List:       git
Subject:    Re: security flaw with smart http
From:       Ivan Kanis <ivan.kanis () googlemail ! com>
Date:       2012-06-28 7:35:23
Message-ID: 87obo3j3d0.fsf () visionobjects ! com

Junio C Hamano <gitster@pobox.com> wrote:

> Shawn Pearce <spearce@spearce.org> writes:
>
>> On Fri, Jun 22, 2012 at 3:12 AM, Ivan Kanis <ivan.kanis@googlemail.com> wrote:
>>> I think we found a security flaw with git http smart backend. We are
>>> running git version 1.0.7.4 on our server. Adding random words after the
>>> password and the authentication still succeeds.
>>
>> git http-backend does not handle authentication or authorization. This
>> is handled in your web server. You should consult your web server's
>> documentation, and maybe its configuration files.
>
> Very good advice.

In case someone is reading this thread I confirm the problem comes from
Apache.
-- 
Ivan Kanis, Release Manager, Vision Objects,

Evil is a mule: it is stubborn and sterile.
    -- Victor Hugo