List: git
Subject: Re: security flaw with smart http
From: Ivan Kanis <ivan.kanis () googlemail ! com>
Date: 2012-06-28 7:35:23
Message-ID: 87obo3j3d0.fsf () visionobjects ! com
Junio C Hamano <gitster@pobox.com> wrote:
> Shawn Pearce <spearce@spearce.org> writes:
>
>> On Fri, Jun 22, 2012 at 3:12 AM, Ivan Kanis <ivan.kanis@googlemail.com> wrote:
>>> I think we found a security flaw with git http smart backend. We are
>>> running git version 1.0.7.4 on our server. Adding random words after the
>>> password and the authentication still succeeds.
>>
>> git http-backend does not handle authentication or authorization. This
>> is handled in your web server. You should consult your web server's
>> documentation, and maybe its configuration files.
>
> Very good advice.

In case someone is reading this thread, I confirm the problem comes from
Apache.
--
Ivan Kanis, Release Manager, Vision Objects,
Evil is a mule: it is stubborn and sterile.
-- Victor Hugo