summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2016-12-06remote-curl: rename shadowed options variableLibravatar Jeff King1-9/+9
The discover_refs() function has a local "options" variable to hold the http_get_options we pass to http_get_strbuf(). But this shadows the global "struct options" that holds our program-level options, which cannot be accessed from this function. Let's give the local one a more descriptive name so we can tell the two apart. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-06http: always update the base URL for redirectsLibravatar Jeff King4-4/+21
If a malicious server redirects the initial ref advertisement, it may be able to leak sha1s from other, unrelated servers that the client has access to. For example, imagine that Alice is a git user, she has access to a private repository on a server hosted by Bob, and Mallory runs a malicious server and wants to find out about Bob's private repository. Mallory asks Alice to clone an unrelated repository from her over HTTP. When Alice's client contacts Mallory's server for the initial ref advertisement, the server issues an HTTP redirect for Bob's server. Alice contacts Bob's server and gets the ref advertisement for the private repository. If there is anything to fetch, she then follows up by asking the server for one or more sha1 objects. But who is the server? If it is still Mallory's server, then Alice will leak the existence of those sha1s to her. Since commit c93c92f30 (http: update base URLs when we see redirects, 2013-09-28), the client usually rewrites the base URL such that all further requests will go to Bob's server. But this is done by textually matching the URL. If we were originally looking for "http://mallory/repo.git/info/refs", and we got pointed at "http://bob/other.git/info/refs", then we know that the right root is "http://bob/other.git". If the redirect appears to change more than just the root, we punt and continue to use the original server. E.g., imagine the redirect adds a URL component that Bob's server will ignore, like "http://bob/other.git/info/refs?dummy=1". We can solve this by aborting in this case rather than silently continuing to use Mallory's server. In addition to protecting from sha1 leakage, it's arguably safer and more sane to refuse a confusing redirect like that in general. For example, part of the motivation in c93c92f30 is avoiding accidentally sending credentials over clear http, just to get a response that says "try again over https". So even in a non-malicious case, we'd prefer to err on the side of caution. The downside is that it's possible this will break a legitimate but complicated server-side redirection scheme. The setup given in the newly added test does work, but it's convoluted enough that we don't need to care about it. A more plausible case would be a server which redirects a request for "info/refs?service=git-upload-pack" to just "info/refs" (because it does not do smart HTTP, and for some reason really dislikes query parameters). Right now we would transparently downgrade to dumb-http, but with this patch, we'd complain (and the user would have to set GIT_SMART_HTTP=0 to fetch). Reported-by: Jann Horn <jannh@google.com> Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-06http: simplify update_url_from_redirectLibravatar Jeff King1-6/+4
This function looks for a common tail between what we asked for and where we were redirected to, but it open-codes the comparison. We can avoid some confusing subtractions by using strip_suffix_mem(). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-09-08Prepare for 2.9.4Libravatar Junio C Hamano2-1/+84
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-09-08Merge branch 'hv/doc-commit-reference-style' into maintLibravatar Junio C Hamano1-0/+10
A small doc update. * hv/doc-commit-reference-style: SubmittingPatches: use gitk's "Copy commit summary" format SubmittingPatches: document how to reference previous commits
2016-09-08Merge branch 'sg/reflog-past-root' into maintLibravatar Junio C Hamano1-1/+0
A small test clean-up for a topic introduced in v2.9.1 and later. * sg/reflog-past-root: t1410: remove superfluous 'git reflog' from the 'walk past root' test
2016-09-08Merge branch 'rs/mailinfo-lib' into maintLibravatar Junio C Hamano1-7/+2
Small code clean-up. * rs/mailinfo-lib: mailinfo: recycle strbuf in check_header()
2016-09-08Merge branch 'jk/tighten-alloc' into maintLibravatar Junio C Hamano2-4/+2
Small code and comment clean-up. * jk/tighten-alloc: receive-pack: use FLEX_ALLOC_MEM in queue_command() correct FLEXPTR_* example in comment
2016-09-08Merge branch 'rs/use-strbuf-add-unique-abbrev' into maintLibravatar Junio C Hamano3-16/+11
A small code clean-up. * rs/use-strbuf-add-unique-abbrev: use strbuf_add_unique_abbrev() for adding short hashes
2016-09-08Merge branch 'rs/merge-recursive-string-list-init' into maintLibravatar Junio C Hamano1-2/+1
