Shawn Pearce <spearce@xxxxxxxxxxx> writes:

> On Fri, Jun 22, 2012 at 3:12 AM, Ivan Kanis <ivan.kanis@xxxxxxxxxxxxxx> wrote:
>> I think we found a security flaw with git http smart backend. We are
>> running git version 1.0.7.4 on our server. Adding random words after the
>> password and the authentication still succeeds.
>
> git http-backend does not handle authentication or authorization. This
> is handled in your web server. You should consult your web server's
> documentation, and maybe its configuration files.

Very good advice.

> Git is freely available under the GPLv2 license. I believe it is
> possible for you to attempt experiments yourself with more up-to-date
> versions if you wish.

And the result is very unlikely to change, if the only change between the
earlier experiment and the next one is the vintage of Git used, as the part
that makes the authentication decision is Ivan's webserver and its
configuration, which is not going to change between the two experiments.

I do not recall ever releasing 1.0.7.4, nor having smart http support
before v1.6.6, by the way.
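To make the point of the thread concrete, here is an added illustration (not from this exchange, and not Ivan's configuration) of the kind of web-server stanza that actually decides authentication for a smart-HTTP repository; it assumes Apache httpd with mod_auth_basic, and the repository root, CGI path and htpasswd file are placeholders:

```apache
# Added illustration; the paths and realm name are assumptions.
# git-http-backend only serves the repositories: the AuthType/Require
# block is the component that accepts or rejects the credentials.
SetEnv GIT_PROJECT_ROOT /var/www/git
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/

<Location /git/>
    AuthType Basic
    AuthName "Git repositories"
    # The web server checks credentials against this file, so any
    # surprise about which passwords are accepted is investigated in
    # the server's auth modules and this file, not in git.
    AuthUserFile /etc/httpd/git.htpasswd
    Require valid-user
</Location>
```

Whatever module or backend sits behind AuthType here (a flat htpasswd file, LDAP, PAM) is the place to reproduce and diagnose behaviour like the one reported; changing the Git version on the server does not touch it.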