav__hamburger-menu" for="nav__toggle">
      <span class="nav__hamburger-inner"></span>
    </label>
  </div>
  <div class="nav__spacer--small"></div>
  <div class="nav__link-group">
    
  <div class="nav__link-container">
    <a class="nav__link" rel="noreferrer" href="&#x2F;about&#x2F;">About</a>
  </div>

    
  <div class="nav__link-container">
    <a class="nav__link" rel="noreferrer" href="&#x2F;blog&#x2F;">Blog</a>
  </div>

    
  <div class="nav__link-container">
    <a class="nav__link" rel="noreferrer" href="https:&#x2F;&#x2F;matrix.to&#x2F;#&#x2F;#gna:matrix.batsense.net">Chat</a>
  </div>

    
  <div class="nav__link-container">
    <a class="nav__link" rel="noreferrer" href="&#x2F;forgejo-clinic&#x2F;">Clinic</a>
  </div>

    
  <div class="nav__link-container">
    <a class="nav__link" rel="noreferrer" href="https:&#x2F;&#x2F;forum.gna.org">Forum</a>
  </div>

    
  <div class="nav__link-container">
    <a class="nav__link" rel="noreferrer" href="https:&#x2F;&#x2F;pouet.chapril.org&#x2F;@gna">Mastodon</a>
  </div>

  </div>
  <div class="nav__spacer"></div>
  <div class="nav__link-group--small">
    
  <div class="nav__link-container">
    <a class="nav__link" rel="noreferrer" href="https:&#x2F;&#x2F;hosteadashboard.gna.org&#x2F;login&#x2F;">Login</a>
  </div>

    
  <div class="nav__link-container--action">
    <a class="nav__link" rel="noreferrer" href="https:&#x2F;&#x2F;hosteadashboard.gna.org&#x2F;register&#x2F;">Join</a>
  </div>

  </div>
</nav>

    </header>
    <!-- See ../sass/main.scss. Required for pushing footer to the very 
      bottom of the page -->
    <div class="main__content-container">
      <main>
        

<div class="page__container">
  <h1 class="page__group-title">[security] Gitea &lt; 1.17.3 git option injection explained</h1>
   <p class="blog__post-meta"> 
 
  
        <a href="https:&#x2F;&#x2F;dachary.org" class="post__author">Loïc Dachary</a>
      
  
 &middot; 17 
	 October
	
,
  2022 &middot; <b>2 min read</b>
 </p>


  <div class="blog__content">
    <p><a href="https://pouet.chapril.org/@gna/109176306611564720">Gitea 1.17.3</a> includes a <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/commit/d98c5db58fdeded983bf5c0fe781fd7b77a1235f">security patch</a> that prevents the injection of arguments to the git command run by Gitea.</p>
<p>When displaying the commit graph <a href="https://gitea.gna.org/Gna/organization/graph?branch=refs%2Fheads%2Fmaster">for the master branch</a>, the URL contains the argument <strong>refs%2Fheads%2Fmaster</strong> that is passed to the <code>git</code> command with something like:</p>
<pre data-lang="shell" style="background-color:#2b303b;color:#c0c5ce;" class="language-shell "><code class="language-shell" data-lang="shell"><span>git log --graph refs/head/master
</span></code></pre>
<p>If, by accident or maliciously, the branch name starts with a dash, it would be mistaken to be a <code>git</code> argument instead of a branch name. For instance <strong>-h</strong> could be passed  to the <code>git</code> command as:</p>
<pre data-lang="shell" style="background-color:#2b303b;color:#c0c5ce;" class="language-shell "><code class="language-shell" data-lang="shell"><span>git log --graph -h
</span></code></pre>
<p>In reality the <code>rev-list</code> command is called before <code>log</code> and in Gitea 1.17.2 the debug output will show something like:</p>
<pre style="background-color:#2b303b;color:#c0c5ce;"><code><span>2022/10/17 07:17:17 ...s/web/repo/commit.go:124:Graph() [W] [634d017d] GetCommitGraphsCount error for generate graph exclude prs: false branches: [-h] in 1:root/test, Will Ignore branches and try again. Underlying Error: exit status 129 - usage: git rev-list [&lt;options&gt;] &lt;commit-id&gt;... [-- &lt;path&gt;...]
</span><span>...
</span></code></pre>
<p>In Gitea 1.17.3 when the same command is run, the option is discarded and the debug output shows something like:</p>
<pre style="background-color:#2b303b;color:#c0c5ce;"><code><span>2022/10/17 07:25:05 ...dules/git/command.go:166:Run() [E] [634d0351] git command is broken: /usr/bin/git -c protocol.version=2 -c uploadpack.allowfilter=true -c uploadpack.allowAnySHA1InWant=true -c credential.helper= rev-list --count, broken args: -h
</span><span>2022/10/17 07:25:05 ...s/web/repo/commit.go:124:Graph() [W] [634d0351] GetCommitGraphsCount error for generate graph exclude prs: false branches: [-h] in 1:root/test, Will Ignore branches and try again. Underlying Error: git command is broken
</span></code></pre>

