summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2017-07-30Git 2.10.4Libravatar Junio C Hamano3-2/+6
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-30Merge tag 'v2.9.5' into maint-2.10Libravatar Junio C Hamano9-0/+108
Git 2.9.5
2017-07-30Git 2.9.5Libravatar Junio C Hamano3-2/+6
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-30Merge tag 'v2.8.6' into maint-2.9Libravatar Junio C Hamano8-0/+104
Git 2.8.6
2017-07-30Git 2.8.6Libravatar Junio C Hamano3-2/+6
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-30Merge tag 'v2.7.6' into maint-2.8Libravatar Junio C Hamano7-0/+100
Git 2.7.6
2017-07-30Git 2.7.6Libravatar Junio C Hamano3-2/+27
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28Merge branch 'jk/ssh-funny-url' into maint-2.7Libravatar Junio C Hamano6-0/+75
2017-07-28connect: reject paths that look like command line optionsLibravatar Jeff King3-0/+40
If we get a repo path like "-repo.git", we may try to invoke "git-upload-pack -repo.git". This is going to fail, since upload-pack will interpret it as a set of bogus options. But let's reject this before we even run the sub-program, since we would not want to allow any mischief with repo names that actually are real command-line options. You can still ask for such a path via git-daemon, but there's no security problem there, because git-daemon enters the repo itself and then passes "." on the command line. Signed-off-by: Jeff King <peff@peff.net> Reviewed-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28connect: reject dashed arguments for proxy commandsLibravatar Jeff King2-0/+10
If you have a GIT_PROXY_COMMAND configured, we will run it with the host/port on the command-line. If a URL contains a mischievous host like "--foo", we don't know how the proxy command may handle it. It's likely to break, but it may also do something dangerous and unwanted (technically it could even do something useful, but that seems unlikely). We should err on the side of caution and reject this before we even run the command. The hostname check matches the one we do in a similar circumstance for ssh. The port check is not present for ssh, but there it's not necessary because the syntax is "-p <port>", and there's no ambiguity on the parsing side. It's not clear whether you can actually get a negative port to the proxy here or not. Doing: git fetch git://remote:-1234/repo.git keeps the "-1234" as part of the hostname, with the default port of 9418. But it's a good idea to keep this check close to the point of running the command to make it clear that there's no way to circumvent it (and at worst it serves as a belt-and-suspenders check). Signed-off-by: Jeff King <peff@peff.net> Reviewed-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28connect: factor out "looks like command line option" checkLibravatar Jeff King3-1/+14
We reject hostnames that start with a dash because they may be confused for command-line options. Let's factor out that notion into a helper function, as we'll use it in more places. And while it's simple now, it's not clear if some systems might need more complex logic to handle all cases. Signed-off-by: Jeff King <peff@peff.net> Reviewed-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28t5813: add test for hostname starting with dashLibravatar Jeff King1-0/+9
Per the explanation in the previous patch, this should be (and is) rejected. Signed-off-by: Jeff King <peff@peff.net> Reviewed-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28connect: reject ssh hostname that begins with a dashLibravatar Junio C Hamano1-0/+3
When commands like "git fetch" talk with ssh://$rest_of_URL/, the code splits $rest_of_URL into components like host, port, etc., and then spawns the underlying "ssh" program by formulating argv[] array that has: - the path to ssh command taken from GIT_SSH_COMMAND, etc. - dashed options like '-batch' (for Tortoise), '-p <port>' as needed. - ssh_host, which is supposed to be the hostname parsed out of $rest_of_URL. - then the command to be run on the other side, e.g. git upload-pack. If the ssh_host ends up getting '-<anything>', the argv[] that is used to spawn the command becomes something like: { "ssh", "-p", "22", "-<anything>", "command", "to", "run", NULL } which obviously is bogus, but depending on the actual value of "<anything>", will make "ssh" parse and use it as an option. Prevent this by forbidding ssh_host that begins with a "-". Noticed-by: Joern Schneeweisz of Recurity Labs Reported-by: Brian at GitLab Signed-off-by: Junio C Hamano <gitster@pobox.com> Reviewed-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05Git 2.10.3Libravatar Junio C Hamano3-2/+10
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05Merge branch 'maint-2.9' into maint-2.10Libravatar Junio C Hamano8-7/+83
2017-05-05Git 2.9.4Libravatar Junio C Hamano3-2/+11
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05Merge branch 'maint-2.8' into maint-2.9Libravatar Junio C Hamano7-6/+74
2017-05-05Git 2.8.5Libravatar Junio C Hamano4-3/+16
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05Merge branch 'maint-2.7' into maint-2.8Libravatar Junio C Hamano6-5/+60
2017-05-05Git 2.7.5Libravatar Junio C Hamano4-3/+19
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05Merge branch 'maint-2.6' into maint-2.7Libravatar Junio C Hamano5-4/+43
2017-05-05Git 2.6.7Libravatar Junio C Hamano4-3/+16
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05Merge branch 'maint-2.5' into maint-2.6Libravatar Junio C Hamano4-3/+29
2017-05-05Git 2.5.6Libravatar Junio C Hamano4-3/+16
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05Merge branch 'maint-2.4' into maint-2.5Libravatar Junio C Hamano3-2/+15
2017-05-05Git 2.4.12Libravatar Junio C Hamano4-3/+16
