summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2016-12-19Merge branch 'jk/stash-disable-renames-internally'Libravatar Junio C Hamano2-1/+10
When diff.renames configuration is on (and with Git 2.9 and later, it is enabled by default, which made it worse), "git stash" misbehaved if a file is removed and another file with a very similar content is added. * jk/stash-disable-renames-internally: stash: prefer plumbing over git-diff
2016-12-19Merge branch 'jk/http-walker-limit-redirect'Libravatar Junio C Hamano2-3/+6
Update the error messages from the dumb-http client when it fails to obtain loose objects; we used to give sensible error message only upon 404 but we now forbid unexpected redirects that needs to be reported with something sensible. * jk/http-walker-limit-redirect: http-walker: complain about non-404 loose object errors
2016-12-19Merge branch 'jk/http-walker-limit-redirect-2.9'Libravatar Junio C Hamano9-25/+159
Transport with dumb http can be fooled into following foreign URLs that the end user does not intend to, especially with the server side redirects and http-alternates mechanism, which can lead to security issues. Tighten the redirection and make it more obvious to the end user when it happens. * jk/http-walker-limit-redirect-2.9: http: treat http-alternates like redirects http: make redirects more obvious remote-curl: rename shadowed options variable http: always update the base URL for redirects http: simplify update_url_from_redirect
2016-12-19Merge branch 'nd/for-each-ref-ignore-case'Libravatar Junio C Hamano10-17/+112
"git branch --list" and friends learned "--ignore-case" option to optionally sort branches and tags case insensitively. * nd/for-each-ref-ignore-case: tag, branch, for-each-ref: add --ignore-case for sorting and filtering
2016-12-19Merge branch 'sb/unpack-trees-grammofix'Libravatar Junio C Hamano2-2/+2
* sb/unpack-trees-grammofix: unpack-trees: fix grammar for untracked files in directories
2016-12-19Merge branch 'ls/travis-update-p4-and-lfs'Libravatar Junio C Hamano1-2/+2
The default Travis-CI configuration specifies newer P4 and GitLFS. * ls/travis-update-p4-and-lfs: travis-ci: update P4 to 16.2 and GitLFS to 1.5.2 in Linux build
2016-12-19Merge branch 'ls/t0021-fixup'Libravatar Junio C Hamano1-3/+2
* ls/t0021-fixup: t0021: minor filter process test cleanup
2016-12-19Merge branch 'ah/grammos'Libravatar Junio C Hamano4-5/+5
A few messages have been fixed for their grammatical errors. * ah/grammos: clone,fetch: explain the shallow-clone option a little more clearly receive-pack: improve English grammar of denyCurrentBranch message bisect: improve English grammar of not-ancestors message
2016-12-19Merge branch 'jc/renormalize-merge-kill-safer-crlf'Libravatar Junio C Hamano3-6/+21
Fix a corner case in merge-recursive regression that crept in during 2.10 development cycle. * jc/renormalize-merge-kill-safer-crlf: convert: git cherry-pick -Xrenormalize did not work merge-recursive: handle NULL in add_cacheinfo() correctly cherry-pick: demonstrate a segmentation fault
2016-12-19Merge branch 'jt/use-trailer-api-in-commands'Libravatar Junio C Hamano9-198/+318
Commands that operate on a log message and add lines to the trailer blocks, such as "format-patch -s", "cherry-pick (-x|-s)", and "commit -s", have been taught to use the logic of and share the code with "git interpret-trailer". * jt/use-trailer-api-in-commands: sequencer: use trailer's trailer layout trailer: have function to describe trailer layout trailer: avoid unnecessary splitting on lines commit: make ignore_non_trailer take buf/len trailer: be stricter in parsing separators
2016-12-16First batch for 2.12Libravatar Junio C Hamano1-1/+34
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-16Merge branch 'ls/p4-retry-thrice'Libravatar Junio C Hamano2-0/+9
* ls/p4-retry-thrice: git-p4: add config to retry p4 commands; retry 3 times by default
2016-12-16Merge branch 'ls/p4-empty-file-on-lfs'Libravatar Junio C Hamano2-12/+19
"git p4" LFS support was broken when LFS stores an empty blob. * ls/p4-empty-file-on-lfs: git-p4: fix empty file processing for large file system backend GitLFS
2016-12-16Merge branch 'ld/p4-update-shelve'Libravatar Junio C Hamano3-4/+71
* ld/p4-update-shelve: git-p4: support updating an existing shelved changelist
2016-12-16Merge branch 'vk/p4-submit-shelve'Libravatar Junio C Hamano3-14/+58
* vk/p4-submit-shelve: git-p4: allow submit to create shelved changelists.