A small code clean-up. * rs/merge-recursive-string-list-init: merge-recursive: use STRING_LIST_INIT_NODUP
2016-09-08Merge branch 'rs/merge-add-strategies-simplification' into maintLibravatar Junio C Hamano1-34/+10
A small code clean-up. * rs/merge-add-strategies-simplification: merge: use string_list_split() in add_strategies()
2016-09-08Merge branch 'ls/packet-line-protocol-doc-fix' into maintLibravatar Junio C Hamano1-3/+3
Correct an age-old calco (is that a typo-like word for calc) in the documentation. * ls/packet-line-protocol-doc-fix: pack-protocol: fix maximum pkt-line size
2016-09-08Merge branch 'bw/mingw-avoid-inheriting-fd-to-lockfile' into maintLibravatar Junio C Hamano6-1/+35
The tempfile (hence its user lockfile) API lets the caller to open a file descriptor to a temporary file, write into it and then finalize it by first closing the filehandle and then either removing or renaming the temporary file. When the process spawns a subprocess after obtaining the file descriptor, and if the subprocess has not exited when the attempt to remove or rename is made, the last step fails on Windows, because the subprocess has the file descriptor still open. Open tempfile with O_CLOEXEC flag to avoid this (on Windows, this is mapped to O_NOINHERIT). * bw/mingw-avoid-inheriting-fd-to-lockfile: mingw: ensure temporary file handles are not inherited by child processes t6026-merge-attr: child processes must not inherit index.lock handles
2016-09-08Merge branch 'dg/document-git-c-in-git-config-doc' into maintLibravatar Junio C Hamano1-0/+3
The "git -c var[=val] cmd" facility to append a configuration variable definition at the end of the search order was described in git(1) manual page, but not in git-config(1), which was more likely place for people to look for when they ask "can I make a one-shot override, and if so how?" * dg/document-git-c-in-git-config-doc: doc: mention `git -c` in git-config(1)
2016-09-08Merge branch 'js/no-html-bypass-on-windows' into maintLibravatar Junio C Hamano3-52/+0
On Windows, help.browser configuration variable used to be ignored, which has been corrected. * js/no-html-bypass-on-windows: Revert "display HTML in default browser using Windows' shell API"
2016-09-08Merge branch 'jk/difftool-command-not-found' into maintLibravatar Junio C Hamano2-0/+13
"git difftool" by default ignores the error exit from the backend commands it spawns, because often they signal that they found differences by exiting with a non-zero status code just like "diff" does; the exit status codes 126 and above however are special in that they are used to signal that the command is not executable, does not exist, or killed by a signal. "git difftool" has been taught to notice these exit status codes. * jk/difftool-command-not-found: difftool: always honor fatal error exit codes
2016-09-08Merge branch 'sb/checkout-explit-detach-no-advice' into maintLibravatar Junio C Hamano2-1/+25
"git checkout --detach <branch>" used to give the same advice message as that is issued when "git checkout <tag>" (or anything that is not a branch name) is given, but asking with "--detach" is an explicit enough sign that the user knows what is going on. The advice message has been squelched in this case. * sb/checkout-explit-detach-no-advice: checkout: do not mention detach advice for explicit --detach option
2016-09-08Merge branch 'rs/pull-signed-tag' into maintLibravatar Junio C Hamano4-12/+33
When "git merge-recursive" works on history with many criss-cross merges in "verbose" mode, the names the command assigns to the virtual merge bases could have overwritten each other by unintended reuse of the same piece of memory. * rs/pull-signed-tag: commit: use FLEX_ARRAY in struct merge_remote_desc merge-recursive: fix verbose output for multiple base trees commit: factor out set_merge_remote_desc() commit: use xstrdup() in get_merge_parent()
2016-09-08Merge branch 'js/test-lint-pathname' into maintLibravatar Junio C Hamano1-1/+10
The "t/" hierarchy is prone to get an unusual pathname; "make test" has been taught to make sure they do not contain paths that cannot be checked out on Windows (and the mechanism can be reusable to catch pathnames that are not portable to other platforms as need arises). * js/test-lint-pathname: t/Makefile: ensure that paths are valid on platforms we care
2016-09-08Merge branch 'js/mv-dir-to-new-directory' into maintLibravatar Junio C Hamano1-4/+7
"git mv dir non-existing-dir/" did not work in some environments the same way as existing mainstream platforms. The code now moves "dir" to "non-existing-dir", without relying on rename("A", "B/") that strips the trailing slash of '/'. * js/mv-dir-to-new-directory: git mv: do not keep slash in `git mv dir non-existing-dir/`
2016-09-08Merge branch 'js/import-tars-hardlinks' into maintLibravatar Junio C Hamano1-11/+20
