Re: Security of .git/config and .git/hooks
- Date: Tue, 3 Oct 2017 12:59:58 +0200
- From: Christian Couder <christian.couder@xxxxxxxxx>
- Subject: Re: Security of .git/config and .git/hooks
On Tue, Oct 3, 2017 at 1:45 AM, Jonathan Nieder <jrnieder@xxxxxxxxx> wrote:
> Proposed fix: because of case (1), I would like a way to tell Git to
> stop trusting any files in .git. That is:
> 1. Introduce a (configurable) list of "safe" configuration items that
> can be set in .git/config and don't respect any others.
Maybe we can already add a --list-security or --check-security or
--unsafe to `git config` to list the unsafe options and their values
as well as the active hooks, so that admins/users can already easily
take a quick look at the config before they start playing with a
potentially unsafe repo.
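
The kind of check suggested in this message can be approximated today with a small script. This is an added example, not part of the original thread or of Git itself. The function names and the key list are assumptions made here, and the key list is a non-exhaustive selection of settings whose values Git runs as commands or that point it at other config or hook files.

```shell
#!/bin/sh
# Added example: approximates the "git config --check-security" idea.
# UNSAFE_KEYS is an assumed, non-exhaustive list; extend it for your Git version.
# Keys are matched in the normalized form printed by `git config --list`.
UNSAFE_KEYS='^(core\.(pager|editor|sshcommand|fsmonitor|hookspath|askpass)|sequence\.editor|diff\.external|gpg\.program|include\.path|includeif\.[^=]*\.path|credential(\.[^=]*)?\.helper|pager\.[^=]*|alias\.[^=]*|diff\.[^=]*\.(textconv|command)|filter\.[^=]*\.(clean|smudge|process)|merge\.[^=]*\.driver|remote\.[^=]*\.(uploadpack|receivepack))='

# Reads "key=value" lines on stdin and prints only those whose key
# matches UNSAFE_KEYS. Prints nothing (and succeeds) if none match.
filter_unsafe_config() {
    grep -Ei "$UNSAFE_KEYS" || true
}

# Prints the hooks Git would run from directory $1: regular, executable
# files whose names do not end in ".sample".
list_active_hooks() {
    for hook in "$1"/*; do
        [ -f "$hook" ] && [ -x "$hook" ] || continue
        case "$hook" in *.sample) continue ;; esac
        printf '%s\n' "$hook"
    done
}

# Audits the repository at $1. `git config --file` reads only the named
# file, so the repository's own settings are listed but not acted on.
check_repo() {
    gitdir="$1/.git"
    echo "== command-running settings in $gitdir/config =="
    git config --file "$gitdir/config" --list | filter_unsafe_config
    echo "== active hooks in $gitdir/hooks =="
    list_active_hooks "$gitdir/hooks"
}

# Usage: sh check-repo.sh /path/to/untrusted/clone
if [ "$#" -gt 0 ]; then check_repo "$1"; fi
```

If `core.hookspath` appears in the output, the hooks Git runs live in that directory rather than in `.git/hooks`, so inspect that directory as well.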