* Paul Wise <p...@debian.org>, 2018-02-07, 16:59:
> $ webcheckout /path/to/badgit.html
> git clone ext::sh -c cowsay% pwned% >% /dev/tty
>
> I consider this particular attack to be a bug in git and the git
> authors seem to agree with me because it is blocked in sid.

It's hard to tell whether they agree, because disabling git-remote-ext
by default is not documented AFAICT. See bug #867699.

Users might need to re-enable git-remote-ext for their own purposes, so
this needs to be fixed in webcheckout.

webcheckout is also susceptible to option injection, but I couldn't find
a way to exploit it for anything nefarious.

--
Jakub Wilk
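
An added example, not part of the original message and not webcheckout's own code: one way a checkout tool could vet a repository URL scraped from an untrusted page before handing it to `git clone`, covering both the `ext::` helper syntax and option injection raised above. The allowlist, the function names and the sample URLs other than the quoted `ext::` string are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only transports this tool is willing to pass to git.
ALLOWED_SCHEMES = {"https", "http", "git", "ssh"}

# git treats "<transport>::<address>" as a request to run the remote helper
# git-remote-<transport>; "ext::..." in the quoted session is one instance.
HELPER_SYNTAX = re.compile(r"^[A-Za-z0-9][A-Za-z0-9+.-]*::")


def check_repo_url(url):
    """Return None if the URL is acceptable, otherwise a short reason."""
    if not url or url != url.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return "empty, padded or contains control characters"
    if url.startswith("-"):
        return "would be parsed by git as an option"
    if HELPER_SYNTAX.match(url):
        return "transport::address syntax selects a git remote helper"
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not in allowlist"
    if not host:
        return "no host component"
    return None


def git_clone_command(url, dest):
    """Build (argv, extra_env) for a clone of a vetted URL; raise otherwise."""
    reason = check_repo_url(url)
    if reason is not None:
        raise ValueError(f"refusing {url!r}: {reason}")
    # "--" ends option parsing, so neither url nor dest can act as a flag.
    argv = ["git", "clone", "--", url, dest]
    # GIT_ALLOW_PROTOCOL makes git enforce the same allowlist itself, even if
    # the user's configuration has re-enabled other transports such as ext.
    extra_env = {"GIT_ALLOW_PROTOCOL": ":".join(sorted(ALLOWED_SCHEMES))}
    return argv, extra_env


if __name__ == "__main__":
    # First entry is the string from the quoted session; the rest are constructed.
    for u in ["ext::sh -c cowsay% pwned% >% /dev/tty", "--bare",
              "file:///srv/repo", "https://example.org/repo.git"]:
        print(f"{u!r}: {check_repo_url(u) or 'ok'}")
```

The returned `extra_env` is meant to be merged into the process environment passed to the subprocess call; scp-style `user@host:path` addresses are rejected by this strict allowlist.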