summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2015-09-28Merge branch 'jk/transfer-limit-redirection' into maint-2.3Libravatar Junio C Hamano6-15/+78
2015-09-28Merge branch 'jk/transfer-limit-protocol' into maint-2.3Libravatar Junio C Hamano13-1/+306
2015-09-25http: limit redirection depthLibravatar Blake Burkhart3-0/+8
By default, libcurl will follow circular http redirects forever. Let's put a cap on this so that somebody who can trigger an automated fetch of an arbitrary repository (e.g., for CI) cannot convince git to loop infinitely. The value chosen is 20, which is the same default that Firefox uses. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25http: limit redirection to protocol-whitelistLibravatar Blake Burkhart4-5/+27
Previously, libcurl would follow redirection to any protocol it was compiled for support with. This is desirable to allow redirection from HTTP to HTTPS. However, it would even successfully allow redirection from HTTP to SFTP, a protocol that git does not otherwise support at all. Furthermore git's new protocol-whitelisting could be bypassed by following a redirect within the remote helper, as it was only enforced at transport selection time. This patch limits redirects within libcurl to HTTP, HTTPS, FTP and FTPS. If there is a protocol-whitelist present, this list is limited to those also allowed by the whitelist. As redirection happens from within libcurl, it is impossible for an HTTP redirect to a protocol implemented within another remote helper. When the curl version git was compiled with is too old to support restrictions on protocol redirection, we warn the user if GIT_ALLOW_PROTOCOL restrictions were requested. This is a little inaccurate, as even without that variable in the environment, we would still restrict SFTP, etc, and we do not warn in that case. But anything else means we would literally warn every time git accesses an http remote. This commit includes a test, but it is not as robust as we would hope. It redirects an http request to ftp, and checks that curl complained about the protocol, which means that we are relying on curl's specific error message to know what happened. Ideally we would redirect to a working ftp server and confirm that we can clone without protocol restrictions, and not with them. But we do not have a portable way of providing an ftp server, nor any other protocol that curl supports (https is the closest, but we would have to deal with certificates). [jk: added test and version warning] Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25transport: refactor protocol whitelist codeLibravatar Jeff King2-10/+43
The current callers only want to die when their transport is prohibited. But future callers want to query the mechanism without dying. Let's break out a few query functions, and also save the results in a static list so we don't have to re-parse for each query. Based-on-a-patch-by: Blake Burkhart <bburky@bburky.com> Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-23submodule: allow only certain protocols for submodule fetchesLibravatar Jeff King2-0/+52
Some protocols (like git-remote-ext) can execute arbitrary code found in the URL. The URLs that submodules use may come from arbitrary sources (e.g., .gitmodules files in a remote repository). Let's restrict submodules to fetching from a known-good subset of protocols. Note that we apply this restriction to all submodule commands, whether the URL comes from .gitmodules or not. This is more restrictive than we need to be; for example, in the tests we run: git submodule add ext::... which should be trusted, as the URL comes directly from the command line provided by the user. But doing it this way is simpler, and makes it much less likely that we would miss a case. And since such protocols should be an exception (especially because nobody who clones from them will be able to update the submodules!), it's not likely to inconvenience anyone in practice. Reported-by: Blake Burkhart <bburky@bburky.com> Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-23transport: add a protocol-whitelist environment variableLibravatar Jeff King11-1/+254
