diff options
| author | Johannes Schindelin <johannes.schindelin@gmx.de> | 2024-04-10 22:10:06 +0200 |
|---|---|---|
| committer | Johannes Schindelin <johannes.schindelin@gmx.de> | 2024-04-19 12:38:54 +0200 |
| commit | e5e6663e69e4fddcf10f69fc4278632482e1889a (patch) | |
| tree | 81c1e92b4d465a11878015b47e050179fc11c7de /Documentation/git.txt | |
| parent | 3c2a3fdc388747b9eaf4a4a4f2035c1c9ddb26d0 (diff) | |
| parent | 1f2e64e22dee75db96b92d526d14003ba59a154e (diff) | |
| download | git-e5e6663e69e4fddcf10f69fc4278632482e1889a.tar.gz | |
Sync with 2.43.4
* maint-2.43: (40 commits)
Git 2.43.4
Git 2.42.2
Git 2.41.1
Git 2.40.2
Git 2.39.4
fsck: warn about symlink pointing inside a gitdir
core.hooksPath: add some protection while cloning
init.templateDir: consider this config setting protected
clone: prevent hooks from running during a clone
Add a helper function to compare file contents
init: refactor the template directory discovery into its own function
find_hook(): refactor the `STRIP_EXTENSION` logic
clone: when symbolic links collide with directories, keep the latter
entry: report more colliding paths
t5510: verify that D/F confusion cannot lead to an RCE
submodule: require the submodule path to contain directories only
clone_submodule: avoid using `access()` on directories
submodules: submodule paths must not contain symlinks
clone: prevent clashing git dirs when cloning submodule in parallel
t7423: add tests for symlinked submodule directories
...
Diffstat (limited to 'Documentation/git.txt')
| -rw-r--r-- | Documentation/git.txt | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/Documentation/git.txt b/Documentation/git.txt index 0d25224c96..fbc0c02281 100644 --- a/Documentation/git.txt +++ b/Documentation/git.txt @@ -1049,6 +1049,37 @@ The index is also capable of storing multiple entries (called "stages") for a given pathname. These stages are used to hold the various unmerged version of a file when a merge is in progress. +SECURITY +-------- + +Some configuration options and hook files may cause Git to run arbitrary +shell commands. Because configuration and hooks are not copied using +`git clone`, it is generally safe to clone remote repositories with +untrusted content, inspect them with `git log`, and so on. + +However, it is not safe to run Git commands in a `.git` directory (or +the working tree that surrounds it) when that `.git` directory itself +comes from an untrusted source. The commands in its config and hooks +are executed in the usual way. + +By default, Git will refuse to run when the repository is owned by +someone other than the user running the command. See the entry for +`safe.directory` in linkgit:git-config[1]. While this can help protect +you in a multi-user environment, note that you can also acquire +untrusted repositories that are owned by you (for example, if you +extract a zip file or tarball from an untrusted source). In such cases, +you'd need to "sanitize" the untrusted repository first. + +If you have an untrusted `.git` directory, you should first clone it +with `git clone --no-local` to obtain a clean copy. Git does restrict +the set of options and hooks that will be run by `upload-pack`, which +handles the server side of a clone or fetch, but beware that the +surface area for attack against `upload-pack` is large, so this does +carry some risk. The safest thing is to serve the repository as an +unprivileged user (either via linkgit:git-daemon[1], ssh, or using +other tools to change user ids). See the discussion in the `SECURITY` +section of linkgit:git-upload-pack[1]. + FURTHER DOCUMENTATION --------------------- |