Use HTTPS for manual git clone to avoid MITM #6043
Merged
The git:// transport is completely unauthenticated. An attacker on the local or upstream network can easily man-in-the-middle an oh-my-zsh update and get remote code execution on your system. Only the https:// git transport should be used.
Also note that the git:// transport uses a port (tcp/9418) that's often blocked in company or university firewalls, while https:// usually just works.
Good thinking. Thanks!
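Added example, not part of the pull request or the oh-my-zsh code base: a POSIX shell audit that reads `git remote -v` output, flags remotes still on the unauthenticated git:// transport described above, and suggests the https:// form. It goes slightly beyond the thread by also flagging plain http://; the host, repository path and function names are hypothetical, and the sample input is constructed.

```shell
# Added example (not from the PR): flag remotes on unauthenticated transports.

# Classify a remote URL by transport.
transport_of() {
    case "$1" in
        git://*)       echo git ;;    # unauthenticated, tcp/9418
        https://*)     echo https ;;
        http://*)      echo http ;;   # plaintext, also unauthenticated
        ssh://*|*@*:*) echo ssh ;;    # ssh:// or scp-style user@host:path
        *)             echo other ;;
    esac
}

# Suggest an https:// URL. Assumes the server serves the same path over HTTPS.
to_https() {
    case "$1" in
        git://*)
            _rest=${1#git://}
            _host=${_rest%%/*}
            case "$_rest" in */*) _path=/${_rest#*/} ;; *) _path= ;; esac
            echo "https://${_host%:9418}$_path" ;;
        http://*) echo "https://${1#http://}" ;;
        *)        echo "$1" ;;
    esac
}

# Read `git remote -v` lines on stdin; print findings, return 1 if any.
audit_remotes() {
    _found=0
    while read -r _name _url _kind; do
        case "$(transport_of "$_url")" in
            git|http)
                echo "INSECURE $_name $_kind $_url -> $(to_https "$_url")"
                _found=1 ;;
        esac
    done
    return "$_found"
}

# Constructed sample in `git remote -v` format (hypothetical host and repo).
sample_remotes() {
    printf '%s\t%s %s\n' \
        origin git://git.example.org/team/dotfiles.git '(fetch)' \
        origin git://git.example.org/team/dotfiles.git '(push)' \
        mirror https://git.example.org/team/dotfiles.git '(fetch)' \
        backup git@git.example.org:team/dotfiles.git '(push)'
}

sample_remotes | audit_remotes || echo "fix: git remote set-url <name> <https-url>"
```

To enforce the same rule in git itself, `git config --global url."https://".insteadOf git://` rewrites such URLs on the fly, and `git config --global protocol.git.allow never` refuses the transport outright.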
lesterchan added a commit to lesterchan/oh-my-zsh that referenced this pull request on Apr 19, 2018:
* upstream/master: (47 commits)
  [installer] use `command -v` to check for git
  [cloud theme] add a space (ohmyzsh#3215)
  updated symfony plugin to add entity generation and schema update aliases (ohmyzsh#5042)
  Fix styling and format of hanami README
  Add table of aliases for hanami plugin
  Add README for hanami plugin
  Add hanami plugin inspired by rails
  npm init (ohmyzsh#6648)
  [archlinux] add recent aliases and functions to readme
  plugins/archlinux: add pacls, pacown, pacweb
  Use HTTPS for manual git clone to avoid MITM (ohmyzsh#6043)
  Fix git_commits_{ahead,before} when no upstream branch is defined (ohmyzsh#6658)
  [archlinux] Fix function syntax to avoid clashes with aliases
  [rkj-repos] Check for 'hg prompt' and exit if not found (ohmyzsh#6655)
  Fix typo that resulted in math error (ohmyzsh#6731)
  Improve emotty plugin (ohmyzsh#5999)
  Fix emotty theme when using zsh 5.2 (ohmyzsh#5998)
  Added trizen to the archlinux plugin (ohmyzsh#6650)
  Reduce number of git calls when displaying prompt (ohmyzsh#3795)
  hotfix for archlinux.plugin.zsh (ohmyzsh#5909)
  ...
seth-cohen pushed a commit to seth-cohen/oh-my-zsh that referenced this pull request on Oct 29, 2018
jmartindf pushed a commit to jmartindf/oh-my-zsh that referenced this pull request on Nov 10, 2018
sagischwarz pushed a commit to sagischwarz/ohmyzsh that referenced this pull request on Nov 19, 2018
chihchun pushed a commit to chihchun/oh-my-zsh that referenced this pull request on Aug 6, 2019
kankongmeng pushed a commit to kankongmeng/oh-my-zsh that referenced this pull request on Jan 8, 2020
spiliopoulos pushed a commit to spiliopoulos/zsh-config that referenced this pull request on Jun 17, 2020