On 26 March 2013 18:48, Jeff King <p...@peff.net> wrote:
> On Tue, Mar 26, 2013 at 06:20:09PM +0100, demerphq wrote:
>> Seconded. At $work lots of people started asking anxious questions
>> about this. It was suggested it is a potential security hole, although
>> I am not sure I agree, but the general idea being that if you could
>> manage to set this var in someones environment then they might use git
>> to do real damage to a system. (The counterargument being that if you
>> can set that in someones environment you can do worse already... But
>> im a not a security type so I cant say)
> IMHO, that is just silly. Setting GIT_WORK_TREE=/ would be just as
> destructive. Or GIT_EXTERNAL_DIFF="rm -rf /" (or GIT_PAGER, etc).
> If there is a danger to the implicit-workdir behavior, it is due to
> accidental usage, not from a malicious attack.

Yeah, that was my line of reasoning too. I'm glad to hear you agree.


perl -Mre=debug -e "/just|another|perl|hacker/"
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to