--- a/mercurial/subrepo.py Wed Mar 16 17:30:26 2016 -0700
+++ b/mercurial/subrepo.py Sun Mar 20 21:52:21 2016 -0700
@@ -1383,6 +1383,11 @@
are not supported and very probably fail.
"""
self.ui.debug('%s: git %s\n' % (self._relpath, ' '.join(commands)))
+ if env is None:
+ env = os.environ.copy()
+ # fix for Git CVE-2015-7545
+ if 'GIT_ALLOW_PROTOCOL' not in env:
+ env['GIT_ALLOW_PROTOCOL'] = 'file:git:http:https:ssh'
# unless ui.quiet is set, print git's stderr,
# which is mostly progress and useful info
errpipe = None