> 2013/10/26 Bryan Turner <btur...@atlassian.com>:
> > No, the .git/hooks directory in your clone is created from your local
> > templates, installed with your Git distribution, not the remote hooks.
> > On Linux distributions, these templates are often in someplace like
> > /usr/share/git-core/templates (for normal packages), and on Windows
> > with msysgit they are in share\git-core\templates under your
> > installation directory. If you look in this directory you will see a
> > hooks directory containing the sample hooks.
> > Hooks from a remote repository are never cloned. As far as I'm aware,
> > nothing from the .git directory (aside from refs and packs, of course)
> > is cloned, including configuration. Your .git directory after a clone
> > is completely new, assembled from scratch. There's nothing in the Git
> > wire protocol (currently) for moving other data like configuration or
> > hooks, and this sort of malicious code injection is one of the reasons
> > I've seen discussed on the list for why that's the case.
> > Hope this helps,
> > Bryan Turner
> > On 26 October 2013 09:25, Olivier Revollat <revol...@gmail.com> wrote:
> >> But when someone do a "clone" he don't have .git/hooks directory
> >> downloaded to his local computer ? I thought so ...
> >> 2013/10/26 Junio C Hamano <gits...@pobox.com>:
> >> > Olivier Revollat <revol...@gmail.com> writes:
> >> >
> >> >> I was wondering : What if I had a "malicious" GIT repository who can
> >> >> "inject" code via git hooks mechanism : someone clone my repo and
> >> >> some malicious code is executed when a certain GIT hook is triggered
> >> >> (for example on commit ("prepare-commit-msg' hook))
> >> >
> >> > In that somebody else's clone, you will not have _your_ malicious
> >> > hook installed, unless that cloner explicitly does something stupid,
> >> > like copying that malicious hook.
Also copying hooks is relatively low risk, real hackers hide exploits in
1MB configure scripts.
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html