Hi,

On Sat, 10 Feb 2007, Theodore Tso wrote:

> On Sat, Feb 10, 2007 at 09:34:38PM +0100, Johannes Schindelin wrote:
>
> > It made me feel a little uneasy that we can execute _any_ command now,
> > but I can only find one way to exploit this, when an attacker does not
> > have shell access anyway: git-shell.
>
> ... and git-shell only allows git-receive-pack and git-upload-pack to be
> called, with a single argument, and aliases aren't allowed to override
> commands. So we're safe here, I think.

Yes, sorry. I have a modified git-shell, which allows the git wrapper, too, to allow setting the config. I'll just fix it here.

Ciao,
Dscho