Bug report incorrectly originally posted in the forum as When --git-dir is not in --work-tree.

Simple test case:

    joey@darkstar:~/src/git-annex>cd /tmp
    joey@darkstar:/tmp>mkdir foo
    joey@darkstar:/tmp>cd foo
    joey@darkstar:/tmp/foo>git --git-dir=`pwd`/.dotfiles --work-tree=`pwd` init
    Initialized empty Git repository in /tmp/foo/.dotfiles/
    joey@darkstar:/tmp/foo>git --git-dir=`pwd`/.dotfiles --work-tree=`pwd` annex init
    git-annex: Git refuses to operate in this repository,
    probably because it is owned by someone else.

    To add an exception for this directory, call:
            git config --global --add safe.directory /tmp/foo


And --debug shows:

[2022-09-20 14:17:56.238686901] (Utility.Process) process [1284622] read: git ["config","--local","--list"]
[2022-09-20 14:17:56.240836887] (Utility.Process) process [1284622] done ExitFailure 128
[2022-09-20 14:17:56.24107763] (Git.Config) config output: fatal: --local can only be used inside a git repository

So passing --git-dir to that command will make it succeeed. The problem though is that passing --git-dir to that command also bypasses git's fix for CVE-2022-24765. The command would even succeed if the directory were owned by someone else then.

joey@darkstar:/tmp/foo>sudo chown -R root.root .
[sudo] password for joey:
joey@darkstar:/tmp/foo>git --git-dir=`pwd`/.dotfiles config --local --list
joey@darkstar:/tmp/foo>git config --local --list
fatal: --local can only be used inside a git repository

But, if the user runs git-annex with an explicit --git-dir, it's actually ok for git-annex to bypass the CVE-2022-24765 check. Because --git-dir actually bypasses that check.

So, the fix for this seems like it will involve it remembering when the git repo was originally specified using --git-dir (or GIT_DIR), and if so, guardSafeToUseRepo can skip the check, or pass --git-dir to git config --local --list.

fixed --Joey