Junio C Hamano <gits...@pobox.com> writes:
> I am inclined to say that it has no security implications. You have
> to be able to write a bogus loose object in an object store you
> already have write access to in the first place, in order to cause
> this ...

Note that you could social-engineer others to fetch from you and
feed a small enough update that results in loose objects created in
their repositories, without you having direct write access to the
The codepath under discussion in this thread however cannot be used
as an attack vector via that route, because the "fetch from
elsewhere" codepath runs verification of the incoming data stream
before storing the results (either in loose object files, or in a
packfile) on disk.