2016-12-16Merge branch 'da/mergetool-trust-exit-code'Libravatar Junio C Hamano20-38/+75
mergetool.<tool>.trustExitCode configuration variable did not apply to built-in tools, but now it does. * da/mergetool-trust-exit-code: mergetools/vimdiff: trust Vim's exit code mergetool: honor mergetool.$tool.trustExitCode for built-in tools
2016-12-16Merge branch 'ak/lazy-prereq-mktemp'Libravatar Junio C Hamano1-1/+2
Test code clean-up. * ak/lazy-prereq-mktemp: t7610: clean up foo.XXXXXX tmpdir
2016-12-16Merge branch 'nd/worktree-list-fixup'Libravatar Junio C Hamano6-30/+74
The output from "git worktree list" was made in readdir() order, and was unstable. * nd/worktree-list-fixup: worktree list: keep the list sorted worktree.c: get_worktrees() takes a new flag argument get_worktrees() must return main worktree as first item even on error worktree: reorder an if statement worktree.c: zero new 'struct worktree' on allocation
2016-12-16Merge branch 'nd/qsort-in-merge-recursive'Libravatar Junio C Hamano1-9/+7
Code simplification. * nd/qsort-in-merge-recursive: merge-recursive.c: use string_list_sort instead of qsort
2016-12-16Merge branch 'bw/push-dry-run'Libravatar Junio C Hamano4-9/+41
"git push --dry-run --recurse-submodule=on-demand" wasn't "--dry-run" in the submodules. * bw/push-dry-run: push: fix --dry-run to not push submodules push: --dry-run updates submodules when --recurse-submodules=on-demand
2016-12-16Merge branch 'hv/submodule-not-yet-pushed-fix'Libravatar Junio C Hamano3-36/+121
The code in "git push" to compute if any commit being pushed in the superproject binds a commit in a submodule that hasn't been pushed out was overly inefficient, making it unusable even for a small project that does not have any submodule but have a reasonable number of refs. * hv/submodule-not-yet-pushed-fix: submodule_needs_pushing(): explain the behaviour when we cannot answer batch check whether submodule needs pushing into one call serialize collection of refs that contain submodule changes serialize collection of changed submodules
2016-12-16Merge branch 'dt/empty-submodule-in-merge'Libravatar Junio C Hamano3-11/+17
An empty directory in a working tree that can simply be nuked used to interfere while merging or cherry-picking a change to create a submodule directory there, which has been fixed.. * dt/empty-submodule-in-merge: submodules: allow empty working-tree dirs in merge/cherry-pick
2016-12-16Merge branch 'jk/rev-parse-symbolic-parents-fix'Libravatar Junio C Hamano2-1/+24
"git rev-parse --symbolic" failed with a more recent notation like "HEAD^-1" and "HEAD^!". * jk/rev-parse-symbolic-parents-fix: rev-parse: fix parent shorthands with --symbolic
2016-12-13Early fixes for 2.11.x seriesLibravatar Junio C Hamano1-0/+10
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-13Merge branch 'ew/svn-fixes'Libravatar Junio C Hamano2-2/+8
* ew/svn-fixes: git-svn: document useLogAuthor and addAuthorFrom config keys git-svn: allow "0" in SVN path components
2016-12-13Merge branch 'js/mingw-isatty'Libravatar Junio C Hamano2-0/+36
We often decide if a session is interactive by checking if the standard I/O streams are connected to a TTY, but isatty() emulation on Windows incorrectly returned true if it is used on NUL (i.e. an equivalent to /dev/null). This has been fixed. * js/mingw-isatty: mingw: intercept isatty() to handle /dev/null as Git expects it
2016-12-12git-svn: document useLogAuthor and addAuthorFrom config keysLibravatar Eric Wong1-1/+7
We've always supported these config keys in git-svn, so document them so users won't have to respecify them on every invocation. Reported-by: Juergen Kosel <juergen.kosel@gmx.de> Signed-off-by: Eric Wong <e@80x24.org>
2016-12-12git-svn: allow "0" in SVN path componentsLibravatar Eric Wong1-1/+1
Blindly checking a path component for falsiness is unwise, as "0" is false to Perl, but a valid pathname component for SVN (or any filesystem). Found via random code reading. Signed-off-by: Eric Wong <e@80x24.org>
2016-12-11mingw: intercept isatty() to handle /dev/null as Git expects itLibravatar Johannes Schindelin2-0/+36
When Git's source code calls isatty(), it really asks whether the respective file descriptor is connected to an interactive terminal. Windows' _isatty() function, however, determines whether the file descriptor is associated with a character device. And NUL, Windows' equivalent of /dev/null, is a character device. Which means that for years, Git mistakenly detected an associated interactive terminal when being run through the test suite, which almost always redirects stdin, stdout and stderr to /dev/null. This bug only became obvious, and painfully so, when the new bisect--helper entered the `pu` branch and made the automatic build & test time out because t6030 was waiting for an answer. For details, see https://msdn.microsoft.com/en-us/library/f4s0ddew.aspx Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-06stash: prefer plumbing over git-diffLibravatar Jeff King2-1/+10
