summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2017-07-30Merge tag 'v2.10.4' into maint-2.11Libravatar Junio C Hamano10-0/+112
Git 2.10.4
2017-07-30Git 2.10.4Libravatar Junio C Hamano3-2/+6
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-30Merge tag 'v2.9.5' into maint-2.10Libravatar Junio C Hamano9-0/+108
Git 2.9.5
2017-07-30Git 2.9.5Libravatar Junio C Hamano3-2/+6
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-30Merge tag 'v2.8.6' into maint-2.9Libravatar Junio C Hamano8-0/+104
Git 2.8.6
2017-07-30Git 2.8.6Libravatar Junio C Hamano3-2/+6
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-30Merge tag 'v2.7.6' into maint-2.8Libravatar Junio C Hamano7-0/+100
Git 2.7.6
2017-07-30Git 2.7.6Libravatar Junio C Hamano3-2/+27
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28Merge branch 'jk/ssh-funny-url' into maint-2.7Libravatar Junio C Hamano6-0/+75
2017-07-28connect: reject paths that look like command line optionsLibravatar Jeff King3-0/+40
If we get a repo path like "-repo.git", we may try to invoke "git-upload-pack -repo.git". This is going to fail, since upload-pack will interpret it as a set of bogus options. But let's reject this before we even run the sub-program, since we would not want to allow any mischief with repo names that actually are real command-line options. You can still ask for such a path via git-daemon, but there's no security problem there, because git-daemon enters the repo itself and then passes "." on the command line. Signed-off-by: Jeff King <peff@peff.net> Reviewed-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28connect: reject dashed arguments for proxy commandsLibravatar Jeff King2-0/+10
If you have a GIT_PROXY_COMMAND configured, we will run it with the host/port on the command-line. If a URL contains a mischievous host like "--foo", we don't know how the proxy command may handle it. It's likely to break, but it may also do something dangerous and unwanted (technically it could even do something useful, but that seems unlikely). We should err on the side of caution and reject this before we even run the command. The hostname check matches the one we do in a similar circumstance for ssh. The port check is not present for ssh, but there it's not necessary because the syntax is "-p <port>", and there's no ambiguity on the parsing side. It's not clear whether you can actually get a negative port to the proxy here or not. Doing: git fetch git://remote:-1234/repo.git keeps the "-1234" as part of the hostname, with the default port of 9418. But it's a good idea to keep this check close to the point of running the command to make it clear that there's no way to circumvent it (and at worst it serves as a belt-and-suspenders check). Signed-off-by: Jeff King <peff@peff.net> Reviewed-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28connect: factor out "looks like command line option" checkLibravatar Jeff King3-1/+14
We reject hostnames that start with a dash because they may be confused for command-line options. Let's factor out that notion into a helper function, as we'll use it in more places. And while it's simple now, it's not clear if some systems might need more complex logic to handle all cases. Signed-off-by: Jeff King <peff@peff.net> Reviewed-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28t5813: add test for hostname starting with dashLibravatar Jeff King1-0/+9
Per the explanation in the previous patch, this should be (and is) rejected. Signed-off-by: Jeff King <peff@peff.net> Reviewed-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28connect: reject ssh hostname that begins with a dashLibravatar Junio C Hamano1-0/+3
When commands like "git fetch" talk with ssh://$rest_of_URL/, the code splits $rest_of_URL into components like host, port, etc., and then spawns the underlying "ssh" program by formulating argv[] array that has: - the path to ssh command taken from GIT_SSH_COMMAND, etc. - dashed options like '-batch' (for Tortoise), '-p <port>' as needed. - ssh_host, which is supposed to be the hostname parsed out of $rest_of_URL. - then the command to be run on the other side, e.g. git upload-pack. If the ssh_host ends up getting '-<anything>', the argv[] that is used to spawn the command becomes something like: { "ssh", "-p", "22", "-<anything>", "command", "to", "run", NULL } which obviously is bogus, but depending on the actual value of "<anything>", will make "ssh" parse and use it as an option. Prevent this by forbidding ssh_host that begins with a "-". Noticed-by: Joern Schneeweisz of Recurity Labs Reported-by: Brian at GitLab Signed-off-by: Junio C Hamano <gitster@pobox.com> Reviewed-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05Git 2.11.2Libravatar Junio C Hamano4-3/+16