If we are cloning an untrusted remote repository into a sandbox, we may also want to fetch remote submodules in order to get the complete view as intended by the other side. However, that opens us up to attacks where a malicious user gets us to clone something they would not otherwise have access to (this is not necessarily a problem by itself, but we may then act on the cloned contents in a way that exposes them to the attacker). Ideally such a setup would sandbox git entirely away from high-value items, but this is not always practical or easy to set up (e.g., OS network controls may block multiple protocols, and we would want to enable some but not others). We can help this case by providing a way to restrict particular protocols. We use a whitelist in the environment. This is more annoying to set up than a blacklist, but defaults to safety if the set of protocols git supports grows). If no whitelist is specified, we continue to default to allowing all protocols (this is an "unsafe" default, but since the minority of users will want this sandboxing effect, it is the only sensible one). A note on the tests: ideally these would all be in a single test file, but the git-daemon and httpd test infrastructure is an all-or-nothing proposition rather than a test-by-test prerequisite. By putting them all together, we would be unable to test the file-local code on machines without apache. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-04Git 2.3.9Libravatar Junio C Hamano4-3/+13
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-04Sync with 2.2.3Libravatar Junio C Hamano6-25/+38
2015-09-04Git 2.2.3Libravatar Junio C Hamano4-3/+13
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-04Merge branch 'jk/long-paths' into maint-2.2Libravatar Junio C Hamano4-24/+27
2015-09-04show-branch: use a strbuf for reflog descriptionsLibravatar Jeff King1-2/+4
When we show "branch@{0}", we format into a fixed-size buffer using sprintf. This can overflow if you have long branch names. We can fix it by using a temporary strbuf. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-04read_info_alternates: handle paths larger than PATH_MAXLibravatar Jeff King1-6/+3
This function assumes that the relative_base path passed into it is no larger than PATH_MAX, and writes into a fixed-size buffer. However, this path may not have actually come from the filesystem; for example, add_submodule_odb generates a path using a strbuf and passes it in. This is hard to trigger in practice, though, because the long submodule directory would have to exist on disk before we would try to open its info/alternates file. We can easily avoid the bug, though, by simply creating the filename on the heap. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-04notes: use a strbuf in add_non_noteLibravatar Jeff King1-9/+10
When we are loading a notes tree into our internal hash table, we also collect any files that are clearly non-notes. We format the name of the file into a PATH_MAX buffer, but unlike true notes (which cannot be larger than a fanned-out sha1 hash), these tree entries can be arbitrarily long, overflowing our buffer. We can fix this by switching to a strbuf. It doesn't even cost us an extra allocation, as we can simply hand ownership of the buffer over to the non-note struct. This is of moderate security interest, as you might fetch notes trees from an untrusted remote. However, we do not do so by default, so you would have to manually fetch into the notes namespace. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-04verify_absent: allow filenames longer than PATH_MAXLibravatar Jeff King1-7/+10
When unpack-trees wants to know whether a path will overwrite anything in the working tree, we use lstat() to see if there is anything there. But if we are going to write "foo/bar", we can't just lstat("foo/bar"); we need to look for leading prefixes (e.g., "foo"). So we use the lstat cache to find the length of the leading prefix, and copy the filename up to that length into a temporary buffer (since the original name is const, we cannot just stick a NUL in it). The copy we make goes into a PATH_MAX-sized buffer, which will overflow if the prefix is longer than PATH_MAX. How this happens is a little tricky, since in theory PATH_MAX is the biggest path we will have read from the filesystem. But this can happen if: - the compiled-in PATH_MAX does not accurately reflect what the filesystem is capable of - the leading prefix is not _quite_ what is on