summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2018-09-21add: do not accept pathspec magic 'attr'Libravatar Nguyễn Thái Ngọc Duy2-2/+2
Commit b0db704652 (pathspec: allow querying for attributes - 2017-03-13) adds new pathspec magic 'attr' but only with match_pathspec(). "git add" has some pathspec related code that still does not know about 'attr' and will bail out: $ git add ':(attr:foo)' fatal: BUG:dir.c:1584: unsupported magic 40 A better solution would be making this code support 'attr'. But I don't know how much work is needed (I'm not familiar with this new magic). For now, let's simply reject this magic with a friendlier message: $ git add ':(attr:foo)' fatal: :(attr:foo): pathspec magic not supported by this command: 'attr' Update t6135 so that the expected error message is from the "graceful" rejection codepath, not "oops, we were supposed to reject the request to trigger this magic" codepath. Reported-by: smaudet@sebastianaudet.com Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-05-22Git 2.15.2Libravatar Junio C Hamano2-1/+4
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-05-22Sync with Git 2.14.4Libravatar Junio C Hamano17-41/+497
* maint-2.14: Git 2.14.4 Git 2.13.7 verify_path: disallow symlinks in .gitmodules update-index: stat updated files earlier verify_dotfile: mention case-insensitivity in comment verify_path: drop clever fallthrough skip_prefix: add case-insensitive variant is_{hfs,ntfs}_dotgitmodules: add tests is_ntfs_dotgit: match other .git files is_hfs_dotgit: match other .git files is_ntfs_dotgit: use a size_t for traversing string submodule-config: verify submodule names as paths
2018-05-22Git 2.14.4Libravatar Junio C Hamano3-2/+7
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-05-22Sync with Git 2.13.7Libravatar Junio C Hamano16-41/+492
* maint-2.13: Git 2.13.7 verify_path: disallow symlinks in .gitmodules update-index: stat updated files earlier verify_dotfile: mention case-insensitivity in comment verify_path: drop clever fallthrough skip_prefix: add case-insensitive variant is_{hfs,ntfs}_dotgitmodules: add tests is_ntfs_dotgit: match other .git files is_hfs_dotgit: match other .git files is_ntfs_dotgit: use a size_t for traversing string submodule-config: verify submodule names as paths
2018-05-22Git 2.13.7Libravatar Junio C Hamano3-2/+22
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-05-22Merge branch 'jk/submodule-fix-loose' into maint-2.13Libravatar Junio C Hamano15-41/+472
* jk/submodule-fix-loose: verify_path: disallow symlinks in .gitmodules update-index: stat updated files earlier verify_dotfile: mention case-insensitivity in comment verify_path: drop clever fallthrough skip_prefix: add case-insensitive variant is_{hfs,ntfs}_dotgitmodules: add tests is_ntfs_dotgit: match other .git files is_hfs_dotgit: match other .git files is_ntfs_dotgit: use a size_t for traversing string submodule-config: verify submodule names as paths
2018-05-21verify_path: disallow symlinks in .gitmodulesLibravatar Jeff King4-15/+37
There are a few reasons it's not a good idea to make .gitmodules a symlink, including: 1. It won't be portable to systems without symlinks. 2. It may behave inconsistently, since Git may look at this file in the index or a tree without bothering to resolve any symbolic links. We don't do this _yet_, but the config infrastructure is there and it's planned for the future. With some clever code, we could make (2) work. And some people may not care about (1) if they only work on one platform. But there are a few security reasons to simply disallow it: a. A symlinked .gitmodules file may circumvent any fsck checks of the content. b. Git may read and write from the on-disk file without sanity checking the symlink target. So for example, if you link ".gitmodules" to "../oops" and run "git submodule add", we'll write to the file "oops" outside the repository. Again, both of those are problems that _could_ be solved with sufficient code, but given the complications in (1) and (2), we're better off just outlawing it explicitly. Note the slightly tricky call to verify_path() in update-index's update_one(). There we may not have a mode if we're not updating from the filesystem (e.g., we might just be removing the file). Passing "0" as the mode there works fine; since it's not a symlink, we'll just skip the extra checks. Signed-off-by: Jeff King <peff@peff.net>
