Derrick Stolee <stolee@xxxxxxxxx> writes:

> Config options to consider stripping out:
>
> *url*
> *pass* (anything "password" but also "sendmail.smtppass")

Blacklisting?  I wonder if users feel safer if these are limited to
known-benign ones.

>> + echo "[Configured Hooks]"
>> + find "$GIT_DIR/hooks/" -type f | grep -v "\.sample$" | print_filenames_and_content
>> + echo
>
> Remove the sample hooks, but focus on the others. Will this look like garbage if a hook
> is a binary file?

This makes me feel very nervous.  $GIT_DIR/hooks/ are private and
people can hardcode credentials in them; $GIT_DIR/hooks/pre-foo may
be written to read from $GIT_DIR/hooks/mypassword with the knowledge
that there won't be any "mypassword" hook.
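Review bot: the `find "$GIT_DIR/hooks/" -type f | grep -v "\.sample$" | print_filenames_and_content` line in the "[Configured Hooks]" hunk dumps the full body of every non-sample file under the hooks directory into the report, which is exactly where hard-coded credentials or a helper file like the "mypassword" file mentioned above would live; consider emitting only file names (plus size or mode) and making content dumps an explicit opt-in. Two smaller points on the same line: `find` without `-maxdepth 1` also descends into any subdirectories, which git never runs as hooks, and a binary hook would be written out raw since nothing checks for non-text content before printing.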
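As an added example (not code from the patch under discussion nor from git itself), here is the kind of content-free hooks summary the thread argues for: it lists each non-sample hook with its size, executable bit and a text/binary classification, and reports only a count of credential-looking lines rather than the lines themselves. It assumes a POSIX sh with `find -maxdepth`, `head -c` and `grep -E` available, and takes the hooks directory as its argument.

```shell
#!/bin/sh
# Added example: summarise a git hooks directory for a bug report
# without dumping hook contents.  Hypothetical helper, not git's own.
summarize_hooks() {
    hooks_dir=$1
    [ -d "$hooks_dir" ] || { echo "no hooks directory: $hooks_dir"; return 1; }
    # Only direct children: git does not run hooks from subdirectories,
    # but a bare "find -type f" would descend into them anyway.
    find "$hooks_dir" -maxdepth 1 -type f ! -name '*.sample' \
      | LC_ALL=C sort | while IFS= read -r f; do
        name=${f##*/}
        size=$(wc -c < "$f" | tr -d ' ')
        if [ -x "$f" ]; then mode=exec=yes; else mode=exec=no; fi
        # Anything with non-printable bytes in its first 512 bytes is
        # treated as binary and never inspected further.
        nonprint=$(head -c 512 "$f" | LC_ALL=C tr -d '[:print:][:space:]' \
                   | wc -c | tr -d ' ')
        if [ "$nonprint" -gt 0 ]; then kind=binary; else kind=text; fi
        # Count, but do not print, lines that look like embedded credentials;
        # "|| true" keeps grep's exit status 1 (no match) from aborting under set -e.
        if [ "$kind" = text ]; then
            secrets=$(LC_ALL=C grep -c -i -E \
                '(password|passwd|secret|token)[[:space:]]*[=:]' "$f" || true)
        else
            secrets=n/a
        fi
        printf '%s\tsize=%s\t%s\t%s\tcredential-like-lines=%s\n' \
            "$name" "$size" "$mode" "$kind" "$secrets"
    done
}
```

Running `summarize_hooks "$GIT_DIR/hooks"` yields one tab-separated line per hook, so a maintainer still learns which hooks exist and roughly what they are, while the report never carries a secret.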