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05Merge branch 'maint-2.10' into maint-2.11Libravatar Junio C Hamano9-8/+92
2017-05-05Git 2.10.3Libravatar Junio C Hamano3-2/+10
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05Merge branch 'maint-2.9' into maint-2.10Libravatar Junio C Hamano8-7/+83
2017-05-05Git 2.9.4Libravatar Junio C Hamano3-2/+11
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05Merge branch 'maint-2.8' into maint-2.9Libravatar Junio C Hamano7-6/+74
2017-05-05Git 2.8.5Libravatar Junio C Hamano4-3/+16
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05Merge branch 'maint-2.7' into maint-2.8Libravatar Junio C Hamano6-5/+60
2017-05-05Git 2.7.5Libravatar Junio C Hamano4-3/+19
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05Merge branch 'maint-2.6' into maint-2.7Libravatar Junio C Hamano5-4/+43
2017-05-05Git 2.6.7Libravatar Junio C Hamano4-3/+16
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05Merge branch 'maint-2.5' into maint-2.6Libravatar Junio C Hamano4-3/+29
2017-05-05Git 2.5.6Libravatar Junio C Hamano4-3/+16
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05Merge branch 'maint-2.4' into maint-2.5Libravatar Junio C Hamano3-2/+15
2017-05-05Git 2.4.12Libravatar Junio C Hamano4-3/+16
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05Merge branch 'jk/shell-no-repository-that-begins-with-dash' into maint-2.4Libravatar Junio C Hamano1-1/+1
* jk/shell-no-repository-that-begins-with-dash: shell: disallow repo names beginning with dash
2017-05-05shell: disallow repo names beginning with dashLibravatar Jeff King1-1/+1
When a remote server uses git-shell, the client side will connect to it like: ssh server "git-upload-pack 'foo.git'" and we literally exec ("git-upload-pack", "foo.git"). In early versions of upload-pack and receive-pack, we took a repository argument and nothing else. But over time they learned to accept dashed options. If the user passes a repository name that starts with a dash, the results are confusing at best (we complain of a bogus option instead of a non-existent repository) and malicious at worst (the user can start an interactive pager via "--help"). We could pass "--" to the sub-process to make sure the user's argument is interpreted as a branch name. I.e.: git-upload-pack -- -foo.git But adding "--" automatically would make us inconsistent with a normal shell (i.e., when git-shell is not in use), where "-foo.git" would still be an error. For that case, the client would have to specify the "--", but they can't do so reliably, as existing versions of git-shell do not allow more than a single argument. The simplest thing is to simply disallow "-" at the start of the repo name argument. This hasn't worked either with or without git-shell since version 1.0.0, and nobody has complained. Note that this patch just applies to do_generic_cmd(), which runs upload-pack, receive-pack, and upload-archive. There are two other types of commands that git-shell runs: - do_cvs_cmd(), but this already restricts the argument to be the literal string "server" - admin-provided commands in the git-shell-commands directory. We'll pass along arbitrary arguments there, so these commands could have similar problems. But these commands might actually understand dashed arguments, so we cannot just block them here. It's up to the writer of the commands to make sure they are safe. With great power comes great responsibility. Reported-by: Timo Schmid <tschmid@ernw.de> Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-02-02Git 2.11.1Libravatar Junio C Hamano1-0/+3
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-02-02Merge branch 'ws/request-pull-code-cleanup' into maintLibravatar Junio C Hamano1-3/+0
Code clean-up. * ws/request-pull-code-cleanup: request-pull: drop old USAGE stuff
2017-02-02Merge branch 'jk/execv-dashed-external' into maintLibravatar Junio C Hamano3-21/+35
Typing ^C to pager, which usually does not kill it, killed Git and took the pager down as a collateral damage in certain process-tree structure. This has been fixed. * jk/execv-dashed-external: execv_dashed_external: wait for child on signal death execv_dashed_external: stop exiting with negative code execv_dashed_external: use child_process struct
2017-01-31Ready for 2.11.1Libravatar Junio C Hamano1-0/+45
