2010/1/15 Shawn O. Pearce <spearce@xxxxxxxxxxx>:
> Jeff King <peff@xxxxxxxx> wrote:
>> On Thu, Jan 14, 2010 at 11:31:57PM +0530, Arun Raghavan wrote:
>> > [I'm not on the list, so please CC me on replies]
>> >
>> > Hello,
>> > I noticed that the post-upload hook had been removed in commit
>> > 1456b043fc0f0a395c35d6b5e55b0dad1b6e7acc. The commit message states:
>> >
>> > This hook runs after "git fetch" in the repository the objects are
>> > fetched from as the user who fetched, and has security implications.
>> >
>> > I was wondering if someone could shed some light (or links) on what
>> > security implications this hook has?
>>
>> Because receive-pack runs as the user who is pushing, not as the
>> repository owner. So by convincing you to push to my repository in a
>> multi-user environment, I convince you to run some arbitrary code of
>> mine.
>
> Uhhh, this was in fetch/upload-pack Peff, not push/receive-pack.
>
> Same issue though.

Ah, got it - thank you!
-- 
Arun Raghavan
http://arunraghavan.net/
(Ford_Prefect | Gentoo) & (arunsr | GNOME)
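One defensive check that follows from the point made in this thread, added here as an example and not code from the thread or from git itself: before fetching from, pushing to or committing in a repository on a shared host, list the executable hooks that belong to some other account, because whatever sits in the hooks directory runs with the privileges of the user invoking git. The function names, the `me` parameter and the constructed temporary repository are this example's own assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Hooks live in <repo>/hooks for a bare repository and in <repo>/.git/hooks
# for a working-tree checkout. Every hook git finds there runs as the user
# who invoked git, not as the owner of the repository.
def hooks_dir(repo):
    bare = Path(repo) / "hooks"
    return bare if bare.is_dir() else Path(repo) / ".git" / "hooks"

def foreign_executable_hooks(repo, me=None):
    """Names of executable, non-sample hooks not owned by uid `me`.

    Anything listed is code another user placed in the repository that would
    execute with *your* privileges as soon as you run git against it. `me`
    defaults to the current uid; it is a parameter (an assumption of this
    example) only so the check can be run for another account or tested."""
    me = os.getuid() if me is None else me
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    found = []
    d = hooks_dir(repo)
    if not d.is_dir():
        return found
    for p in sorted(d.iterdir()):
        if p.suffix == ".sample" or not p.is_file():
            continue  # git ignores *.sample; directories are not hooks
        st = p.stat()
        if st.st_mode & exec_bits and st.st_uid != me:
            found.append(p.name)
    return found

def build_demo_repo():
    """Constructed sample: a bare repo with one live hook and one *.sample hook."""
    repo = Path(tempfile.mkdtemp(prefix="shared-repo-"))
    (repo / "hooks").mkdir()
    for name in ("post-update", "pre-receive.sample"):
        path = repo / "hooks" / name
        path.write_text("#!/bin/sh\necho hook ran as $(id -un)\n")
        path.chmod(0o755)
    return str(repo)

if __name__ == "__main__":
    repo = build_demo_repo()
    # Pretend the hooks were written by an account other than ours (uid -1
    # never matches a real user), then run the check as ourselves.
    print("hooks owned by someone else:", foreign_executable_hooks(repo, me=-1))
    print("flagged when we own them:", foreign_executable_hooks(repo))
```

On a real shared host the check is run against the repository path with no `me` argument; only `post-update` is reported in the demo because `pre-receive.sample` is ignored by git.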