Age | Commit message | Author | Files | Lines
2017-09-11 | cvsserver: use safe_pipe_capture instead of backticks | joernchen | 1 | -11/+11
This makes the script pass arguments that are derived from end-user input in a safer way when invoking subcommands.

Reported-by: joernchen <joernchen@phenoelit.de>
Signed-off-by: joernchen <joernchen@phenoelit.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-09-11 | cvsserver: move safe_pipe_capture() to the main package | Junio C Hamano | 1 | -25/+22
As a preparation for replacing `command` with a call to this function from outside GITCVS::updater package, move it to the main package.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-30 | Git 2.9.5 | Junio C Hamano | 3 | -2/+6
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-30 | Merge tag 'v2.8.6' into maint-2.9 | Junio C Hamano | 8 | -0/+104
Git 2.8.6
2017-07-30 | Git 2.8.6 | Junio C Hamano | 3 | -2/+6
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-30 | Merge tag 'v2.7.6' into maint-2.8 | Junio C Hamano | 7 | -0/+100
Git 2.7.6
2017-07-30 | Git 2.7.6 | Junio C Hamano | 3 | -2/+27
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28 | Merge branch 'jk/ssh-funny-url' into maint-2.7 | Junio C Hamano | 6 | -0/+75
2017-07-28 | connect: reject paths that look like command line options | Jeff King | 3 | -0/+40
If we get a repo path like "-repo.git", we may try to invoke "git-upload-pack -repo.git". This is going to fail, since upload-pack will interpret it as a set of bogus options. But let's reject this before we even run the sub-program, since we would not want to allow any mischief with repo names that actually are real command-line options.

You can still ask for such a path via git-daemon, but there's no security problem there, because git-daemon enters the repo itself and then passes "." on the command line.

Signed-off-by: Jeff King <peff@peff.net>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28 | connect: reject dashed arguments for proxy commands | Jeff King | 2 | -0/+10
If you have a GIT_PROXY_COMMAND configured, we will run it with the host/port on the command-line. If a URL contains a mischievous host like "--foo", we don't know how the proxy command may handle it. It's likely to break, but it may also do something dangerous and unwanted (technically it could even do something useful, but that seems unlikely).

We should err on the side of caution and reject this before we even run the command.

The hostname check matches the one we do in a similar circumstance for ssh. The port check is not present for ssh, but there it's not necessary because the syntax is "-p <port>", and there's no ambiguity on the parsing side.

It's not clear whether you can actually get a negative port to the proxy here or not. Doing:

    git fetch git://remote:-1234/repo.git

keeps the "-1234" as part of the hostname, with the default port of 9418. But it's a good idea to keep this check close to the point of running the command to make it clear that there's no way to circumvent it (and at worst it serves as a belt-and-suspenders check).

Signed-off-by: Jeff King <peff@peff.net>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28 | connect: factor out "looks like command line option" check | Jeff King | 3 | -1/+14
We reject hostnames that start with a dash because they may be confused for command-line options. Let's factor out that notion into a helper function, as we'll use it in more places. And while it's simple now, it's not clear if some systems might need more complex logic to handle all cases.

Signed-off-by: Jeff King <peff@peff.net>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28 | t5813: add test for hostname starting with dash | Jeff King | 1 | -0/+9
Per the explanation in the previous patch, this should be (and is) rejected.

Signed-off-by: Jeff King <peff@peff.net>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28 | connect: reject ssh hostname that begins with a dash | Junio C Hamano | 1 | -0/+3
When commands like "git fetch" talk with ssh://$rest_of_URL/, the code splits $rest_of_URL into components like host, port, etc., and then spawns the underlying "ssh" program by formulating argv[] array that has:

 - the path to ssh command taken from GIT_SSH_COMMAND, etc.

 - dashed options like '-batch' (for Tortoise), '-p <port>' as needed.

 - ssh_host, which is supposed to be the hostname parsed out of $rest_of_URL.

 - then the command to be run on the other side, e.g. git upload-pack.

If the ssh_host ends up getting '-<anything>', the argv[] that is used to spawn the command becomes something like:

    { "ssh", "-p", "22", "-<anything>", "command", "to", "run", NULL }

which obviously is bogus, but depending on the actual value of "<anything>", will make "ssh" parse and use it as an option.

Prevent this by forbidding ssh_host that begins with a "-".

Noticed-by: Joern Schneeweisz of Recurity Labs
Reported-by: Brian at GitLab
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Reviewed-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05 | Git 2.9.4 | Junio C Hamano | 3 | -2/+11
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05 | Merge branch 'maint-2.8' into maint-2.9 | Junio C Hamano | 7 | -6/+74
2017-05-05 | Git 2.8.5 | Junio C Hamano | 4 | -3/+16
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05 | Merge branch 'maint-2.7' into maint-2.8 | Junio C Hamano | 6 | -5/+60
2017-05-05 | Git 2.7.5 | Junio C Hamano | 4 | -3/+19
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05 | Merge branch 'maint-2.6' into maint-2.7 | Junio C Hamano | 5 | -4/+43
2017-05-05 | Git 2.6.7 | Junio C Hamano | 4 | -3/+16
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05 | Merge branch 'maint-2.5' into maint-2.6 | Junio C Hamano | 4 | -3/+29
2017-05-05 | Git 2.5.6 | Junio C Hamano | 4 | -3/+16
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05 | Merge branch 'maint-2.4' into maint-2.5 | Junio C Hamano | 3 | -2/+15
2017-05-05 | Git 2.4.12 | Junio C Hamano | 4 | -3/+16
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05 | Merge branch 'jk/shell-no-repository-that-begins-with-dash' into maint-2.4 | Junio C Hamano | 1 | -1/+1
* jk/shell-no-repository-that-begins-with-dash:
  shell: disallow repo names beginning with dash
2017-05-05 | shell: disallow repo names beginning with dash | Jeff King | 1 | -1/+1
When a remote server uses git-shell, the client side will connect to it like:

    ssh server "git-upload-pack 'foo.git'"

and we literally exec ("git-upload-pack", "foo.git"). In early versions of upload-pack and receive-pack, we took a repository argument and nothing else. But over time they learned to accept dashed options. If the user passes a repository name that starts with a dash, the results are confusing at best (we complain of a bogus option instead of a non-existent repository) and malicious at worst (the user can start an interactive pager via "--help").

We could pass "--" to the sub-process to make sure the user's argument is interpreted as a branch name. I.e.:

    git-upload-pack -- -foo.git

But adding "--" automatically would make us inconsistent with a normal shell (i.e., when git-shell is not in use), where "-foo.git" would still be an error. For that case, the client would have to specify the "--", but they can't do so reliably, as existing versions of git-shell do not allow more than a single argument.

The simplest thing is to simply disallow "-" at the start of the repo name argument. This hasn't worked either with or without git-shell since version 1.0.0, and nobody has complained.

Note that this patch just applies to do_generic_cmd(), which runs upload-pack, receive-pack, and upload-archive. There are two other types of commands that git-shell runs:

 - do_cvs_cmd(), but this already restricts the argument to be the literal string "server"

 - admin-provided commands in the git-shell-commands directory. We'll pass along arbitrary arguments there, so these commands could have similar problems. But these commands might actually understand dashed arguments, so we cannot just block them here. It's up to the writer of the commands to make sure they are safe. With great power comes great responsibility.

Reported-by: Timo Schmid <tschmid@ernw.de>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
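Added example, not code from the Git project: a C sketch of the check described in the "connect: reject ssh hostname that begins with a dash" and "shell: disallow repo names beginning with dash" messages, applied at the point where argv[] is assembled. The function names and the constructed host "example.org" are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical name for the "looks like a command line option" check. */
static int looks_like_option(const char *arg)
{
	return arg != NULL && arg[0] == '-';
}

/*
 * argv[] for ssh in the order the ssh-hostname message lists: program,
 * optional "-p <port>", host, remote command. Returns the entry count
 * (argv is NULL-terminated) or -1 if the host would be read as an option.
 */
int build_ssh_argv(const char *host, const char *port,
		   const char *remote_cmd, const char **argv, size_t cap)
{
	size_t n = 0;

	if (cap < 6 || host == NULL || remote_cmd == NULL)
		return -1;
	if (looks_like_option(host))
		return -1;
	argv[n++] = "ssh";
	if (port != NULL) {
		/* "-p" consumes the next word, so port needs no dash check */
		argv[n++] = "-p";
		argv[n++] = port;
	}
	argv[n++] = host;
	argv[n++] = remote_cmd;
	argv[n] = NULL;
	return (int)n;
}

/* git-shell style exec(prog, repo): returns 2, or -1 for a dashed repo. */
int build_service_argv(const char *prog, const char *repo,
		       const char **argv, size_t cap)
{
	if (cap < 3 || prog == NULL || repo == NULL || looks_like_option(repo))
		return -1;
	argv[0] = prog;
	argv[1] = repo;
	argv[2] = NULL;
	return 2;
}

int main(void)
{
	const char *av[8];
	printf("%d\n", build_ssh_argv("-<anything>", "22", "git-upload-pack 'foo.git'", av, 8));
	printf("%d\n", build_service_argv("git-upload-pack", "--help", av, 8));
	return 0;
}
```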
2016-09-08 | Prepare for 2.9.4 | Junio C Hamano | 2 | -1/+84
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-09-08 | Merge branch 'hv/doc-commit-reference-style' into maint | Junio C Hamano | 1 | -0/+10
A small doc update.

* hv/doc-commit-reference-style:
  SubmittingPatches: use gitk's "Copy commit summary" format
  SubmittingPatches: document how to reference previous commits
2016-09-08 | Merge branch 'sg/reflog-past-root' into maint | Junio C Hamano | 1 | -1/+0
A small test clean-up for a topic introduced in v2.9.1 and later.

* sg/reflog-past-root:
  t1410: remove superfluous 'git reflog' from the 'walk past root' test
2016-09-08 | Merge branch 'rs/mailinfo-lib' into maint | Junio C Hamano | 1 | -7/+2
Small code clean-up.

* rs/mailinfo-lib:
  mailinfo: recycle strbuf in check_header()
2016-09-08 | Merge branch 'jk/tighten-alloc' into maint | Junio C Hamano | 2 | -4/+2
Small code and comment clean-up.

* jk/tighten-alloc:
  receive-pack: use FLEX_ALLOC_MEM in queue_command()
  correct FLEXPTR_* example in comment
2016-09-08 | Merge branch 'rs/use-strbuf-add-unique-abbrev' into maint | Junio C Hamano | 3 | -16/+11
A small code clean-up.

* rs/use-strbuf-add-unique-abbrev:
  use strbuf_add_unique_abbrev() for adding short hashes
2016-09-08 | Merge branch 'rs/merge-recursive-string-list-init' into maint | Junio C Hamano | 1 | -2/+1
A small code clean-up.

* rs/merge-recursive-string-list-init:
  merge-recursive: use STRING_LIST_INIT_NODUP
2016-09-08 | Merge branch 'rs/merge-add-strategies-simplification' into maint | Junio C Hamano | 1 | -34/+10
A small code clean-up.

* rs/merge-add-strategies-simplification:
  merge: use string_list_split() in add_strategies()
2016-09-08 | Merge branch 'ls/packet-line-protocol-doc-fix' into maint | Junio C Hamano | 1 | -3/+3
Correct an age-old calco (is that a typo-like word for calc) in the documentation.

* ls/packet-line-protocol-doc-fix:
  pack-protocol: fix maximum pkt-line size
2016-09-08 | Merge branch 'bw/mingw-avoid-inheriting-fd-to-lockfile' into maint | Junio C Hamano | 6 | -1/+35
The tempfile (hence its user lockfile) API lets the caller open a file descriptor to a temporary file, write into it and then finalize it by first closing the filehandle and then either removing or renaming the temporary file. When the process spawns a subprocess after obtaining the file descriptor, and if the subprocess has not exited when the attempt to remove or rename is made, the last step fails on Windows, because the subprocess has the file descriptor still open. Open tempfile with O_CLOEXEC flag to avoid this (on Windows, this is mapped to O_NOINHERIT).

* bw/mingw-avoid-inheriting-fd-to-lockfile:
  mingw: ensure temporary file handles are not inherited by child processes
  t6026-merge-attr: child processes must not inherit index.lock handles
2016-09-08 | Merge branch 'dg/document-git-c-in-git-config-doc' into maint | Junio C Hamano | 1 | -0/+3
The "git -c var[=val] cmd" facility to append a configuration variable definition at the end of the search order was described in git(1) manual page, but not in git-config(1), which was a more likely place for people to look when they ask "can I make a one-shot override, and if so how?"

* dg/document-git-c-in-git-config-doc:
  doc: mention `git -c` in git-config(1)
2016-09-08 | Merge branch 'js/no-html-bypass-on-windows' into maint | Junio C Hamano | 3 | -52/+0
On Windows, help.browser configuration variable used to be ignored, which has been corrected.

* js/no-html-bypass-on-windows:
  Revert "display HTML in default browser using Windows' shell API"
2016-09-08 | Merge branch 'jk/difftool-command-not-found' into maint | Junio C Hamano | 2 | -0/+13
"git difftool" by default ignores the error exit from the backend commands it spawns, because often they signal that they found differences by exiting with a non-zero status code just like "diff" does; the exit status codes 126 and above however are special in that they are used to signal that the command is not executable, does not exist, or killed by a signal. "git difftool" has been taught to notice these exit status codes.

* jk/difftool-command-not-found:
  difftool: always honor fatal error exit codes
2016-09-08 | Merge branch 'sb/checkout-explit-detach-no-advice' into maint | Junio C Hamano | 2 | -1/+25
"git checkout --detach <branch>" used to give the same advice message as that is issued when "git checkout <tag>" (or anything that is not a branch name) is given, but asking with "--detach" is an explicit enough sign that the user knows what is going on. The advice message has been squelched in this case.

* sb/checkout-explit-detach-no-advice:
  checkout: do not mention detach advice for explicit --detach option
2016-09-08 | Merge branch 'rs/pull-signed-tag' into maint | Junio C Hamano | 4 | -12/+33
When "git merge-recursive" works on history with many criss-cross merges in "verbose" mode, the names the command assigns to the virtual merge bases could have overwritten each other by unintended reuse of the same piece of memory.

* rs/pull-signed-tag:
  commit: use FLEX_ARRAY in struct merge_remote_desc
  merge-recursive: fix verbose output for multiple base trees
  commit: factor out set_merge_remote_desc()
  commit: use xstrdup() in get_merge_parent()
2016-09-08 | Merge branch 'js/test-lint-pathname' into maint | Junio C Hamano | 1 | -1/+10
The "t/" hierarchy is prone to get an unusual pathname; "make test" has been taught to make sure they do not contain paths that cannot be checked out on Windows (and the mechanism can be reusable to catch pathnames that are not portable to other platforms as need arises).

* js/test-lint-pathname:
  t/Makefile: ensure that paths are valid on platforms we care
2016-09-08 | Merge branch 'js/mv-dir-to-new-directory' into maint | Junio C Hamano | 1 | -4/+7
"git mv dir non-existing-dir/" did not work in some environments the same way as existing mainstream platforms. The code now moves "dir" to "non-existing-dir", without relying on rename("A", "B/") that strips the trailing slash of '/'.

* js/mv-dir-to-new-directory:
  git mv: do not keep slash in `git mv dir non-existing-dir/`
2016-09-08 | Merge branch 'js/import-tars-hardlinks' into maint | Junio C Hamano | 1 | -11/+20
"import-tars" fast-import script (in contrib/) used to ignore a hardlink target and replaced it with an empty file, which has been corrected to record the same blob as the other file the hardlink is shared with.

* js/import-tars-hardlinks:
  import-tars: support hard links
2016-09-08 | Merge branch 'ms/document-pack-window-memory-is-per-thread' into maint | Junio C Hamano | 2 | -4/+6
* ms/document-pack-window-memory-is-per-thread:
  document git-repack interaction of pack.threads and pack.windowMemory
2016-09-08 | Merge branch 'jk/push-force-with-lease-creation' into maint | Junio C Hamano | 4 | -7/+46
"git push --force-with-lease" already had enough logic to allow ensuring that such a push results in creation of a ref (i.e. the receiving end did not have another push from sideways that would be discarded by our force-pushing), but didn't expose this possibility to the users. It does so now.

* jk/push-force-with-lease-creation:
  t5533: make it pass on case-sensitive filesystems
  push: allow pushing new branches with --force-with-lease
  push: add shorthand for --force-with-lease branch creation
  Documentation/git-push: fix placeholder formatting
2016-09-08 | Merge branch 'jk/reflog-date' into maint | Junio C Hamano | 6 | -10/+57
The reflog output format is documented better, and a new format --date=unix to report the seconds-since-epoch (without timezone) has been added.

* jk/reflog-date:
  date: clarify --date=raw description
  date: add "unix" format
  date: document and test "raw-local" mode
  doc/pretty-formats: explain shortening of %gd
  doc/pretty-formats: describe index/time formats for %gd
  doc/rev-list-options: explain "-g" output formats
  doc/rev-list-options: clarify "commit@{Nth}" for "-g" option
2016-09-08 | Merge branch 'jc/renormalize-merge-kill-safer-crlf' into maint | Junio C Hamano | 10 | -90/+112
"git merge" with renormalization did not work well with merge-recursive, due to "safer crlf" conversion kicking in when it shouldn't.

* jc/renormalize-merge-kill-safer-crlf:
  merge: avoid "safer crlf" during recording of merge results
  convert: unify the "auto" handling of CRLF
2016-09-08 | Merge branch 'jk/common-main' into maint | Junio C Hamano | 53 | -153/+126
There are certain house-keeping tasks that need to be performed at the very beginning of any Git program, and programs that are not built-in commands had to do them exactly the same way as "git" potty does. It was easy to make mistakes in one-off standalone programs (like test helpers). A common "main()" function that calls cmd_main() of individual program has been introduced to make it harder to make mistakes.

* jk/common-main:
  mingw: declare main()'s argv as const
  common-main: call git_setup_gettext()
  common-main: call restore_sigpipe_to_default()
  common-main: call sanitize_stdfds()
  common-main: call git_extract_argv0_path()
  add an extra level of indirection to main()
2016-08-30 | pack-protocol: fix maximum pkt-line size | Lars Schneider | 1 | -3/+3
According to LARGE_PACKET_MAX in pkt-line.h the maximal length of a pkt-line packet is 65520 bytes. The pkt-line header takes 4 bytes and therefore the pkt-line data component must not exceed 65516 bytes.

Signed-off-by: Lars Schneider <larsxschneider@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>