author: Junio C Hamano <gitster@pobox.com> 2024-05-14 07:53:46 -0700
committer: Junio C Hamano <gitster@pobox.com> 2024-05-14 07:53:46 -0700
commit: 81632a6851a67a669f4118f317c4c317597f3580
tree: d2134236e1e1eeac75b067ffea4f230cae79baa8 /git.html
parent: 1365ca3bda21f91694f354abdb3459692fcbcf1c
Autogenerated HTML docs for v2.45.1-145-g83f1a
Diffstat (limited to 'git.html')
-rw-r--r-- git.html 31
1 files changed, 30 insertions, 1 deletions
diff --git a/git.html b/git.html
index 4cd8a76fb..27e2c2819 100644
--- a/git.html
+++ b/git.html
@@ -3817,6 +3817,35 @@ unmerged version of a file when a merge is in progress.</p></div>
</div>
</div>
<div class="sect1">
+<h2 id="_security">SECURITY</h2>
+<div class="sectionbody">
+<div class="paragraph"><p>Some configuration options and hook files may cause Git to run arbitrary
+shell commands. Because configuration and hooks are not copied using
+<code>git clone</code>, it is generally safe to clone remote repositories with
+untrusted content, inspect them with <code>git log</code>, and so on.</p></div>
+<div class="paragraph"><p>However, it is not safe to run Git commands in a <code>.git</code> directory (or
+the working tree that surrounds it) when that <code>.git</code> directory itself
+comes from an untrusted source. The commands in its config and hooks
+are executed in the usual way.</p></div>
+<div class="paragraph"><p>By default, Git will refuse to run when the repository is owned by
+someone other than the user running the command. See the entry for
+<code>safe.directory</code> in <a href="git-config.html">git-config(1)</a>. While this can help protect
+you in a multi-user environment, note that you can also acquire
+untrusted repositories that are owned by you (for example, if you
+extract a zip file or tarball from an untrusted source). In such cases,
+you&#8217;d need to "sanitize" the untrusted repository first.</p></div>
+<div class="paragraph"><p>If you have an untrusted <code>.git</code> directory, you should first clone it
+with <code>git clone --no-local</code> to obtain a clean copy. Git does restrict
+the set of options and hooks that will be run by <code>upload-pack</code>, which
+handles the server side of a clone or fetch, but beware that the
+surface area for attack against <code>upload-pack</code> is large, so this does
+carry some risk. The safest thing is to serve the repository as an
+unprivileged user (either via <a href="git-daemon.html">git-daemon(1)</a>, ssh, or using
+other tools to change user ids). See the discussion in the <code>SECURITY</code>
+section of <a href="git-upload-pack.html">git-upload-pack(1)</a>.</p></div>
+</div>
+</div>
+<div class="sect1">
<h2 id="_further_documentation">FURTHER DOCUMENTATION</h2>
<div class="sectionbody">
<div class="paragraph"><p>See the references in the "description" section to get started
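Review bot: the fourth added paragraph ("you should first clone it with `git clone --no-local`") does not say where that command is meant to be run from, while the second paragraph states that running Git commands in an untrusted `.git` directory or its surrounding working tree is not safe. A reader following both could reasonably be unsure whether the sanitizing clone itself counts as one of those commands. Suggest adding one sentence, or a short example invocation, that names the untrusted directory as the source argument and a fresh directory as the destination, and says explicitly whether the current directory matters. A smaller point in the same region: the third paragraph puts "sanitize" in quotes before the procedure is introduced in the fourth, so a forward pointer such as "(see below)" would help; and the same paragraph's advice to "serve the repository as an unprivileged user" lists git-daemon(1), ssh, "or using other tools to change user ids" without saying which of these applies to the local tarball case the previous paragraph sets up.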
@@ -3879,7 +3908,7 @@ the Git Security mailing list &lt;<a href="mailto:git-security@googlegroups.com"
<div id="footer">
<div id="footer-text">
Last updated
- 2024-03-25 17:24:49 PDT
+ 2024-05-14 07:52:20 PDT
</div>
</div>
</body>
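Review bot: the `Last updated` line in the footer writes the time as `2024-05-14 07:52:20 PDT`, using a zone abbreviation rather than a numeric offset, and it is the only change in this hunk. Zone abbreviations are ambiguous outside the builder's locale; a UTC or numeric-offset form would be easier to compare against the commit timestamps. If this value is the generation time rather than the source's last-change time, it would also be worth saying so in the footer, since readers may take it as the date the new SECURITY text was written.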