On Tue, Mar 26, 2013 at 06:20:09PM +0100, demerphq wrote:
> Seconded. At $work lots of people started asking anxious questions
> about this. It was suggested it is a potential security hole, although
> I am not sure I agree, but the general idea being that if you could
> manage to set this var in someone's environment then they might use git
> to do real damage to a system. (The counterargument being that if you
> can set that in someone's environment you can do worse already... But
> I'm not a security type so I can't say)
IMHO, that is just silly. Setting GIT_WORK_TREE=/ would be just as
destructive. Or GIT_EXTERNAL_DIFF="rm -rf /" (or GIT_PAGER, etc).
If there is a danger to the implicit-workdir behavior, it is due to
accidental usage, not from a malicious attack.