2007-12-01 21:24:59 +01:00
|
|
|
#include "../git-compat-util.h"
|
2008-09-27 10:43:01 +02:00
|
|
|
#include "win32.h"
|
2009-06-01 08:41:45 +02:00
|
|
|
#include <conio.h>
|
2012-03-15 18:21:28 +01:00
|
|
|
#include <wchar.h>
|
2007-11-24 22:49:16 +01:00
|
|
|
#include "../strbuf.h"
|
2011-02-07 21:51:21 +01:00
|
|
|
#include "../run-command.h"
|
2014-07-17 17:37:55 +02:00
|
|
|
#include "../cache.h"
|
2018-10-15 11:47:06 +02:00
|
|
|
#include "win32/lazyload.h"
|
2018-10-30 19:40:06 +01:00
|
|
|
#include "../config.h"
|
mingw: special-case arguments to `sh`
The MSYS2 runtime does its best to emulate the command-line wildcard
expansion and de-quoting which would be performed by the calling Unix
shell on Unix systems.
Those Unix shell quoting rules differ from the quoting rules applying to
Windows' cmd and Powershell, making it a little awkward to quote
command-line parameters properly when spawning other processes.
In particular, git.exe passes arguments to subprocesses that are *not*
intended to be interpreted as wildcards, and if they contain
backslashes, those are not to be interpreted as escape characters, e.g.
when passing Windows paths.
Note: this is only a problem when calling MSYS2 executables, not when
calling MINGW executables such as git.exe. However, we do call MSYS2
executables frequently, most notably when setting the use_shell flag in
the child_process structure.
There is no elegant way to determine whether the .exe file to be
executed is an MSYS2 program or a MINGW one. But since the use case of
passing a command line through the shell is so prevalent, we need to
work around this issue at least when executing sh.exe.
Let's introduce an ugly, hard-coded test whether argv[0] is "sh", and
whether it refers to the MSYS2 Bash, to determine whether we need to
quote the arguments differently than usual.
That still does not fix the issue completely, but at least it is
something.
Incidentally, this also fixes the problem where `git clone \\server\repo`
failed due to incorrect handling of the backslashes when handing the path
to the git-upload-pack process.
Further, we need to take care to quote not only whitespace and
backslashes, but also curly brackets. As aliases frequently go through
the MSYS2 Bash, and as aliases frequently get parameters such as
HEAD@{yesterday}, this is really important. As an early version of this
patch broke this, let's make sure that this does not regress by adding a
test case for that.
Helped-by: Kim Gybels <kgybels@infogroep.be>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-01-17 21:14:48 +01:00
|
|
|
#include "dir.h"
|
2007-12-01 21:24:59 +01:00
|
|
|
|
2016-01-15 14:24:34 +01:00
|
|
|
#define HCAST(type, handle) ((type)(intptr_t)handle)
|
|
|
|
|
2011-02-07 21:50:26 +01:00
|
|
|
static const int delay[] = { 0, 1, 10, 20, 40 };
|
|
|
|
|
2010-01-15 21:12:20 +01:00
|
|
|
int err_win_to_posix(DWORD winerr)
|
2009-01-24 15:04:39 +01:00
|
|
|
{
|
|
|
|
int error = ENOSYS;
|
|
|
|
switch(winerr) {
|
|
|
|
case ERROR_ACCESS_DENIED: error = EACCES; break;
|
|
|
|
case ERROR_ACCOUNT_DISABLED: error = EACCES; break;
