[PATCHv4 2/2] Helper script to interface to gitolite

Valentin Haenel valentin.haenel at gmx.de
Thu Nov 1 09:58:57 CET 2012


* Jason A. Donenfeld <Jason at zx2c4.com> [2012-11-01]:
> 1. If PATH is controlled by an attacker, it's already game over, regardless
> of this script.
> 2. Using `which` doesn't make sense, since in a shell script you just call
> it by the name, and then it searches path.
> 3. Gitolite is frequently installed just in a home directory, in the case
> of shared hosting, not globally in /usr or /usr/local.
> 4. So, the best way is just to call gitolite by typing "gitolite"

The intention of the script is to be an example of how things *could* be
done. Depending on how your setup is configured, you need to patch this
script anyway. For example: the REMOTE_USER environment variable must be
matched with how you authenticate in your webserver. Therefore I don't
see any value in trying to make the script as generic as possible. I
could, of course, replace the "${prog}" with just gitolite if that's what
people prefer.

V-