  </div>
  <br>
  <br>
  <div class="blog__post-tag-container">
     
       <a class="blog__post-tag" href="/tags/gna">#gna</a>
     
       <a class="blog__post-tag" href="/tags/gitea">#gitea</a>
     
       <a class="blog__post-tag" href="/tags/security">#security</a>
     
       <a class="blog__post-tag" href="/tags/problem">#problem</a>
     
       <a class="blog__post-tag" href="/tags/upgrade">#upgrade</a>
     
       <a class="blog__post-tag" href="/tags/solution">#solution</a>
     
  </div>

</div>


      </main>
      <footer>
  <div class="footer__container">
    <!--    <div class="footer__column"> --->
      <p class="footer__column license__conatiner">
        All text <a
          class="license__link"
          rel="noreferrer"
          href="http://creativecommons.org/licenses/by-sa/4.0/"
          target="_blank"
          >&nbsp;CC-BY-SA&nbsp;</a
        >
        &amp; code
        <a
          class="license__link"
          rel="noreferrer"
          href="https://www.gnu.org/licenses/agpl-3.0.en.html"
          target="_blank"
          >&nbsp;AGPL&nbsp;</a
        >
        |
        <a
          class="license__link"
          rel="noreferrer"
          href="https://www.eff.org/issues/do-not-track/amp/"
          target="_blank"
          >&nbsp;No AMP&nbsp;</a
        >
      </p>
<!--    </div> -->
    <div class="footer__column--center">
      <a href="/blog/atom.xml" target="_blank" rel="noopener" title="RSS">
        <img
          src="https://gna.org/icons/rss.svg?h=f6cd584bdbcd2eb4d1b8b84c9cf083ef45f772167c33fdcee754b35ae8ff4c7d"
          class="footer__icon"
          alt="Email icon"
        />
      </a>
    </div>
    <div class="footer__column">
      <a href="/about" title="About">About</a>
      <a href="/coc" title="Code of Conduct">CoC</a>
      <span class="footer__column-divider--mobile-only">|</span>
      <a href="/legalese" title="Legalese">Legalese</a>
      <a href="/privacy-policy" title="Privacy Policy">Privacy</a>
      <span class="footer__column-divider--mobile-only">|</span>
      <a
        href="https://forgejo.gna.org/Gna"
        rel="noreferrer"
        target="_blank"
        title="Status"
        >Source Code</a
      >
      <a href="/tos" title="Terms of Service">ToS</a>
    </div>
  </div>
</footer>

    </div>
  </body>
</html>
new deploy: 2022-10-17T07:34:40+00:00 2022-10-17 07:34:40 +00:00			`<!DOCTYPE html>`
			`<html lang="en">`
			`<head>`
			`<meta charset="UTF-8" />`
			`<meta name="viewport" content="width=device-width" />`
			`<link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />`
			`<link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />`
			`<link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" />`
			`<link rel="manifest" href="/site.webmanifest" />`
			`<link rel="me" href="https://pouet.chapril.org/@gna" />`
			`<link rel="stylesheet" href="https://gna.org/main.css" />`
			`<link`
			`rel="stylesheet"`
			`media="screen and (max-width: 1300px)"`
			`href="https://gna.org/mobile.css"`
			`/>`

