Theodore Tso <tytso@xxxxxxx> wrote:
> On Sun, Feb 11, 2007 at 01:44:25PM -0800, Junio C Hamano wrote:
> > Theodore Tso <tytso@xxxxxxx> writes:
> >
> > > ..., I think we're
> > > still safe, since aliases can't override commands.
> >
> > I feel a bit uneasy to hear safety argument based on that
> > current restriction, since we might want to loosen it later.
>
> Loosen which restriction?
>
> 1) The ability for aliases to shadow existing git commands?

This one.

> 2) The ability for untrusted users to make arbitrary changes to the
>    config file?
> 3) The ability for untrusted users to execute arbitrary git commands via
>    git-shell?
>
> You have to loosen at least 2 of the 3 current restrictions before
> the ability to execute shell commands out of aliases becomes a problem
> --- and I would argue that either (2) or (3) are things that we would
> be insane to loosen at least to the point of allowing untrusted users
> to make arbitrary changes to the config or execute arbitrary git
> commands, since even today, they could do a huge amount of damage
> already.

I agree, 2 and 3 are the real issue here, not 1.  1 is only an issue
for scripts which expect the plumbing to behave a certain way, but
doesn't, as the user has aliased the plumbing command.

--
Shawn.
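
Added example, not part of the original thread or of git's own code: a Python audit of alias definitions for the two properties discussed above, aliases that run shell commands (values starting with `!`, git's shell-alias syntax) and aliases whose name matches an existing git command. The sample config text, the `KNOWN_COMMANDS` subset and the function names are constructed for illustration.

```python
# Input format assumed: output of `git config --get-regexp '^alias\.'`,
# i.e. one "alias.<name> <value>" pair per line.

# Constructed sample, not taken from any real repository.
SAMPLE = """\
alias.co checkout
alias.lg log --oneline --graph
alias.visual !gitk
alias.rev-parse !echo shadowed
alias.log log --stat
"""

# Illustrative subset of git command names (assumption: a real audit
# would use the full list, e.g. from `git help -a`).
KNOWN_COMMANDS = {"checkout", "commit", "log", "rev-parse",
                  "cat-file", "update-ref"}


def parse_aliases(text):
    """Return {alias_name: value} from get-regexp style output."""
    aliases = {}
    for line in text.splitlines():
        if not line.startswith("alias."):
            continue
        key, _, value = line.partition(" ")
        # Alias names are case-insensitive config variables.
        aliases[key[len("alias."):].lower()] = value.strip()
    return aliases


def audit(text, commands=KNOWN_COMMANDS):
    """Return (name, runs_shell, shadows_command) for each flagged alias."""
    findings = []
    for name, value in parse_aliases(text).items():
        runs_shell = value.startswith("!")   # alias executes a shell command
        shadows = name in commands           # alias name collides with a command
        if runs_shell or shadows:
            findings.append((name, runs_shell, shadows))
    return findings


if __name__ == "__main__":
    for name, runs_shell, shadows in audit(SAMPLE):
        print(f"{name}: shell={runs_shell} shadows_command={shadows}")
```

An alias flagged on both counts is the case a script relying on plumbing behaviour would care about most.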