On Thu, Jan 14, 2010 at 11:31:57PM +0530, Arun Raghavan wrote: > [I'm not on the list, so please CC me on replies] > > Hello, > I noticed that the post-upload hook had been removed in commit > 1456b043fc0f0a395c35d6b5e55b0dad1b6e7acc. The commit message states: > > This hook runs after "git fetch" in the repository the objects are > fetched from as the user who fetched, and has security implications. > > I was wondering if someone could shed some light (or links) on what > security implications this hook has? Because receive-pack runs as the user who is pushing, not as the repository owner. So by convincing you to push to my repository in a multi-user environment, I convince you to run some arbitrary code of mine. -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html