			`<meta name="referrer" content="no-referrer-when-downgrade" />`
			`<meta name="viewport" content="width=device-width, initial-scale=1" />`







			`<link rel="stylesheet" href="https://gna.org/main.css" />`
			`<link`
			`rel="stylesheet"`
			`media="screen and (max-width: 1300px)"`
			`href="https://gna.org/mobile.css"`
			`/>`

			`<meta name="referrer" content="no-referrer-when-downgrade" />`
			`<meta name="viewport" content="width=device-width, initial-scale=1" />`

new deploy: 2023-01-09T09:59:43+00:00 2023-01-09 09:59:43 +00:00			`<title>[security] Gitea < 1.17.3 git option injection explained \| Gna!: Managed Forgejo Hosting </title>`
new deploy: 2022-10-17T07:34:40+00:00 2022-10-17 07:34:40 +00:00			`<meta name="referrer" content="no-referrer-when-downgrade" />`
			`<meta name="viewport" content="width=device-width, initial-scale=1" />`

new deploy: 2022-10-19T15:31:50+00:00 2022-10-19 15:31:50 +00:00			`<meta name="description" content="Prior to Gitea 1.17.3 the web interface that displays the commit graph could be used to inject git options used by the Gitea server." />`
new deploy: 2022-10-17T07:34:40+00:00 2022-10-17 07:34:40 +00:00

new deploy: 2023-01-09T09:59:43+00:00 2023-01-09 09:59:43 +00:00			`<meta property="og:title" content="[security] Gitea < 1.17.3 git option injection explained \| Gna!: Managed Forgejo Hosting " />`
new deploy: 2022-10-17T07:34:40+00:00 2022-10-17 07:34:40 +00:00			`<meta property="og:type" content="article" />`
			`<meta property="og:url" content="https://gna.org" />`