|
|
|
|
case ERROR_ACCOUNT_RESTRICTION: error = EACCES; break;
|
|
|
|
case ERROR_ALREADY_ASSIGNED: error = EBUSY; break;
|
|
|
|
case ERROR_ALREADY_EXISTS: error = EEXIST; break;
|
|
|
|
case ERROR_ARITHMETIC_OVERFLOW: error = ERANGE; break;
|
|
|
|
case ERROR_BAD_COMMAND: error = EIO; break;
|
|
|
|
case ERROR_BAD_DEVICE: error = ENODEV; break;
|
|
|
|
case ERROR_BAD_DRIVER_LEVEL: error = ENXIO; break;
|
|
|
|
case ERROR_BAD_EXE_FORMAT: error = ENOEXEC; break;
|
|
|
|
case ERROR_BAD_FORMAT: error = ENOEXEC; break;
|
|
|
|
case ERROR_BAD_LENGTH: error = EINVAL; break;
|
|
|
|
case ERROR_BAD_PATHNAME: error = ENOENT; break;
|
|
|
|
case ERROR_BAD_PIPE: error = EPIPE; break;
|
|
|
|
case ERROR_BAD_UNIT: error = ENODEV; break;
|
|
|
|
case ERROR_BAD_USERNAME: error = EINVAL; break;
|
|
|
|
case ERROR_BROKEN_PIPE: error = EPIPE; break;
|
|
|
|
case ERROR_BUFFER_OVERFLOW: error = ENAMETOOLONG; break;
|
|
|
|
case ERROR_BUSY: error = EBUSY; break;
|
|
|
|
case ERROR_BUSY_DRIVE: error = EBUSY; break;
|
|
|
|
case ERROR_CALL_NOT_IMPLEMENTED: error = ENOSYS; break;
|
|
|
|
case ERROR_CANNOT_MAKE: error = EACCES; break;
|
|
|
|
case ERROR_CANTOPEN: error = EIO; break;
|
|
|
|
case ERROR_CANTREAD: error = EIO; break;
|
|
|
|
case ERROR_CANTWRITE: error = EIO; break;
|
|
|
|
case ERROR_CRC: error = EIO; break;
|
|
|
|
case ERROR_CURRENT_DIRECTORY: error = EACCES; break;
|
|
|
|
case ERROR_DEVICE_IN_USE: error = EBUSY; break;
|
|
|
|
case ERROR_DEV_NOT_EXIST: error = ENODEV; break;
|
|
|
|
case ERROR_DIRECTORY: error = EINVAL; break;
|
|
|
|
case ERROR_DIR_NOT_EMPTY: error = ENOTEMPTY; break;
|
|
|
|
case ERROR_DISK_CHANGE: error = EIO; break;
|
|
|
|
case ERROR_DISK_FULL: error = ENOSPC; break;
|
|
|
|
case ERROR_DRIVE_LOCKED: error = EBUSY; break;
|
|
|
|
case ERROR_ENVVAR_NOT_FOUND: error = EINVAL; break;
|
|
|
|
case ERROR_EXE_MARKED_INVALID: error = ENOEXEC; break;
|
|
|
|
case ERROR_FILENAME_EXCED_RANGE: error = ENAMETOOLONG; break;
|
|
|
|
case ERROR_FILE_EXISTS: error = EEXIST; break;
|
|
|
|
case ERROR_FILE_INVALID: error = ENODEV; break;
|
|
|
|
case ERROR_FILE_NOT_FOUND: error = ENOENT; break;
|
|
|
|
case ERROR_GEN_FAILURE: error = EIO; break;
|
|
|
|
case ERROR_HANDLE_DISK_FULL: error = ENOSPC; break;
|
|
|
|
case ERROR_INSUFFICIENT_BUFFER: error = ENOMEM; break;
|
|
|
|
case ERROR_INVALID_ACCESS: error = EACCES; break;
|
|
|
|
case ERROR_INVALID_ADDRESS: error = EFAULT; break;
|
|
|
|
case ERROR_INVALID_BLOCK: error = EFAULT; break;
|
|
|
|
case ERROR_INVALID_DATA: error = EINVAL; break;
|
|
|
|
case ERROR_INVALID_DRIVE: error = ENODEV; break;
|
|
|
|
case ERROR_INVALID_EXE_SIGNATURE: error = ENOEXEC; break;
|
|
|
|
case ERROR_INVALID_FLAGS: error = EINVAL; break;
|
|
|
|
case ERROR_INVALID_FUNCTION: error = ENOSYS; break;
|
|
|
|
case ERROR_INVALID_HANDLE: error = EBADF; break;
|
|
|
|
case ERROR_INVALID_LOGON_HOURS: error = EACCES; break;
|
|
|
|
case ERROR_INVALID_NAME: error = EINVAL; break;
|
|
|
|
case ERROR_INVALID_OWNER: error = EINVAL; break;
|
|
|
|
case ERROR_INVALID_PARAMETER: error = EINVAL; break;
|
|
|
|
