summaryrefslogtreecommitdiff
path: root/builtin
AgeCommit message (Collapse)AuthorFilesLines
2015-09-25convert trivial sprintf / strcpy calls to xsnprintfLibravatar Jeff King7-14/+16
We sometimes sprintf into fixed-size buffers when we know that the buffer is large enough to fit the input (either because it's a constant, or because it's numeric input that is bounded in size). Likewise with strcpy of constant strings. However, these sites make it hard to audit sprintf and strcpy calls for buffer overflows, as a reader has to cross-reference the size of the array with the input. Let's use xsnprintf instead, which communicates to a reader that we don't expect this to overflow (and catches the mistake in case we do). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25mailsplit: make PATH_MAX buffers dynamicLibravatar Jeff King1-11/+23
There are several PATH_MAX-sized buffers in mailsplit, along with some questionable uses of sprintf. These are not really of security interest, as local mailsplit pathnames are not typically under control of an attacker, and you could generally only overflow a few numbers at the end of a path that approaches PATH_MAX (a longer path would choke mailsplit long before). But it does not hurt to be careful, and as a bonus we lift some limits for systems with too-small PATH_MAX varibles. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25fsck: use strbuf to generate alternate directoriesLibravatar Jeff King1-5/+6
When fsck-ing alternates, we make a copy of the alternate directory in a fixed PATH_MAX buffer. We memcpy directly, without any check whether we are overflowing the buffer. This is OK if PATH_MAX is a true representation of the maximum path on the system, because any path here will have already been vetted by the alternates subsystem. But that is not true on every system, so we should be more careful. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25fsck: don't fsck alternates for connectivity-only checkLibravatar Jeff King1-8/+9
Commit 02976bf (fsck: introduce `git fsck --connectivity-only`, 2015-06-22) recently gave fsck an option to perform only a subset of the checks, by skipping the fsck_object_dir() call. However, it does so only for the local object directory, and we still do expensive checks on any alternate repos. We should skip them in this case, too. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25mailsplit: fix FILE* leak in split_maildirLibravatar Jeff King1-1/+4
If we encounter an error while splitting a maildir, we exit the function early, leaking the open filehandle. This isn't a big deal, since we exit the program soon after, but it's easy enough to be careful. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25show-branch: avoid segfault with --reflog of unborn branchLibravatar Jeff King1-0/+2
When no branch is given to the "--reflog" option, we resolve HEAD to get the default branch. However, if HEAD points to an unborn branch, resolve_ref returns NULL, and we later segfault trying to access it. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-14Merge branch 'ah/show-ref-usage-string'Libravatar Junio C Hamano1-1/+1
Both "git show-ref -h" and "git show-ref --help" illustrated that the "--exclude-existing" option makes the command read list of refs from its standard input. Change only the "show-ref -h" output to have a pair of "<>" around the placeholder that designate an input file, i.e. "git show-ref --exclude-existing < <ref-list>". * ah/show-ref-usage-string: show-ref: place angle brackets around variables in usage string
2015-09-14Merge branch 'rt/help-strings-fix'Libravatar Junio C Hamano3-3/+3
* rt/help-strings-fix: tag, update-ref: improve description of option "create-reflog" pull: don't mark values for option "rebase" for translation
2015-09-14Merge branch 'gb/apply-comment-typofix'Libravatar Junio C Hamano1-1/+1
* gb/apply-comment-typofix: apply: comment grammar fix
2015-09-11tag, update-ref: improve description of option "create-reflog"Libravatar Ralf Thielow2-2/+2
The description of option "create-reflog" is "create_reflog", which is neither a good description, nor a sensible string to translate. Change it to a more meaningful message. Signed-off-by: Ralf Thielow <ralf.thielow@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-11pull: don't mark values for option "rebase" for translationLibravatar Ralf Thielow1-1/+1
