# regression severity 798602 important tags 798602 + upstream fixed-upstream quit
Hi, Axel Beckert wrote: > My coworker (who ran into this issue on MacOS X) finally found what > triggers this issue. It's the following setting in our both's ~/.ssh/config: > > SendEnv TERM GIT_* > > Intention of this is to forward variables like GIT_EDITOR, > GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL, GIT_AUTHOR_NAME and > GIT_AUTHOR_EMAIL via SSH. Unfortunately git since 2.5.1 additionally > seems to set GIT_WORK_TREE -- which gets forwarded that way, too. Ah! I had been wondering why this only started showing up recently. > The fix is to change the according line in ~/.ssh/config to > > SendEnv TERM GIT_EDITOR GIT_COMMITTER_* GIT_AUTHOR_* There is a change on the "next" branch: aab40438 git_connect: clear GIT_* environment for ssh, 2015-09-04 It filters out the following variables: GIT_ALTERNATE_OBJECT_DIRECTORIES GIT_CONFIG GIT_CONFIG_PARAMETERS GIT_OBJECT_DIRECTORY GIT_DIR GIT_WORK_TREE GIT_IMPLICIT_WORK_TREE GIT_GRAFT_FILE GIT_INDEX_FILE GIT_NO_REPLACE_OBJECTS GIT_REPLACE_REF_BASE GIT_PREFIX GIT_SHALLOW_FILE GIT_COMMON_DIR I think that should help. It will probably land in 2.7.0, but I can apply it earlier. The GIT_CONFIG_PARAMETERS is particularly important: if the server allows the environment variable through then arbitrary code execution isn't hard. Thanks, Jonathan