disk; it contains the next element from the name we are checking. So if we want to write "aaa/bbb/ccc/ddd" and "aaa/bbb" exists, the prefix of interest is "aaa/bbb/ccc". If "aaa/bbb" approaches PATH_MAX, then "ccc" can overflow it. So this can be triggered, but it's hard to do. In particular, you cannot just "git clone" a bogus repo. The verify_absent checks happen before unpack-trees writes anything to the filesystem, so there are never any leading prefixes during the initial checkout, and the bug doesn't trigger. And by definition, these files are larger than PATH_MAX, so writing them will fail, and clone will complain (though it may write a partial path, which will cause a subsequent "git checkout" to hit the bug). We can fix it by creating the temporary path on the heap. The extra malloc overhead is not important, as we are already making at least one stat() call (and probably more for the prefix discovery). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-05-11Git 2.3.8Libravatar Junio C Hamano4-3/+26
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-05-11Merge branch 'mm/usage-log-l-can-take-regex' into maint-2.3Libravatar Junio C Hamano6-15/+16
Documentation fix. * mm/usage-log-l-can-take-regex: log -L: improve error message on malformed argument Documentation: change -L:<regex> to -L:<funcname>
2015-05-11Merge branch 'jc/diff-no-index-d-f' into maint-2.3Libravatar Junio C Hamano2-2/+98
The usual "git diff" when seeing a file turning into a directory showed a patchset to remove the file and create all files in the directory, but "git diff --no-index" simply refused to work. Also, when asked to compare a file and a directory, imitate POSIX "diff" and compare the file with the file with the same name in the directory, instead of refusing to run. * jc/diff-no-index-d-f: diff-no-index: align D/F handling with that of normal Git diff-no-index: DWIM "diff D F" into "diff D/F F"
2015-05-11Merge branch 'oh/fix-config-default-user-name-section' into maint-2.3Libravatar Junio C Hamano1-2/+2
The default $HOME/.gitconfig file created upon "git config --global" that edits it had incorrectly spelled user.name and user.email entries in it. * oh/fix-config-default-user-name-section: config: fix settings in default_user_config template
2015-05-11Merge branch 'jc/epochtime-wo-tz' into maint-2.3Libravatar Junio C Hamano1-5/+9
"git commit --date=now" or anything that relies on approxidate lost the daylight-saving-time offset. * jc/epochtime-wo-tz: parse_date_basic(): let the system handle DST conversion parse_date_basic(): return early when given a bogus timestamp
2015-04-27Git 2.3.7Libravatar Junio C Hamano4-3/+25
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-04-27Merge branch 'tb/connect-ipv6-parse-fix' into maintLibravatar Junio C Hamano3-16/+24
An earlier update to the parser that disects a URL broke an address, followed by a colon, followed by an empty string (instead of the port number), e.g. ssh://example.com:/path/to/repo. * tb/connect-ipv6-parse-fix: connect.c: ignore extra colon after hostname
2015-04-27Merge branch 'ma/bash-completion-leaking-x' into maintLibravatar Junio C Hamano1-1/+1
The completion script (in contrib/) contaminated global namespace and clobbered on a shell variable $x. * ma/bash-completion-leaking-x: completion: fix global bash variable leak on __gitcompappend
2015-04-27Merge branch 'jc/push-cert' into maintLibravatar Junio C Hamano1-0/+23
The "git push --signed" protocol extension did not limit what the "nonce" that is a server-chosen string can contain or how long it can be, which was unnecessarily lax. Limit both the length and the alphabet to a reasonably small space that can still have enough entropy. * jc/push-cert: push --signed: tighten what the receiving end can ask to sign
2015-04-21Git 2.3.6Libravatar Junio C Hamano4-3/+17
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-04-21Merge branch 'jk/colors' into maintLibravatar Junio C Hamano1-2/+7
"diff-highlight" (in contrib/) used to show byte-by-byte differences, which meant that multi-byte characters can be chopped in the middle. It learned to pay attention to character boundaries (assuming the UTF-8 payload). * jk/colors: diff-highlight: do not split multibyte characters
2015-04-21Merge branch 'jk/test-annoyances' into maintLibravatar Junio C Hamano5-15/+24