"false|true|preserve" are actual values for option "rebase" of the "git-pull" command and should therefore not be marked for translation. Signed-off-by: Ralf Thielow <ralf.thielow@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-09Sync with 2.5.2Libravatar Junio C Hamano1-2/+4
2015-09-08Merge branch 'jc/builtin-am-signoff-regression-fix'Libravatar Junio C Hamano1-2/+29
Recent "git am" had regression when adding a Signed-off-by line with its "-s" option by an unintended tightening of how an existing trailer block is detected. * jc/builtin-am-signoff-regression-fix: am: match --signoff to the original scripted version
2015-09-06am: match --signoff to the original scripted versionLibravatar Junio C Hamano1-2/+29
Linus noticed that the recently reimplemented "git am -s" defines the trailer block too rigidly, resulting in an unnecessary blank line between the existing sign-offs and his new sign-off. An e-mail submission sent to Linus in real life ends with mixture of sign-offs and commentaries, e.g. title here message here Signed-off-by: Original Author <original@auth.or> [rv: tweaked frotz and nitfol] Signed-off-by: Re Viewer <rv@ew.er> Signed-off-by: Other Reviewer <other@rev.ewer> --- patch here Because the reimplementation reused append_signoff() helper that is used by other codepaths, which is unaware that people intermix such comments with their sign-offs in the trailer block, such a message was judged to end with a non-trailer, resulting in an extra blank line before adding a new sign-off. The original scripted version of "git am" used a lot looser definition, i.e. "if and only if there is no line that begins with Signed-off-by:, add a blank line before adding a new sign-off". For the upcoming release, stop using the append_signoff() in "git am" and reimplement the looser definition used by the scripted version to use only in "git am" to fix this regression in "am" while avoiding new regressions to other users of append_signoff(). In the longer term, we should look into loosening append_signoff() so that other codepaths that add a new sign-off behave the same way as "git am -s", but that is a task for post-release. Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-04Sync with 2.4.9Libravatar Junio C Hamano1-2/+4
2015-09-04Sync with 2.3.9Libravatar Junio C Hamano1-2/+4
2015-09-04Sync with 2.2.3Libravatar Junio C Hamano1-2/+4
2015-09-04show-branch: use a strbuf for reflog descriptionsLibravatar Jeff King1-2/+4
When we show "branch@{0}", we format into a fixed-size buffer using sprintf. This can overflow if you have long branch names. We can fix it by using a temporary strbuf. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-03Merge branch ↵Libravatar Junio C Hamano1-3/+1
'dt/commit-preserve-base-index-upon-opportunistic-cache-tree-update' into maint When re-priming the cache-tree opportunistically while committing the in-core index as-is, we mistakenly invalidated the in-core index too aggressively, causing the experimental split-index code to unnecessarily rewrite the on-disk index file(s). * dt/commit-preserve-base-index-upon-opportunistic-cache-tree-update: commit: don't rewrite shared index unnecessarily
2015-09-03Merge branch 'jc/calloc-pathspec' into maintLibravatar Junio C Hamano2-2/+2
Minor code cleanup. * jc/calloc-pathspec: ps_matched: xcalloc() takes nmemb and then element size
2015-09-03Merge branch 'jk/rev-list-has-no-notes' into maintLibravatar Junio C Hamano1-0/+3
"git rev-list" does not take "--notes" option, but did not complain when one is given. * jk/rev-list-has-no-notes: rev-list: make it obvious that we do not support notes
2015-09-03Merge branch 'mh/get-remote-group-fix' into maintLibravatar Junio C Hamano1-8/+6
An off-by-one error made "git remote" to mishandle a remote with a single letter nickname. * mh/get-remote-group-fix: get_remote_group(): use skip_prefix() get_remote_group(): eliminate superfluous call to strcspn() get_remote_group(): rename local variable "space" to "wordlen" get_remote_group(): handle remotes with single-character names
2015-09-03Merge branch 'jk/am-rerere-lock-fix'Libravatar Junio C Hamano2-14/+9
Recent "git am" introduced a double-locking failure when used with the "--3way" option that invokes rerere machinery. * jk/am-rerere-lock-fix: rerere: release lockfile in non-writing functions
2015-09-01Merge branch ↵Libravatar Junio C Hamano1-3/+1