case ERROR_INVALID_PASSWORD: error = EPERM; break;
|
|
|
|
case ERROR_INVALID_PRIMARY_GROUP: error = EINVAL; break;
|
|
|
|
case ERROR_INVALID_SIGNAL_NUMBER: error = EINVAL; break;
|
|
|
|
case ERROR_INVALID_TARGET_HANDLE: error = EIO; break;
|
|
|
|
case ERROR_INVALID_WORKSTATION: error = EACCES; break;
|
|
|
|
case ERROR_IO_DEVICE: error = EIO; break;
|
|
|
|
case ERROR_IO_INCOMPLETE: error = EINTR; break;
|
|
|
|
case ERROR_LOCKED: error = EBUSY; break;
|
|
|
|
case ERROR_LOCK_VIOLATION: error = EACCES; break;
|
|
|
|
case ERROR_LOGON_FAILURE: error = EACCES; break;
|
|
|
|
case ERROR_MAPPED_ALIGNMENT: error = EINVAL; break;
|
|
|
|
case ERROR_META_EXPANSION_TOO_LONG: error = E2BIG; break;
|
|
|
|
case ERROR_MORE_DATA: error = EPIPE; break;
|
|
|
|
case ERROR_NEGATIVE_SEEK: error = ESPIPE; break;
|
|
|
|
case ERROR_NOACCESS: error = EFAULT; break;
|
|
|
|
case ERROR_NONE_MAPPED: error = EINVAL; break;
|
|
|
|
case ERROR_NOT_ENOUGH_MEMORY: error = ENOMEM; break;
|
|
|
|
case ERROR_NOT_READY: error = EAGAIN; break;
|
|
|
|
case ERROR_NOT_SAME_DEVICE: error = EXDEV; break;
|
|
|
|
case ERROR_NO_DATA: error = EPIPE; break;
|
|
|
|
case ERROR_NO_MORE_SEARCH_HANDLES: error = EIO; break;
|
|
|
|
case ERROR_NO_PROC_SLOTS: error = EAGAIN; break;
|
|
|
|
case ERROR_NO_SUCH_PRIVILEGE: error = EACCES; break;
|
|
|
|
case ERROR_OPEN_FAILED: error = EIO; break;
|
|
|
|
case ERROR_OPEN_FILES: error = EBUSY; break;
|
|
|
|
case ERROR_OPERATION_ABORTED: error = EINTR; break;
|
|
|
|
case ERROR_OUTOFMEMORY: error = ENOMEM; break;
|
|
|
|
case ERROR_PASSWORD_EXPIRED: error = EACCES; break;
|
|
|
|
case ERROR_PATH_BUSY: error = EBUSY; break;
|
|
|
|
case ERROR_PATH_NOT_FOUND: error = ENOENT; break;
|
|
|
|
case ERROR_PIPE_BUSY: error = EBUSY; break;
|
|
|
|
case ERROR_PIPE_CONNECTED: error = EPIPE; break;
|
|
|
|
case ERROR_PIPE_LISTENING: error = EPIPE; break;
|
|
|
|
case ERROR_PIPE_NOT_CONNECTED: error = EPIPE; break;
|
|
|
|
case ERROR_PRIVILEGE_NOT_HELD: error = EACCES; break;
|
|
|
|
case ERROR_READ_FAULT: error = EIO; break;
|
|
|
|
case ERROR_SEEK: error = EIO; break;
|
|
|
|
case ERROR_SEEK_ON_DEVICE: error = ESPIPE; break;
|
|
|
|
case ERROR_SHARING_BUFFER_EXCEEDED: error = ENFILE; break;
|
|
|
|
case ERROR_SHARING_VIOLATION: error = EACCES; break;
|
|
|
|
case ERROR_STACK_OVERFLOW: error = ENOMEM; break;
|
|
|
|
case ERROR_SWAPERROR: error = ENOENT; break;
|
|
|
|
case ERROR_TOO_MANY_MODULES: error = EMFILE; break;
|
|
|
|
case ERROR_TOO_MANY_OPEN_FILES: error = EMFILE; break;
|
|
|
|
case ERROR_UNRECOGNIZED_MEDIA: error = ENXIO; break;
|
|
|
|
case ERROR_UNRECOGNIZED_VOLUME: error = ENODEV; break;
|
|
|
|
case ERROR_WAIT_NO_CHILDREN: error = ECHILD; break;
|
|
|
|
case ERROR_WRITE_FAULT: error = EIO; break;
|
|
|
|
case ERROR_WRITE_PROTECT: error = EROFS; break;
|
|
|
|
}
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2011-02-07 21:50:26 +01:00
|
|
|
static inline int is_file_in_use_error(DWORD errcode)
|
|
|
|
{
|
|
|
|
switch (errcode) {
|
|
|
|
case ERROR_SHARING_VIOLATION:
|
|
|
|
case ERROR_ACCESS_DENIED:
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-02-07 21:51:21 +01:00