2018-05-21update-index: stat updated files earlierLibravatar Jeff King1-8/+17
In the update_one(), we check verify_path() on the proposed path before doing anything else. In preparation for having verify_path() look at the file mode, let's stat the file earlier, so we can check the mode accurately. This is made a bit trickier by the fact that this function only does an lstat in a few code paths (the ones that flow down through process_path()). So we can speculatively do the lstat() here and pass the results down, and just use a dummy mode for cases where we won't actually be updating the index from the filesystem. Signed-off-by: Jeff King <peff@peff.net>
2018-05-21verify_dotfile: mention case-insensitivity in commentLibravatar Jeff King1-1/+4
We're more restrictive than we need to be in matching ".GIT" on case-sensitive filesystems; let's make a note that this is intentional. Signed-off-by: Jeff King <peff@peff.net>
2018-05-21verify_path: drop clever fallthroughLibravatar Jeff King1-4/+4
We check ".git" and ".." in the same switch statement, and fall through the cases to share the end-of-component check. While this saves us a line or two, it makes modifying the function much harder. Let's just write it out. Signed-off-by: Jeff King <peff@peff.net>
2018-05-21skip_prefix: add case-insensitive variantLibravatar Jeff King1-0/+17
We have the convenient skip_prefix() helper, but if you want to do case-insensitive matching, you're stuck doing it by hand. We could add an extra parameter to the function to let callers ask for this, but the function is small and somewhat performance-critical. Let's just re-implement it for the case-insensitive version. Signed-off-by: Jeff King <peff@peff.net>
2018-05-21is_{hfs,ntfs}_dotgitmodules: add testsLibravatar Johannes Schindelin2-0/+106
This tests primarily for NTFS issues, but also adds one example of an HFS+ issue. Thanks go to Congyi Wu for coming up with the list of examples where NTFS would possibly equate the filename with `.gitmodules`. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Jeff King <peff@peff.net>
2018-05-21is_ntfs_dotgit: match other .git filesLibravatar Johannes Schindelin2-1/+93
When we started to catch NTFS short names that clash with .git, we only looked for GIT~1. This is sufficient because we only ever clone into an empty directory, so .git is guaranteed to be the first subdirectory or file in that directory. However, even with a fresh clone, .gitmodules is *not* necessarily the first file to be written that would want the NTFS short name GITMOD~1: a malicious repository can add .gitmodul0000 and friends, which sorts before `.gitmodules` and is therefore checked out *first*. For that reason, we have to test not only for ~1 short names, but for others, too. It's hard to just adapt the existing checks in is_ntfs_dotgit(): since Windows 2000 (i.e., in all Windows versions still supported by Git), NTFS short names are only generated in the <prefix>~<number> form up to number 4. After that, a *different* prefix is used, calculated from the long file name using an undocumented, but stable algorithm. For example, the short name of .gitmodules would be GITMOD~1, but if it is taken, and all of ~2, ~3 and ~4 are taken, too, the short name GI7EBA~1 will be used. From there, collisions are handled by incrementing the number, shortening the prefix as needed (until ~9999999 is reached, in which case NTFS will not allow the file to be created). We'd also want to handle .gitignore and .gitattributes, which suffer from a similar problem, using the fall-back short names GI250A~1 and GI7D29~1, respectively. To accommodate for that, we could reimplement the hashing algorithm, but it is just safer and simpler to provide the known prefixes. This algorithm has been reverse-engineered and described at https://usn.pw/blog/gen/2015/06/09/filenames/, which is defunct but still available via https://web.archive.org/. These can be recomputed by running the following Perl script: -- snip -- use warnings; use strict; sub compute_short_name_hash ($) { my $checksum = 0; foreach (split('', $_[0])) { $checksum = ($checksum * 0x25 + ord($_)) & 0xffff; } $checksum = ($checksum * 314159269) & 0xffffffff; $checksum = 1 + (~$checksum & 0x7fffffff) if ($checksum & 0x80000000); $checksum -= (($checksum * 1152921497) >> 60) * 1000000007; return scalar reverse sprintf("%x", $checksum & 0xffff); } print compute_short_name_hash($ARGV[0]); -- snap -- E.g., running that with the argument ".gitignore" will result in "250a" (which then becomes "gi250a" in the code). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Jeff King <peff@peff.net>
