)]}'
{
  "commit": "1a3609e402a062ef7b11f197fe96c28cabca132c",
  "tree": "469c92e12e61fa6dba844a1b3943909c7dd7e3b7",
  "parents": [
    "e7fab62b736cca3416660636e46f0be8386a5030"
  ],
  "author": {
    "name": "Jonathan Nieder",
    "email": "jrnieder@gmail.com",
    "time": "Sat Apr 18 20:57:22 2020 -0700"
  },
  "committer": {
    "name": "Jonathan Nieder",
    "email": "jrnieder@gmail.com",
    "time": "Sun Apr 19 16:10:58 2020 -0700"
  },
  "message": "fsck: reject URL with empty host in .gitmodules\n\nGit\u0027s URL parser interprets\n\n\thttps:///example.com/repo.git\n\nto have no host and a path of \"example.com/repo.git\".  Curl, on the\nother hand, internally redirects it to https://example.com/repo.git.  As\na result, until \"credential: parse URL without host as empty host, not\nunset\", tricking a user into fetching from such a URL would cause Git to\nsend credentials for another host to example.com.\n\nTeach fsck to block and detect .gitmodules files using such a URL to\nprevent sharing them with Git versions that are not yet protected.\n\nA relative URL in a .gitmodules file could also be used to trigger this.\nThe relative URL resolver used for .gitmodules does not normalize\nsequences of slashes and can follow \"..\" components out of the path part\nand to the host part of a URL, meaning that such a relative URL can be\nused to traverse from a https://foo.example.com/innocent superproject to\na https:///attacker.example.com/exploit submodule. Fortunately,\nredundant extra slashes in .gitmodules are rare, so we can catch this by\ndetecting one after a leading sequence of \"./\" and \"../\" components.\n\nHelped-by: Jeff King \u003cpeff@peff.net\u003e\nSigned-off-by: Jonathan Nieder \u003cjrnieder@gmail.com\u003e\nReviewed-by: Jeff King \u003cpeff@peff.net\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "41af5c0d5f54299b0474f1230a4dcf80daf80b1f",
      "old_mode": 33188,
      "old_path": "fsck.c",
      "new_id": "31b5be05f54ac7a68fd8b477e762d9578fc5eecb",
      "new_mode": 33188,
      "new_path": "fsck.c"
    },
    {
      "type": "modify",
      "old_id": "9309040373c83211c4ee96da4202c40d5189fc89",
      "old_mode": 33261,
      "old_path": "t/t7416-submodule-dash-url.sh",
      "new_id": "eec96e0ba9e371e9603bd47ad5e13f0e547d7b5a",
      "new_mode": 33261,
      "new_path": "t/t7416-submodule-dash-url.sh"
    }
  ]
}