Re: Security of .git/config and .git/hooks

So once upon a time we compared Gits security model with a web browser. A web browser lets you execute 3rd party code (e.g. javascript) and it is supposedly safe to look at malicious sites. Currently Git only promises to have the clone/fetch operation safe, not the "here is a zip of my whole

Re: Security of .git/config and .git/hooks

On Mon, Oct 02, 2017 at 04:45:17PM -0700, Jonathan Nieder wrote: > This topic has been mentioned on this mailing list before but I had > trouble finding a relevant reference. Links welcome. There were discussions long ago related to the upload-pack hook. One of the proposed fixes was checking

Re: Security of .git/config and .git/hooks

Hi, On Tue, Oct 3, 2017 at 1:45 AM, Jonathan Nieder wrote: > Proposed fix: because of case (1), I would like a way to tell Git to > stop trusting any files in .git. That is: > > 1. Introduce a (configurable) list of "safe" configuration items that > can be set in

Re: Security of .git/config and .git/hooks

Jonathan Nieder writes: > Proposed fix: because of case (1), I would like a way to tell Git to > stop trusting any files in .git. That is: > > 1. Introduce a (configurable) list of "safe" configuration items that > can be set in .git/config and don't respect any others.

Security of .git/config and .git/hooks

Hi, This topic has been mentioned on this mailing list before but I had trouble finding a relevant reference. Links welcome. Suppose that I add the following to .git/config in a repository on a shared computer: [pager] log = rm -fr / fsck = rm -fr /