2018-05-21is_hfs_dotgit: match other .git filesLibravatar Jeff King2-12/+51
Both verify_path() and fsck match ".git", ".GIT", and other variants specific to HFS+. Let's allow matching other special files like ".gitmodules", which we'll later use to enforce extra restrictions via verify_path() and fsck. Signed-off-by: Jeff King <peff@peff.net>
2018-05-21is_ntfs_dotgit: use a size_t for traversing stringLibravatar Jeff King1-1/+1
We walk through the "name" string using an int, which can wrap to a negative value and cause us to read random memory before our array (e.g., by creating a tree with a name >2GB, since "int" is still 32 bits even on most 64-bit platforms). Worse, this is easy to trigger during the fsck_tree() check, which is supposed to be protecting us from malicious garbage. Note one bit of trickiness in the existing code: we sometimes assign -1 to "len" at the end of the loop, and then rely on the "len++" in the for-loop's increment to take it back to 0. This is still legal with a size_t, since assigning -1 will turn into SIZE_MAX, which then wraps around to 0 on increment. Signed-off-by: Jeff King <peff@peff.net>
2018-05-21submodule-config: verify submodule names as pathsLibravatar Jeff King5-0/+143
Submodule "names" come from the untrusted .gitmodules file, but we blindly append them to $GIT_DIR/modules to create our on-disk repo paths. This means you can do bad things by putting "../" into the name (among other things). Let's sanity-check these names to avoid building a path that can be exploited. There are two main decisions: 1. What should the allowed syntax be? It's tempting to reuse verify_path(), since submodule names typically come from in-repo paths. But there are two reasons not to: a. It's technically more strict than what we need, as we really care only about breaking out of the $GIT_DIR/modules/ hierarchy. E.g., having a submodule named "foo/.git" isn't actually dangerous, and it's possible that somebody has manually given such a funny name. b. Since we'll eventually use this checking logic in fsck to prevent downstream repositories, it should be consistent across platforms. Because verify_path() relies on is_dir_sep(), it wouldn't block "foo\..\bar" on a non-Windows machine. 2. Where should we enforce it? These days most of the .gitmodules reads go through submodule-config.c, so I've put it there in the reading step. That should cover all of the C code. We also construct the name for "git submodule add" inside the git-submodule.sh script. This is probably not a big deal for security since the name is coming from the user anyway, but it would be polite to remind them if the name they pick is invalid (and we need to expose the name-checker to the shell anyway for our test scripts). This patch issues a warning when reading .gitmodules and just ignores the related config entry completely. This will generally end up producing a sensible error, as it works the same as a .gitmodules file which is missing a submodule entry (so "submodule update" will barf, but "git clone --recurse-submodules" will print an error but not abort the clone. There is one minor oddity, which is that we print the warning once per malformed config key (since that's how the config subsystem gives us the entries). So in the new test, for example, the user would see three warnings. That's OK, since the intent is that this case should never come up outside of malicious repositories (and then it might even benefit the user to see the message multiple times). Credit for finding this vulnerability and the proof of concept from which the test script was adapted goes to Etienne Stalmans. Signed-off-by: Jeff King <peff@peff.net>
2017-12-06Prepare for 2.15.2Libravatar Junio C Hamano2-1/+48
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-12-06Merge branch 'jc/merge-base-fork-point-doc' into maintLibravatar Junio C Hamano1-8/+56
Clarify and enhance documentation for "merge-base --fork-point", as it was clear what it computed but not why/what for. * jc/merge-base-fork-point-doc: merge-base --fork-point doc: clarify the example and failure modes