'dt/commit-preserve-base-index-upon-opportunistic-cache-tree-update' When re-priming the cache-tree opportunistically while committing the in-core index as-is, we mistakenly invalidated the in-core index too aggressively, causing the experimental split-index code to unnecessarily rewrite the on-disk index file(s). * dt/commit-preserve-base-index-upon-opportunistic-cache-tree-update: commit: don't rewrite shared index unnecessarily
2015-09-01Merge branch 'ah/reflog-typofix-in-error'Libravatar Junio C Hamano1-1/+1
Error string fix. * ah/reflog-typofix-in-error: reflog: add missing single quote to error message
2015-09-01Merge branch 'ah/read-tree-usage-string'Libravatar Junio C Hamano1-1/+1
Usage string fix. * ah/read-tree-usage-string: read-tree: replace bracket set with parentheses to clarify usage
2015-09-01Merge branch 'ah/pack-objects-usage-strings'Libravatar Junio C Hamano1-2/+2
Usage string fix. * ah/pack-objects-usage-strings: pack-objects: place angle brackets around placeholders in usage strings
2015-09-01rerere: release lockfile in non-writing functionsLibravatar Jeff King2-14/+9
There's a bug in builtin/am.c in which we take a lock on MERGE_RR recursively. But rather than fix am.c, this patch fixes the confusing interface from rerere.c that caused the bug. Read on for the gory details. The setup_rerere() function both reads the existing MERGE_RR file, and takes MERGE_RR.lock. In the rerere() and rerere_forget() functions, we end up in write_rr(), which will then commit the lock file. But for functions like rerere_clear() that do not write to MERGE_RR, we expect the caller to have handled setup_rerere(). That caller would then need to release the lockfile, but it can't; the lock struct is local to rerere.c. For builtin/rerere.c, this is OK. We run a single rerere operation and then exit immediately, which has the side effect of rolling back the lockfile. But in builtin/am.c, this is actively wrong. If we run "git am -3 --skip", we call setup-rerere twice without releasing the lock: 1. The "--skip" causes us to call am_rerere_clear(), which calls setup_rerere(), but never drops the lock. 2. We then proceed to the next patch. 3. The "--3way" may cause us to call rerere() to handle conflicts in that patch, but we are already holding the lock. The lockfile code dies with: BUG: prepare_tempfile_object called for active object We could fix this by having rerere_clear() call rollback_lock_file(). But it feels a bit odd for it to roll back a lockfile that it did not itself take. So let's simplify the interface further, and handle setup_rerere in the function itself, taking away the question from the caller over whether they need to do so. We can give rerere_gc() the same treatment, as well (even though it doesn't have any callers besides builtin/rerere.c at this point). Note that these functions don't take flags from their callers to pass along to setup_rerere; that's OK, because the flags would not be meaningful for what they are doing. Both of those functions need to hold the lock because even though they do not write to MERGE_RR, they are still writing and should be protected from a simultaneous "rerere" run. But rerere_remaining(), "rerere diff", and "rerere status" are all read-only operations. They want to setup_rerere(), but do not care about taking the lock in the first place. Since our update of MERGE_RR is the usual atomic rename done by commit_lock_file, they can just do a lockless read. For that, we teach setup_rerere a READONLY flag to avoid the lock. As a bonus, this pushes builtin/rerere.c's setup_rerere call closer to the functions that use it. Which means that "git rerere totally-bogus-command" will no longer silently exit(0) in a repository without rerere enabled. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-08-31Merge branch 'sg/describe-contains'Libravatar Junio C Hamano1-4/+4
"git describe" without argument defaulted to describe the HEAD commit, but "git describe --contains" didn't. Arguably, in a repository used for active development, such defaulting would not be very useful as the tip of branch is typically not tagged, but it is better to be consistent. * sg/describe-contains: describe --contains: default to HEAD when no commit-ish is given
2015-08-31Merge branch 'db/push-sign-if-asked'Libravatar Junio C Hamano2-106/+128
