open_graph_reader 0.4.0 → 0.5.0

data/lib/open_graph_reader/parser/graph.rb

@@ -1,9 +1,9 @@
-require 'forwardable'
+require "forwardable"
 
 module OpenGraphReader
   class Parser
     # A Graph to represent OpenGraph tags.
-   class Graph
+    class Graph
       # A node in the graph.
       Node = Struct.new(:name, :content) do
         extend Forwardable
@@ -54,14 +54,14 @@ module OpenGraphReader
         #
         # @return [Array<String>]
         def path
-          @path ||= fullname.split(':')
+          @path ||= fullname.split(":")
         end
 
         # Get node's full name.
         #
         # @return [String]
         def fullname
-          @fullname ||= [namespace, name].compact.join(':')
+          @fullname ||= [namespace, name].compact.join(":")
           @fullname unless @fullname.empty?
         end
       end
@@ -80,7 +80,6 @@ module OpenGraphReader
       #   @return [Bool]
       def_delegators :root, :empty?
 
-
       # Create new graph.
       def initialize
         @root = Node.new
@@ -126,10 +125,23 @@ module OpenGraphReader
         select {|node| node.fullname == property }
       end
 
+      def find_or_create_path path
+        path.inject(root) {|node, name|
+          child = node.children.reverse.find {|child| child.name == name }
+
+          unless child
+            child = Node.new name
+            node << child
+          end
+
+          child
+        }
+      end
+
       private
 
       def normalize_property property
-        property.is_a?(Enumerable) ? property.join(':') : property
+        property.is_a?(Enumerable) ? property.join(":") : property
       end
     end
   end

data/lib/open_graph_reader/version.rb

@@ -1,4 +1,4 @@
 module OpenGraphReader
   # Tbe library version
-  VERSION = "0.4.0"
+  VERSION = "0.5.0"
 end

data/spec/fixtures/real_world/invalid_article_author.html

@@ -0,0 +1,299 @@
+<!DOCTYPE html>
+<html lang="en" class="">
+  <head prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb# object: http://ogp.me/ns/object# article: http://ogp.me/ns/article# profile: http://ogp.me/ns/profile#">
+    <meta charset='utf-8'>
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta http-equiv="Content-Language" content="en">
+
+
+    <title>Vulnerability announced: update your Git clients · GitHub</title>
+    <link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="GitHub">
+    <link rel="fluid-icon" href="https://github.com/fluidicon.png" title="GitHub">
+    <link rel="apple-touch-icon" sizes="57x57" href="/apple-touch-icon-114.png">
+    <link rel="apple-touch-icon" sizes="114x114" href="/apple-touch-icon-114.png">
+    <link rel="apple-touch-icon" sizes="72x72" href="/apple-touch-icon-144.png">
+    <link rel="apple-touch-icon" sizes="144x144" href="/apple-touch-icon-144.png">
+    <meta property="fb:app_id" content="1401488693436528">
+
+      <meta content="@github" name="twitter:site" /><meta content="summary" name="twitter:card" /><meta content="Vulnerability announced: update your Git clients" name="twitter:title" /><meta content="A critical Git security vulnerability has been announced today, affecting all versions of the official Git client and all related software that interacts with Git repositories, including GitHub for Wi" name="twitter:description" />
+<meta content="GitHub" property="og:site_name" /><meta content="article" property="og:type" /><meta content="https://github.com/apple-touch-icon-144.png" property="og:image" /><meta content="Vulnerability announced: update your Git clients" property="og:title" /><meta content="https://github.com/blog/1938-vulnerability-announced-update-your-git-clients" property="og:url" /><meta content="A critical Git security vulnerability has been announced today, affecting all versions of the official Git client and all related software that interacts with Git repositories, including GitHub for Windows and GitHub for Mac. Because this is a client-side only vulnerability, github.com and GitHub Enterprise are not directly affected.
+
+The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem.
+
+We strongly encourage all users of GitHub and GitHub Enterprise to update their Git clients as soon as possible, and to be particularly careful when cloning or accessing Git repositories hosted on unsafe or untrusted hosts.
+
+Repositories hosted on github.com cannot contain any of the malicious trees that trigger the vulnerability because we now verify and block these trees on push. We have also completed an automated scan of all existing content on github.com to look for malicious content that might have been pushed to our site before this vulnerability was discovered. This work is an extension of the data-quality checks we have always performed on repositories pushed to our servers to protect our users against malformed or malicious Git data.
+
+Updated versions of GitHub for Windows and GitHub for Mac are available for immediate download, and both contain the security fix on the Desktop application itself and on the bundled version of the Git command-line client.