2017-12-06Merge branch 'tz/redirect-fix' into maintLibravatar Junio C Hamano2-2/+2
A few scripts (both in production and tests) incorrectly redirected their error output. These have been corrected. * tz/redirect-fix: rebase: fix stderr redirect in apply_autostash() t/lib-gpg: fix gpgconf stderr redirect to /dev/null
2017-12-06Merge branch 'tz/notes-error-to-stderr' into maintLibravatar Junio C Hamano3-9/+9
"git notes" sent its error message to its standard output stream, which was corrected. * tz/notes-error-to-stderr: notes: send "Automatic notes merge failed" messages to stderr
2017-12-06Merge branch 'sb/test-cherry-pick-submodule-getting-in-a-way' into maintLibravatar Junio C Hamano2-2/+39
The three-way merge performed by "git cherry-pick" was confused when a new submodule was added in the meantime, which has been fixed (or "papered over"). * sb/test-cherry-pick-submodule-getting-in-a-way: merge-recursive: handle addition of submodule on our side of history t/3512: demonstrate unrelated submodule/file conflict as cherry-pick failure
2017-12-06Merge branch 'pw/sequencer-recover-from-unlockable-index' into maintLibravatar Junio C Hamano1-1/+2
The sequencer machinery (used by "git cherry-pick A..B", and "git rebase -i", among other things) would have lost a commit if stopped due to an unlockable index file, which has been fixed. * pw/sequencer-recover-from-unlockable-index: sequencer: reschedule pick if index can't be locked
2017-12-06Merge branch 'rs/apply-inaccurate-eof-with-incomplete-line' into maintLibravatar Junio C Hamano2-0/+16
"git apply --inaccurate-eof" when used with "--ignore-space-change" triggered an internal sanity check, which has been fixed. * rs/apply-inaccurate-eof-with-incomplete-line: apply: update line lengths for --inaccurate-eof
2017-12-06Merge branch 'tz/complete-branch-copy' into maintLibravatar Junio C Hamano1-1/+1
Command line completion (in contrib/) has been taught about the "--copy" option of "git branch". * tz/complete-branch-copy: completion: add '--copy' option to 'git branch'
2017-12-06Merge branch 'ew/rebase-mboxrd' into maintLibravatar Junio C Hamano2-0/+24
When "git rebase" prepared an mailbox of changes and fed it to "git am" to replay them, it was confused when a stray "From " happened to be in the log message of one of the replayed changes. This has been corrected. * ew/rebase-mboxrd: rebase: use mboxrd format to avoid split errors
2017-12-06Merge branch 'sd/branch-copy' into maintLibravatar Junio C Hamano1-2/+2
Code clean-up. * sd/branch-copy: config: avoid "write_in_full(fd, buf, len) != len" pattern
2017-12-06Merge branch 'sw/pull-ipv46-passthru' into maintLibravatar Junio C Hamano1-0/+12
Contrary to the documentation, "git pull -4/-6 other-args" did not ask the underlying "git fetch" to go over IPv4/IPv6, which has been corrected. * sw/pull-ipv46-passthru: pull: pass -4/-6 option to 'git fetch'
2017-12-06Merge branch 'bc/submitting-patches-in-asciidoc' into maintLibravatar Junio C Hamano3-161/+192
The SubmittingPatches document has been converted to produce an HTML version via AsciiDoc/Asciidoctor. * bc/submitting-patches-in-asciidoc: Documentation: convert SubmittingPatches to AsciiDoc Documentation: enable compat-mode for Asciidoctor
2017-12-06Merge branch 'mh/avoid-rewriting-packed-refs' into maintLibravatar Junio C Hamano4-1/+238
Recent update to the refs infrastructure implementation started rewriting packed-refs file more often than before; this has been optimized again for most trivial cases. * mh/avoid-rewriting-packed-refs: files-backend: don't rewrite the `packed-refs` file unnecessarily t1409: check that `packed-refs` is not rewritten unnecessarily
2017-11-28Git 2.15.1Libravatar Junio C Hamano1-0/+3
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-28Merge branch 'rs/config-write-section-fix' into maintLibravatar Junio C Hamano1-1/+1
There was a recent semantic mismerge in the codepath to write out a section of a configuration section, which has been corrected. * rs/config-write-section-fix: config: flip return value of write_section()
2017-11-27A bit more fixes for 2.15.1Libravatar Junio C Hamano1-0/+5
We've been waiting long enough, a few more would not hurt ;-) Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-27Merge branch 'ma/reduce-heads-leakfix' into maintLibravatar Junio C Hamano7-23/+52
Leak fixes. * ma/reduce-heads-leakfix: reduce_heads: fix memory leaks builtin/merge-base: free commit lists