When creating a stash, we need to look at the diff between the working tree and HEAD, and do so using the git-diff porcelain. Because git-diff enables porcelain config like renames by default, this causes at least one problem. The --name-only format will not mention the source side of a rename, meaning we will fail to stash a deletion that is part of a rename. We could fix that case by passing --no-renames, but this is a symptom of a larger problem. We should be using the diff-index plumbing here, which does not have renames enabled by default, and also does not respect any potentially confusing config options. Reported-by: Matthew Patey <matthew.patey2167@gmail.com> Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-06http-walker: complain about non-404 loose object errorsLibravatar Jeff King2-3/+6
Since commit 17966c0a6 (http: avoid disconnecting on 404s for loose objects, 2016-07-11), we turn off curl's FAILONERROR option and instead manually deal with failing HTTP codes. However, the logic to do so only recognizes HTTP 404 as a failure. This is probably the most common result, but if we were to get another code, the curl result remains CURLE_OK, and we treat it as success. We still end up detecting the failure when we try to zlib-inflate the object (which will fail), but instead of reporting the HTTP error, we just claim that the object is corrupt. Instead, let's catch anything in the 300's or above as an error (300's are redirects which are not an error at the HTTP level, but are an indication that we've explicitly disabled redirects, so we should treat them as such; we certainly don't have the resulting object content). Note that we also fill in req->errorstr, which we didn't do before. Without FAILONERROR, curl will not have filled this in, and it will remain a blank string. This never mattered for the 404 case, because in the logic below we hit the "missing_target()" branch and print nothing. But for other errors, we'd want to say _something_, if only to fill in the blank slot in the error message. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-06Merge branch 'ew/http-walker' into jk/http-walker-limit-redirectLibravatar Junio C Hamano3-31/+206
* ew/http-walker: list: avoid incompatibility with *BSD sys/queue.h http-walker: reduce O(n) ops with doubly-linked list http: avoid disconnecting on 404s for loose objects http-walker: remove unused parameter from fetch_object
2016-12-06http: treat http-alternates like redirectsLibravatar Jeff King3-3/+44
The previous commit made HTTP redirects more obvious and tightened up the default behavior. However, there's another way for a server to ask a git client to fetch arbitrary content: by having an http-alternates file (or a regular alternates file, which is used as a backup). Similar to the HTTP redirect case, a malicious server can claim to have refs pointing at object X, return a 404 when the client asks for X, but point to some other URL via http-alternates, which the client will transparently fetch. The end result is that it looks from the user's perspective like the objects came from the malicious server, as the other URL is not mentioned at all. Worse, because we feed the new URL to curl ourselves, the usual protocol restrictions do not kick in (neither curl's default of disallowing file://, nor the protocol whitelisting in f4113cac0 (http: limit redirection to protocol-whitelist, 2015-09-22). Let's apply the same rules here as we do for HTTP redirects. Namely: - unless http.followRedirects is set to "always", we will not follow remote redirects from http-alternates (or alternates) at all - set CURLOPT_PROTOCOLS alongside CURLOPT_REDIR_PROTOCOLS restrict ourselves to a known-safe set and respect any user-provided whitelist. - mention alternate object stores on stderr so that the user is aware another source of objects may be involved The first item may prove to be too restrictive. The most common use of alternates is to point to another path on the same server. While it's possible for a single-server redirect to be an attack, it takes a fairly obscure setup (victim and evil repository on the same host, host speaks dumb http, and evil repository has access to edit its own http-alternates file). So we could make the checks more specific, and only cover cross-server redirects. But that means parsing the URLs ourselves, rather than letting curl handle them. This patch goes for the simpler approach. Given that they are only used with dumb http, http-alternates are probably pretty rare. And there's an escape hatch: the user can allow redirects on a specific server by setting http.<url>.followRedirects to "always". Reported-by: Jann Horn <jannh@google.com> Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-06http: make redirects more obviousLibravatar Jeff King6-3/+81