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-01-31Merge branch 'sb/in-core-index-doc' into maintLibravatar Junio C Hamano3-22/+32
Documentation and in-code comments updates. * sb/in-core-index-doc: documentation: retire unfinished documentation cache.h: document add_[file_]to_index cache.h: document remove_index_entry_at cache.h: document index_name_pos
2017-01-31Merge branch 'js/mingw-isatty' into maintLibravatar Junio C Hamano1-7/+4
An update to a topic that is already in 'master'. * js/mingw-isatty: mingw: follow-up to "replace isatty() hack"
2017-01-31Merge branch 'jk/coding-guidelines-update' into maintLibravatar Junio C Hamano1-5/+32
Developer doc update. * jk/coding-guidelines-update: CodingGuidelines: clarify multi-line brace style
2017-01-31Merge branch 'js/exec-path-coverity-workaround' into maintLibravatar Junio C Hamano1-6/+8
Code cleanup. * js/exec-path-coverity-workaround: git_exec_path: do not return the result of getenv() git_exec_path: avoid Coverity warning about unfree()d result
2017-01-31Merge branch 'ad/bisect-terms' into maintLibravatar Junio C Hamano1-2/+2
Documentation fix. * ad/bisect-terms: Documentation/bisect: improve on (bad|new) and (good|bad)
2017-01-31Merge branch 'jk/grep-e-could-be-extended-beyond-posix' into maintLibravatar Junio C Hamano1-11/+15
Tighten a test to avoid mistaking an extended ERE regexp engine as a PRE regexp engine. * jk/grep-e-could-be-extended-beyond-posix: t7810: avoid assumption about invalid regex syntax
2017-01-31Merge branch 'km/branch-get-push-while-detached' into maintLibravatar Junio C Hamano2-3/+9
"git <cmd> @{push}" on a detached HEAD used to segfault; it has been corrected to error out with a message. * km/branch-get-push-while-detached: branch_get_push: do not segfault when HEAD is detached
2017-01-31Merge branch 'jk/rebase-i-squash-count-fix' into maintLibravatar Junio C Hamano1-1/+1
"git rebase -i" with a recent update started showing an incorrect count when squashing more than 10 commits. * jk/rebase-i-squash-count-fix: rebase--interactive: count squash commits above 10 correctly
2017-01-31Merge branch 'jk/blame-fixes' into maintLibravatar Junio C Hamano3-10/+166
"git blame --porcelain" misidentified the "previous" <commit, path> pair (aka "source") when contents came from two or more files. * jk/blame-fixes: blame: output porcelain "previous" header for each file blame: handle --no-abbrev blame: fix alignment with --abbrev=40
2017-01-31Merge branch 'jk/archive-zip-userdiff-config' into maintLibravatar Junio C Hamano2-4/+25
"git archive" did not read the standard configuration files, and failed to notice a file that is marked as binary via the userdiff driver configuration. * jk/archive-zip-userdiff-config: archive-zip: load userdiff config
2017-01-31Merge branch 'dt/disable-bitmap-in-auto-gc' into maintLibravatar Junio C Hamano4-6/+45
It is natural that "git gc --auto" may not attempt to pack everything into a single pack, and there is no point in warning when the user has configured the system to use the pack bitmap, leading to disabling further "gc". * dt/disable-bitmap-in-auto-gc: repack: die on incremental + write-bitmap-index auto gc: don't write bitmaps for incremental repacks
2017-01-31Merge branch 'nd/config-misc-fixes' into maintLibravatar Junio C Hamano1-5/+15
Leakage of lockfiles in the config subsystem has been fixed. * nd/config-misc-fixes: config.c: handle lock file in error case in git_config_rename_... config.c: rename label unlock_and_out config.c: handle error case for fstat() calls
2017-01-31Merge branch 'jc/abbrev-autoscale-config' into maintLibravatar Junio C Hamano2-8/+15
Recent update to the default abbreviation length that auto-scales lacked documentation update, which has been corrected. * jc/abbrev-autoscale-config: config.abbrev: document the new default that auto-scales
2017-01-31Merge branch 'mh/fast-import-notes-fix-new' into maintLibravatar Junio C Hamano2-3/+47
"git fast-import" sometimes mishandled while rebalancing notes tree, which has been fixed. * mh/fast-import-notes-fix-new: fast-import: properly fanout notes when tree is imported
2017-01-31Merge branch 'jc/compression-config' into maintLibravatar Junio C Hamano9-31/+158
Compression setting for producing packfiles were spread across three codepaths, one of which did not honor any configuration. Unify these so that all of them honor core.compression and pack.compression variables the same way. * jc/compression-config: compression: unify pack.compression configuration parsing