From: Matthias Beyer <mail@beyermatthias.de>
To: git@vger.kernel.org
Subject: git-am applies commit message diffs
Date: Fri, 6 Feb 2026 08:43:56 +0100 [thread overview]
Message-ID: <bcqvh7ahjjgzpgxwnr4kh3hfkksfruf54refyry3ha7qk7dldf@fij5calmscvm> (raw)
[-- Attachment #1: Type: text/plain, Size: 738 bytes --]
Hi,
I am not sure whether this was already reported, searching the lore did
not yield anything for me, but I might have overlooked it...
This was just posted on mastodon[0]:
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://
github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
TL;DR: If you put a diff in the commit message, that diff will be
applied by git-am.
This looks clearly like unintended and might be an attack-vector, right?
Best,
Matthias
[0]: https://mas.to/@zekjur/116022397626943871
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next reply other threads:[~2026-02-06 7:50 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-06 7:43 Matthias Beyer [this message]
2026-02-06 8:04 ` git-am applies commit message diffs Jacob Keller
2026-02-06 8:18 ` Matthias Beyer
2026-02-06 9:03 ` Jeff King
2026-02-07 14:57 ` [PATCH 0/3] commit-msg.sample: reject messages that would confuse "git am" Phillip Wood
2026-02-07 14:58 ` [PATCH 1/3] templates: add .gitattributes entry for sample hooks Phillip Wood
2026-02-07 14:58 ` [PATCH 2/3] templates: detect commit messages containing diffs Phillip Wood
2026-02-07 14:58 ` [PATCH 3/3] templates: detect messages that contain a separator line Phillip Wood
2026-02-07 21:27 ` Junio C Hamano
2026-02-07 21:38 ` Kristoffer Haugsbakk
2026-02-09 0:17 ` Junio C Hamano
2026-02-09 7:00 ` Jeff King
2026-02-09 10:42 ` Phillip Wood
2026-02-10 6:44 ` Jeff King
2026-02-09 6:57 ` [PATCH 0/3] commit-msg.sample: reject messages that would confuse "git am" Jeff King
2026-02-09 10:43 ` Phillip Wood
2026-02-09 11:07 ` Matthias Beyer
2026-02-10 6:46 ` Jeff King
2026-02-09 15:58 ` git-am applies commit message diffs Patrick Steinhardt
2026-02-10 2:16 ` Jacob Keller
2026-02-10 14:22 ` Patrick Steinhardt
2026-02-10 15:47 ` Junio C Hamano
2026-02-11 2:31 ` Jacob Keller
2026-02-11 2:34 ` Jacob Keller
2026-02-11 7:47 ` Jeff King
2026-02-11 15:23 ` Kristoffer Haugsbakk
2026-02-11 15:47 ` Junio C Hamano
2026-02-10 6:56 ` Jeff King
2026-02-13 14:34 ` [PATCH v2 0/2] commit-msg.sample: reject messages that would confuse "git am" Phillip Wood
2026-02-13 14:34 ` [PATCH v2 1/2] templates: add .gitattributes entry for sample hooks Phillip Wood
2026-02-13 14:34 ` [PATCH v2 2/2] templates: detect commit messages containing diffs Phillip Wood
2026-02-13 16:42 ` Kristoffer Haugsbakk
2026-02-13 18:08 ` Junio C Hamano
2026-02-14 14:46 ` Phillip Wood
2026-02-13 17:59 ` Junio C Hamano
2026-02-14 14:36 ` Phillip Wood
2026-02-14 15:42 ` Junio C Hamano
2026-02-13 17:41 ` [PATCH v2 0/2] commit-msg.sample: reject messages that would confuse "git am" Junio C Hamano
2026-02-06 8:59 ` git-am applies commit message diffs Florian Weimer
2026-02-06 9:24 ` Jeff King
2026-02-06 9:48 ` Florian Weimer
2026-02-06 10:08 ` Jeff King
2026-02-06 8:43 ` Kristoffer Haugsbakk
2026-02-06 17:45 ` Jakob Haufe
2026-02-07 10:08 ` Kristoffer Haugsbakk
2026-02-07 21:44 ` Kristoffer Haugsbakk
2026-02-08 0:11 ` [PATCH] doc: add caveat about roundtripping format-patch kristofferhaugsbakk
2026-02-08 1:39 ` Junio C Hamano
2026-02-08 17:18 ` Kristoffer Haugsbakk
2026-02-09 16:42 ` Phillip Wood
2026-02-09 17:59 ` Kristoffer Haugsbakk
2026-02-10 10:57 ` Phillip Wood
2026-02-10 16:00 ` Kristoffer Haugsbakk
2026-02-09 22:37 ` [PATCH v2] " kristofferhaugsbakk
2026-02-09 22:59 ` Junio C Hamano
2026-02-09 23:11 ` Kristoffer Haugsbakk
2026-02-10 11:02 ` Phillip Wood
2026-02-10 18:20 ` Kristoffer Haugsbakk
2026-02-12 22:28 ` [PATCH v3] doc: add caveat about round-tripping format-patch kristofferhaugsbakk
2026-02-12 23:19 ` Junio C Hamano
2026-02-13 14:41 ` Phillip Wood
2026-02-13 14:43 ` Kristoffer Haugsbakk
2026-02-13 18:02 ` Junio C Hamano
2026-02-10 0:53 ` [PATCH] doc: add caveat about roundtripping format-patch Christoph Anton Mitterer
2026-02-10 16:00 ` Kristoffer Haugsbakk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bcqvh7ahjjgzpgxwnr4kh3hfkksfruf54refyry3ha7qk7dldf@fij5calmscvm \
--to=mail@beyermatthias.de \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a
Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).