LE Manh Cuong <cuong.manhle.vn@xxxxxxxxx> writes: > It's not only people shooting their foot, but also from malicious user. > Given that `curl url | sudo sh/bash` is often found in many instructions, > an end user may not be noticed about the environment variable injection > from their side. > > IMHO, it's better if git can protect the end users in this situation. Huh? For those who run `curl url | sudo sh`, I do not think the incoming script setting and exporting LV to an arbitrary value and runing Git is not the top thing they need worry about. While I think enclosing the string in dq is an improvement (as I said already), I still do think your use of the v-word is making a mountain out of an anthill. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html