|
|
|
static int read_yes_no_answer(void)
|
|
|
|
{
|
|
|
|
char answer[1024];
|
|
|
|
|
|
|
|
if (fgets(answer, sizeof(answer), stdin)) {
|
|
|
|
size_t answer_len = strlen(answer);
|
|
|
|
int got_full_line = 0, c;
|
|
|
|
|
|
|
|
/* remove the newline */
|
|
|
|
if (answer_len >= 2 && answer[answer_len-2] == '\r') {
|
|
|
|
answer[answer_len-2] = '\0';
|
|
|
|
got_full_line = 1;
|
|
|
|
} else if (answer_len >= 1 && answer[answer_len-1] == '\n') {
|
|
|
|
answer[answer_len-1] = '\0';
|
|
|
|
got_full_line = 1;
|
|
|
|
}
|
|
|
|
/* flush the buffer in case we did not get the full line */
|
|
|
|
if (!got_full_line)
|
|
|
|
while ((c = getchar()) != EOF && c != '\n')
|
|
|
|
;
|
|
|
|
} else
|
|
|
|
/* we could not read, return the
|
|
|
|
* default answer which is no */
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (tolower(answer[0]) == 'y' && !answer[1])
|
|
|
|
return 1;
|
|
|
|
if (!strncasecmp(answer, "yes", sizeof(answer)))
|
|
|
|
return 1;
|
|
|
|
if (tolower(answer[0]) == 'n' && !answer[1])
|
|
|
|
return 0;
|
|
|
|
if (!strncasecmp(answer, "no", sizeof(answer)))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
/* did not find an answer we understand */
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int ask_yes_no_if_possible(const char *format, ...)
|
|
|
|
{
|
|
|
|
char question[4096];
|
|
|
|
const char *retry_hook[] = { NULL, NULL, NULL };
|
|
|
|
va_list args;
|
|
|
|
|
|
|
|
va_start(args, format);
|
|
|
|
vsnprintf(question, sizeof(question), format, args);
|
|
|
|
va_end(args);
|
|
|
|
|
2011-06-06 09:06:02 +02:00
|
|
|
if ((retry_hook[0] = mingw_getenv("GIT_ASK_YESNO"))) {
|
2011-02-07 21:51:21 +01:00
|
|
|
retry_hook[1] = question;
|
|
|
|
return !run_command_v_opt(retry_hook, 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!isatty(_fileno(stdin)) || !isatty(_fileno(stderr)))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
while (1) {
|
|
|
|
int answer;
|
|
|
|
fprintf(stderr, "%s (y/n) ", question);
|
|
|
|
|
|
|
|
if ((answer = read_yes_no_answer()) >= 0)
|
|
|
|
return answer;
|
|
|
|
|
|
|
|
fprintf(stderr, "Sorry, I did not understand your answer. "
|
|
|
|
"Please type 'y' or 'n'\n");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-10-30 19:40:06 +01:00
|
|
|
/* Windows only */
|
|
|
|
enum hide_dotfiles_type {
|
|
|
|
HIDE_DOTFILES_FALSE = 0,
|
|
|
|
HIDE_DOTFILES_TRUE,
|
|
|
|
HIDE_DOTFILES_DOTGITONLY
|
|
|
|
};
|
|
|
|
|
|
|
|
static enum hide_dotfiles_type hide_dotfiles = HIDE_DOTFILES_DOTGITONLY;
|
2018-10-30 19:40:07 +01:00
|
|
|
static char *unset_environment_variables;
|
2018-10-30 19:40:06 +01:00
|
|
|
|
2018-10-30 19:40:04 +01:00
|
|
|
int mingw_core_config(const char *var, const char *value, void *cb)
|
|
|
|
{
|
2018-10-30 19:40:06 +01:00
|
|
|
if (!strcmp(var, "core.hidedotfiles")) {
|
|
|
|
if (value && !strcasecmp(value, "dotgitonly"))
|
|
|
|
hide_dotfiles = HIDE_DOTFILES_DOTGITONLY;
|
|
|
|
else
|
|
|
|
hide_dotfiles = git_config_bool(var, value);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2018-10-30 19:40:07 +01:00
|
|
|