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05Merge branch 'jk/shell-no-repository-that-begins-with-dash' into maint-2.4Libravatar Junio C Hamano1-1/+1
* jk/shell-no-repository-that-begins-with-dash: shell: disallow repo names beginning with dash
2017-05-05shell: disallow repo names beginning with dashLibravatar Jeff King1-1/+1
When a remote server uses git-shell, the client side will connect to it like: ssh server "git-upload-pack 'foo.git'" and we literally exec ("git-upload-pack", "foo.git"). In early versions of upload-pack and receive-pack, we took a repository argument and nothing else. But over time they learned to accept dashed options. If the user passes a repository name that starts with a dash, the results are confusing at best (we complain of a bogus option instead of a non-existent repository) and malicious at worst (the user can start an interactive pager via "--help"). We could pass "--" to the sub-process to make sure the user's argument is interpreted as a branch name. I.e.: git-upload-pack -- -foo.git But adding "--" automatically would make us inconsistent with a normal shell (i.e., when git-shell is not in use), where "-foo.git" would still be an error. For that case, the client would have to specify the "--", but they can't do so reliably, as existing versions of git-shell do not allow more than a single argument. The simplest thing is to simply disallow "-" at the start of the repo name argument. This hasn't worked either with or without git-shell since version 1.0.0, and nobody has complained. Note that this patch just applies to do_generic_cmd(), which runs upload-pack, receive-pack, and upload-archive. There are two other types of commands that git-shell runs: - do_cvs_cmd(), but this already restricts the argument to be the literal string "server" - admin-provided commands in the git-shell-commands directory. We'll pass along arbitrary arguments there, so these commands could have similar problems. But these commands might actually understand dashed arguments, so we cannot just block them here. It's up to the writer of the commands to make sure they are safe. With great power comes great responsibility. Reported-by: Timo Schmid <tschmid@ernw.de> Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-05preparing for 2.10.3Libravatar Junio C Hamano2-1/+49
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-05Merge branch 'jk/common-main' into maint-2.10Libravatar Junio C Hamano5-11/+12
* jk/common-main: common-main: stop munging argv[0] path git-compat-util: move content inside ifdef/endif guards
2016-11-29Merge branch 'tk/diffcore-delta-remove-unused' into maintLibravatar Junio C Hamano5-8/+1
Code cleanup. * tk/diffcore-delta-remove-unused: diffcore-delta: remove unused parameter to diffcore_count_changes()
2016-11-29Merge branch 'jk/create-branch-remove-unused-param' into maintLibravatar Junio C Hamano4-13/+18
Code clean-up. * jk/create-branch-remove-unused-param: create_branch: drop unused "head" parameter
2016-11-29Merge branch 'nd/worktree-lock' into maintLibravatar Junio C Hamano1-1/+1
Typofix. * nd/worktree-lock: git-worktree.txt: fix typo "to"/"two", and add comma
2016-11-29Merge branch 'ps/common-info-doc' into maintLibravatar Junio C Hamano1-1/+1
Doc fix. * ps/common-info-doc: doc: fix location of 'info/' with $GIT_COMMON_DIR
2016-11-29Merge branch 'rs/cocci' into maintLibravatar Junio C Hamano1-0/+15
Improve the rule to convert "unsigned char [20]" into "struct object_id *" in contrib/coccinelle/ * rs/cocci: cocci: avoid self-references in object_id transformations
2016-11-29Merge branch 'nd/test-helpers' into maintLibravatar Junio C Hamano2-3/+18
Update to the test framework made in 2.9 timeframe broke running the tests under valgrind, which has been fixed. * nd/test-helpers: valgrind: support test helpers
2016-11-29Merge branch 'sc/fmt-merge-msg-doc-markup-fix' into maintLibravatar Junio C Hamano1-2/+2
Documentation fix. * sc/fmt-merge-msg-doc-markup-fix: Documentation/fmt-merge-msg: fix markup in example
2016-11-29Merge branch 'rs/commit-pptr-simplify' into maintLibravatar Junio C Hamano1-8/+6
Code simplification. * rs/commit-pptr-simplify: commit: simplify building parents list
2016-11-29Merge branch 'jk/rebase-config-insn-fmt-docfix' into maintLibravatar Junio C Hamano1-1/+1
Documentation fix. * jk/rebase-config-insn-fmt-docfix: doc: fix missing "::" in config list
2016-11-29Merge branch 'ak/pre-receive-hook-template-modefix' into maintLibravatar Junio C Hamano1-0/+0
A trivial clean-up to a recently graduated topic. * ak/pre-receive-hook-template-modefix: pre-receive.sample: mark it executable
2016-11-29Merge branch 'ls/macos-update' into maintLibravatar Junio C Hamano2-1/+3
Portability update and workaround for builds on recent Mac OS X. * ls/macos-update: travis-ci: disable GIT_TEST_HTTPD for macOS Makefile: set NO_OPENSSL on macOS by default
2016-11-29Merge branch 'as/merge-attr-sleep' into maintLibravatar Junio C Hamano1-5/+13
Fix for a racy false-positive test failure. * as/merge-attr-sleep: t6026: clarify the point of "kill $(cat sleep.pid)" t6026: ensure that long-running script really is Revert "t6026-merge-attr: don't fail if sleep exits early" Revert "t6026-merge-attr: ensure that the merge driver was called" t6026-merge-attr: ensure that the merge driver was called t6026-merge-attr: don't fail if sleep exits early
2016-11-29Merge branch 'ak/sh-setup-dot-source-i18n-fix' into maintLibravatar Junio C Hamano1-3/+3
Recent update to git-sh-setup (a library of shell functions that are used by our in-tree scripted Porcelain commands) included another shell library git-sh-i18n without specifying where it is, relying on the $PATH. This has been fixed to be more explicit by prefixing $(git --exec-path) output in front. * ak/sh-setup-dot-source-i18n-fix: git-sh-setup: be explicit where to dot-source git-sh-i18n from.
