| ▲ | HenriTEL a day ago | |
So they had a security-critical header whose fields are set by their internal authentication service. And that same field can also contain arbitrary strings passed by the end user with git push -o. I know it's easy to say after the fact, but still, wtf | ||
| ▲ | melozo 19 hours ago | parent [-] | |
Yeah I’m struggling to understand why the same header field would be used for git options in the first place. Why ever allow users to modify that specific header? | ||