+
+In addition, the following updated versions of Git address this vulnerability:
+
+
+The Git core team has announced maintenance releases for all current versions of Git (v1.8.5.6, v1.9.5, v2.0.5, v2.1.4, and v2.2.1).
+Git for Windows (also known as MSysGit) has released maintenance version 1.9.5.
+The two major Git libraries, libgit2 and JGit, have released maintenance versions with the fix. Third party software using these libraries is strongly encouraged to update.
+
+
+More details on the vulnerability can be found in the official Git mailing list announcement and on the git-blame blog." property="og:description" /><meta content="262588213843476" property="article:author" /><meta content="262588213843476" property="article:publisher" /><meta content="blog/engineering" property="article:section" />
+<!-- Original had an invalid datetime here (2014-12-18 21:16:27 UTC), but we want to test the invalid article:author reference -->
+<meta content="2014-12-18T21:16:27+00:00" property="article:published_time" />
+
+      <meta name="browser-stats-url" content="/_stats">
+    <link rel="assets" href="https://assets-cdn.github.com/">
+    <link rel="conduit-xhr" href="https://ghconduit.com:25035">
+
+    <meta name="pjax-timeout" content="1000">
+
+
+    <meta name="msapplication-TileImage" content="/windows-tile.png">
+    <meta name="msapplication-TileColor" content="#ffffff">
+    <meta name="selected-link" value="engineering" data-pjax-transient>
+      <meta name="google-analytics" content="UA-3769691-2">
+
+    <meta content="collector.githubapp.com" name="octolytics-host" /><meta content="collector-cdn.github.com" name="octolytics-script-host" /><meta content="github" name="octolytics-app-id" /><meta content="4D173C92:603A:45CCDD:5494C55F" name="octolytics-dimension-request_id" />
+
+    <meta content="Rails, view, posts#show" name="analytics-event" />
+
+
+
+    <link rel="icon" type="image/x-icon" href="https://assets-cdn.github.com/favicon.ico">
+
+
+    <meta content="authenticity_token" name="csrf-param" />
+<meta content="GNBdBOZ7iL8Nzyjwiz2m++TgKtr771EjF6ZRNd3qZfhtHZ0aNftnGKNXPW8sWlaBLZhJCVsJghN8fp0cEWWaSQ==" name="csrf-token" />
+
+    <link href="https://assets-cdn.github.com/assets/github-9bcf5def7eb44e2a101b20aaecf3707f4b0a10ab8f4d6eebec29371f821c4b29.css" media="all" rel="stylesheet" type="text/css" />
+    <link href="https://assets-cdn.github.com/assets/github2-47bc67324d463c7cecb5ee4c009628c91db85b0e9288a9e663f2d06ff9e03088.css" media="all" rel="stylesheet" type="text/css" />
+
+
+
+
+    <meta http-equiv="x-pjax-version" content="cffc32e08a29062b908cc3ddb47285af">
+
+      <meta name="description" content="Build software better, together.">
+  </head>
+
+
+  <body class="logged_out  env-production">
+    <a href="#start-of-content" tabindex="1" class="accessibility-aid js-skip-to-content">Skip to content</a>
+    <div class="wrapper">
+
+
+
+
+
+
+
+      <div class="header header-logged-out" role="banner">
+  <div class="container clearfix">
+
+    <a class="header-logo-wordmark" href="https://github.com/" ga-data-click="(Logged out) Header, go to homepage, icon:logo-wordmark">
+      <span class="mega-octicon octicon-logo-github"></span>
+    </a>
+
+    <div class="header-actions" role="navigation">
+        <a class="button primary" href="/join" data-ga-click="(Logged out) Header, clicked Sign up, text:sign-up">Sign up</a>
+      <a class="button" href="/login?return_to=%2Fblog%2F1938-vulnerability-announced-update-your-git-clients" data-ga-click="(Logged out) Header, clicked Sign in, text:sign-in">Sign in</a>
+    </div>
+
+    <div class="site-search  js-site-search" role="search">
+      <form accept-charset="UTF-8" action="/search" class="js-site-search-form" data-global-search-url="/search" data-repo-search-url="" method="get"><div style="margin:0;padding:0;display:inline"><input name="utf8" type="hidden" value="&#x2713;" /></div>
+  <input type="text"
+    class=""
+    data-hotkey="s"
+    name="q"
+    placeholder="Search GitHub"
+    data-global-scope-placeholder="Search GitHub"
+    data-repo-scope-placeholder="Search"
+    tabindex="1"
+    autocapitalize="off">
+  <div class="scope-badge">This repository</div>
+</form>
+    </div>
+
+      <ul class="header-nav left" role="navigation">
+          <li class="header-nav-item">
+            <a class="header-nav-link" href="/explore" data-ga-click="(Logged out) Header, go to explore, text:explore">Explore</a>
+          </li>
+          <li class="header-nav-item">
