Sync with Git 2.17.1

* maint: (25 commits)
  Git 2.17.1
  Git 2.16.4
  Git 2.15.2
  Git 2.14.4
  Git 2.13.7
  fsck: complain when .gitmodules is a symlink
  index-pack: check .gitmodules files with --strict
  unpack-objects: call fsck_finish() after fscking objects
  fsck: call fsck_finish() after fscking objects
  fsck: check .gitmodules content
  fsck: handle promisor objects in .gitmodules check
  fsck: detect gitmodules files
  fsck: actually fsck blob data
  fsck: simplify ".git" check
  index-pack: make fsck error message more specific
  verify_path: disallow symlinks in .gitmodules
  update-index: stat updated files earlier
  verify_dotfile: mention case-insensitivity in comment
  verify_path: drop clever fallthrough
  skip_prefix: add case-insensitive variant
  ...

4 files changed, 272 insertions, 0 deletions

diff --git a/t/helper/test-path-utils.c b/t/helper/test-path-utils.c
index e115d44ac2..ae091d9b3e 100644
--- a/t/helper/test-path-utils.c
+++ b/t/helper/test-path-utils.c
@@ -1,6 +1,7 @@
 #include "test-tool.h"
 #include "cache.h"
 #include "string-list.h"
+#include "utf8.h"
 
 /*
  * A "string_list_each_func_t" function that normalizes an entry from
@@ -171,6 +172,11 @@ static struct test_data dirname_data[] = {
 	{ NULL,              NULL     }
 };
 
+static int is_dotgitmodules(const char *path)
+{
+	return is_hfs_dotgitmodules(path) || is_ntfs_dotgitmodules(path);
+}
+
 int cmd__path_utils(int argc, const char **argv)
 {
 	if (argc == 3 && !strcmp(argv[1], "normalize_path_copy")) {
@@ -271,6 +277,20 @@ int cmd__path_utils(int argc, const char **argv)
 	if (argc == 2 && !strcmp(argv[1], "dirname"))
 		return test_function(dirname_data, posix_dirname, argv[1]);
 
+	if (argc > 2 && !strcmp(argv[1], "is_dotgitmodules")) {
+		int res = 0, expect = 1, i;
+		for (i = 2; i < argc; i++)
+			if (!strcmp("--not", argv[i]))
+				expect = !expect;
+			else if (expect != is_dotgitmodules(argv[i]))
+				res = error("'%s' is %s.gitmodules", argv[i],
+					    expect ? "not " : "");
+			else
+				fprintf(stderr, "ok: '%s' is %s.gitmodules\n",
+					argv[i], expect ? "" : "not ");
+		return !!res;
+	}
+
 	fprintf(stderr, "%s: unknown function name: %s\n", argv[0],
 		argv[1] ? argv[1] : "(there was none)");
 	return 1;
diff --git a/t/lib-pack.sh b/t/lib-pack.sh
index 501078249d..c4d907a450 100644
--- a/t/lib-pack.sh
+++ b/t/lib-pack.sh
@@ -79,6 +79,18 @@ pack_obj () {
 		;;
 	esac
 
+	# If it's not a delta, we can convince pack-objects to generate a pack
+	# with just our entry, and then strip off the header (12 bytes) and
+	# trailer (20 bytes).
+	if test -z "$2"
+	then
+		echo "$1" | git pack-objects --stdout >pack_obj.tmp &&
+		size=$(wc -c <pack_obj.tmp) &&
+		dd if=pack_obj.tmp bs=1 count=$((size - 20 - 12)) skip=12 &&
+		rm -f pack_obj.tmp
+		return
+	fi
+
 	echo >&2 "BUG: don't know how to print $1${2:+ (from $2)}"
 	return 1
 }
diff --git a/t/t0060-path-utils.sh b/t/t0060-path-utils.sh
index f46e3c4995..21a8b53132 100755
--- a/t/t0060-path-utils.sh
+++ b/t/t0060-path-utils.sh
@@ -349,4 +349,90 @@ test_submodule_relative_url "(null)" "ssh://hostname:22/repo" "../subrepo" "ssh:
 test_submodule_relative_url "(null)" "user@host:path/to/repo" "../subrepo" "user@host:path/to/subrepo"
 test_submodule_relative_url "(null)" "user@host:repo" "../subrepo" "user@host:subrepo"
 