new deploy: 2022-10-19T15:31:50+00:00 2022-10-19 15:31:50 +00:00			`<meta property="og:description" content="Prior to Gitea 1.17.3 the web interface that displays the commit graph could be used to inject git options used by the Gitea server." />`
new deploy: 2022-10-17T07:34:40+00:00 2022-10-17 07:34:40 +00:00			`<meta`
			`property="og:site_name"`
new deploy: 2023-01-09T09:59:43+00:00 2023-01-09 09:59:43 +00:00			`content="[security] Gitea < 1.17.3 git option injection explained \| Gna!: Managed Forgejo Hosting "`
new deploy: 2022-10-17T07:34:40+00:00 2022-10-17 07:34:40 +00:00			`/>`
			`<link`
			`rel="apple-touch-icon"`
			`sizes="57x57"`
			`href="https://gna.org/apple-icon-57x57.png?h=c21de14cfdf862a6472ae977557fa048a7c36d39337e61d3274705e9bd8e857f"`
			`/>`
			`<link`
			`rel="apple-touch-icon"`
			`sizes="60x60"`
			`href="https://gna.org/apple-icon-60x60.png?h=67089d9025a52d0d1ddce450078c7acefe2c150a2427dec9f5e13c6314f74281"`
			`/>`
			`<link`
			`rel="apple-touch-icon"`
			`sizes="72x72"`
			`href="https://gna.org/apple-icon-72x72.png?h=70725943de8884804f9da28202ced0ad6fed483ae9cf8f6d874aa133e30cb693"`
			`/>`
			`<link`
			`rel="apple-touch-icon"`
			`sizes="76x76"`
			`href="https://gna.org/apple-icon-76x76.png?h=1e6e8072df3b21bdcea254a42aac6e993611e845f91ddd79f6f35a6c441710a5"`
			`/>`
			`<link`
			`rel="apple-touch-icon"`
			`sizes="114x114"`
			`href="https://gna.org/apple-icon-114x114.png?h=c20099f8190ed3962fab5726c5594857a871cdb3ee98439343c622cd3727fed6"`
			`/>`
			`<link`
			`rel="apple-touch-icon"`
			`sizes="120x120"`
			`href="https://gna.org/apple-icon-120x120.png?h=4df78e402e60b58c6d44764678bdd737b5b6a836aeb85fb75fa49f706f7e8c81"`
			`/>`
			`<link`
			`rel="apple-touch-icon"`
			`sizes="144x144"`
			`href="https://gna.org/apple-icon-144x144.png?h=0c44e6655d714f89ee95cc151032d1f0dc3204bd24d1ca2ee9d94692d4ede84d"`
			`/>`
			`<link`
			`rel="apple-touch-icon"`
			`sizes="152x152"`
			`href="https://gna.org/apple-icon-152x152.png?h=157918f883ff95d4eeb6452d0ebb61ca5e21ea0dcac1aefe825f3e2f3999052f"`
			`/>`
			`<link`
			`rel="apple-touch-icon"`
			`sizes="180x180"`
			`href="https://gna.org/apple-icon-180x180.png?h=7d5c16d379b7db6d8ea5aae64921d7162b84f543763acd8fc7c107f80a600213"`
			`/>`
			`<link`
			`rel="icon"`
			`type="image/png"`
			`sizes="192x192"`
			`href="https://gna.org/android-icon-192x192.png?h=095e3835b082dba07f606c33fa6f71bcd671a71e987b0ab2e46dcddceef52b9c"`
			`/>`
			`<link`
			`rel="icon"`
			`type="image/png"`
			`sizes="32x32"`
			`href="https://gna.org/favicon-32x32.png?h=1bf54bf111572b1d1639192b5360ee4345f702e563aa71bb66610a95a7290437"`
			`/>`
			`<link`
			`rel="icon"`
			`type="image/png"`
			`sizes="96x96"`
			`href="https://gna.org/favicon-96x96.png?h=5a6ed96c09f5055526e3b236867a1272a26f7ba957d48b267bccd51ef0845fbe"`
			`/>`
			`<link`
			`rel="icon"`
			`type="image/png"`
			`sizes="16x16"`
			`href="https://gna.org/favicon-16x16.png?h=1e5fa59ae78516055f662e40bb2599dc3828a7adb34567e9d8d2cfcaa6b7aa5f"`
			`/>`
			`<link`
			`rel="manifest"`
			`href="https://gna.org/manifest.json?h=27eca3e8297eb7ff340deb3849b210185a459b3845456aa4d0036f6d966b3518"`
			`/>`
			`<meta name="msapplication-TileColor" content="#ffffff" />`
			`<meta`
			`name="msapplication-TileImage"`
			`content="https://gna.org/ms-icon-144x144.png?h=8170ab51b871b84b8f98bd03cf441afdffb2998b7dfffb04abb7ebf5deeb1f94"`
			`/>`
			`<meta name="theme-color" content="#ffffff" />`


			`</head>`




			`</head>`
			`<body class="base">`
			`<header>`
			`<nav class="nav__container">`
			`<input type="checkbox" class="nav__toggle" id="nav__toggle" />`

			`<div class="nav__header">`
			`<a class="nav__logo-container" href="/">`

			`<img src="https://gna.org/gna-logo-rectangle-48px.png?h=ba9eab043277265f94c51b87d5e14f9ca35789403ecb8afc9bd1e33b13c6a2a5" alt="Gna!"/>`
			`</a>`
			`<label class="nav__hamburger-menu" for="nav__toggle">`
			`<span class="nav__hamburger-inner"></span>`
			`</label>`
			`</div>`
			`<div class="nav__spacer--small"></div>`
			`<div class="nav__link-group">`

			`<div class="nav__link-container">`
			`<a class="nav__link" rel="noreferrer" href="/about/">About</a>`
			`</div>`