The client side codepaths in "git push" have been cleaned up and the user can request to perform an optional "signed push", i.e. sign only when the other end accepts signed push. * db/push-sign-if-asked: push: add a config option push.gpgSign for default signed pushes push: support signing pushes iff the server supports it builtin/send-pack.c: use parse_options API config.c: rename git_config_maybe_bool_text and export it as git_parse_maybe_bool transport: remove git_transport_options.push_cert gitremote-helpers.txt: document pushcert option Documentation/git-send-pack.txt: document --signed Documentation/git-send-pack.txt: wrap long synopsis line Documentation/git-push.txt: document when --signed may fail
2015-08-31Merge branch 'jk/notes-merge-config'Libravatar Junio C Hamano1-13/+30
"git notes merge" can be told with "--strategy=<how>" option how to automatically handle conflicts; this can now be configured by setting notes.mergeStrategy configuration variable. * jk/notes-merge-config: notes: teach git-notes about notes.<name>.mergeStrategy option notes: add notes.mergeStrategy option to select default strategy notes: add tests for --commit/--abort/--strategy exclusivity notes: extract parse_notes_merge_strategy to notes-utils notes: extract enum notes_merge_strategy to notes-utils.h notes: document cat_sort_uniq rewriteMode
2015-08-31Merge branch 'jc/am-state-fix'Libravatar Junio C Hamano4-34/+48
Recent reimplementation of "git am" changed the format of state files kept in $GIT_DIR/rebase-apply/ without meaning to do so, primarily because write_file() API was cumbersome to use and it was easy to mistakenly make text files with incomplete lines. Update write_file() interface to make it harder to misuse. * jc/am-state-fix: write_file(): drop caller-supplied LF from calls to create a one-liner file write_file_v(): do not leave incomplete line at the end write_file(): drop "fatal" parameter builtin/am: make sure state files are text builtin/am: introduce write_state_*() helper functions
2015-08-31Merge branch 'jc/log-p-cc'Libravatar Junio C Hamano1-9/+16
"git log --cc" did not show any patch, even though most of the time the user meant "git log --cc -p -m" to see patch output for commits with a single parent, and combined diff for merge commits. The command is taught to DWIM "--cc" (without "--raw" and other forms of output specification) to "--cc -p -m". * jc/log-p-cc: builtin/log.c: minor reformat log: show merge commit when --cc is given log: when --cc is given, default to -p unless told otherwise log: rename "tweak" helpers
2015-08-31Merge branch 'jk/rev-list-has-no-notes'Libravatar Junio C Hamano1-0/+3
"git rev-list" does not take "--notes" option, but did not complain when one is given. * jk/rev-list-has-no-notes: rev-list: make it obvious that we do not support notes
2015-08-31Merge branch 'hv/submodule-config'Libravatar Junio C Hamano2-0/+2
The gitmodules API accessed from the C code learned to cache stuff lazily. * hv/submodule-config: submodule: allow erroneous values for the fetchRecurseSubmodules option submodule: use new config API for worktree configurations submodule: extract functions for config set and lookup submodule: implement a config API for lookup of .gitmodules values
2015-08-31Merge branch 'sg/config-name-only'Libravatar Junio C Hamano1-45/+41
"git config --list" output was hard to parse when values consist of multiple lines. "--name-only" option is added to help this. * sg/config-name-only: get_urlmatch: avoid useless strbuf write format_config: simplify buffer handling format_config: don't init strbuf config: restructure format_config() for better control flow completion: list variable names reliably with 'git config --name-only' config: add '--name-only' option to list only variable names
2015-08-31show-ref: place angle brackets around variables in usage stringLibravatar Alex Henrie1-1/+1
Signed-off-by: Alex Henrie <alexhenrie24@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-08-31commit: don't rewrite shared index unnecessarilyLibravatar David Turner1-3/+1