+test_expect_success 'match .gitmodules' '
+	test-tool path-utils is_dotgitmodules \
+		.gitmodules \
+		\
+		.git${u200c}modules \
+		\
+		.Gitmodules \
+		.gitmoduleS \
+		\
+		".gitmodules " \
+		".gitmodules." \
+		".gitmodules  " \
+		".gitmodules. " \
+		".gitmodules ." \
+		".gitmodules.." \
+		".gitmodules   " \
+		".gitmodules.  " \
+		".gitmodules . " \
+		".gitmodules  ." \
+		\
+		".Gitmodules " \
+		".Gitmodules." \
+		".Gitmodules  " \
+		".Gitmodules. " \
+		".Gitmodules ." \
+		".Gitmodules.." \
+		".Gitmodules   " \
+		".Gitmodules.  " \
+		".Gitmodules . " \
+		".Gitmodules  ." \
+		\
+		GITMOD~1 \
+		gitmod~1 \
+		GITMOD~2 \
+		gitmod~3 \
+		GITMOD~4 \
+		\
+		"GITMOD~1 " \
+		"gitmod~2." \
+		"GITMOD~3  " \
+		"gitmod~4. " \
+		"GITMOD~1 ." \
+		"gitmod~2   " \
+		"GITMOD~3.  " \
+		"gitmod~4 . " \
+		\
+		GI7EBA~1 \
+		gi7eba~9 \
+		\
+		GI7EB~10 \
+		GI7EB~11 \
+		GI7EB~99 \
+		GI7EB~10 \
+		GI7E~100 \
+		GI7E~101 \
+		GI7E~999 \
+		~1000000 \
+		~9999999 \
+		\
+		--not \
+		".gitmodules x"  \
+		".gitmodules .x" \
+		\
+		" .gitmodules" \
+		\
+		..gitmodules \
+		\
+		gitmodules \
+		\
+		.gitmodule \
+		\
+		".gitmodules x " \
+		".gitmodules .x" \
+		\
+		GI7EBA~ \
+		GI7EBA~0 \
+		GI7EBA~~1 \
+		GI7EBA~X \
+		Gx7EBA~1 \
+		GI7EBX~1 \
+		\
+		GI7EB~1 \
+		GI7EB~01 \
+		GI7EB~1X
+'
+
 test_done
diff --git a/t/t7415-submodule-names.sh b/t/t7415-submodule-names.sh
new file mode 100755
index 0000000000..a770d92a55
--- /dev/null
+++ b/t/t7415-submodule-names.sh
@@ -0,0 +1,154 @@
+#!/bin/sh
+
+test_description='check handling of .. in submodule names
+
+Exercise the name-checking function on a variety of names, and then give a
+real-world setup that confirms we catch this in practice.
+'
+. ./test-lib.sh
+. "$TEST_DIRECTORY"/lib-pack.sh
+
+test_expect_success 'check names' '
+	cat >expect <<-\EOF &&
+	valid
+	valid/with/paths
+	EOF
+
+	git submodule--helper check-name >actual <<-\EOF &&
+	valid
+	valid/with/paths
+
+	../foo
+	/../foo
+	..\foo
+	\..\foo
+	foo/..
+	foo/../
+	foo\..
+	foo\..\
+	foo/../bar
+	EOF
+
+	test_cmp expect actual
+'
+
+test_expect_success 'create innocent subrepo' '
+	git init innocent &&
+	git -C innocent commit --allow-empty -m foo
+'
+
+test_expect_success 'submodule add refuses invalid names' '
+	test_must_fail \
+		git submodule add --name ../../modules/evil "$PWD/innocent" evil
+'
+
+test_expect_success 'add evil submodule' '
+	git submodule add "$PWD/innocent" evil &&
+
+	mkdir modules &&
+	cp -r .git/modules/evil modules &&
+	write_script modules/evil/hooks/post-checkout <<-\EOF &&
+	echo >&2 "RUNNING POST CHECKOUT"
+	EOF
+
+	git config -f .gitmodules submodule.evil.update checkout &&
+	git config -f .gitmodules --rename-section \
+		submodule.evil submodule.../../modules/evil &&
+	git add modules &&
+	git commit -am evil
+'
+
+# This step seems like it shouldn't be necessary, since the payload is
+# contained entirely in the evil submodule. But due to the vagaries of the