if (!strcmp(var, "core.unsetenvvars")) {
|
|
|
|
free(unset_environment_variables);
|
|
|
|
unset_environment_variables = xstrdup(value);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2018-10-30 19:40:04 +01:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2018-10-23 12:52:49 +02:00
|
|
|
/* Normalizes NT paths as returned by some low-level APIs. */
|
|
|
|
static wchar_t *normalize_ntpath(wchar_t *wbuf)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
/* fix absolute path prefixes */
|
|
|
|
if (wbuf[0] == '\\') {
|
|
|
|
/* strip NT namespace prefixes */
|
|
|
|
if (!wcsncmp(wbuf, L"\\??\\", 4) ||
|
|
|
|
!wcsncmp(wbuf, L"\\\\?\\", 4))
|
|
|
|
wbuf += 4;
|
|
|
|
else if (!wcsnicmp(wbuf, L"\\DosDevices\\", 12))
|
|
|
|
wbuf += 12;
|
|
|
|
/* replace remaining '...UNC\' with '\\' */
|
|
|
|
if (!wcsnicmp(wbuf, L"UNC\\", 4)) {
|
|
|
|
wbuf += 2;
|
|
|
|
*wbuf = '\\';
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/* convert backslashes to slashes */
|
|
|
|
for (i = 0; wbuf[i]; i++)
|
|
|
|
if (wbuf[i] == '\\')
|
|
|
|
wbuf[i] = '/';
|
|
|
|
return wbuf;
|
|
|
|
}
|
|
|
|
|
2011-02-07 21:49:33 +01:00
|
|
|
int mingw_unlink(const char *pathname)
|
|
|
|
{
|
2011-02-07 21:50:26 +01:00
|
|
|
int ret, tries = 0;
|
2012-03-15 18:21:28 +01:00
|
|
|
wchar_t wpathname[MAX_PATH];
|
|
|
|
if (xutftowcs_path(wpathname, pathname) < 0)
|
|
|
|
return -1;
|
2011-02-07 21:50:26 +01:00
|
|
|
|
2011-02-07 21:49:33 +01:00
|
|
|
/* read-only files cannot be removed */
|
2012-03-15 18:21:28 +01:00
|
|
|
_wchmod(wpathname, 0666);
|
|
|
|
while ((ret = _wunlink(wpathname)) == -1 && tries < ARRAY_SIZE(delay)) {
|
2011-02-07 21:50:26 +01:00
|
|
|
if (!is_file_in_use_error(GetLastError()))
|
|
|
|
break;
|
|
|
|
/*
|
|
|
|
* We assume that some other process had the source or
|
|
|
|
* destination file open at the wrong moment and retry.
|
|
|
|
* In order to give the other process a higher chance to
|
|
|
|
* complete its operation, we give up our time slice now.
|
|
|
|
* If we have to retry again, we do sleep a bit.
|
|
|
|
*/
|
|
|
|
Sleep(delay[tries]);
|
|
|
|
tries++;
|
|
|
|
}
|
2011-02-07 21:51:21 +01:00
|
|
|
while (ret == -1 && is_file_in_use_error(GetLastError()) &&
|
|
|
|
ask_yes_no_if_possible("Unlink of file '%s' failed. "
|
|
|
|
"Should I try again?", pathname))
|
2012-03-15 18:21:28 +01:00
|
|
|
ret = _wunlink(wpathname);
|
2011-02-07 21:50:26 +01:00
|
|
|
return ret;
|
2011-02-07 21:49:33 +01:00
|
|
|
}
|
|
|
|
|
2012-03-15 18:21:28 +01:00
|
|
|
static int is_dir_empty(const wchar_t *wpath)
|
2011-02-07 21:54:01 +01:00
|
|
|
{
|
2012-03-15 18:21:28 +01:00
|
|
|
WIN32_FIND_DATAW findbuf;
|
2011-02-07 21:54:01 +01:00
|
|
|
HANDLE handle;
|
2012-03-15 18:21:28 +01:00
|
|
|
wchar_t wbuf[MAX_PATH + 2];
|
|
|
|
wcscpy(wbuf, wpath);
|
|
|
|
wcscat(wbuf, L"\\*");
|
|
|
|
handle = FindFirstFileW(wbuf, &findbuf);
|
|
|
|
if (handle == INVALID_HANDLE_VALUE)
|
2011-02-07 21:54:01 +01:00
|
|
|
return GetLastError() == ERROR_NO_MORE_FILES;
|
|
|
|
|
2012-03-15 18:21:28 +01:00
|
|
|
while (!wcscmp(findbuf.cFileName, L".") ||
|
|
|
|
!wcscmp(findbuf.cFileName, L".."))
