Patch applies fake diffs from commit messages
a day ago
- #GNU patch
- #security
- #GitHub
- GitHub exposes mail-style patches via .patch URLs which can be downloaded.
- GNU patch may apply diff-shaped text within commit messages as part of the patch.
- A demo shows a commit that changes readme.md but includes a phantom diff for SHOULD_NOT_BE_HERE.md.
- Applying the patch results in patching both files, despite SHOULD_NOT_BE_HERE.md not being in the actual commit.
- git apply and git am rejected paths like .git/, but still accepted injected diffs for working-tree files.
- git cherry-pick behaves differently as it interacts with Git objects directly.
- The bug's origin unclear: could be GNU patch, GitHub's .patch export, or patch-format contract.
- A reminder to scrutinize commit messages for embedded diff text.