+# submodule code, checking out the evil module will fail unless ".git/modules"
+# exists. Adding another submodule (with a name that sorts before "evil") is an
+# easy way to make sure this is the case in the victim clone.
+test_expect_success 'add other submodule' '
+	git submodule add "$PWD/innocent" another-module &&
+	git add another-module &&
+	git commit -am another
+'
+
+test_expect_success 'clone evil superproject' '
+	git clone --recurse-submodules . victim >output 2>&1 &&
+	! grep "RUNNING POST CHECKOUT" output
+'
+
+test_expect_success 'fsck detects evil superproject' '
+	test_must_fail git fsck
+'
+
+test_expect_success 'transfer.fsckObjects detects evil superproject (unpack)' '
+	rm -rf dst.git &&
+	git init --bare dst.git &&
+	git -C dst.git config transfer.fsckObjects true &&
+	test_must_fail git push dst.git HEAD
+'
+
+test_expect_success 'transfer.fsckObjects detects evil superproject (index)' '
+	rm -rf dst.git &&
+	git init --bare dst.git &&
+	git -C dst.git config transfer.fsckObjects true &&
+	git -C dst.git config transfer.unpackLimit 1 &&
+	test_must_fail git push dst.git HEAD
+'
+
+# Normally our packs contain commits followed by trees followed by blobs. This
+# reverses the order, which requires backtracking to find the context of a
+# blob. We'll start with a fresh gitmodules-only tree to make it simpler.
+test_expect_success 'create oddly ordered pack' '
+	git checkout --orphan odd &&
+	git rm -rf --cached . &&
+	git add .gitmodules &&
+	git commit -m odd &&
+	{
+		pack_header 3 &&
+		pack_obj $(git rev-parse HEAD:.gitmodules) &&
+		pack_obj $(git rev-parse HEAD^{tree}) &&
+		pack_obj $(git rev-parse HEAD)
+	} >odd.pack &&
+	pack_trailer odd.pack
+'
+
+test_expect_success 'transfer.fsckObjects handles odd pack (unpack)' '
+	rm -rf dst.git &&
+	git init --bare dst.git &&
+	test_must_fail git -C dst.git unpack-objects --strict <odd.pack
+'
+
+test_expect_success 'transfer.fsckObjects handles odd pack (index)' '
+	rm -rf dst.git &&
+	git init --bare dst.git &&
+	test_must_fail git -C dst.git index-pack --strict --stdin <odd.pack
+'
+
+test_expect_success 'fsck detects symlinked .gitmodules file' '
+	git init symlink &&
+	(
+		cd symlink &&
+
+		# Make the tree directly to avoid index restrictions.
+		#
+		# Because symlinks store the target as a blob, choose
+		# a pathname that could be parsed as a .gitmodules file
+		# to trick naive non-symlink-aware checking.
+		tricky="[foo]bar=true" &&
+		content=$(git hash-object -w ../.gitmodules) &&
+		target=$(printf "$tricky" | git hash-object -w --stdin) &&
+		tree=$(
+			{
+				printf "100644 blob $content\t$tricky\n" &&
+				printf "120000 blob $target\t.gitmodules\n"
+			} | git mktree
+		) &&
+		commit=$(git commit-tree $tree) &&
+
+		# Check not only that we fail, but that it is due to the
+		# symlink detector; this grep string comes from the config
+		# variable name and will not be translated.
+		test_must_fail git fsck 2>output &&
+		grep gitmodulesSymlink output
+	)
+'
+
+test_done