"import-tars" fast-import script (in contrib/) used to ignore a hardlink target and replaced it with an empty file, which has been corrected to record the same blob as the other file the hardlink is shared with. * js/import-tars-hardlinks: import-tars: support hard links
2016-09-08Merge branch 'ms/document-pack-window-memory-is-per-thread' into maintLibravatar Junio C Hamano2-4/+6
* ms/document-pack-window-memory-is-per-thread: document git-repack interaction of pack.threads and pack.windowMemory
2016-09-08Merge branch 'jk/push-force-with-lease-creation' into maintLibravatar Junio C Hamano4-7/+46
"git push --force-with-lease" already had enough logic to allow ensuring that such a push results in creation of a ref (i.e. the receiving end did not have another push from sideways that would be discarded by our force-pushing), but didn't expose this possibility to the users. It does so now. * jk/push-force-with-lease-creation: t5533: make it pass on case-sensitive filesystems push: allow pushing new branches with --force-with-lease push: add shorthand for --force-with-lease branch creation Documentation/git-push: fix placeholder formatting
2016-09-08Merge branch 'jk/reflog-date' into maintLibravatar Junio C Hamano6-10/+57
The reflog output format is documented better, and a new format --date=unix to report the seconds-since-epoch (without timezone) has been added. * jk/reflog-date: date: clarify --date=raw description date: add "unix" format date: document and test "raw-local" mode doc/pretty-formats: explain shortening of %gd doc/pretty-formats: describe index/time formats for %gd doc/rev-list-options: explain "-g" output formats doc/rev-list-options: clarify "commit@{Nth}" for "-g" option
2016-09-08Merge branch 'jc/renormalize-merge-kill-safer-crlf' into maintLibravatar Junio C Hamano10-90/+112
"git merge" with renormalization did not work well with merge-recursive, due to "safer crlf" conversion kicking in when it shouldn't. * jc/renormalize-merge-kill-safer-crlf: merge: avoid "safer crlf" during recording of merge results convert: unify the "auto" handling of CRLF
2016-09-08Merge branch 'jk/common-main' into maintLibravatar Junio C Hamano53-153/+126
There are certain house-keeping tasks that need to be performed at the very beginning of any Git program, and programs that are not built-in commands had to do them exactly the same way as "git" potty does. It was easy to make mistakes in one-off standalone programs (like test helpers). A common "main()" function that calls cmd_main() of individual program has been introduced to make it harder to make mistakes. * jk/common-main: mingw: declare main()'s argv as const common-main: call git_setup_gettext() common-main: call restore_sigpipe_to_default() common-main: call sanitize_stdfds() common-main: call git_extract_argv0_path() add an extra level of indirection to main()
2016-08-30pack-protocol: fix maximum pkt-line sizeLibravatar Lars Schneider1-3/+3
According to LARGE_PACKET_MAX in pkt-line.h the maximal length of a pkt-line packet is 65520 bytes. The pkt-line header takes 4 bytes and therefore the pkt-line data component must not exceed 65516 bytes. Signed-off-by: Lars Schneider <larsxschneider@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-26SubmittingPatches: use gitk's "Copy commit summary" formatLibravatar Beat Bolli1-3/+8
Update the suggestion in 175d38ca ("SubmittingPatches: document how to reference previous commits", 2016-07-28) on the format to refer to a commit to match what gitk has been giving since last year with its "Copy commit summary" command; also mention this as one of the ways to obtain a commit reference in this format. Signed-off-by: Beat Bolli <dev+git@drbeat.li> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-23doc: mention `git -c` in git-config(1)Libravatar David Glasser1-0/+3
Signed-off-by: David Glasser <glasser@davidglasser.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-23mingw: ensure temporary file handles are not inherited by child processesLibravatar Ben Wijen6-2/+23
When the index is locked and child processes inherit the handle to said lock and the parent process wants to remove the lock before the child process exits, on Windows there is a problem: it won't work because files cannot be deleted if a process holds a handle on them. The symptom: Rename from 'xxx/.git/index.lock' to 'xxx/.git/index' failed. Should I try again? (y/n) Spawning child processes with bInheritHandles==FALSE would not work because no file handles would be inherited, not even the hStdXxx handles in STARTUPINFO (stdin/stdout/stderr). Opening every file with O_NOINHERIT does not work, either, as e.g. git-upload-pack expects inherited file handles. This leaves us with the only way out: creating temp files with the O_NOINHERIT flag. This flag is Windows-specific, however. For our purposes, it is equivalent to O_CLOEXEC (which does not exist on Windows), so let's just open temporary files with the O_CLOEXEC flag and map that flag to O_NOINHERIT on Windows. As Eric Wong pointed out, we need to be careful to handle the case where the Linux headers used to compile Git support O_CLOEXEC but the Linux kernel used to run Git does not: it returns an EINVAL. This fixes the test that we just introduced to demonstrate the problem. Signed-off-by: Ben Wijen <ben@wijen.net> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-19Revert "display HTML in default browser using Windows' shell API"Libravatar Johannes Schindelin3-52/+0