+            <a class="header-nav-link" href="/features" data-ga-click="(Logged out) Header, go to features, text:features">Features</a>
+          </li>
+          <li class="header-nav-item">
+            <a class="header-nav-link" href="https://enterprise.github.com/" data-ga-click="(Logged out) Header, go to enterprise, text:enterprise">Enterprise</a>
+          </li>
+          <li class="header-nav-item">
+            <a class="header-nav-link" href="/blog" data-ga-click="(Logged out) Header, go to blog, text:blog">Blog</a>
+          </li>
+      </ul>
+
+  </div>
+</div>
+
+
+
+      <div id="start-of-content" class="accessibility-aid"></div>
+        <div class="site clearfix" role="main">
+          <div id="site-container" class="context-loader-container" data-pjax-container>
+
+
+
+
+
+  <div id="blog-main" data-pjax-container>
+      <div class="pagehead separation">
+    <div class="container">
+      <form action="/blog/search" class="blog-search" data-pjax>
+        <span class="octicon octicon-search"></span>
+        <input class="blog-search-input" type="text" name="q" id="blog-search" value="" tabindex="2">
+      </form>
+
+      <h1>
+          <a href="/blog" id="blog-home"><span class="octicon octicon-home"></span></a><a href="/blog/1938-vulnerability-announced-update-your-git-clients" class=" blog-title">Vulnerability announced: update your Git clients</a>
+      </h1>
+    </div>
+  </div><!-- /.pagehead -->
+
+  <div class="container" id="blog-main">
+
+<div class="blog-aside">
+
+  <ul class="menu" role="navigation" data-pjax>
+    <a href="/blog" class="js-selected-navigation-item menu-item" data-selected-links=" /blog">Featured</a>
+    <a href="/blog/category/all" class="js-selected-navigation-item menu-item" data-selected-links="all /blog/category/all">All Posts</a>
+    <a href="/blog/category/ship" class="js-selected-navigation-item menu-item" data-selected-links="ship /blog/category/ship">New Features</a>
+    <a href="/blog/category/engineering" class="selected js-selected-navigation-item menu-item" data-selected-links="engineering /blog/category/engineering">Engineering</a>
+    <a href="/blog/category/enterprise" class="js-selected-navigation-item menu-item" data-selected-links="enterprise /blog/category/enterprise">Enterprise</a>
+    <a href="/blog/category/meetup" class="js-selected-navigation-item menu-item" data-selected-links="meetup /blog/category/meetup">Meetups</a>
+    <a href="/blog/category/hire" class="js-selected-navigation-item menu-item" data-selected-links="hire /blog/category/hire">New Hires</a>
+    <a href="/blog/category/watercooler" class="js-selected-navigation-item menu-item" data-selected-links="watercooler /blog/category/watercooler">Watercooler</a>
+  </ul>
+
+  <a class="rss" href="/blog/subscribe" data-pjax>
+    <span class="octicon octicon-rss"></span>
+    Subscribe
+  </a>
+</div>
+
+    <div class="blog-content">
+        <ul class="blog-post-meta">
+    <li class="meta-item">
+      <span class="octicon octicon-calendar"></span>
+      December 18, 2014
+    </li>
+
+  <li class="vcard fn meta-item">
+    <img alt="Vicent Marti" class="author-avatar" data-user="42793" height="18" src="https://avatars1.githubusercontent.com/u/42793?v=3&amp;s=36" width="18" /> <a href="/vmg">vmg</a>
+  </li>
+
+    <li class="meta-item">
+      <span class="octicon octicon-file-directory"></span>
+      <a href="/blog/category/engineering">Engineering</a>
+    </li>
+
+</ul>
+
+
+  <div class="blog-post-body markdown-body">
+    <p>A <a href="http://article.gmane.org/gmane.linux.kernel/1853266">critical Git security vulnerability has been announced today</a>, affecting all versions of the official Git client and all related software that interacts with Git repositories, including GitHub for Windows and GitHub for Mac. Because this is a client-side only vulnerability, <code>github.com</code> and GitHub Enterprise are not directly affected.</p>
+
+<p>The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own <code>.git/config</code> file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem. </p>
+
+<p><strong>We strongly encourage all users of GitHub and GitHub Enterprise to update their Git clients as soon as possible</strong>, and to be particularly careful when cloning or accessing Git repositories hosted on unsafe or untrusted hosts. </p>
+
