This is a security-fix for CVE-2014-9390, which affects users on Windows and Mac OS X but not typical UNIX users.
* We used to allow committing a path ".Git/config" with JGit & EGit that is
running on a case sensitive filesystem, but an attempt to check out
such a path with Git that runs on a case insensitive filesystem
would have clobbered ".git/config", which is definitely not what
the user would have expected. JGit now prevents you from tracking
a path with ".Git" (in any case combination) as a path component.
* On Windows, certain path components that are different from ".git"
are mapped to ".git", e.g. "git~1/config" is treated as if it were
".git/config". HFS+ has a similar issue, where certain unicode
codepoints are ignored, e.g. ".g\u200cit/config" is treated as if
it were ".git/config". Pathnames with these potential issues are
rejected on the affected systems.
A big "thanks!" for bringing this issue to us goes to our friends in
the Mercurial land, namely, Matt Mackall and Augie Fackler.
Thursday, December 18, 2014
Service release (bug fixes only)