|
|
|
|
if (!FindNextFileW(handle, &findbuf)) {
|
|
|
|
DWORD err = GetLastError();
|
|
|
|
FindClose(handle);
|
|
|
|
return err == ERROR_NO_MORE_FILES;
|
2011-02-07 21:54:01 +01:00
|
|
|
}
|
|
|
|
FindClose(handle);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-02-07 21:52:34 +01:00
|
|
|
int mingw_rmdir(const char *pathname)
|
|
|
|
{
|
|
|
|
int ret, tries = 0;
|
2012-03-15 18:21:28 +01:00
|
|
|
wchar_t wpathname[MAX_PATH];
|
|
|
|
if (xutftowcs_path(wpathname, pathname) < 0)
|
|
|
|
return -1;
|
2011-02-07 21:52:34 +01:00
|
|
|
|
2012-03-15 18:21:28 +01:00
|
|
|
while ((ret = _wrmdir(wpathname)) == -1 && tries < ARRAY_SIZE(delay)) {
|
2011-02-07 21:52:34 +01:00
|
|
|
if (!is_file_in_use_error(GetLastError()))
|
2012-12-10 15:42:27 +01:00
|
|
|
errno = err_win_to_posix(GetLastError());
|
|
|
|
if (errno != EACCES)
|
2011-02-07 21:52:34 +01:00
|
|
|
break;
|
2012-03-15 18:21:28 +01:00
|
|
|
if (!is_dir_empty(wpathname)) {
|
2011-02-07 21:54:01 +01:00
|
|
|
errno = ENOTEMPTY;
|
|
|
|
break;
|
|
|
|
}
|
2011-02-07 21:52:34 +01:00
|
|
|
/*
|
|
|
|
* We assume that some other process had the source or
|
|
|
|
* destination file open at the wrong moment and retry.
|
|
|
|
* In order to give the other process a higher chance to
|
|
|
|
* complete its operation, we give up our time slice now.
|
|
|
|
* If we have to retry again, we do sleep a bit.
|
|
|
|
*/
|
|
|
|
Sleep(delay[tries]);
|
|
|
|
tries++;
|
|
|
|
}
|
2012-12-10 15:42:27 +01:00
|
|
|
while (ret == -1 && errno == EACCES && is_file_in_use_error(GetLastError()) &&
|
2011-02-07 21:52:34 +01:00
|
|
|
ask_yes_no_if_possible("Deletion of directory '%s' failed. "
|
|
|
|
"Should I try again?", pathname))
|
2012-03-15 18:21:28 +01:00
|
|
|
ret = _wrmdir(wpathname);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
mingw: introduce the 'core.hideDotFiles' setting
On Unix (and Linux), files and directories whose names start with a dot
are usually not shown by default. This convention is used by Git: the
.git/ directory should be left alone by regular users, and only accessed
through Git itself.
On Windows, no such convention exists. Instead, there is an explicit flag
to mark files or directories as hidden.
In the early days, Git for Windows did not mark the .git/ directory (or
for that matter, any file or directory whose name starts with a dot)
hidden. This lead to quite a bit of confusion, and even loss of data.
Consequently, Git for Windows introduced the core.hideDotFiles setting,
with three possible values: true, false, and dotGitOnly, defaulting to
marking only the .git/ directory as hidden.
The rationale: users do not need to access .git/ directly, and indeed (as
was demonstrated) should not really see that directory, either. However,
not all dot files should be hidden by default, as e.g. Eclipse does not
show them (and the user would therefore be unable to see, say, a
.gitattributes file).
In over five years since the last attempt to bring this patch into core
Git, a slightly buggy version of this patch has served Git for Windows'
users well: no single report indicated problems with the hidden .git/
directory, and the stream of problems caused by the previously non-hidden
.git/ directory simply stopped. The bugs have been fixed during the
process of getting this patch upstream.
