On 26 March 2013 18:48, Jeff King <peff@xxxxxxxx> wrote:
> On Tue, Mar 26, 2013 at 06:20:09PM +0100, demerphq wrote:
>
>> Seconded. At $work lots of people started asking anxious questions
>> about this. It was suggested it is a potential security hole, although
>> I am not sure I agree, but the general idea being that if you could
>> manage to set this var in someone's environment then they might use git
>> to do real damage to a system. (The counterargument being that if you
>> can set that in someone's environment you can do worse already... But
>> I'm not a security type so I can't say)
>
> IMHO, that is just silly. Setting GIT_WORK_TREE=/ would be just as
> destructive. Or GIT_EXTERNAL_DIFF="rm -rf /" (or GIT_PAGER, etc).
> If there is a danger to the implicit-workdir behavior, it is due to
> accidental usage, not from a malicious attack.

Yeah, that was my line of reasoning too. I'm glad to hear you agree.

cheers
Yves

--
perl -Mre=debug -e "/just|another|perl|hacker/"
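A defensive check in the spirit of the "accidental usage" point above, added here as an example and not part of the thread or of git itself: a POSIX shell function that audits the caller's environment for git variables that relocate the repository or are executed as commands, so a deployment or cron script can refuse to run git under a polluted environment. The variable names are real git environment variables; the severity labels and the "root work tree" rule are this example's own classification.

```shell
#!/bin/sh
# Added example (not from the thread): audit the environment for git
# overrides before running git in a sensitive context.
# Returns 0 when no git override is set, 1 otherwise; findings go to stdout.
git_env_audit() {
    rc=0
    # Variables that move where git reads or writes files.
    for v in GIT_DIR GIT_WORK_TREE GIT_INDEX_FILE GIT_OBJECT_DIRECTORY; do
        eval "val=\${$v-}"
        [ -n "$val" ] || continue
        case "$val" in
            /|//|/.)
                # Exactly the case discussed in the thread: a work tree or
                # repository pointed at the filesystem root.
                printf 'DANGER %s=%s (points at filesystem root)\n' "$v" "$val" ;;
            *)
                printf 'WARN   %s=%s (relocates repository/work tree)\n' "$v" "$val" ;;
        esac
        rc=1
    done
    # Variables whose value git hands to a shell and executes.
    for v in GIT_EXTERNAL_DIFF GIT_PAGER GIT_EDITOR GIT_SSH GIT_SSH_COMMAND GIT_ASKPASS; do
        eval "val=\${$v-}"
        [ -n "$val" ] || continue
        printf 'EXEC   %s=%s (git will run this as a command)\n' "$v" "$val"
        rc=1
    done
    return $rc
}
```

Source the file and call `git_env_audit || exit 1` ahead of the git commands in a script that must not inherit an operator's interactive settings.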