On Tue, Mar 26, 2013 at 06:20:09PM +0100, demerphq wrote: > Seconded. At $work lots of people started asking anxious questions > about this. It was suggested it is a potential security hole, although > I am not sure I agree, but the general idea being that if you could > manage to set this var in someones environment then they might use git > to do real damage to a system. (The counterargument being that if you > can set that in someones environment you can do worse already... But > im a not a security type so I cant say)
IMHO, that is just silly. Setting GIT_WORK_TREE=/ would be just as destructive. Or GIT_EXTERNAL_DIFF="rm -rf /" (or GIT_PAGER, etc). If there is a danger to the implicit-workdir behavior, it is due to accidental usage, not from a malicious attack. -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
