
On Thu, 14 Apr 2022 11:37:32 +1200, Peter Reutemann quoted:
'Arguably, if an "untrusted party" has write access to a hard disk, then all bets are off when it comes to the nooks and crannies of a PC anyway. In this case, the miscreants would only need to create the folder c:\.git, "which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory," according to NIST. The result is that Git would use the config in the directory.'
Just a note that Git for Unix/Linux behaves in exactly the same way. Why is it not a security hole there? Because *nixes are multiuser systems, that’s why. “I’m having trouble running «piece of Windows software».” “Have you tried running as administrator?” “That fixed it! Thanks!”
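An added example, not part of the original post or of Git's own code: a simplified model of the parent-directory search described in the quoted text, listing every `.git` entry a command run from a given directory would reach and flagging those owned by a different user. It assumes POSIX ownership (`os.getuid`, `st_uid`); the function names and the temporary directory layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def discover_git_dirs(start):
    """Yield (levels_up, path) for each .git entry from start up to the root.

    Simplified model of the upward search the quoted text describes.
    """
    current = Path(start).resolve()
    for levels_up, directory in enumerate([current, *current.parents]):
        candidate = directory / ".git"
        if candidate.exists():
            yield levels_up, candidate


def audit(start, trusted_uid=None):
    """Report every .git entry the search would reach, flagging foreign owners."""
    if trusted_uid is None:
        trusted_uid = os.getuid()  # assumption: POSIX system
    findings = []
    for levels_up, git_dir in discover_git_dirs(start):
        owner = git_dir.lstat().st_uid  # owner of the entry itself, not a link target
        findings.append({
            "path": str(git_dir),
            "levels_up": levels_up,
            "owner_uid": owner,
            "foreign": owner != trusted_uid,
            "has_config": (git_dir / "config").is_file(),
        })
    return findings


def demo():
    """Constructed layout: .git at the top of a tree, work done three levels below."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        (root / ".git").mkdir()
        (root / ".git" / "config").write_text("[core]\n")  # constructed sample
        work = root / "home" / "user" / "scratch"
        work.mkdir(parents=True)
        top = str(root / ".git")
        as_owner = [f for f in audit(work) if f["path"] == top]
        as_other = [f for f in audit(work, os.getuid() + 1) if f["path"] == top]
        return as_owner, as_other


if __name__ == "__main__":
    for finding in audit(os.getcwd()):
        print(finding)
```

Run from any working directory, it prints one record per `.git` entry found between that directory and the root; an entry with `foreign` set and `has_config` true is a configuration file someone else controls.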