
SourceTree Security Advisory 2017-05-10 - breck
https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2017-05-10-900820365.html
======
delhanty
TLDR: it took me 30 minutes to install the update for SourceTree for Mac - too
long really. Any recommendations for the best replacement Git/Mercurial GUI on
Mac?

1. Check for updates from existing SourceTree 2.0.5.2 offered me only 2.3.2.
FAIL as that still has the Command Injection problem.

2. I download SourceTree 2.5.1 from the Atlassian web site, unzip and drag into
the Applications folder and run. (Re)-registration required - tedious, but still
it's gratis software ...

3. I look up my existing Atlassian account details in 1Password, but they are
not accepted. I'm certain I haven't changed my password. But it's 31 characters
long - expect a password truncation problem - but no real evidence.

4. I click through in the Mac app to email me a password reset and am presented
with a RECAPTCHA of photos of cars and house numbers that I cannot solve after
10 minutes of trying.

5. I try the voice RECAPTCHA - it's blocked because my computer is "sending too
many requests".

6. I try RECAPTCHA from the Atlassian website. The picture RECAPTCHA is still
too difficult for me, but I manage to pass the voice RECAPTCHA.

7. I reset my password - stick to 16 characters this time - mixed case and
digits - log_2(62^16) bits of entropy - should be enough.

8. I complete my registration with the reset password from the SourceTree for
Mac app.

~~~
hellofunk
For me, the best replacement was several command line aliases and bash scripts
for maximizing my productivity with Git in the shell. I can now see all my
projects (i.e. Sourcetree bookmarks) and their git status with one command,
and easily fetch updates for all my projects at once (like Sourcetree does in
the background) and view diffs in a tree-like form with branch lines, etc. All
with simple scripts.

I used to think I wouldn't be able to live without something like ST but I was
wrong and am more productive now without it.

~~~
heme
Care to share? I have yet to find the right mix of aliases that replicate
SourceTree's overview of the whole project.

~~~
hellofunk
It really depends on what information is important to you. For example, seeing
all your branches with visual lines that show how they are connected, you can
do something like this in your .gitconfig file:

    [alias]
        lg = !"git lg1"
        lg1 = !"git lg1-specific --all"
        lg2 = !"git lg2-specific --all"
        lg3 = !"git lg3-specific --all"
        lg1-specific = log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold green)(%ar)%C(reset) %C(black)%s%C(reset) %C(dim black)- %an%C(reset)%C(auto)%d%C(reset)'
        lg2-specific = log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold cyan)%aD%C(reset) %C(bold green)(%ar)%C(reset)%C(auto)%d%C(reset)%n''          %C(black)%s%C(reset) %C(dim black)- %an%C(reset)'
        lg3-specific = log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold cyan)%aD%C(reset) %C(bold green)(%ar)%C(reset) %C(bold cyan)(committed: %cD)%C(reset) %C(auto)%d%C(reset)%n''          %C(black)%s%C(reset)%n''          %C(dim black)- %an <%ae> %C(reset) %C(dim black)(committer: %cn <%ce>)%C(reset)'

Then doing "git lg" or one of these variants gives you a quick tree view.
Colors and other customizations can of course be changed.

This is one of many tools I used to replace ST.
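As an added illustration (not code from the thread or from any of the commenters), here is a small POSIX shell script for the other two things hellofunk describes: every bookmarked project with its git status in one command, and a fetch of all of them at once. It assumes a bookmarks file with one repository path per line (the default name ~/.git-bookmarks is made up for this example) and reads `git status --porcelain=v2 --branch`, the stable machine-readable format, rather than scraping the human-readable status output.

```shell
#!/bin/sh
# Added example (not from the thread): one-line status per bookmarked repo,
# plus a fetch-all, standing in for SourceTree's bookmark overview.
# Assumption: a bookmarks file with one repository path per line; the
# default path ~/.git-bookmarks is a made-up name for this example.

# summarize_status LABEL: read `git status --porcelain=v2 --branch` on stdin
# and print one line: label, branch, ahead/behind, changed and untracked counts.
summarize_status() {
    awk -v label="$1" '
        $1 == "#" && $2 == "branch.head" { head = $3 }
        $1 == "#" && $2 == "branch.ab"   { ab = $3 " " $4 }   # e.g. "+2 -1"
        $1 == "1" || $1 == "2" || $1 == "u" { changed++ }      # changed / renamed / unmerged
        $1 == "?" { untracked++ }
        END {
            if (head == "") head = "(none)"
            if (ab == "")   ab = "(no upstream)"
            printf "%-24s %-16s %-14s changed=%d untracked=%d\n",
                   label, head, ab, changed + 0, untracked + 0
        }'
}

# repo_summary DIR: run git in DIR and summarize it.
repo_summary() {
    git -C "$1" status --porcelain=v2 --branch 2>/dev/null \
        | summarize_status "$(basename "$1")"
}

# bookmarked_repos [FILE]: print the bookmarked paths that are git repositories,
# skipping blank lines and "#" comments in the bookmarks file.
bookmarked_repos() {
    file=${1:-"$HOME/.git-bookmarks"}
    [ -r "$file" ] || { echo "no bookmarks file: $file" >&2; return 1; }
    awk 'NF && $1 !~ /^#/ { print }' "$file" | while IFS= read -r dir; do
        if [ -d "$dir/.git" ]; then printf '%s\n' "$dir"; fi
    done
}

# status_all [FILE]: the "all my projects with one command" view.
status_all() {
    bookmarked_repos "$1" | while IFS= read -r dir; do repo_summary "$dir"; done
}

# fetch_all [FILE]: fetch every bookmarked repo (what SourceTree did in the background).
fetch_all() {
    bookmarked_repos "$1" | while IFS= read -r dir; do
        git -C "$dir" fetch --all --prune --quiet || echo "fetch failed: $dir" >&2
    done
}

# Entry point when saved and run as `sh git-overview.sh [bookmarks-file]`.
case "${0##*/}" in
    git-overview.sh) status_all "$1" ;;
esac
```

Save it as git-overview.sh, list your repositories in ~/.git-bookmarks, and `sh git-overview.sh` prints one line per project; `fetch_all` can be run from a cron or launchd job to get the background-fetch behaviour back. Parsing the porcelain v2 format rather than `git status` text is what keeps the script from breaking across git versions and locales.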

------
hellofunk
Can anyone explain what a hacker might actually do with this exploit?