We instruct curl to always follow HTTP redirects. This is convenient, but it creates opportunities for malicious servers to create confusing situations. For instance, imagine Alice is a git user with access to a private repository on Bob's server. Mallory runs her own server and wants to access objects from Bob's repository. Mallory may try a few tricks that involve asking Alice to clone from her, build on top, and then push the result: 1. Mallory may simply redirect all fetch requests to Bob's server. Git will transparently follow those redirects and fetch Bob's history, which Alice may believe she got from Mallory. The subsequent push seems like it is just feeding Mallory back her own objects, but is actually leaking Bob's objects. There is nothing in git's output to indicate that Bob's repository was involved at all. The downside (for Mallory) of this attack is that Alice will have received Bob's entire repository, and is likely to notice that when building on top of it. 2. If Mallory happens to know the sha1 of some object X in Bob's repository, she can instead build her own history that references that object. She then runs a dumb http server, and Alice's client will fetch each object individually. When it asks for X, Mallory redirects her to Bob's server. The end result is that Alice obtains objects from Bob, but they may be buried deep in history. Alice is less likely to notice. Both of these attacks are fairly hard to pull off. There's a social component in getting Mallory to convince Alice to work with her. Alice may be prompted for credentials in accessing Bob's repository (but not always, if she is using a credential helper that caches). Attack (1) requires a certain amount of obliviousness on Alice's part while making a new commit. Attack (2) requires that Mallory knows a sha1 in Bob's repository, that Bob's server supports dumb http, and that the object in question is loose on Bob's server. But we can probably make things a bit more obvious without any loss of functionality. This patch does two things to that end. First, when we encounter a whole-repo redirect during the initial ref discovery, we now inform the user on stderr, making attack (1) much more obvious. Second, the decision to follow redirects is now configurable. The truly paranoid can set the new http.followRedirects to false to avoid any redirection entirely. But for a more practical default, we will disallow redirects only after the initial ref discovery. This is enough to thwart attacks similar to (2), while still allowing the common use of redirects at the repository level. Since c93c92f30 (http: update base URLs when we see redirects, 2013-09-28) we re-root all further requests from the redirect destination, which should generally mean that no further redirection is necessary. As an escape hatch, in case there really is a server that needs to redirect individual requests, the user can set http.followRedirects to "true" (and this can be done on a per-server basis via http.*.followRedirects config). Reported-by: Jann Horn <jannh@google.com> Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-06remote-curl: rename shadowed options variableLibravatar Jeff King1-9/+9
The discover_refs() function has a local "options" variable to hold the http_get_options we pass to http_get_strbuf(). But this shadows the global "struct options" that holds our program-level options, which cannot be accessed from this function. Let's give the local one a more descriptive name so we can tell the two apart. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-06http: always update the base URL for redirectsLibravatar Jeff King4-4/+21
If a malicious server redirects the initial ref advertisement, it may be able to leak sha1s from other, unrelated servers that the client has access to. For example, imagine that Alice is a git user, she has access to a private repository on a server hosted by Bob, and Mallory runs a malicious server and wants to find out about Bob's private repository. Mallory asks Alice to clone an unrelated repository from her over HTTP. When Alice's client contacts Mallory's server for the initial ref advertisement, the server issues an HTTP redirect for Bob's server. Alice contacts Bob's server and gets the ref advertisement for the private repository. If there is anything to fetch, she then follows up by asking the server for one or more sha1 objects. But who is the server? If it is still Mallory's server, then Alice will leak the existence of those sha1s to her. Since commit c93c92f30 (http: update base URLs when we see redirects, 2013-09-28), the client usually rewrites the base URL such that all further requests will go to Bob's server. But this is done by textually matching the URL. If we were originally looking for "http://mallory/repo.git/info/refs", and we got pointed at "http://bob/other.git/info/refs", then we know that the right root is "http://bob/other.git". If the redirect appears to change more than just the root, we punt and continue to use the original server. E.g., imagine the redirect adds a URL component that Bob's server will ignore, like "http://bob/other.git/info/refs?dummy=1". We can solve this by aborting in this case rather than silently continuing to use Mallory's server. In addition to protecting from sha1 leakage, it's arguably safer and more sane to refuse a confusing redirect like that in general. For example, part of the motivation in c93c92f30 is avoiding accidentally sending credentials over clear http, just to get a response that says "try again over https". So even in a non-malicious case, we'd prefer to err on the side of caution. The downside is that it's possible this will break a legitimate but complicated server-side redirection scheme. The setup given in the newly added test does work, but it's convoluted enough that we don't need to care about it. A more plausible case would be a server which redirects a request for "info/refs?service=git-upload-pack" to just "info/refs" (because it does not do smart HTTP, and for some reason really dislikes query parameters). Right now we would transparently downgrade to dumb-http, but with this patch, we'd complain (and the user would have to set GIT_SMART_HTTP=0 to fetch). Reported-by: Jann Horn <jannh@google.com> Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-06http: simplify update_url_from_redirectLibravatar Jeff King1-6/+4
