hg2git: audit path components during export (CVE-2014-9390) A user recently got confused and managed to track and export a .git directory, which confuses git and causes it to emit very odd errors. For example, cloning one such repository (which has a symlink for .git) produces this output from git: Cloning into 'git'... done. error: Updating '.git' would lose untracked files in it and another (which has a .git directory checked in) produces this: Cloning into 'git'... done. error: Invalid path '.git/hooks/post-update' If it ended there, that'd be fine, but this led to a line of investigation that ended with CVE-2014-9390, so now git will block checking these revisions out, so we should try to prevent foot-shooting on our end. Since some servers (notably github) are blocking trees that contain these entries, default to refusing to export any path component that looks like it folds to .git. Since some histories probably contain this already, we offer an escape hatch via the config option git.blockdotgit that allows users to resume foot-shooting behavior.