+<p>Repositories hosted on <code>github.com</code> cannot contain any of the malicious trees that trigger the vulnerability because we now verify and block these trees on push. We have also completed an automated scan of all existing content on <code>github.com</code> to look for malicious content that might have been pushed to our site before this vulnerability was discovered. This work is an extension of the data-quality checks we have always performed on repositories pushed to our servers to protect our users against malformed or malicious Git data.</p>
+
+<p>Updated versions of <a href="https://windows.github.com/">GitHub for Windows</a> and <a href="https://mac.github.com/">GitHub for Mac</a> are available for immediate download, and both contain the security fix on the Desktop application itself <em>and</em> on the bundled version of the Git command-line client. </p>
+
+<p>In addition, the following updated versions of Git address this vulnerability:</p>
+
+<ul>
+<li><p>The Git core team <a href="https://www.kernel.org/pub/software/scm/git/">has announced maintenance releases</a> for all current versions of Git (v1.8.5.6, v1.9.5, v2.0.5, v2.1.4, and v2.2.1).</p></li>
+<li><p><a href="https://msysgit.github.io/">Git for Windows</a> (also known as MSysGit) has released maintenance version 1.9.5.</p></li>
+<li><p>The two major Git libraries, <a href="https://github.com/libgit2/libgit2/">libgit2</a> and <a href="https://eclipse.org/jgit/">JGit</a>, have released maintenance versions with the fix. Third party software using these libraries is strongly encouraged to update.</p></li>
+</ul>
+
+<p>More details on the vulnerability can be found in the <a href="http://article.gmane.org/gmane.linux.kernel/1853266">official Git mailing list announcement</a> and on the <a href="http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html"><code>git-blame</code> blog</a>.</p>
+  </div>
+
+  <div class="blog-feedback">
+    <h2 class="blog-feedback-header with-twitter">
+      Have feedback on this post? Let <a href="https://twitter.com/intent/tweet?text=@github%20&amp;related=github&amp;url=https://github.com/blog/1938-vulnerability-announced-update-your-git-clients" target="blank">@github</a> know on Twitter.
+    </h2>
+    <p class="blog-feedback-description">
+      Need help or found a bug? <a href="/contact">Contact us</a>.
+    </p>
+  </div>
+
+    </div>
+  </div>
+
+  </div>
+
+
+          </div>
+          <div class="modal-backdrop"></div>
+        </div>
+    </div><!-- /.wrapper -->
+
+      <div class="container">
+  <div class="site-footer" role="contentinfo">
+    <ul class="site-footer-links right">
+      <li><a href="https://status.github.com/">Status</a></li>
+      <li><a href="https://developer.github.com">API</a></li>
+      <li><a href="http://training.github.com">Training</a></li>
+      <li><a href="http://shop.github.com">Shop</a></li>
+      <li><a href="/blog">Blog</a></li>
+      <li><a href="/about">About</a></li>
+
+    </ul>
+
+    <a href="/" aria-label="Homepage">
+      <span class="mega-octicon octicon-mark-github" title="GitHub"></span>
+    </a>
+
+    <ul class="site-footer-links">
+      <li>&copy; 2014 <span title="0.01719s from github-fe117-cp1-prd.iad.github.net">GitHub</span>, Inc.</li>
+        <li><a href="/site/terms">Terms</a></li>
+        <li><a href="/site/privacy">Privacy</a></li>
+        <li><a href="/security">Security</a></li>
+        <li><a href="/contact">Contact</a></li>
+    </ul>
+  </div><!-- /.site-footer -->
+</div><!-- /.container -->
+
+
+    <div class="fullscreen-overlay js-fullscreen-overlay" id="fullscreen_overlay">
+  <div class="fullscreen-container js-suggester-container">
+    <div class="textarea-wrap">
+      <textarea name="fullscreen-contents" id="fullscreen-contents" class="fullscreen-contents js-fullscreen-contents" placeholder=""></textarea>
+      <div class="suggester-container">
+        <div class="suggester fullscreen-suggester js-suggester js-navigation-container"></div>
+      </div>
+    </div>
+  </div>
+  <div class="fullscreen-sidebar">
+    <a href="#" class="exit-fullscreen js-exit-fullscreen tooltipped tooltipped-w" aria-label="Exit Zen Mode">
+      <span class="mega-octicon octicon-screen-normal"></span>
+    </a>
+    <a href="#" class="theme-switcher js-theme-switcher tooltipped tooltipped-w"
+      aria-label="Switch themes">
+      <span class="octicon octicon-color-mode"></span>
+    </a>
+  </div>
+</div>
+
+
+
+    <div id="ajax-error-message" class="flash flash-error">
+      <span class="octicon octicon-alert"></span>
+      <a href="#" class="octicon octicon-x flash-close js-ajax-error-dismiss" aria-label="Dismiss error"></a>
+      Something went wrong with that request. Please try again.
