SourceTree Security Advisory 2017-05-10 (atlassian.com)
8 points by breck on May 11, 2017 | hide | past | favorite | 6 comments


TLDR: it took me 30 minutes to install the update for SourceTree for Mac - too long really. Any recommendations for the best replacement Git/Mercurial GUI on Mac?

1. Check for updates from existing SourceTree 2.0.5.2 offered me only 2.3.2. FAIL as that still has the Command Injection problem.
2. I download SourceTree 2.5.1 from the Atlassian web site, unzip it, drag it into the Applications folder and run it. (Re)-registration required - tedious, but still it's gratis software ...
3. I look up my existing Atlassian account details in 1Password, but they are not accepted. I'm certain I haven't changed my password. But it's 31 characters long - expect a password truncation problem - but no real evidence.
4. I click through in the Mac app to email me a password reset and am presented with a RECAPTCHA of photos of cars and house numbers that I cannot solve after 10 minutes of trying.
5. I try the voice RECAPTCHA - it's blocked because my computer is "sending too many requests".
6. I try RECAPTCHA from the Atlassian website. The picture RECAPTCHA is still too difficult for me, but I manage to pass the voice RECAPTCHA.
7. I reset my password - stick to 16 characters this time - mixed case and digits - log_2(62^16) bits of entropy - should be enough.
8. I complete my registration with the reset password from the SourceTree for Mac app.


For me, the best replacement was several command line aliases and bash scripts for maximizing my productivity with Git in the shell. I can now see all my projects (i.e. Sourcetree bookmarks) and their git status with one command, and easily fetch updates for all my projects at once (like Sourcetree does in the background) and view diffs in a tree-like form with branch lines, etc. All with simple scripts.

I used to think I wouldn't be able to live without something like ST but I was wrong and am more productive now without it.


Care to share? I have yet to find the right mix of aliases that replicate SourceTree's overview of the whole project.


It really depends on what information is important to you. For example, to see all your branches with visual lines that show how they are connected, you can put something like this in your .gitconfig file:

    [alias]
        # short names; the --all variants show every branch, not just the current one
        lg = !"git lg1"
        lg1 = !"git lg1-specific --all"
        lg2 = !"git lg2-specific --all"
        lg3 = !"git lg3-specific --all"

        # one line per commit: hash, relative date, subject, author, refs
        lg1-specific = log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold green)(%ar)%C(reset) %C(black)%s%C(reset) %C(dim black)- %an%C(reset)%C(auto)%d%C(reset)'
        # two lines per commit: adds the absolute author date
        lg2-specific = log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold cyan)%aD%C(reset) %C(bold green)(%ar)%C(reset)%C(auto)%d%C(reset)%n''          %C(black)%s%C(reset) %C(dim black)- %an%C(reset)'
        # three lines per commit: adds committer date, author email and committer identity
        lg3-specific = log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold cyan)%aD%C(reset) %C(bold green)(%ar)%C(reset) %C(bold cyan)(committed: %cD)%C(reset) %C(auto)%d%C(reset)%n''          %C(black)%s%C(reset)%n''          %C(dim black)- %an <%ae> %C(reset) %C(dim black)(committer: %cn <%ce>)%C(reset)'
Then doing "git lg" or one of these variants gives you a quick tree view. Colors and other customizations can of course be changed.

This is one of many tools I used to replace ST.
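The earlier comment in this thread mentions scripts that show the status of every bookmarked project with one command and fetch them all at once, but only the log alias was posted. The script below is an added example of that second half, not code from the commenter or from Atlassian. It assumes a bookmarks file (`$GIT_BOOKMARKS`, defaulting to `~/.git-bookmarks`, both names chosen here) listing one repository path per line, and it uses `git -C` so paths with spaces are handled without `cd`. It only ever runs `git fetch`, never `pull`, so nothing from a remote is merged or checked out by the background refresh.

```shell
#!/bin/sh
# Added example: a minimal stand-in for SourceTree's bookmark list.
# Repositories are listed one per line in $GIT_BOOKMARKS (assumed file name,
# default ~/.git-bookmarks); blank lines and '#' comment lines are ignored.

: "${GIT_BOOKMARKS:=$HOME/.git-bookmarks}"

# Print the repository paths from the bookmarks file, skipping comments/blank lines.
bookmarks() {
    [ -r "$GIT_BOOKMARKS" ] || return 0
    grep -v '^[[:space:]]*#' "$GIT_BOOKMARKS" | grep -v '^[[:space:]]*$'
}

# One-line summary of a repo: name, current branch, dirty path count, ahead/behind.
repo_summary() {
    repo=$1
    [ -d "$repo/.git" ] || { printf '%s: not a git repository\n' "$repo"; return 1; }
    branch=$(git -C "$repo" rev-parse --abbrev-ref HEAD 2>/dev/null || echo '?')
    # --porcelain output is stable across git versions; one line per changed path
    dirty=$(git -C "$repo" status --porcelain | wc -l | tr -d ' ')
    # left side = commits only on upstream (behind), right side = only on HEAD (ahead);
    # empty when no upstream is configured
    ab=$(git -C "$repo" rev-list --left-right --count '@{upstream}...HEAD' 2>/dev/null \
         | awk '{printf "behind %s ahead %s", $1, $2}')
    printf '%-30s %-20s %3s dirty %s\n' "$(basename "$repo")" "$branch" "$dirty" "$ab"
}

# gstatus: status of every bookmarked repo on one screen.
gstatus() {
    bookmarks | while IFS= read -r repo; do repo_summary "$repo"; done
}

# gfetch: fetch (never pull) every bookmarked repo, like SourceTree's background
# refresh. --prune drops remote-tracking refs for branches deleted upstream.
gfetch() {
    bookmarks | while IFS= read -r repo; do
        printf 'fetching %s\n' "$repo"
        git -C "$repo" fetch --all --prune --quiet || printf '  fetch failed for %s\n' "$repo"
    done
}

# usage: sh gitmulti.sh status | sh gitmulti.sh fetch
case "${1:-}" in
    status) gstatus ;;
    fetch)  gfetch ;;
esac
```

Source the file from your shell rc to get `gstatus` and `gfetch` as commands, or run it directly with `status` or `fetch` as the argument. The `@{upstream}` lookup fails quietly for branches without a tracking branch, which is what you want when the list mixes personal scratch repos with shared ones.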


GitKraken is excellent.


Can anyone explain what a hacker might actually do with this exploit?