Test fixes. * jk/test-annoyances: t5551: make EXPENSIVE test cheaper t5541: move run_with_cmdline_limit to test-lib.sh t: pass GIT_TRACE through Apache t: redirect stderr GIT_TRACE to descriptor 4 t: translate SIGINT to an exit
2015-04-21Merge branch 'pt/enter-repo-comment-fix' into maintLibravatar Junio C Hamano1-8/+3
Documentation update. * pt/enter-repo-comment-fix: enter_repo(): fix docs to match code
2015-04-21Merge branch 'jz/gitweb-conf-doc-fix' into maintLibravatar Junio C Hamano1-1/+1
Documentation update. * jz/gitweb-conf-doc-fix: gitweb.conf.txt: say "build-time", not "built-time"
2015-04-21Merge branch 'jk/cherry-pick-docfix' into maintLibravatar Junio C Hamano1-1/+2
* jk/cherry-pick-docfix: cherry-pick: fix docs describing handling of empty commits
2015-04-21Merge branch 'iu/fix-parse-options-h-comment' into maintLibravatar Junio C Hamano1-2/+1
* iu/fix-parse-options-h-comment: parse-options.h: OPTION_{BIT,SET_INT} do not store pointer to defval
2015-04-21Merge branch 'jg/cguide-we-cannot-count' into maintLibravatar Junio C Hamano1-1/+1
* jg/cguide-we-cannot-count: CodingGuidelines: update 'rough' rule count
2015-04-21Merge branch 'jk/pack-corruption-post-mortem' into maintLibravatar Junio C Hamano1-0/+237
Documentation update. * jk/pack-corruption-post-mortem: howto: document more tools for recovery corruption
2015-04-21Merge branch 'jn/doc-fast-import-no-16-octopus-limit' into maintLibravatar Junio C Hamano1-4/+0
Documentation update. * jn/doc-fast-import-no-16-octopus-limit: fast-import doc: remove suggested 16-parent limit
2015-04-20log -L: improve error message on malformed argumentLibravatar Matthieu Moy2-5/+5
The old message did not mention the :regex:file form. To avoid overly long lines, split the message into two lines (in case item->string is long, it will be the only part truncated in a narrow terminal). Signed-off-by: Matthieu Moy <Matthieu.Moy@imag.fr> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-04-20Documentation: change -L:<regex> to -L:<funcname>Libravatar Matthieu Moy4-10/+11
The old wording was somehow implying that <start> and <end> were not regular expressions. Also, the common case is to use a plain function name here so <funcname> makes sense (the fact that it is a regular expression is documented in line-range-format.txt). Signed-off-by: Matthieu Moy <Matthieu.Moy@imag.fr> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-04-17config: fix settings in default_user_config templateLibravatar Ossi Herrala1-2/+2
The name (not user) and email setting should be in config section "user" and not in "core" as documented in Documentation/config.txt. Signed-off-by: Ossi Herrala <oherrala@gmail.com> Reviewed-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-04-15parse_date_basic(): let the system handle DST conversionLibravatar Junio C Hamano1-2/+6
The function parses the input to compute the broken-down time in "struct tm", and the GMT timezone offset. If the timezone offset does not exist in the input, the broken-down time is turned into the number of seconds since epoch both in the current timezone and in GMT and the offset is computed as their difference. However, we forgot to make sure tm.tm_isdst is set to -1 (i.e. let the system figure out if DST is in effect in the current timezone when turning the broken-down time to the number of seconds since epoch); it is done so at the beginning of the function, but a call to match_digit() in the function can lead to a call to gmtime_r() to clobber the field. Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Diagnosed-by: Eric Sunshine <sunshine@sunshineco.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-04-15parse_date_basic(): return early when given a bogus timestampLibravatar Junio C Hamano1-3/+3
When the input does not have GMT timezone offset, the code computes it by computing the local and GMT time for the given timestamp. But there is no point doing so if the given timestamp is known to be a bogus one. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-04-14CodingGuidelines: update 'rough' rule countLibravatar Julian Gindi1-1/+1
Changed inaccurate count of "rough rules" from three to the more generic 'a few'. Signed-off-by: Julian Gindi <juliangindi@gmail.com> Reviewed-by: Eric Sunshine <sunshine@sunshineco.com> Reviewed-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-04-12completion: fix global bash variable leak on __gitcompappendLibravatar Márcio Almada1-1/+1