+    </div>
+
+
+      <script crossorigin="anonymous" src="https://assets-cdn.github.com/assets/frameworks-fc447938e306b7b2c26a33cfee9dfda9052aeb1aa6ad84b72f1b35fd008efe9e.js" type="text/javascript"></script>
+      <script async="async" crossorigin="anonymous" src="https://assets-cdn.github.com/assets/github-56c56f7fe2ed90ca50b9eefebccd56f3b9729a85d7ba17f0f9c9ebd02f20a7e3.js" type="text/javascript"></script>
+
+
+  </body>
+</html>

data/spec/fixtures/real_world/invalid_datetime.html

@@ -0,0 +1,301 @@
+<!DOCTYPE html>
+<html lang="en" class="">
+  <head prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb# object: http://ogp.me/ns/object# article: http://ogp.me/ns/article# profile: http://ogp.me/ns/profile#">
+    <meta charset='utf-8'>
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta http-equiv="Content-Language" content="en">
+
+
+    <title>Vulnerability announced: update your Git clients · GitHub</title>
+    <link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="GitHub">
+    <link rel="fluid-icon" href="https://github.com/fluidicon.png" title="GitHub">
+    <link rel="apple-touch-icon" sizes="57x57" href="/apple-touch-icon-114.png">
+    <link rel="apple-touch-icon" sizes="114x114" href="/apple-touch-icon-114.png">
+    <link rel="apple-touch-icon" sizes="72x72" href="/apple-touch-icon-144.png">
+    <link rel="apple-touch-icon" sizes="144x144" href="/apple-touch-icon-144.png">
+    <meta property="fb:app_id" content="1401488693436528">
+
+      <meta content="@github" name="twitter:site" /><meta content="summary" name="twitter:card" /><meta content="Vulnerability announced: update your Git clients" name="twitter:title" /><meta content="A critical Git security vulnerability has been announced today, affecting all versions of the official Git client and all related software that interacts with Git repositories, including GitHub for Wi" name="twitter:description" />
+<meta content="GitHub" property="og:site_name" /><meta content="article" property="og:type" /><meta content="https://github.com/apple-touch-icon-144.png" property="og:image" /><meta content="Vulnerability announced: update your Git clients" property="og:title" /><meta content="https://github.com/blog/1938-vulnerability-announced-update-your-git-clients" property="og:url" /><meta content="A critical Git security vulnerability has been announced today, affecting all versions of the official Git client and all related software that interacts with Git repositories, including GitHub for Windows and GitHub for Mac. Because this is a client-side only vulnerability, github.com and GitHub Enterprise are not directly affected.
+
+The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem.
+
+We strongly encourage all users of GitHub and GitHub Enterprise to update their Git clients as soon as possible, and to be particularly careful when cloning or accessing Git repositories hosted on unsafe or untrusted hosts.
+
+Repositories hosted on github.com cannot contain any of the malicious trees that trigger the vulnerability because we now verify and block these trees on push. We have also completed an automated scan of all existing content on github.com to look for malicious content that might have been pushed to our site before this vulnerability was discovered. This work is an extension of the data-quality checks we have always performed on repositories pushed to our servers to protect our users against malformed or malicious Git data.
+
+Updated versions of GitHub for Windows and GitHub for Mac are available for immediate download, and both contain the security fix on the Desktop application itself and on the bundled version of the Git command-line client.
+
+In addition, the following updated versions of Git address this vulnerability:
+
+
+The Git core team has announced maintenance releases for all current versions of Git (v1.8.5.6, v1.9.5, v2.0.5, v2.1.4, and v2.2.1).
+Git for Windows (also known as MSysGit) has released maintenance version 1.9.5.
+The two major Git libraries, libgit2 and JGit, have released maintenance versions with the fix. Third party software using these libraries is strongly encouraged to update.