2017-11-27Merge branch 'ma/bisect-leakfix' into maintLibravatar Junio C Hamano3-19/+29
Leak fixes. * ma/bisect-leakfix: bisect: fix memory leak when returning best element bisect: fix off-by-one error in `best_bisection_sorted()` bisect: fix memory leak in `find_bisection()` bisect: change calling-convention of `find_bisection()`
2017-11-27Merge branch 'rs/apply-fuzzy-match-fix' into maintLibravatar Junio C Hamano1-39/+20
A fix for an ancient bug in "git apply --ignore-space-change" codepath. * rs/apply-fuzzy-match-fix: apply: avoid out-of-bounds access in fuzzy_matchlines()
2017-11-27Merge branch 'ad/submitting-patches-title-decoration' into maintLibravatar Junio C Hamano1-8/+13
Doc update around use of "format-patch --subject-prefix" etc. * ad/submitting-patches-title-decoration: doc/SubmittingPatches: correct subject guidance
2017-11-27Merge branch 'rs/imap-send-next-arg-fix' into maintLibravatar Junio C Hamano1-2/+13
Error checking in "git imap-send" for empty response has been improved. * rs/imap-send-next-arg-fix: imap-send: handle missing response codes gracefully imap-send: handle NULL return of next_arg()
2017-11-26RelNotes: minor typo fixes in 2.15.1 draftLibravatar Todd Zullinger1-3/+3
Signed-off-by: Todd Zullinger <tmz@pobox.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-21Almost ready for 2.15.1Libravatar Junio C Hamano1-0/+12
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-21Merge branch 'rs/sequencer-rewrite-file-cleanup' into maintLibravatar Junio C Hamano1-29/+16
Code cleanup. * rs/sequencer-rewrite-file-cleanup: sequencer.c: check return value of close() in rewrite_file() sequencer: use O_TRUNC to truncate files sequencer: factor out rewrite_file()
2017-11-21Merge branch 'cb/t4201-robustify' into maintLibravatar Junio C Hamano2-5/+7
A test update. * cb/t4201-robustify: t4201: make use of abbreviation in the test more robust
2017-11-21Merge branch 'tz/fsf-address-update' into maintLibravatar Junio C Hamano44-103/+69
Replace the mailing address of FSF to a URL, as FSF prefers. * tz/fsf-address-update: Replace Free Software Foundation address in license notices Replace Free Software Foundation address in license notices
2017-11-21Merge branch 'ad/rebase-i-serie-typofix' into maintLibravatar Junio C Hamano1-1/+1
Typofix. * ad/rebase-i-serie-typofix: rebase -i: fix comment typo
2017-11-21Merge branch 'jk/info-alternates-fix' into maintLibravatar Junio C Hamano1-1/+3
We used to add an empty alternate object database to the system that does not help anything; it has been corrected. * jk/info-alternates-fix: link_alt_odb_entries: make empty input a noop
2017-11-21Merge branch 'ab/pcre-v2' into maintLibravatar Junio C Hamano2-3/+4
Building with NO_LIBPCRE1_JIT did not disable it, which has been fixed. * ab/pcre-v2: grep: fix NO_LIBPCRE1_JIT to fully disable JIT
2017-11-21Merge branch 'sr/wrapper-quote-filenames' into maintLibravatar Junio C Hamano3-6/+6
Some error messages did not quote filenames shown in it, which have been fixed. * sr/wrapper-quote-filenames: wrapper.c: consistently quote filenames in error messages
2017-11-21Merge branch 'bw/rebase-i-ignored-submodule-fix' into maintLibravatar Junio C Hamano2-1/+20
"git rebase -i" recently started misbehaving when a submodule that is configured with 'submodule.<name>.ignore' is dirty; this has been corrected. * bw/rebase-i-ignored-submodule-fix: wt-status: actually ignore submodules when requested
2017-11-21pull: pass -4/-6 option to 'git fetch'Libravatar Shuyu Wei1-0/+12
The -4/-6 option should be passed through to 'git fetch' to be consistent with the man page. Signed-off-by: Wei Shuyu <wsy@dogben.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-18config: flip return value of write_section()Libravatar René Scharfe1-1/+1
d9bd4cbb9cc (config: flip return value of store_write_*()) made write_section() follow the convention of write(2) to return -1 on error and the number of written bytes on success. 3b48045c6c7 (Merge branch 'sd/branch-copy') changed it back to returning 0 on error and 1 on success, but left its callers still checking for negative values. Let write_section() follow the convention of write(2) again to meet the expectations of its callers. Reported-by: Jeff King <peff@peff.net> Signed-off-by: Rene Scharfe <l.s.r@web.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>