From mboxrd@z Thu Jan 1 00:00:00 1970
From: valentin.haenel at gmx.de (Valentin Haenel)
Date: Thu, 1 Nov 2012 09:58:57 +0100
Subject: [PATCHv4 2/2] Helper script to interface to gitolite
In-Reply-To:
References: <1351709440-29185-1-git-send-email-valentin.haenel@gmx.de> <1351709556-29355-2-git-send-email-valentin.haenel@gmx.de> <20121101030301.GA28025@neptune.phub.net.cable.rogers.com> <20121101032356.GA29338@sir-slippy>
Message-ID: <20121101085857.GE31961@kudu.in-berlin.de>

* Jason A. Donenfeld [2012-11-01]:
> 1. If PATH is controlled by an attacker, it's already game over, regardless
> of this script.
> 2. Using `which` doesn't make sense, since in a shell script you just call
> it by the name, and then it searches path.
> 3. Gitolite is frequently installed just in a home directory, in the case
> of shared hosting, not globally in /usr or /usr/local.
> 4. So, the best way is just to call gitolite by typing "gitolite"

The intention of the script is to be an example of how things *could* be
done. Depending on how your setup is configured, you need to patch this
script anyway. For example: the REMOTE_USER environment variable must be
matched with how you authenticate in your webserver. Therefore I don't
see any value in trying to make the script as generic as possible.

I could, of course, replace the "${prog}" with just gitolite if that's
what people prefer.

V-