
Re: Security of .git/config and .git/hooks


On Tue, Oct 3, 2017 at 1:45 AM, Jonathan Nieder <jrnieder@xxxxxxxxx> wrote:

> Proposed fix: because of case (1), I would like a way to tell Git to
> stop trusting any files in .git.  That is:
>  1. Introduce a (configurable) list of "safe" configuration items that
>     can be set in .git/config and don't respect any others.

Maybe we can already add a --list-security or --check-security or
--unsafe to `git config` to list the unsafe options and their values
as well as the active hooks, so that admins/users can already easily
take a quick look at the config before they start playing with a
potentially unsafe repo.
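
An added example, not part of the original message and not a Git feature: a shell sketch of the kind of check suggested above, which lists command-running config keys and active hooks in a repository before working in it. The key list and the function names (`flag_config`, `active_hooks`, `audit_repo`) are illustrative assumptions; Git defines no such "unsafe" list.

```shell
#!/bin/sh
# Added example: audit a repository's local config and hooks.
# UNSAFE_KEYS is an assumed, illustrative list, not one defined by Git.
# Keys are matched as `git config --list` prints them (section and
# variable names lowercased). The pattern over-flags rather than misses.
UNSAFE_KEYS='^(core\.(pager|editor|sshcommand|askpass|gitproxy|fsmonitor|hookspath)|sequence\.editor|diff\.external|diff\..*\.(textconv|command)|filter\..*\.(clean|smudge|process)|merge\..*\.driver|alias\..*|pager\..*|credential\.(.*\.)?helper|gpg\.(.*\.)?program|include\.path|includeif\..*\.path)='

# Read "key=value" lines on stdin and print only the flagged ones.
flag_config() {
    grep -E "$UNSAFE_KEYS" || true
}

# Print the hooks Git would run from <gitdir>/hooks: executable files
# whose names do not end in .sample.
active_hooks() {
    for h in "$1"/hooks/*; do
        [ -f "$h" ] && [ -x "$h" ] || continue
        case "$h" in *.sample) continue ;; esac
        printf '%s\n' "${h##*/}"
    done
}

# Audit one repository. --file makes git parse the file as plain data
# (include directives are not followed by default in this mode).
audit_repo() {
    gitdir="$1/.git"
    echo "== flagged config in $gitdir/config"
    git config --file "$gitdir/config" --list | flag_config
    echo "== active hooks in $gitdir/hooks"
    active_hooks "$gitdir"
}

# Usage: sh audit.sh /path/to/repo
if [ "$#" -gt 0 ]; then audit_repo "$1"; fi
```

If `core.hookspath` appears in the flagged output, the hooks Git would run live in that directory rather than in `.git/hooks`, so it needs the same inspection.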