Since 4804aab (help (Windows): Display HTML in default browser using Windows' shell API, 2008-07-13), Git for Windows used to call `ShellExecute()` to launch the default Windows handler for `.html` files. The idea was to avoid going through a shell script, for performance reasons. However, this change ignores the `help.browser` config setting. Together with browsing help not being a performance-critical operation, let's just revert that patch. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-18t6026-merge-attr: child processes must not inherit index.lock handlesLibravatar Ben Wijen1-0/+13
On Windows, a file cannot be removed unless all file handles to it have been released. Hence it is particularly important to close handles when spawning children (which would probably not even know that they hold on to those handles). The example chosen for this test is a custom merge driver that indeed has no idea that it blocks the deletion of index.lock. The full use case is a daemon that lives on after the merge, with subsequent invocations handing off to the daemon, thereby avoiding hefty start-up costs. We simulate this behavior by simply sleeping one second. Note that the test only fails on Windows, due to the file locking issue. Since we have no way to say "expect failure with MINGW, success otherwise", we simply skip this test on Windows for now. Signed-off-by: Ben Wijen <ben@wijen.net> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-17SubmittingPatches: document how to reference previous commitsLibravatar Heiko Voigt1-0/+5
To reference previous commits people used to put just the abbreviated SHA-1 into commit messages. This is what has evolved as a more stable format for referencing commits. So lets document it for everyone to look-up when needed. Signed-off-by: Heiko Voigt <hvoigt@hvoigt.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-16t/Makefile: ensure that paths are valid on platforms we careLibravatar Johannes Schindelin1-1/+10
Some pathnames that are okay on ext4 and on HFS+ cannot be checked out on Windows. Tests that want to see operations on such paths on filesystems that support them must do so behind appropriate test prerequisites, and must not include them in the source tree (instead they should create them when they run). Otherwise, the source tree cannot even be checked out. Make sure that double-quotes, asterisk, colon, greater/less-than, question-mark, backslash, tab, vertical-bar, as well as any non-ASCII characters never appear in the pathnames with a new test-lint-* target as part of a `make test`. To that end, we call `git ls-files` (ensuring that the paths are quoted properly), relying on the fact that paths containing non-ASCII characters are quoted within double-quotes. In case that the source code does not actually live in a Git repository (e.g. when extracted from a .zip file), or that the `git` executable cannot be executed, we simply ignore the error for now; In that case, our trusty Continuous Integration will be the last line of defense and catch any problematic file name. Noticed when a topic wanted to add a pathname with '>' in it. A check like this will prevent a similar problems from happening in the future. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-15difftool: always honor fatal error exit codesLibravatar John Keeping2-0/+13
At the moment difftool's "trust exit code" logic always suppresses the exit status of the diff utility we invoke. This is useful because we don't want to exit just because diff returned "1" because the files differ, but it's confusing if the shell returns an error because the selected diff utility is not found. POSIX specifies 127 as the exit status for "command not found", 126 for "command found but is not executable" and values greater than 128 if the command terminated because it received a signal [1] and at least bash and dash follow this specification, while diff utilities generally use "1" for the exit status we want to ignore. Handle any value of 126 or greater as a special value indicating that some form of fatal error occurred. [1] http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_08_02 Signed-off-by: John Keeping <john@keeping.me.uk> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-15checkout: do not mention detach advice for explicit --detach optionLibravatar Stefan Beller2-1/+25
