More info on the Command Injection issue?

I received an email from Atlassian relating to the Command Injection issue in SourceTree and suggesting an upgrade to the most recent version of SourceTree, as I'm sure all users did.

I am hesitant about upgrading in an Enterprise environment to the newest version for a couple reasons I will not get into here. Is there any information on what exactly the risks are if I stay on a pre-2 version? And is there any way of mitigating those risks other than upgrading?

Much appreciate any responses

1 answer

1 accepted

1 vote
Accepted answer
Gary Sackett Atlassian Team May 10, 2017

Hi Scott,

Please see for more information.

Can you also tell me if you are using the Windows version, or OSX version of SourceTree?


Thanks for the links. I had seen the first one and found it a little vague on what exactly the possible repercussions could be, I will follow up on the latter link though.

I'm using the Windows version.

After following the links I believe I understand the seriousness of the issue. Is there any way of effectively negating the issue in affected versions, such as unlinking the installed Sourcetree from URI association?

Gary Sackett Atlassian Team May 10, 2017

Hey Scott,

Upgrading is the preferred path.  

Alternatively, you can uncheck the option "Use this version of SourceTree for UIR Association" in the Tools/Options/General Tab and remove the following registry key "HKEY_CURRENT_USER\SOFTWARE\Classes\sourcetree\shell\opencommand" - this disables the handling of the "sourcetree://" protocol.

Please note that we do not test on older versions of SourceTree.



Suggest an answer

Log in or Sign up to answer
Community showcase
Published Oct 23, 2018 in Sourcetree

Tip from the team: configure your repos for hosting goodness!

Supported Platforms macOS Windows We recently introduced support for additional hosting services such as GitHub Enterprise, GitLab (Cloud, Community Edition, Enterprise Edition), and...

1,114 views 4 2
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you