			`<div class="nav__link-container">`
			`<a class="nav__link" rel="noreferrer" href="/blog/">Blog</a>`
			`</div>`


			`<div class="nav__link-container">`
			`<a class="nav__link" rel="noreferrer" href="https://matrix.to/#/#gna:matrix.batsense.net">Chat</a>`
			`</div>`


			`<div class="nav__link-container">`
new deploy: 2023-01-09T09:59:43+00:00 2023-01-09 09:59:43 +00:00			`<a class="nav__link" rel="noreferrer" href="/forgejo-clinic/">Clinic</a>`
new deploy: 2022-10-17T07:34:40+00:00 2022-10-17 07:34:40 +00:00			`</div>`


			`<div class="nav__link-container">`
			`<a class="nav__link" rel="noreferrer" href="https://forum.gna.org">Forum</a>`
			`</div>`


			`<div class="nav__link-container">`
			`<a class="nav__link" rel="noreferrer" href="https://pouet.chapril.org/@gna">Mastodon</a>`
			`</div>`

			`</div>`
			`<div class="nav__spacer"></div>`
			`<div class="nav__link-group--small">`

			`<div class="nav__link-container">`
			`<a class="nav__link" rel="noreferrer" href="https://hosteadashboard.gna.org/login/">Login</a>`
			`</div>`


			`<div class="nav__link-container--action">`
			`<a class="nav__link" rel="noreferrer" href="https://hosteadashboard.gna.org/register/">Join</a>`
			`</div>`

			`</div>`
			`</nav>`

			`</header>`
			`<!-- See ../sass/main.scss. Required for pushing footer to the very`
			`bottom of the page -->`
			`<div class="main__content-container">`
			`<main>`


			`<div class="page__container">`
			`<h1 class="page__group-title">[security] Gitea < 1.17.3 git option injection explained</h1>`
			`<p class="blog__post-meta">`



			`<a href="https://dachary.org" class="post__author">Loïc Dachary</a>`




			`· 17`
			`October`

			`,`
			`2022 · <b>2 min read</b>`
			`</p>`


			`<div class="blog__content">`
			`<p><a href="https://pouet.chapril.org/@gna/109176306611564720">Gitea 1.17.3</a> includes a <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/commit/d98c5db58fdeded983bf5c0fe781fd7b77a1235f">security patch</a> that prevents the injection of arguments to the git command run by Gitea.</p>`
			`<p>When displaying the commit graph <a href="https://gitea.gna.org/Gna/organization/graph?branch=refs%2Fheads%2Fmaster">for the master branch</a>, the URL contains the argument <strong>refs%2Fheads%2Fmaster</strong> that is passed to the <code>git</code> command with something like:</p>`
			`<pre data-lang="shell" style="background-color:#2b303b;color:#c0c5ce;" class="language-shell "><code class="language-shell" data-lang="shell"><span>git log --graph refs/head/master`
			`</span></code></pre>`
new deploy: 2022-10-17T09:10:37+00:00 2022-10-17 09:10:37 +00:00			`<p>If, by accident or maliciously, the branch name starts with a dash, it would be mistaken to be a <code>git</code> argument instead of a branch name. For instance <strong>-h</strong> could be passed to the <code>git</code> command as:</p>`
new deploy: 2022-10-17T07:34:40+00:00 2022-10-17 07:34:40 +00:00			`<pre data-lang="shell" style="background-color:#2b303b;color:#c0c5ce;" class="language-shell "><code class="language-shell" data-lang="shell"><span>git log --graph -h`
			`</span></code></pre>`
			`<p>In reality the <code>rev-list</code> command is called before <code>log</code> and in Gitea 1.17.2 the debug output will show something like:</p>`
			`<pre style="background-color:#2b303b;color:#c0c5ce;"><code><span>2022/10/17 07:17:17 ...s/web/repo/commit.go:124:Graph() [W] [634d017d] GetCommitGraphsCount error for generate graph exclude prs: false branches: [-h] in 1:root/test, Will Ignore branches and try again. Underlying Error: exit status 129 - usage: git rev-list [<options>] <commit-id>... [-- <path>...]`
			`</span><span>...`
			`</span></code></pre>`
			`<p>In Gitea 1.17.3 when the same command is run, the option is discarded and the debug output shows something like:</p>`
			`<pre style="background-color:#2b303b;color:#c0c5ce;"><code><span>2022/10/17 07:25:05 ...dules/git/command.go:166:Run() [E] [634d0351] git command is broken: /usr/bin/git -c protocol.version=2 -c uploadpack.allowfilter=true -c uploadpack.allowAnySHA1InWant=true -c credential.helper= rev-list --count, broken args: -h`
			`</span><span>2022/10/17 07:25:05 ...s/web/repo/commit.go:124:Graph() [W] [634d0351] GetCommitGraphsCount error for generate graph exclude prs: false branches: [-h] in 1:root/test, Will Ignore branches and try again. Underlying Error: git command is broken`
			`</span></code></pre>`

