"Johannes Schindelin via GitGitGadget" <gitgitgadget@xxxxxxxxx>
writes:
> What the added protection did not anticipate is that such a
> repository-local `core.hooksPath` can not only be used to point to
> maliciously-placed scripts in the current worktree, but also to
> _prevent_ hooks from being called altogether.
> ...
> diff --git a/t/t1350-config-hooks-path.sh b/t/t1350-config-hooks-path.sh
> index f6dc83e2aab..1eae346a6e3 100755
> --- a/t/t1350-config-hooks-path.sh
> +++ b/t/t1350-config-hooks-path.sh
> @@ -41,4 +41,8 @@ test_expect_success 'git rev-parse --git-path hooks' '
> test .git/custom-hooks/abc = "$(cat actual)"
> '
>
> +test_expect_success 'core.hooksPath=/dev/null' '
> + git clone -c core.hooksPath=/dev/null . no-templates
> +'
Is it sufficient that the command exits with 0? I am wondering if
we want to verify that the resulting repository looks like it
should, e.g., with
v=$(git -C no-templates config --local --get core.hookspath) &&
test "$v" = /dev/null
or something silly like that.
