Until releases today, Git, Mercurial and Subversion //all// mishandled SSH URIs in the form `ssh://-flag=evil/...`, and would invoke `ssh` in such a way that the domains in these URIs were interpreted as flags by SSH.
From there, certain combinations of flags, like `-oProxyCommand=curl...` could cause the SSH subprocess to do materially harmful things (e.g., take over the host).
Phabricator does not appear to be vulnerable to these attacks:
- We are relatively strict about host/domain parsing. Although we allow `-` to appear in domain names, we forbid characters like `=`, `|`, and `$` from appearing in domain names, limiting the reach of this attack.
- We wrap `ssh` at the VCS level and separate flags and hosts with a `--` ("end of arguments") argument, disambiguating the argument parsing and defusing this attack.
- After D18388 (in `master` now, and in `stable` after August 11th) we've further increased the strictness of hostname parsing, but this is just a general hardening measure.
Out-of-date clients may be vulnerable (for example, if an attacker can convince you to clone from a specially formatted malicious URI), and you should upgrade `git`, `hg` and `svn` on client systems to defuse versions of this attack which target clients. It couldn't hurt to upgrade them on server hosts too, of course.
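As an added illustration (not Phabricator's own code), here is a small Python sketch of the two defenses described above: a strict hostname grammar that rejects characters like `=`, `|` and `$`, and an `ssh` argv that places `--` between the flags and the host, so that even a hostname beginning with `-` cannot be read as an option. The hostname regex, the `ssh://` parser and the function names are assumptions made for this example; the sample URIs are constructed.

```python
import re
import subprocess

# Hostname grammar used by this example (an assumption, not Phabricator's
# exact rule): dot-separated labels of letters, digits and '-'. A leading
# '-' is still allowed, as the post says, which is why the '--' separator
# below is what stops a host from being parsed as an ssh flag. Characters
# such as '=', '|', '$', ' ' and '/' can never match.
HOSTNAME_RE = re.compile(r'^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$')


def parse_ssh_uri(uri):
    """Split an ssh:// URI into (user, host, port, path).

    Raises ValueError when the host part falls outside HOSTNAME_RE or the
    port is not numeric, so a URI like ssh://-oProxyCommand=curl/... is
    rejected before any process is spawned.
    """
    if not uri.startswith('ssh://'):
        raise ValueError('not an ssh:// URI: %r' % uri)
    authority, _, path = uri[len('ssh://'):].partition('/')
    user = None
    if '@' in authority:
        user, authority = authority.rsplit('@', 1)
    host, _, port = authority.partition(':')
    if not HOSTNAME_RE.match(host):
        raise ValueError('rejected hostname: %r' % host)
    if port and not port.isdigit():
        raise ValueError('rejected port: %r' % port)
    return user, host, (int(port) if port else None), '/' + path


def uri_is_safe(uri):
    """True when parse_ssh_uri accepts the URI, False otherwise."""
    try:
        parse_ssh_uri(uri)
        return True
    except ValueError:
        return False


def build_ssh_argv(user, host, port, remote_command):
    """Build the argv for an ssh subprocess.

    Every option we control comes first; '--' ends option parsing; the
    host and remote command follow. ssh uses getopt, so a host such as
    '-host.example.com' after '--' is treated as an operand, not a flag.
    """
    argv = ['ssh']
    if port is not None:
        argv += ['-p', str(port)]
    if user is not None:
        argv += ['-l', user]
    argv.append('--')
    argv.append(host)
    argv.append(remote_command)
    return argv


def run_remote(uri, remote_command):
    """Validate the URI, then run ssh as an argv list (no shell involved)."""
    user, host, port, _ = parse_ssh_uri(uri)
    argv = build_ssh_argv(user, host, port, remote_command)
    # shell=False (the default) means argv reaches ssh exactly as built.
    return subprocess.run(argv, check=True)


if __name__ == '__main__':
    # Constructed sample URIs: the first two mimic the malicious shape from
    # the advisory, the third is a legitimate host whose name starts with '-'.
    for sample in ('ssh://-oProxyCommand=curl/repo',
                   'ssh://git@-oProxyCommand=curl$/repo',
                   'ssh://git@-host.example.com:2222/diffusion/X/repo.git'):
        if uri_is_safe(sample):
            user, host, port, path = parse_ssh_uri(sample)
            print('accepted', sample, '->', build_ssh_argv(user, host, port, 'git-upload-pack ' + path))
        else:
            print('rejected', sample)
```

Note that the second defense does not depend on the first: even if a hostname starting with `-` survives parsing, it lands after `--` in argv and so cannot turn into `-oProxyCommand=...`.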
---
//Originally//
Still unrolling this:
https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1466490.html
https://github.com/git/git/commit/4274c698f46a9bc45834c4904e7e113450c042fb