Note that there is a funny quirk we have to pay attention to when
creating hidden files: we use Win32's _wopen() function which
transmogrifies its arguments and hands off to Win32's CreateFile()
function. That latter function errors out with ERROR_ACCESS_DENIED (the
equivalent of EACCES) when the equivalent of the O_CREAT flag was passed
and the file attributes (including the hidden flag) do not match an
existing file's. And _wopen() accepts no parameter that would be
transmogrified into said hidden flag. Therefore, we simply try again
without O_CREAT.
A slightly different method is required for our fopen()/freopen()
function as we cannot even *remove* the implicit O_CREAT flag.
Therefore, we briefly mark existing files as unhidden when opening them
via fopen()/freopen().
The ERROR_ACCESS_DENIED error can also be triggered by opening a file
that is marked as a system file (which is unlikely to be tracked in
Git), and by trying to create a file that has *just* been deleted and is
awaiting the last open handles to be released (which would be handled
better by the "Try again?" logic, a story for a different patch series,
though). In both cases, it does not matter much if we try again without
the O_CREAT flag, read: it does not hurt, either.
For details how ERROR_ACCESS_DENIED can be triggered, see
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858
Original-patch-by: Erik Faye-Lund <kusmabite@gmail.com>
Initial-Test-By: Pat Thoyts <patthoyts@users.sourceforge.net>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-05-11 10:43:37 +02:00
|
|
|
static inline int needs_hiding(const char *path)
|
|
|
|
{
|
|
|
|
const char *basename;
|
|
|
|
|
|
|
|
if (hide_dotfiles == HIDE_DOTFILES_FALSE)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
/* We cannot use basename(), as it would remove trailing slashes */
|
2018-12-15 05:33:30 +01:00
|
|
|
win32_skip_dos_drive_prefix((char **)&path);
|
mingw: introduce the 'core.hideDotFiles' setting
On Unix (and Linux), files and directories whose names start with a dot
are usually not shown by default. This convention is used by Git: the
.git/ directory should be left alone by regular users, and only accessed
through Git itself.
On Windows, no such convention exists. Instead, there is an explicit flag
to mark files or directories as hidden.
In the early days, Git for Windows did not mark the .git/ directory (or
for that matter, any file or directory whose name starts with a dot)
hidden. This lead to quite a bit of confusion, and even loss of data.
Consequently, Git for Windows introduced the core.hideDotFiles setting,
with three possible values: true, false, and dotGitOnly, defaulting to
marking only the .git/ directory as hidden.
The rationale: users do not need to access .git/ directly, and indeed (as
was demonstrated) should not really see that directory, either. However,
not all dot files should be hidden by default, as e.g. Eclipse does not
show them (and the user would therefore be unable to see, say, a
.gitattributes file).
In over five years since the last attempt to bring this patch into core
Git, a slightly buggy version of this patch has served Git for Windows'
users well: no single report indicated problems with the hidden .git/
directory, and the stream of problems caused by the previously non-hidden
.git/ directory simply stopped. The bugs have been fixed during the
process of getting this patch upstream.
Note that there is a funny quirk we have to pay attention to when
creating hidden files: we use Win32's _wopen() function which
transmogrifies its arguments and hands off to Win32's CreateFile()
function. That latter function errors out with ERROR_ACCESS_DENIED (the
equivalent of EACCES) when the equivalent of the O_CREAT flag was passed
and the file attributes (including the hidden flag) do not match an
existing file's. And _wopen() accepts no parameter that would be
transmogrified into said hidden flag. Therefore, we simply try again
without O_CREAT.
A slightly different method is required for our fopen()/freopen()
function as we cannot even *remove* the implicit O_CREAT flag.
Therefore, we briefly mark existing files as unhidden when opening them
via fopen()/freopen().
The ERROR_ACCESS_DENIED error can also be triggered by opening a file
that is marked as a system file (which is unlikely to be tracked in
Git), and by trying to create a file that has *just* been deleted and is
awaiting the last open handles to be released (which would be handled
better by the "Try again?" logic, a story for a different patch series,
though). In both cases, it does not matter much if we try again without
the O_CREAT flag, read: it does not hurt, either.
