Pre-auth RCE in a self-hosted Git server via tag ref names

git-receive-pack hands tag names directly to a Lua post-receive hook, and the hook concatenates them into a shell command. The reference grammar permits backticks. There is no length cap.