* Jason A. Donenfeld <[email protected]> [2012-11-01]:
> 1. If PATH is controlled by an attacker, it's already game over, regardless
> of this script.
> 2. Using `which` doesn't make sense, since in a shell script you just call
> it by the name, and then it searches path.
> 3. Gitolite is frequently installed just in a home directory, in the case
> of shared hosting, not globally in /usr or /usr/local.
> 4. So, the best way is just to call gitolite by typing "gitolite"

The intention of the script is to be an example of how things *could* be
done. Depending on how your setup is configured, you need to patch this
script anyway. For example: the REMOTE_USER environment variable must be
matched with how you authenticate in your webserver. Therefore I don't
see any value in trying to make the script as generic as possible. I
could, of course, replace the "${prog}" with just gitolite if that's what
people prefer.

V-


_______________________________________________
cgit mailing list
[email protected]
http://hjemli.net/mailman/listinfo/cgit