+
+
+More details on the vulnerability can be found in the official Git mailing list announcement and on the git-blame blog." property="og:description" />
+<!-- we only want to test the invalid datetime here
+<meta content="262588213843476" property="article:author" />
+-->
+<meta content="262588213843476" property="article:publisher" /><meta content="blog/engineering" property="article:section" /><meta content="2014-12-18 21:16:27 UTC" property="article:published_time" />
+
+      <meta name="browser-stats-url" content="/_stats">
+    <link rel="assets" href="https://assets-cdn.github.com/">
+    <link rel="conduit-xhr" href="https://ghconduit.com:25035">
+
+    <meta name="pjax-timeout" content="1000">
+
+
+    <meta name="msapplication-TileImage" content="/windows-tile.png">
+    <meta name="msapplication-TileColor" content="#ffffff">
+    <meta name="selected-link" value="engineering" data-pjax-transient>
+      <meta name="google-analytics" content="UA-3769691-2">
+
+    <meta content="collector.githubapp.com" name="octolytics-host" /><meta content="collector-cdn.github.com" name="octolytics-script-host" /><meta content="github" name="octolytics-app-id" /><meta content="4D173C92:603A:45CCDD:5494C55F" name="octolytics-dimension-request_id" />
+
+    <meta content="Rails, view, posts#show" name="analytics-event" />
+
+
+
+    <link rel="icon" type="image/x-icon" href="https://assets-cdn.github.com/favicon.ico">
+
+
+    <meta content="authenticity_token" name="csrf-param" />
+<meta content="GNBdBOZ7iL8Nzyjwiz2m++TgKtr771EjF6ZRNd3qZfhtHZ0aNftnGKNXPW8sWlaBLZhJCVsJghN8fp0cEWWaSQ==" name="csrf-token" />
+
+    <link href="https://assets-cdn.github.com/assets/github-9bcf5def7eb44e2a101b20aaecf3707f4b0a10ab8f4d6eebec29371f821c4b29.css" media="all" rel="stylesheet" type="text/css" />
+    <link href="https://assets-cdn.github.com/assets/github2-47bc67324d463c7cecb5ee4c009628c91db85b0e9288a9e663f2d06ff9e03088.css" media="all" rel="stylesheet" type="text/css" />
+
+
+
+
+    <meta http-equiv="x-pjax-version" content="cffc32e08a29062b908cc3ddb47285af">
+
+      <meta name="description" content="Build software better, together.">
+  </head>
+
+
+  <body class="logged_out  env-production">
+    <a href="#start-of-content" tabindex="1" class="accessibility-aid js-skip-to-content">Skip to content</a>
+    <div class="wrapper">
+
+
+
+
+
+
+
+      <div class="header header-logged-out" role="banner">
+  <div class="container clearfix">
+
+    <a class="header-logo-wordmark" href="https://github.com/" ga-data-click="(Logged out) Header, go to homepage, icon:logo-wordmark">
+      <span class="mega-octicon octicon-logo-github"></span>
+    </a>
+
+    <div class="header-actions" role="navigation">
+        <a class="button primary" href="/join" data-ga-click="(Logged out) Header, clicked Sign up, text:sign-up">Sign up</a>
+      <a class="button" href="/login?return_to=%2Fblog%2F1938-vulnerability-announced-update-your-git-clients" data-ga-click="(Logged out) Header, clicked Sign in, text:sign-in">Sign in</a>
+    </div>
+
+    <div class="site-search  js-site-search" role="search">
+      <form accept-charset="UTF-8" action="/search" class="js-site-search-form" data-global-search-url="/search" data-repo-search-url="" method="get"><div style="margin:0;padding:0;display:inline"><input name="utf8" type="hidden" value="&#x2713;" /></div>
+  <input type="text"
+    class=""
+    data-hotkey="s"
+    name="q"
+    placeholder="Search GitHub"
+    data-global-scope-placeholder="Search GitHub"
+    data-repo-scope-placeholder="Search"
+    tabindex="1"
+    autocapitalize="off">
+  <div class="scope-badge">This repository</div>
+</form>
+    </div>
+
+      <ul class="header-nav left" role="navigation">
+          <li class="header-nav-item">
+            <a class="header-nav-link" href="/explore" data-ga-click="(Logged out) Header, go to explore, text:explore">Explore</a>
+          </li>
+          <li class="header-nav-item">
+            <a class="header-nav-link" href="/features" data-ga-click="(Logged out) Header, go to features, text:features">Features</a>
+          </li>
+          <li class="header-nav-item">
+            <a class="header-nav-link" href="https://enterprise.github.com/" data-ga-click="(Logged out) Header, go to enterprise, text:enterprise">Enterprise</a>
+          </li>
+          <li class="header-nav-item">
+            <a class="header-nav-link" href="/blog" data-ga-click="(Logged out) Header, go to blog, text:blog">Blog</a>
+          </li>
+      </ul>
+
+  </div>
+</div>
+
+
+
+      <div id="start-of-content" class="accessibility-aid"></div>
+        <div class="site clearfix" role="main">
+          <div id="site-container" class="context-loader-container" data-pjax-container>
+
+
+
+
+
+  <div id="blog-main" data-pjax-container>
+      <div class="pagehead separation">
+    <div class="container">
+      <form action="/blog/search" class="blog-search" data-pjax>
+        <span class="octicon octicon-search"></span>
+        <input class="blog-search-input" type="text" name="q" id="blog-search" value="" tabindex="2">
+      </form>
+
+      <h1>
+          <a href="/blog" id="blog-home"><span class="octicon octicon-home"></span></a><a href="/blog/1938-vulnerability-announced-update-your-git-clients" class=" blog-title">Vulnerability announced: update your Git clients</a>
