Derrick Stolee <sto...@gmail.com> writes:

> Config options to consider stripping out:
>
>       *url*
>       *pass* (anything "password" but also "sendmail.smtppass")

Blacklisting?  I wonder if users feel safer if these are limited to
known-benign ones.

>> +    echo "[Configured Hooks]"
>> +    find "$GIT_DIR/hooks/" -type f | grep -v "\.sample$" | 
>> print_filenames_and_content
>> +    echo
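
Review bot: on the `find "$GIT_DIR/hooks/" -type f` line, every regular file under the hooks directory except `*.sample` is passed to `print_filenames_and_content`, so files that are not hooks at all get the same treatment as real hooks. Consider reporting only the names of the hooks and leaving their contents out. The pipeline is also newline-delimited, so a file name containing a newline would be split by `grep` before it reaches `print_filenames_and_content`.
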
>
> Remove the sample hooks, but focus on the others. Will this look like garbage
> if a hook is a binary file?

This makes me feel very nervous.  $GIT_DIR/hooks/ are private and
people can hardcode credentials in them; $GIT_DIR/hooks/pre-foo may
be written to read from $GIT_DIR/hooks/mypassword with the knowledge
that there won't be any "mypassword" hook.
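
An added example, not part of the original message or the proposed patch: the two filtering approaches discussed above, run over a constructed `git config --list` sample. The function names, the sample values and the allowlisted keys are assumptions chosen for illustration.

```shell
#!/bin/sh
# Constructed sample in `git config --list` format (key=value per line).
sample_config() {
cat <<'EOF'
core.autocrlf=false
user.name=A Developer
remote.origin.url=https://user:CONSTRUCTED@example.invalid/repo.git
sendmail.smtppass=CONSTRUCTED-PASSWORD
http.extraheader=Authorization: Bearer CONSTRUCTED-TOKEN
credential.helper=store --file /home/dev/.creds
gc.auto=256
EOF
}

# Denylist as proposed in the thread: drop keys matching *url* or *pass*.
filter_denylist() {
    while IFS= read -r line; do
        key=${line%%=*}            # text before the first '='
        case $key in
            *url*|*pass*) ;;       # stripped
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Allowlist: emit only keys known to be benign (hypothetical list).
# Lines without a recognised key, such as the continuation of a
# multi-line value, are dropped as well.
filter_allowlist() {
    while IFS= read -r line; do
        key=${line%%=*}
        case $key in
            core.autocrlf|core.filemode|gc.auto|pack.threads)
                printf '%s\n' "$line" ;;
        esac
    done
}

echo "== denylist output =="
sample_config | filter_denylist
echo "== allowlist output =="
sample_config | filter_allowlist
```

The denylist output still contains `http.extraheader` and `credential.helper`, which match neither pattern; the allowlist output contains only `core.autocrlf` and `gc.auto`.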
