Set GIT_ALLOW_PROTOCOL to limit dangerous protocols
See git commit 33cfccbbf35a -- some protocols allow arbitrary command
execution as part of the URL. Instead of blindly allowing those,
whitelist the allowed URL protocols, unless the user has already set
GIT_ALLOW_PROTOCOL themselves.
Bug: Issue 210
Change-Id: I6bd8e721aa5e3dab53ef28cfdc8fde33eb74ef76
diff --git a/git_command.py b/git_command.py
index 0893bff..63b7b6f 100644
--- a/git_command.py
+++ b/git_command.py
@@ -168,6 +168,9 @@
if p is not None:
s = p + ' ' + s
_setenv(env, 'GIT_CONFIG_PARAMETERS', s)
+ if 'GIT_ALLOW_PROTOCOL' not in env:
+ _setenv(env, 'GIT_ALLOW_PROTOCOL',
+ 'file:git:http:https:ssh:persistent-http:persistent-https:sso')
if project:
if not cwd: