summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2018-05-21index-pack: make fsck error message more specificLibravatar Jeff King2-2/+2
If fsck reports an error, we say only "Error in object". This isn't quite as bad as it might seem, since the fsck code would have dumped some errors to stderr already. But it might help to give a little more context. The earlier output would not have even mentioned "fsck", and that may be a clue that the "fsck.*" or "*.fsckObjects" config may be relevant. Signed-off-by: Jeff King <peff@peff.net>
2018-05-21Merge branch 'jk/submodule-name-verify-fix' into jk/submodule-name-verify-fsckLibravatar Jeff King16-42/+474
* jk/submodule-name-verify-fix: verify_path: disallow symlinks in .gitmodules update-index: stat updated files earlier verify_path: drop clever fallthrough skip_prefix: add icase-insensitive variant is_{hfs,ntfs}_dotgitmodules: add tests path: match NTFS short names for more .git files is_hfs_dotgit: match other .git files is_ntfs_dotgit: use a size_t for traversing string submodule-config: verify submodule names as paths Note that this includes two bits of evil-merge: - there's a new call to verify_path() that doesn't actually have a mode available. It should be OK to pass "0" here, since we're just manipulating the untracked cache, not an actual index entry. - the lstat() in builtin/update-index.c:update_one() needs to be updated to handle the fsmonitor case (without this it still behaves correctly, but does an unnecessary lstat).
2018-05-21verify_path: disallow symlinks in .gitmodulesLibravatar Jeff King4-15/+37
There are a few reasons it's not a good idea to make .gitmodules a symlink, including: 1. It won't be portable to systems without symlinks. 2. It may behave inconsistently, since Git may look at this file in the index or a tree without bothering to resolve any symbolic links. We don't do this _yet_, but the config infrastructure is there and it's planned for the future. With some clever code, we could make (2) work. And some people may not care about (1) if they only work on one platform. But there are a few security reasons to simply disallow it: a. A symlinked .gitmodules file may circumvent any fsck checks of the content. b. Git may read and write from the on-disk file without sanity checking the symlink target. So for example, if you link ".gitmodules" to "../oops" and run "git submodule add", we'll write to the file "oops" outside the repository. Again, both of those are problems that _could_ be solved with sufficient code, but given the complications in (1) and (2), we're better off just outlawing it explicitly. Note the slightly tricky call to verify_path() in update-index's update_one(). There we may not have a mode if we're not updating from the filesystem (e.g., we might just be removing the file). Passing "0" as the mode there works fine; since it's not a symlink, we'll just skip the extra checks. Signed-off-by: Jeff King <peff@peff.net>
2018-05-21update-index: stat updated files earlierLibravatar Jeff King1-8/+17
In the update_one(), we check verify_path() on the proposed path before doing anything else. In preparation for having verify_path() look at the file mode, let's stat the file earlier, so we can check the mode accurately. This is made a bit trickier by the fact that this function only does an lstat in a few code paths (the ones that flow down through process_path()). So we can speculatively do the lstat() here and pass the results down, and just use a dummy mode for cases where we won't actually be updating the index from the filesystem. Signed-off-by: Jeff King <peff@peff.net>
2018-05-21verify_dotfile: mention case-insensitivity in commentLibravatar Jeff King1-1/+4
We're more restrictive than we need to be in matching ".GIT" on case-sensitive filesystems; let's make a note that this is intentional. Signed-off-by: Jeff King <peff@peff.net>
2018-05-21verify_path: drop clever fallthroughLibravatar Jeff King1-4/+4
We check ".git" and ".." in the same switch statement, and fall through the cases to share the end-of-component check. While this saves us a line or two, it makes modifying the function much harder. Let's just write it out. Signed-off-by: Jeff King <peff@peff.net>
2018-05-21skip_prefix: add case-insensitive variantLibravatar Jeff King1-0/+17
We have the convenient skip_prefix() helper, but if you want to do case-insensitive matching, you're stuck doing it by hand. We could add an extra parameter to the function to let callers ask for this, but the function is small and somewhat performance-critical. Let's just re-implement it for the case-insensitive version. Signed-off-by: Jeff King <peff@peff.net>
2018-05-21is_{hfs,ntfs}_dotgitmodules: add testsLibravatar Johannes Schindelin2-0/+106
This tests primarily for NTFS issues, but also adds one example of an HFS+ issue. Thanks go to Congyi Wu for coming up with the list of examples where NTFS would possibly equate the filename with `.gitmodules`. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Jeff King <peff@peff.net>
2018-05-21is_ntfs_dotgit: match other .git filesLibravatar Johannes Schindelin2-1/+93
When we started to catch NTFS short names that clash with .git, we only looked for GIT~1. This is sufficient because we only ever clone into an empty directory, so .git is guaranteed to be the first subdirectory or file in that directory. However, even with a fresh clone, .gitmodules is *not* necessarily the first file to be written that would want the NTFS short name GITMOD~1: a malicious repository can add .gitmodul0000 and friends, which sorts before `.gitmodules` and is therefore checked out *first*. For that reason, we have to test not only for ~1 short names, but for others, too. It's hard to just adapt the existing checks in is_ntfs_dotgit(): since Windows 2000 (i.e., in all Windows versions still supported by Git), NTFS short names are only generated in the <prefix>~<number> form up to number 4. After that, a *different* prefix is used, calculated from the long file name using an undocumented, but stable algorithm. For example, the short name of .gitmodules would be GITMOD~1, but if it is taken, and all of ~2, ~3 and ~4 are taken, too, the short name GI7EBA~1 will be used. From there, collisions are handled by incrementing the number, shortening the prefix as needed (until ~9999999 is reached, in which case NTFS will not allow the file to be created). We'd also want to handle .gitignore and .gitattributes, which suffer from a similar problem, using the fall-back short names GI250A~1 and GI7D29~1, respectively. To accommodate for that, we could reimplement the hashing algorithm, but it is just safer and simpler to provide the known prefixes. This algorithm has been reverse-engineered and described at https://usn.pw/blog/gen/2015/06/09/filenames/, which is defunct but still available via https://web.archive.org/. These can be recomputed by running the following Perl script: -- snip -- use warnings; use strict; sub compute_short_name_hash ($) { my $checksum = 0; foreach (split('', $_[0])) { $checksum = ($checksum * 0x25 + ord($_)) & 0xffff; } $checksum = ($checksum * 314159269) & 0xffffffff; $checksum = 1 + (~$checksum & 0x7fffffff) if ($checksum & 0x80000000); $checksum -= (($checksum * 1152921497) >> 60) * 1000000007; return scalar reverse sprintf("%x", $checksum & 0xffff); } print compute_short_name_hash($ARGV[0]); -- snap -- E.g., running that with the argument ".gitignore" will result in "250a" (which then becomes "gi250a" in the code). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Jeff King <peff@peff.net>
2018-05-21is_hfs_dotgit: match other .git filesLibravatar Jeff King2-12/+51
Both verify_path() and fsck match ".git", ".GIT", and other variants specific to HFS+. Let's allow matching other special files like ".gitmodules", which we'll later use to enforce extra restrictions via verify_path() and fsck. Signed-off-by: Jeff King <peff@peff.net>
2018-05-21is_ntfs_dotgit: use a size_t for traversing stringLibravatar Jeff King1-1/+1
We walk through the "name" string using an int, which can wrap to a negative value and cause us to read random memory before our array (e.g., by creating a tree with a name >2GB, since "int" is still 32 bits even on most 64-bit platforms). Worse, this is easy to trigger during the fsck_tree() check, which is supposed to be protecting us from malicious garbage. Note one bit of trickiness in the existing code: we sometimes assign -1 to "len" at the end of the loop, and then rely on the "len++" in the for-loop's increment to take it back to 0. This is still legal with a size_t, since assigning -1 will turn into SIZE_MAX, which then wraps around to 0 on increment. Signed-off-by: Jeff King <peff@peff.net>
2018-05-21submodule-config: verify submodule names as pathsLibravatar Jeff King5-0/+143
Submodule "names" come from the untrusted .gitmodules file, but we blindly append them to $GIT_DIR/modules to create our on-disk repo paths. This means you can do bad things by putting "../" into the name (among other things). Let's sanity-check these names to avoid building a path that can be exploited. There are two main decisions: 1. What should the allowed syntax be? It's tempting to reuse verify_path(), since submodule names typically come from in-repo paths. But there are two reasons not to: a. It's technically more strict than what we need, as we really care only about breaking out of the $GIT_DIR/modules/ hierarchy. E.g., having a submodule named "foo/.git" isn't actually dangerous, and it's possible that somebody has manually given such a funny name. b. Since we'll eventually use this checking logic in fsck to prevent downstream repositories, it should be consistent across platforms. Because verify_path() relies on is_dir_sep(), it wouldn't block "foo\..\bar" on a non-Windows machine. 2. Where should we enforce it? These days most of the .gitmodules reads go through submodule-config.c, so I've put it there in the reading step. That should cover all of the C code. We also construct the name for "git submodule add" inside the git-submodule.sh script. This is probably not a big deal for security since the name is coming from the user anyway, but it would be polite to remind them if the name they pick is invalid (and we need to expose the name-checker to the shell anyway for our test scripts). This patch issues a warning when reading .gitmodules and just ignores the related config entry completely. This will generally end up producing a sensible error, as it works the same as a .gitmodules file which is missing a submodule entry (so "submodule update" will barf, but "git clone --recurse-submodules" will print an error but not abort the clone. There is one minor oddity, which is that we print the warning once per malformed config key (since that's how the config subsystem gives us the entries). So in the new test, for example, the user would see three warnings. That's OK, since the intent is that this case should never come up outside of malicious repositories (and then it might even benefit the user to see the message multiple times). Credit for finding this vulnerability and the proof of concept from which the test script was adapted goes to Etienne Stalmans. Signed-off-by: Jeff King <peff@peff.net>
2018-04-02Git 2.17Libravatar Junio C Hamano1-1/+1
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-04-02Merge tag 'l10n-2.17.0-rnd1' of git://github.com/git-l10n/git-poLibravatar Junio C Hamano10-22585/+26683
l10n for Git 2.17.0 round 1 * tag 'l10n-2.17.0-rnd1' of git://github.com/git-l10n/git-po: l10n: de.po: translate 132 new messages l10n: zh_CN: review for git v2.17.0 l10n round 1 l10n: zh_CN: for git v2.17.0 l10n round 1 l10n: ko.po: Update Korean translation l10n: fr.po: v2.17.0 no fuzzy l10n: sv.po: Update Swedish translation (3376t0f0u) l10n: Update Catalan translation l10n: fr.po v2.17.0 round 1 l10n: vi.po(3376t): Updated Vietnamese translation for v2.17 l10n: bg.po: Updated Bulgarian translation (3376t) l10n: es.po: Update Spanish translation 2.17.0 l10n: git.pot: v2.17.0 round 1 (132 new, 44 removed) l10n: es.po: fixes to Spanish translation
2018-04-02Merge branch 'pw/add-p-single'Libravatar Junio C Hamano1-1/+1
Hotfix. * pw/add-p-single: add -p: fix 2.17.0-rc* regression due to moved code
2018-03-31add -p: fix 2.17.0-rc* regression due to moved codeLibravatar Ævar Arnfjörð Bjarmason1-1/+1
Fix a regression in 88f6ffc1c2 ("add -p: only bind search key if there's more than one hunk", 2018-02-13) which is present in 2.17.0-rc*, but not 2.16.0. In Perl, regex variables like $1 always refer to the last regex match. When the aforementioned change added a new regex match between the old match and the corresponding code that was expecting $1, the $1 variable would always be undef, since the newly inserted regex match doesn't have any captures. As a result the "/" feature to search for a string in a hunk by regex completely broke, on git.git: $ perl -pi -e 's/Git/Tig/g' README.md $ ./git --exec-path=$PWD add -p [..] Stage this hunk [y,n,q,a,d,j,J,g,/,s,e,?]? s Split into 4 hunks. [...] Stage this hunk [y,n,q,a,d,j,J,g,/,s,e,?]? /Many Use of uninitialized value $1 in string eq at /home/avar/g/git/git-add--interactive line 1568, <STDIN> line 1. search for regex? Many I.e. the initial "/regex" command wouldn't work, and would always emit a warning and ask again for a regex, now it works as intended again. Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-31l10n: de.po: translate 132 new messagesLibravatar Ralf Thielow1-2093/+2527
Translate 132 new messages came from git.pot update in abc8de64d (l10n: git.pot: v2.17.0 round 1 (132 new, 44 removed)). Signed-off-by: Ralf Thielow <ralf.thielow@gmail.com>
2018-03-29Merge branch 'jh/partial-clone'Libravatar Junio C Hamano3-5/+6
Hotfix. * jh/partial-clone: upload-pack: disable object filtering when disabled by config unpack-trees: release oid_array after use in check_updates()
2018-03-29upload-pack: disable object filtering when disabled by configLibravatar Jonathan Nieder2-5/+5
When upload-pack gained partial clone support (v2.17.0-rc0~132^2~12, 2017-12-08), it was guarded by the uploadpack.allowFilter config item to allow server operators to control when they start supporting it. That config item didn't go far enough, though: it controls whether the 'filter' capability is advertised, but if a (custom) client ignores the capability advertisement and passes a filter specification anyway, the server would handle that despite allowFilter being false. This is particularly significant if a security bug is discovered in this new experimental partial clone code. Installations without uploadpack.allowFilter ought not to be affected since they don't intend to support partial clone, but they would be swept up into being vulnerable. Simplify and limit the attack surface by making uploadpack.allowFilter disable the feature, not just the advertisement of it. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-29l10n: zh_CN: review for git v2.17.0 l10n round 1Libravatar Ray Chen1-5/+5
Signed-off-by: Ray Chen <oldsharp@gmail.com>
2018-03-29l10n: zh_CN: for git v2.17.0 l10n round 1Libravatar Jiang Xin1-2066/+2495
Translate 132 new messages (3376t0f0u) for git 2.17.0-rc0. Reviewed-by: 依云 <lilydjwg@gmail.com> Reviewed-by: Fangyi Zhou <fangyi.zhou@yuriko.moe> Signed-off-by: Jiang Xin <worldhello.net@gmail.com>
2018-03-28Git 2.17-rc2Libravatar Junio C Hamano1-1/+1
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-28Merge branch 'tg/stash-doc-typofix'Libravatar Junio C Hamano1-1/+1
Hotfix. * tg/stash-doc-typofix: git-stash.txt: remove extra square bracket
2018-03-28Merge branch 'pc/submodule-helper'Libravatar Junio C Hamano1-1/+1
Hotfix. * pc/submodule-helper: submodule deinit: handle non existing pathspecs gracefully
2018-03-28Merge branch 'nd/parseopt-completion'Libravatar Junio C Hamano2-0/+35
Hotfix for recently graduated topic that give help to completion scripts from the Git subcommands that are being completed * nd/parseopt-completion: t9902: disable test on the list of merge-strategies under GETTEXT_POISON completion: clear cached --options when sourcing the completion script
2018-03-28l10n: ko.po: Update Korean translationLibravatar Changwoo Ryu1-2074/+2509
Signed-off-by: Changwoo Ryu <cwryu@debian.org> Signed-off-by: Sihyeon Jang <uneedsihyeon@gmail.com> Signed-off-by: Gwan-gyeong Mun <elongbug@gmail.com> Reviewed-by: Changwoo Ryu <cwryu@debian.org>
2018-03-27submodule deinit: handle non existing pathspecs gracefullyLibravatar Stefan Beller1-1/+1
This fixes a regression introduced in 2e612731b5 (submodule: port submodule subcommand 'deinit' from shell to C, 2018-01-15), when handling pathspecs that do not exist gracefully. This restores the historic behavior of reporting the pathspec as unknown and returning instead of reporting a bug. Reported-by: Peter Oberndorfer <kumbayo84@arcor.de> Signed-off-by: Stefan Beller <sbeller@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-27git-stash.txt: remove extra square bracketLibravatar Thomas Gummerer1-1/+1
In 1ada5020b3 ("stash: use stash_push for no verb form", 2017-02-28), when the pathspec argument was introduced in 'git stash', that was also documented. However I forgot to remove an extra square bracket after the '--message' argument, even though the square bracket should have been after the pathspec argument (where it was also added). Remove the extra square bracket after the '--message' argument, to show that the pathspec argument should be used with the 'push' verb. While the pathspec argument can be used without the push verb, that's a special case described later in the man page, and removing the first extra square bracket instead of the second one makes the synopis easier to understand. Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-25unpack-trees: release oid_array after use in check_updates()Libravatar René Scharfe1-0/+1
Signed-off-by: Rene Scharfe <l.s.r@web.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-25Merge branch 'fr_v2.17.0' of git://github.com/jnavila/gitLibravatar Jiang Xin1-2/+2
* 'fr_v2.17.0' of git://github.com/jnavila/git: l10n: fr.po: v2.17.0 no fuzzy
2018-03-23l10n: fr.po: v2.17.0 no fuzzyLibravatar Jean-Noël Avila1-2/+2
Signed-off-by: Jean-Noël Avila <jn.avila@free.fr>
2018-03-23t9902: disable test on the list of merge-strategies under GETTEXT_POISONLibravatar Junio C Hamano1-1/+1
The code to learn the list of merge strategies from the output of "git merge -s help" forces C locale, so that it can notice the message shown to indicate where the list starts in the output. However, GETTEXT_POISON build corrupts its output even when run in the C locale, and we cannot expect this test to succeed. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-22Sync with Git 2.16.3Libravatar Junio C Hamano1-0/+49
2018-03-22Git 2.16.3Libravatar Junio C Hamano3-2/+51
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-22Merge branch 'ms/non-ascii-ticks' into maintLibravatar Junio C Hamano1-7/+7
Doc markup fix. * ms/non-ascii-ticks: Documentation/gitsubmodules.txt: avoid non-ASCII apostrophes
2018-03-22Merge branch 'jk/cached-commit-buffer' into maintLibravatar Junio C Hamano5-46/+1
Code clean-up. * jk/cached-commit-buffer: revision: drop --show-all option commit: drop uses of get_cached_commit_buffer()
2018-03-22Merge branch 'sm/mv-dry-run-update' into maintLibravatar Junio C Hamano2-2/+7
Code clean-up. * sm/mv-dry-run-update: mv: remove unneeded 'if (!show_only)' t7001: add test case for --dry-run
2018-03-22Merge branch 'tg/worktree-create-tracking' into maintLibravatar Junio C Hamano1-2/+3
Hotfix for a recent topic. * tg/worktree-create-tracking: git-worktree.txt: fix indentation of example and text of 'add' command git-worktree.txt: fix missing ")" typo
2018-03-22Merge branch 'gs/test-unset-xdg-cache-home' into maintLibravatar Junio C Hamano1-0/+1
Test update. * gs/test-unset-xdg-cache-home: test-lib.sh: unset XDG_CACHE_HOME
2018-03-22Merge branch 'sb/status-doc-fix' into maintLibravatar Junio C Hamano1-2/+2
Docfix. * sb/status-doc-fix: Documentation/git-status: clarify status table for porcelain mode
2018-03-22Merge branch 'rd/typofix' into maintLibravatar Junio C Hamano5-6/+6
Typofix. * rd/typofix: Correct mispellings of ".gitmodule" to ".gitmodules" t/: correct obvious typo "detahced"
2018-03-22Merge branch 'bp/fsmonitor' into maintLibravatar Junio C Hamano1-2/+2
Doc update for a recently added feature. * bp/fsmonitor: fsmonitor: update documentation to remove reference to invalid config settings
2018-03-22Merge branch 'bc/doc-interpret-trailers-grammofix' into maintLibravatar Junio C Hamano1-1/+1
Docfix. * bc/doc-interpret-trailers-grammofix: docs/interpret-trailers: fix agreement error
2018-03-22Merge branch 'sg/doc-test-must-fail-args' into maintLibravatar Junio C Hamano2-2/+22
Devdoc update. * sg/doc-test-must-fail-args: t: document 'test_must_fail ok=<signal-name>'
2018-03-22Merge branch 'rj/sparse-updates' into maintLibravatar Junio C Hamano2-1/+2
Devtool update. * rj/sparse-updates: Makefile: suppress a sparse warning for pack-revindex.c config.mak.uname: remove SPARSE_FLAGS setting for cygwin
2018-03-22Merge branch 'jk/gettext-poison' into maintLibravatar Junio C Hamano2-8/+4
Test updates. * jk/gettext-poison: git-sh-i18n: check GETTEXT_POISON before USE_GETTEXT_SCHEME t0205: drop redundant test
2018-03-22Merge branch 'nd/ignore-glob-doc-update' into maintLibravatar Junio C Hamano1-6/+5
Doc update. * nd/ignore-glob-doc-update: gitignore.txt: elaborate shell glob syntax
2018-03-22Merge branch 'rs/cocci-strbuf-addf-to-addstr' into maintLibravatar Junio C Hamano1-16/+1
* rs/cocci-strbuf-addf-to-addstr: cocci: simplify check for trivial format strings
2018-03-22Merge branch 'jc/worktree-add-short-help' into maintLibravatar Junio C Hamano1-1/+1
Error message fix. * jc/worktree-add-short-help: worktree: say that "add" takes an arbitrary commit in short-help
2018-03-22Merge branch 'tz/doc-show-defaults-to-head' into maintLibravatar Junio C Hamano1-2/+2
Doc update. * tz/doc-show-defaults-to-head: doc: mention 'git show' defaults to HEAD