Jeff King <peff@xxxxxxxx> wrote: > On Thu, Jan 14, 2010 at 11:31:57PM +0530, Arun Raghavan wrote: > > [I'm not on the list, so please CC me on replies] > > > > Hello, > > I noticed that the post-upload hook had been removed in commit > > 1456b043fc0f0a395c35d6b5e55b0dad1b6e7acc. The commit message states: > > > > This hook runs after "git fetch" in the repository the objects are > > fetched from as the user who fetched, and has security implications. > > > > I was wondering if someone could shed some light (or links) on what > > security implications this hook has? > > Because receive-pack runs as the user who is pushing, not as the > repository owner. So by convincing you to push to my repository in a > multi-user environment, I convince you to run some arbitrary code of > mine. Uhhh, this was in fetch/upload-pack Peff, not push/receive-pack. Same issue though. -- Shawn. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html