+      </h1>
+    </div>
+  </div><!-- /.pagehead -->
+
+  <div class="container" id="blog-main">
+
+<div class="blog-aside">
+
+  <ul class="menu" role="navigation" data-pjax>
+    <a href="/blog" class="js-selected-navigation-item menu-item" data-selected-links=" /blog">Featured</a>
+    <a href="/blog/category/all" class="js-selected-navigation-item menu-item" data-selected-links="all /blog/category/all">All Posts</a>
+    <a href="/blog/category/ship" class="js-selected-navigation-item menu-item" data-selected-links="ship /blog/category/ship">New Features</a>
+    <a href="/blog/category/engineering" class="selected js-selected-navigation-item menu-item" data-selected-links="engineering /blog/category/engineering">Engineering</a>
+    <a href="/blog/category/enterprise" class="js-selected-navigation-item menu-item" data-selected-links="enterprise /blog/category/enterprise">Enterprise</a>
+    <a href="/blog/category/meetup" class="js-selected-navigation-item menu-item" data-selected-links="meetup /blog/category/meetup">Meetups</a>
+    <a href="/blog/category/hire" class="js-selected-navigation-item menu-item" data-selected-links="hire /blog/category/hire">New Hires</a>
+    <a href="/blog/category/watercooler" class="js-selected-navigation-item menu-item" data-selected-links="watercooler /blog/category/watercooler">Watercooler</a>
+  </ul>
+
+  <a class="rss" href="/blog/subscribe" data-pjax>
+    <span class="octicon octicon-rss"></span>
+    Subscribe
+  </a>
+</div>
+
+    <div class="blog-content">
+        <ul class="blog-post-meta">
+    <li class="meta-item">
+      <span class="octicon octicon-calendar"></span>
+      December 18, 2014
+    </li>
+
+  <li class="vcard fn meta-item">
+    <img alt="Vicent Marti" class="author-avatar" data-user="42793" height="18" src="https://avatars1.githubusercontent.com/u/42793?v=3&amp;s=36" width="18" /> <a href="/vmg">vmg</a>
+  </li>
+
+    <li class="meta-item">
+      <span class="octicon octicon-file-directory"></span>
+      <a href="/blog/category/engineering">Engineering</a>
+    </li>
+
+</ul>
+
+
+  <div class="blog-post-body markdown-body">
+    <p>A <a href="http://article.gmane.org/gmane.linux.kernel/1853266">critical Git security vulnerability has been announced today</a>, affecting all versions of the official Git client and all related software that interacts with Git repositories, including GitHub for Windows and GitHub for Mac. Because this is a client-side only vulnerability, <code>github.com</code> and GitHub Enterprise are not directly affected.</p>
+
+<p>The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own <code>.git/config</code> file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem. </p>
+
+<p><strong>We strongly encourage all users of GitHub and GitHub Enterprise to update their Git clients as soon as possible</strong>, and to be particularly careful when cloning or accessing Git repositories hosted on unsafe or untrusted hosts. </p>
+
+<p>Repositories hosted on <code>github.com</code> cannot contain any of the malicious trees that trigger the vulnerability because we now verify and block these trees on push. We have also completed an automated scan of all existing content on <code>github.com</code> to look for malicious content that might have been pushed to our site before this vulnerability was discovered. This work is an extension of the data-quality checks we have always performed on repositories pushed to our servers to protect our users against malformed or malicious Git data.</p>
+
+<p>Updated versions of <a href="https://windows.github.com/">GitHub for Windows</a> and <a href="https://mac.github.com/">GitHub for Mac</a> are available for immediate download, and both contain the security fix on the Desktop application itself <em>and</em> on the bundled version of the Git command-line client. </p>
+
+<p>In addition, the following updated versions of Git address this vulnerability:</p>
+
+<ul>
+<li><p>The Git core team <a href="https://www.kernel.org/pub/software/scm/git/">has announced maintenance releases</a> for all current versions of Git (v1.8.5.6, v1.9.5, v2.0.5, v2.1.4, and v2.2.1).</p></li>
+<li><p><a href="https://msysgit.github.io/">Git for Windows</a> (also known as MSysGit) has released maintenance version 1.9.5.</p></li>
+<li><p>The two major Git libraries, <a href="https://github.com/libgit2/libgit2/">libgit2</a> and <a href="https://eclipse.org/jgit/">JGit</a>, have released maintenance versions with the fix. Third party software using these libraries is strongly encouraged to update.</p></li>
+</ul>
+
+<p>More details on the vulnerability can be found in the <a href="http://article.gmane.org/gmane.linux.kernel/1853266">official Git mailing list announcement</a> and on the <a href="http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html"><code>git-blame</code> blog</a>.</p>
+  </div>
+
+  <div class="blog-feedback">
+    <h2 class="blog-feedback-header with-twitter">
+      Have feedback on this post? Let <a href="https://twitter.com/intent/tweet?text=@github%20&amp;related=github&amp;url=https://github.com/blog/1938-vulnerability-announced-update-your-git-clients" target="blank">@github</a> know on Twitter.
