--- a/mercurial/subrepo.py	Wed Mar 16 17:30:26 2016 -0700
+++ b/mercurial/subrepo.py	Sun Mar 20 21:52:21 2016 -0700
@@ -1383,6 +1383,11 @@
         are not supported and very probably fail.
         """
         self.ui.debug('%s: git %s\n' % (self._relpath, ' '.join(commands)))
+        if env is None:
+            env = os.environ.copy()
+        # fix for Git CVE-2015-7545
+        if 'GIT_ALLOW_PROTOCOL' not in env:
+            env['GIT_ALLOW_PROTOCOL'] = 'file:git:http:https:ssh'
         # unless ui.quiet is set, print git's stderr,
         # which is mostly progress and useful info
         errpipe = None