2016-11-29Merge branch 'jk/daemon-path-ok-check-truncation' into maintLibravatar Junio C Hamano1-4/+21
"git daemon" used fixed-length buffers to turn URL to the repository the client asked for into the server side directory path, using snprintf() to avoid overflowing these buffers, but allowed possibly truncated paths to the directory. This has been tightened to reject such a request that causes overlong path to be required to serve. * jk/daemon-path-ok-check-truncation: daemon: detect and reject too-long paths
2016-11-29Merge branch 'rs/ring-buffer-wraparound' into maintLibravatar Junio C Hamano2-2/+4
The code that we have used for the past 10+ years to cycle 4-element ring buffers turns out to be not quite portable in theoretical world. * rs/ring-buffer-wraparound: hex: make wraparound of the index into ring-buffer explicit
2016-11-29Merge branch 'mm/send-email-cc-cruft-after-address' into maintLibravatar Junio C Hamano3-10/+42
"git send-email" attempts to pick up valid e-mails from the trailers, but people in real world write non-addresses there, like "Cc: Stable <add@re.ss> # 4.8+", which broke the output depending on the availability and vintage of Mail::Address perl module. * mm/send-email-cc-cruft-after-address: Git.pm: add comment pointing to t9000 t9000-addresses: update expected results after fix parse_mailboxes: accept extra text after <...> address
2016-11-29Merge branch 'cp/completion-negative-refs' into maintLibravatar Junio C Hamano1-3/+4
The command-line completion script (in contrib/) learned to complete "git cmd ^mas<HT>" to complete the negative end of reference to "git cmd ^master". * cp/completion-negative-refs: completion: support excluding refs
2016-11-29Merge branch 'jc/am-read-author-file' into maintLibravatar Junio C Hamano1-58/+45
Extract a small helper out of the function that reads the authors script file "git am" internally uses. This by itself is not useful until a second caller appears in the future for "rebase -i" helper. * jc/am-read-author-file: am: refactor read_author_script()
2016-11-29common-main: stop munging argv[0] pathLibravatar Jeff King4-9/+10
Since 650c44925 (common-main: call git_extract_argv0_path(), 2016-07-01), the argv[0] that is seen in cmd_main() of individual programs is always the basename of the executable, as common-main strips off the full path. This can produce confusing results for git-daemon, which wants to re-exec itself. For instance, if the program was originally run as "/usr/lib/git/git-daemon", it will try just re-execing "git-daemon", which will find the first instance in $PATH. If git's exec-path has not been prepended to $PATH, we may find the git-daemon from a different version (or no git-daemon at all). Normally this isn't a problem. Git commands are run as "git daemon", the git wrapper puts the exec-path at the front of $PATH, and argv[0] is already "daemon" anyway. But running git-daemon via its full exec-path, while not really a recommended method, did work prior to 650c44925. Let's make it work again. The real goal of 650c44925 was not to munge argv[0], but to reliably set the argv0_path global. The only reason it munges at all is that one caller, the git.c wrapper, piggy-backed on that computation to find the command basename. Instead, let's leave argv[0] untouched in common-main, and have git.c do its own basename computation. While we're at it, let's drop the return value from git_extract_argv0_path(). It was only ever used in this one callsite, and its dual purposes is what led to this confusion in the first place. Note that by changing the interface, the compiler can confirm for us that there are no other callers storing the return value. But the compiler can't tell us whether any of the cmd_main() functions (besides git.c) were relying on the basename munging. However, we can observe that prior to 650c44925, no other cmd_main() functions did that munging, and no new cmd_main() functions have been introduced since then. So we can't be regressing any of those cases. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-11-14diffcore-delta: remove unused parameter to diffcore_count_changes()Libravatar Tobias Klauser5-8/+1
The delta_limit parameter to diffcore_count_changes() has been unused since commit ba23bbc8e ("diffcore-delta: make change counter to byte oriented again.", 2006-03-04). Remove the parameter and adjust all callers. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: Junio C Hamano <gitster@pobox.com>