+    </h2>
+    <p class="blog-feedback-description">
+      Need help or found a bug? <a href="/contact">Contact us</a>.
+    </p>
+  </div>
+
+    </div>
+  </div>
+
+  </div>
+
+
+          </div>
+          <div class="modal-backdrop"></div>
+        </div>
+    </div><!-- /.wrapper -->
+
+      <div class="container">
+  <div class="site-footer" role="contentinfo">
+    <ul class="site-footer-links right">
+      <li><a href="https://status.github.com/">Status</a></li>
+      <li><a href="https://developer.github.com">API</a></li>
+      <li><a href="http://training.github.com">Training</a></li>
+      <li><a href="http://shop.github.com">Shop</a></li>
+      <li><a href="/blog">Blog</a></li>
+      <li><a href="/about">About</a></li>
+
+    </ul>
+
+    <a href="/" aria-label="Homepage">
+      <span class="mega-octicon octicon-mark-github" title="GitHub"></span>
+    </a>
+
+    <ul class="site-footer-links">
+      <li>&copy; 2014 <span title="0.01719s from github-fe117-cp1-prd.iad.github.net">GitHub</span>, Inc.</li>
+        <li><a href="/site/terms">Terms</a></li>
+        <li><a href="/site/privacy">Privacy</a></li>
+        <li><a href="/security">Security</a></li>
+        <li><a href="/contact">Contact</a></li>
+    </ul>
+  </div><!-- /.site-footer -->
+</div><!-- /.container -->
+
+
+    <div class="fullscreen-overlay js-fullscreen-overlay" id="fullscreen_overlay">
+  <div class="fullscreen-container js-suggester-container">
+    <div class="textarea-wrap">
+      <textarea name="fullscreen-contents" id="fullscreen-contents" class="fullscreen-contents js-fullscreen-contents" placeholder=""></textarea>
+      <div class="suggester-container">
+        <div class="suggester fullscreen-suggester js-suggester js-navigation-container"></div>
+      </div>
+    </div>
+  </div>
+  <div class="fullscreen-sidebar">
+    <a href="#" class="exit-fullscreen js-exit-fullscreen tooltipped tooltipped-w" aria-label="Exit Zen Mode">
+      <span class="mega-octicon octicon-screen-normal"></span>
+    </a>
+    <a href="#" class="theme-switcher js-theme-switcher tooltipped tooltipped-w"
+      aria-label="Switch themes">
+      <span class="octicon octicon-color-mode"></span>
+    </a>
+  </div>
+</div>
+
+
+
+    <div id="ajax-error-message" class="flash flash-error">
+      <span class="octicon octicon-alert"></span>
+      <a href="#" class="octicon octicon-x flash-close js-ajax-error-dismiss" aria-label="Dismiss error"></a>
+      Something went wrong with that request. Please try again.
+    </div>
+
+
+      <script crossorigin="anonymous" src="https://assets-cdn.github.com/assets/frameworks-fc447938e306b7b2c26a33cfee9dfda9052aeb1aa6ad84b72f1b35fd008efe9e.js" type="text/javascript"></script>
+      <script async="async" crossorigin="anonymous" src="https://assets-cdn.github.com/assets/github-56c56f7fe2ed90ca50b9eefebccd56f3b9729a85d7ba17f0f9c9ebd02f20a7e3.js" type="text/javascript"></script>
+
+
+  </body>
+</html>