Remove a cache invalidation which would cause the shared index to be rewritten on as-is commits. When the cache-tree has changed, we need to update it. But we don't necessarily need to update the shared index. So setting active_cache_changed to SOMETHING_CHANGED is unnecessary. Instead, we let update_main_cache_tree just update the CACHE_TREE_CHANGED bit. In order to test this, make test-dump-split-index not segfault on missing replace_bitmap/delete_bitmap. This new codepath is not called now that the test passes, but is necessary to avoid a segfault when the new test is run with the old builtin/commit.c code. Signed-off-by: David Turner <dturner@twopensource.com> Acked-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-08-28read-tree: replace bracket set with parentheses to clarify usageLibravatar Alex Henrie1-1/+1
-u and -i can only be given if -m, --reset, or --prefix is given. Without parentheses, it looks like -u and -i can be used no matter what, and the second pair of brackets is confusing. Signed-off-by: Alex Henrie <alexhenrie24@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-08-28pack-objects: place angle brackets around placeholders in usage stringsLibravatar Alex Henrie1-2/+2
Signed-off-by: Alex Henrie <alexhenrie24@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-08-28reflog: add missing single quote to error messageLibravatar Alex Henrie1-1/+1
The error message can be seen by running `git config gc.reflogexpire foo` and then `git reflog expire`. Signed-off-by: Alex Henrie <alexhenrie24@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-08-26Merge branch 'jc/calloc-pathspec'Libravatar Junio C Hamano2-2/+2
* jc/calloc-pathspec: ps_matched: xcalloc() takes nmemb and then element size
2015-08-26Merge branch 'pt/am-builtin'Libravatar Junio C Hamano1-1/+1
Rewrite "am" in "C". * pt/am-builtin: i18n: am: fix typo in description of -b option
2015-08-26Merge branch 'pt/am-builtin-abort-fix'Libravatar Junio C Hamano1-13/+36
"git am" that was recently reimplemented in C had a performance regression in "git am --abort" that goes back to the version before an attempted (and failed) patch application. * pt/am-builtin-abort-fix: am --skip/--abort: merge HEAD/ORIG_HEAD tree into index
2015-08-26i18n: am: fix typo in description of -b optionLibravatar Jiang Xin1-1/+1
Signed-off-by: Jiang Xin <worldhello.net@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-08-25Merge branch 'jk/guess-repo-name-regression-fix' into maintLibravatar Junio C Hamano1-1/+2
"git clone $URL" in recent releases of Git contains a regression in the code that invents a new repository name incorrectly based on the $URL. This has been corrected. * jk/guess-repo-name-regression-fix: clone: use computed length in guess_dir_name clone: add tests for output directory
2015-08-25Merge branch 'mh/tempfile'Libravatar Junio C Hamano4-29/+20
The "lockfile" API has been rebuilt on top of a new "tempfile" API. * mh/tempfile: credential-cache--daemon: use tempfile module credential-cache--daemon: delete socket from main() gc: use tempfile module to handle gc.pid file lock_repo_for_gc(): compute the path to "gc.pid" only once diff: use tempfile module setup_temporary_shallow(): use tempfile module write_shared_index(): use tempfile module register_tempfile(): new function to handle an existing temporary file tempfile: add several functions for creating temporary files prepare_tempfile_object(): new function, extracted from create_tempfile() tempfile: a new module for handling temporary files commit_lock_file(): use get_locked_file_path() lockfile: add accessor get_lock_file_path() lockfile: add accessors get_lock_file_fd() and get_lock_file_fp() create_bundle(): duplicate file descriptor to avoid closing it twice lockfile: move documentation to lockfile.h and lockfile.c
2015-08-25Merge branch 'pt/am-builtin-options'Libravatar Junio C Hamano1-6/+36
After "git am --opt1" stops, running "git am --opt2" pays attention to "--opt2" only for the patch that caused the original invocation to stop. * pt/am-builtin-options: am: let --signoff override --no-signoff am: let command-line options override saved options test_terminal: redirect child process' stdin to a pty
2015-08-25Merge branch 'dt/notes-multiple'Libravatar Junio C Hamano1-0/+6
When linked worktree is used, simultaneous "notes merge" instances for the same ref in refs/notes/* are prevented from stomping on each other. * dt/notes-multiple: notes: handle multiple worktrees worktrees: add find_shared_symref
2015-08-25builtin/log.c: minor reformatLibravatar Junio C Hamano1-4/+2
Two logical lines that were not overly long was split in the middle, which made them read worse. Signed-off-by: Junio C Hamano <gitster@pobox.com>