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-04-08connect.c: ignore extra colon after hostnameLibravatar Torsten Bögershausen3-16/+24
Ignore an extra ':' at the end of the hostname in URL's like "ssh://example.com:/path/to/repo" The colon is meant to separate a port number from the hostname. If the port is empty, the colon should be ignored, see RFC 3986. It had been working for URLs with ssh:// scheme, but was unintentionally broken in 86ceb3, "allow ssh://user@[2001:db8::1]/repo.git" Reported-by: Reid Woodbury Jr. <reidw@rawsound.com> Signed-off-by: Torsten Bögershausen <tboegi@web.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-04-04diff-highlight: do not split multibyte charactersLibravatar Kyle J. McKay1-2/+7
When the input is UTF-8 and Perl is operating on bytes instead of characters, a diff that changes one multibyte character to another that shares an initial byte sequence will result in a broken diff display as the common byte sequence prefix will be separated from the rest of the bytes in the multibyte character. For example, if a single line contains only the unicode character U+C9C4 (encoded as UTF-8 0xEC, 0xA7, 0x84) and that line is then changed to the unicode character U+C9C0 (encoded as UTF-8 0xEC, 0xA7, 0x80), when operating on bytes diff-highlight will show only the single byte change from 0x84 to 0x80 thus creating invalid UTF-8 and a broken diff display. Fix this by putting Perl into character mode when splitting the line and then back into byte mode after the split is finished. The utf8::xxx functions require Perl 5.8 so we require that as well. Also, since we are mucking with code in the split_line function, we change a '*' quantifier to a '+' quantifier when matching the $COLOR expression which has the side effect of speeding everything up while eliminating useless '' elements in the returned array. Reported-by: Yi EungJun <semtlenori@gmail.com> Signed-off-by: Kyle J. McKay <mackyle@gmail.com> Acked-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-04-02push --signed: tighten what the receiving end can ask to signLibravatar Junio C Hamano1-0/+23
Instead of blindly trusting the receiving side to give us a sensible nonce to sign, limit the length (max 256 bytes) and the alphabet (alnum and a few selected punctuations, enough to encode in base64) that can be used in nonce. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-04-01howto: document more tools for recovery corruptionLibravatar Jeff King1-0/+237
Long ago, I documented a corruption recovery I did and gave some C code that I used to help find a flipped bit. I had to fix a similar case recently, and I ended up writing a few more tools. I hope nobody ever has to use these, but it does not hurt to share them, just in case. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-03-31fast-import doc: remove suggested 16-parent limitLibravatar Jonathan Nieder1-4/+0
Merges with an absurd number of parents are still a bad idea because they do not render well in tools like gitk, but if they are present in the repository being imported into git then there's no need to avoid reproducing them faithfully. In olden times, before v1.6.0-rc0~194 (2008-06-27), git commit-tree and higher-level tools built on top of it were limited to writing 16 parents for a commit. Nowadays normal git operations are happy to write more parents when asked, so the motivation for this note in the fast-import documentation is gone and we can remove it. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-03-31Git 2.3.5Libravatar Junio C Hamano3-2/+6
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-03-31Merge branch 'ss/pull-rebase-preserve' into maintLibravatar Junio C Hamano2-4/+5
* ss/pull-rebase-preserve: docs: clarify what git-rebase's "-p" / "--preserve-merges" does docs: clarify "preserve" option wording for git-pull
2015-03-31Merge branch 'jc/report-path-error-to-dir' into maintLibravatar Junio C Hamano4-44/+44
Code clean-up. * jc/report-path-error-to-dir: report_path_error(): move to dir.c
2015-03-31Merge branch 'ph/push-doc-cas' into maintLibravatar Junio C Hamano1-8/+6
* ph/push-doc-cas: git-push.txt: clean up force-with-lease wording