On Fri, Jun 22, 2012 at 3:12 AM, Ivan Kanis <ivan.kanis@xxxxxxxxxxxxxx> wrote:
> I think we found a security flaw with git http smart backend. We are
> running git version 1.0.7.4 on our server. Adding random words after the
> password and the authentication still succeeds.

git http-backend does not handle authentication or authorization. This is handled in your web server. You should consult your web server's documentation, and maybe its configuration files.

> It's very easy to reproduce, say the username is ivan and the password
> is the word secret:
>
> % git pull
> Username: ivan
> Password: secretfoo
> Already up to date.
>
> Pull succeeds although the password is wrong! Can someone try to
> reproduce with a more up to date git server?

Git is freely available under the GPLv2 license. I believe it is possible for you to attempt experiments yourself with more up-to-date versions if you wish.
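Because the credential check lives in the web server rather than in git-http-backend, the thing to verify is whether the server in front of the repository rejects a password with extra characters appended. The following is an added example, not code from the thread or from git: a probe that requests the smart-HTTP ref advertisement (the first request `git pull` makes) with the real password and with a suffixed one, plus a constructed local stand-in server that does the Basic-auth comparison strictly, so the probe can be exercised offline. The credentials, the repository path and the suffix are constructed sample values.

```python
import base64
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def smart_http_status(base_url, user, password):
    """Fetch <repo>/info/refs?service=git-upload-pack with HTTP Basic
    credentials and return the HTTP status code the server answers with."""
    req = urllib.request.Request(base_url.rstrip("/") + "/info/refs?service=git-upload-pack")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 401/403 arrive as exceptions
        return err.code


def server_rejects_suffixed_password(base_url, user, password, suffix="foo"):
    """True only when the real password is accepted (200) and the same
    password with extra characters appended is refused (401)."""
    good = smart_http_status(base_url, user, password)
    bad = smart_http_status(base_url, user, password + suffix)
    return good == 200 and bad == 401


class _StrictBasicAuthHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a web server fronting git-http-backend:
    exact, constant-time comparison of the whole user:password string."""
    credentials = "ivan:secret"  # constructed sample credentials

    def do_GET(self):
        expected = "Basic " + base64.b64encode(self.credentials.encode()).decode()
        presented = self.headers.get("Authorization", "")
        if not hmac.compare_digest(presented.encode(), expected.encode()):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="git"')
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/x-git-upload-pack-advertisement")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the stand-in quiet


def start_local_server():
    """Serve the stand-in on an ephemeral loopback port; returns (base_url, server)."""
    srv = HTTPServer(("127.0.0.1", 0), _StrictBasicAuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}/repo.git", srv
```

Point `server_rejects_suffixed_password` at your own server's repository URL to check it; a `True` result means the front-end rejects the suffixed password, a `False` result means the web server's auth configuration, not git, needs attention.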