In case anyone hasn't seen it yet, today's Bash vulnerability (CVE-2014-6271) [0] may affect CGit servers.
I don't believe CGit in its default configuration will cause a shell to be executed, but if you configure a filter then you may well be causing a shell to be executed with the environment of the cgit process, which will include user-specified variables such as the HTTP User-Agent header. The example syntax-highlighting.sh, about-formatting.sh and commit-links.sh are vulnerable if /bin/sh on your system is a vulnerable version of Bash. I confirmed that I can echo arbitrary content from the User-Agent header into the response on a CGit server I run which has custom filters installed. [0] http://seclists.org/oss-sec/2014/q3/650 _______________________________________________ CGit mailing list [email protected] http://lists.zx2c4.com/mailman/listinfo/cgit