When a user asked for a detached HEAD specifically with `--detach`, we do not need to give advice on what a detached HEAD state entails as we can assume they know what they're getting into as they asked for it. Signed-off-by: Stefan Beller <sbeller@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-15t1410: remove superfluous 'git reflog' from the 'walk past root' testLibravatar SZEDER Gábor1-1/+0
The test added in 71abeb753fa8 (reflog: continue walking the reflog past root commits, 2016-06-03) contains an unnecessary 'git reflog' execution, which was part of my debug/tracing instrumentation that I somehow didn't manage to remove before submitting. Signed-off-by: SZEDER Gábor <szeder@ira.uka.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-13receive-pack: use FLEX_ALLOC_MEM in queue_command()Libravatar René Scharfe1-3/+1
Use the macro FLEX_ALLOC_MEM instead of open-coding it. This shortens and simplifies the code a bit. Signed-off-by: Rene Scharfe <l.s.r@web.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-13commit: use FLEX_ARRAY in struct merge_remote_descLibravatar René Scharfe2-3/+2
Convert the name member of struct merge_remote_desc to a FLEX_ARRAY and use FLEX_ALLOC_STR to build the struct. This halves the number of memory allocations, saves the storage for a pointer and avoids an indirection when reading the name. Suggested-by: Jeff King <peff@peff.net> Signed-off-by: Rene Scharfe <l.s.r@web.de> Reviewed-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-13merge-recursive: fix verbose output for multiple base treesLibravatar René Scharfe2-4/+19
One of the indirect callers of make_virtual_commit() passes the result of oid_to_hex() as the name, i.e. a pointer to a static buffer. Since the function uses that string pointer directly in building a struct merge_remote_desc, multiple entries can end up sharing the same name inadvertently. Fix that by calling set_merge_remote_desc(), which creates a copy of the string, instead of building the struct by hand. Signed-off-by: Rene Scharfe <l.s.r@web.de> Reviewed-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-13commit: factor out set_merge_remote_desc()Libravatar René Scharfe2-7/+14
Export a helper function for allocating, populating and attaching a merge_remote_desc to a commit. Signed-off-by: Rene Scharfe <l.s.r@web.de> Reviewed-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-13commit: use xstrdup() in get_merge_parent()Libravatar René Scharfe1-1/+1
Handle allocation errors for the name member just like we already do for the struct merge_remote_desc itself. Signed-off-by: Rene Scharfe <l.s.r@web.de> Reviewed-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-13mailinfo: recycle strbuf in check_header()Libravatar René Scharfe1-7/+2
handle_message_id() duplicates the contents of the strbuf that is passed to it. Its only caller proceeds to release the strbuf immediately after that. Reuse it instead and make that change of object ownership more obvious by inlining this short function. Signed-off-by: Rene Scharfe <l.s.r@web.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-13correct FLEXPTR_* example in commentLibravatar René Scharfe1-1/+1
This section is about "The FLEXPTR_* variants", so use FLEXPTR_ALLOC_STR in the example. Signed-off-by: Rene Scharfe <l.s.r@web.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-12Git 2.9.3Libravatar Junio C Hamano3-2/+13
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-12Merge branch 'jk/difftool-in-subdir' into maintLibravatar Junio C Hamano2-59/+41
"git difftool <paths>..." started in a subdirectory failed to interpret the paths relative to that directory, which has been fixed. * jk/difftool-in-subdir: difftool: use Git::* functions instead of passing around state difftool: avoid $GIT_DIR and $GIT_WORK_TREE difftool: fix argument handling in subdirs
2016-08-12Merge branch 'jk/reset-ident-time-per-commit' into maintLibravatar Junio C Hamano3-0/+8
Not-so-recent rewrite of "git am" that started making internal calls into the commit machinery had an unintended regression, in that no matter how many seconds it took to apply many patches, the resulting committer timestamp for the resulting commits were all the same. * jk/reset-ident-time-per-commit: am: reset cached ident date for each patch
2016-08-10Yet another batch for 2.9.3Libravatar Junio C Hamano1-0/+68
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-08-10Merge branch 'jh/clean-smudge-f-doc' into maintLibravatar Junio C Hamano1-0/+5
A minor documentation update. This was split out from a stalled jh/clean-smudge-annex topic before discarding it. * jh/clean-smudge-f-doc: clarify %f documentation
2016-08-10Merge branch 'rs/use-strbuf-addstr' into maintLibravatar Junio C Hamano7-9/+9
* rs/use-strbuf-addstr: use strbuf_addstr() instead of strbuf_addf() with "%s" use strbuf_addstr() for adding constant strings to a strbuf