This function looks for a common tail between what we asked for and where we were redirected to, but it open-codes the comparison. We can avoid some confusing subtractions by using strip_suffix_mem(). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-05tag, branch, for-each-ref: add --ignore-case for sorting and filteringLibravatar Nguyễn Thái Ngọc Duy10-17/+112
This options makes sorting ignore case, which is great when you have branches named bug-12-do-something, Bug-12-do-some-more and BUG-12-do-what and want to group them together. Sorting externally may not be an option because we lose coloring and column layout from git-branch and git-tag. The same could be said for filtering, but it's probably less important because you can always go with the ugly pattern [bB][uU][gG]-* if you're desperate. You can't have case-sensitive filtering and case-insensitive sorting (or the other way around) with this though. For branch and tag, that should be no problem. for-each-ref, as a plumbing, might want finer control. But we can always add --{filter,sort}-ignore-case when there is a need for it. Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-05t0021: minor filter process test cleanupLibravatar Lars Schneider1-3/+2
Remove superfluous .gitignore pattern and invalid '.' in `git commit` calls. Signed-off-by: Lars Schneider <larsxschneider@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-05git-p4: fix empty file processing for large file system backend GitLFSLibravatar Lars Schneider2-12/+19
If git-p4 tried to store an empty file in GitLFS then it crashed while parsing the pointer file: oid = re.search(r'^oid \w+:(\w+)', pointerFile, re.MULTILINE).group(1) AttributeError: 'NoneType' object has no attribute 'group' This happens because GitLFS does not create a pointer file for an empty file. Teach git-p4 this behavior to fix the problem and add a test case. Signed-off-by: Lars Schneider <larsxschneider@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-05travis-ci: update P4 to 16.2 and GitLFS to 1.5.2 in Linux buildLibravatar Lars Schneider1-2/+2
Update Travis-CI dependencies to the latest available versions in Linux build. Signed-off-by: Lars Schneider <larsxschneider@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-05git-p4: add config to retry p4 commands; retry 3 times by defaultLibravatar Lars Schneider2-0/+9
P4 commands can fail due to random network issues. P4 users can counter these issues by using a retry flag supported by all p4 commands [1]. Add an integer Git config value `git-p4.retries` to define the number of retries for all p4 invocations. If the config is not defined then set the default retry count to 3. [1] https://www.perforce.com/perforce/doc.current/manuals/cmdref/global.options.html Signed-off-by: Lars Schneider <larsxschneider@gmail.com> Reviewed-by: Luke Diamand <luke@diamand.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-05clone,fetch: explain the shallow-clone option a little more clearlyLibravatar Alex Henrie2-2/+2
"deepen by excluding" does not make sense because excluding a revision does not deepen a repository; it makes the repository more shallow. Signed-off-by: Alex Henrie <alexhenrie24@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-05receive-pack: improve English grammar of denyCurrentBranch messageLibravatar Alex Henrie1-2/+2
The article "the" is required here. Signed-off-by: Alex Henrie <alexhenrie24@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-05bisect: improve English grammar of not-ancestors messageLibravatar Alex Henrie1-1/+1
Multiple revisions cannot be a single ancestor. Signed-off-by: Alex Henrie <alexhenrie24@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-05git-p4: support updating an existing shelved changelistLibravatar Luke Diamand3-4/+71
Adds new option "--update-shelve CHANGELIST" which updates an existing shelved changelist. The original changelist must have been created by the current user. This allows workflow something like: hack hack hack git commit git p4 submit --shelve $mail interested parties about shelved changelist make corrections git commit --amend git p4 submit --update-shelve $CHANGELIST $mail interested parties about shelved changelist etc Signed-off-by: Luke Diamand <luke@diamand.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-05unpack-trees: fix grammar for untracked files in directoriesLibravatar Stefan Beller2-2/+2
Noticed-by: David Turner <dturner@twosigma.com> Signed-off-by: Stefan Beller <sbeller@google.com> Reviewed-by: David Turner <dturner@twosigma.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-05Start post 2.11 cycleLibravatar Junio C Hamano3-2/+45
For now, let's call it 2.12 tentatively. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-05Sync with maint-2.10Libravatar Junio C Hamano1-0/+48
* maint-2.10: preparing for 2.10.3
2016-12-05preparing for 2.10.3Libravatar Junio C Hamano2-1/+49
Signed-off-by: Junio C Hamano <gitster@pobox.com>