Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
git push --receive-pack option gives the flexibility of running git-receive-pack not in $PATH.
But it is also a security vulnerability, as it can run any other commands as well.
How can I prevent a user from hacking the server by specifying --receive-pack?
Similarly, how can I avoid the vulnerability from git pull --upload-pack?
Through https or ssh, you can add an authorization layer like gitolite between your git request (push/pull) and git itself.
For ssh, it will use the ssh forced-command mechanism to intercept all commands, rejecting non-git ones.
Its
gitolite-shellwill parse the command, and extract the repo name, callinggit-upload-pack|git-receive-packwithout taking into account the Path to the git-receive-pack program.