			`</div>`
			`<br>`
			`<br>`
			`<div class="blog__post-tag-container">`

			`<a class="blog__post-tag" href="/tags/gna">#gna</a>`

			`<a class="blog__post-tag" href="/tags/gitea">#gitea</a>`

			`<a class="blog__post-tag" href="/tags/security">#security</a>`

			`<a class="blog__post-tag" href="/tags/problem">#problem</a>`

			`<a class="blog__post-tag" href="/tags/upgrade">#upgrade</a>`

			`<a class="blog__post-tag" href="/tags/solution">#solution</a>`

			`</div>`

			`</div>`


			`</main>`
			`<footer>`
			`<div class="footer__container">`
			`<!-- <div class="footer__column"> --->`
			`<p class="footer__column license__conatiner">`
			`All text <a`
			`class="license__link"`
			`rel="noreferrer"`
			`href="http://creativecommons.org/licenses/by-sa/4.0/"`
			`target="_blank"`
			`> CC-BY-SA </a`
			`>`
			`& code`
			`<a`
			`class="license__link"`
			`rel="noreferrer"`
			`href="https://www.gnu.org/licenses/agpl-3.0.en.html"`
			`target="_blank"`
			`> AGPL </a`
			`>`
			`\|`
			`<a`
			`class="license__link"`
			`rel="noreferrer"`
			`href="https://www.eff.org/issues/do-not-track/amp/"`
			`target="_blank"`
			`> No AMP </a`
			`>`
			`</p>`
			`<!-- </div> -->`
			`<div class="footer__column--center">`
			`<a href="/blog/atom.xml" target="_blank" rel="noopener" title="RSS">`
			`<img`
			`src="https://gna.org/icons/rss.svg?h=f6cd584bdbcd2eb4d1b8b84c9cf083ef45f772167c33fdcee754b35ae8ff4c7d"`
			`class="footer__icon"`
			`alt="Email icon"`
			`/>`
			`</a>`
			`</div>`
			`<div class="footer__column">`
			`<a href="/about" title="About">About</a>`
			`<a href="/coc" title="Code of Conduct">CoC</a>`
			`<span class="footer__column-divider--mobile-only">\|</span>`
			`<a href="/legalese" title="Legalese">Legalese</a>`
			`<a href="/privacy-policy" title="Privacy Policy">Privacy</a>`
			`<span class="footer__column-divider--mobile-only">\|</span>`
			`<a`
new deploy: 2023-01-09T09:59:43+00:00 2023-01-09 09:59:43 +00:00			`href="https://forgejo.gna.org/Gna"`
new deploy: 2022-10-17T07:34:40+00:00 2022-10-17 07:34:40 +00:00			`rel="noreferrer"`
			`target="_blank"`
			`title="Status"`
			`>Source Code</a`
			`>`
			`<a href="/tos" title="Terms of Service">ToS</a>`
			`</div>`
			`</div>`
			`</footer>`

			`</div>`
			`</body>`
			`</html>`