For details how ERROR_ACCESS_DENIED can be triggered, see
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858
Original-patch-by: Erik Faye-Lund <kusmabite@gmail.com>
Initial-Test-By: Pat Thoyts <patthoyts@users.sourceforge.net>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-05-11 10:43:37 +02:00
|
|
|
if (!*path)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
for (basename = path; *path; path++)
|
|
|
|
if (is_dir_sep(*path)) {
|
|
|
|
do {
|
|
|
|
path++;
|
|
|
|
} while (is_dir_sep(*path));
|
|
|
|
/* ignore trailing slashes */
|
|
|
|
if (*path)
|
|
|
|
basename = path;
|
2019-10-25 16:13:36 +02:00
|
|
|
else
|
|
|
|
break;
|
mingw: introduce the 'core.hideDotFiles' setting
On Unix (and Linux), files and directories whose names start with a dot
are usually not shown by default. This convention is used by Git: the
.git/ directory should be left alone by regular users, and only accessed
through Git itself.
On Windows, no such convention exists. Instead, there is an explicit flag
to mark files or directories as hidden.
In the early days, Git for Windows did not mark the .git/ directory (or
for that matter, any file or directory whose name starts with a dot)
hidden. This lead to quite a bit of confusion, and even loss of data.
Consequently, Git for Windows introduced the core.hideDotFiles setting,
with three possible values: true, false, and dotGitOnly, defaulting to
marking only the .git/ directory as hidden.
The rationale: users do not need to access .git/ directly, and indeed (as
was demonstrated) should not really see that directory, either. However,
not all dot files should be hidden by default, as e.g. Eclipse does not
show them (and the user would therefore be unable to see, say, a
.gitattributes file).
In over five years since the last attempt to bring this patch into core
Git, a slightly buggy version of this patch has served Git for Windows'
users well: no single report indicated problems with the hidden .git/
directory, and the stream of problems caused by the previously non-hidden
.git/ directory simply stopped. The bugs have been fixed during the
process of getting this patch upstream.
Note that there is a funny quirk we have to pay attention to when
creating hidden files: we use Win32's _wopen() function which
transmogrifies its arguments and hands off to Win32's CreateFile()
function. That latter function errors out with ERROR_ACCESS_DENIED (the
equivalent of EACCES) when the equivalent of the O_CREAT flag was passed
and the file attributes (including the hidden flag) do not match an
existing file's. And _wopen() accepts no parameter that would be
transmogrified into said hidden flag. Therefore, we simply try again
without O_CREAT.
A slightly different method is required for our fopen()/freopen()
function as we cannot even *remove* the implicit O_CREAT flag.
Therefore, we briefly mark existing files as unhidden when opening them
via fopen()/freopen().
The ERROR_ACCESS_DENIED error can also be triggered by opening a file
that is marked as a system file (which is unlikely to be tracked in
Git), and by trying to create a file that has *just* been deleted and is
awaiting the last open handles to be released (which would be handled
better by the "Try again?" logic, a story for a different patch series,
though). In both cases, it does not matter much if we try again without
the O_CREAT flag, read: it does not hurt, either.
For details how ERROR_ACCESS_DENIED can be triggered, see
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858
Original-patch-by: Erik Faye-Lund <kusmabite@gmail.com>
Initial-Test-By: Pat Thoyts <patthoyts@users.sourceforge.net>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-05-11 10:43:37 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if (hide_dotfiles == HIDE_DOTFILES_TRUE)
|
|
|
|
return *basename == '.';
|
|
|
|
|
|
|
|
assert(hide_dotfiles == HIDE_DOTFILES_DOTGITONLY);
|
|
|
|
return !strncasecmp(".git", basename, 4) &&
|
|
|
|
(!basename[4] || is_dir_sep(basename[4]));
|
|
|
|
}
|
|
|
|
|
|
|
|
static int set_hidden_flag(const wchar_t *path, int set)
|
|
|
|
{
|
|
|
|
DWORD original = GetFileAttributesW(path), modified;
|
|
|
|
if (set)
|
|
|
|
modified = original | FILE_ATTRIBUTE_HIDDEN;
|
|
|
|
else
|
|
|
|
modified = original & ~FILE_ATTRIBUTE_HIDDEN;
|
|
|
|
if (original == modified || SetFileAttributesW(path, modified))
|
|
|
|
return 0;
|
|
|
|
errno = err_win_to_posix(GetLastError());
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2012-03-15 18:21:28 +01:00
|
|
|
int mingw_mkdir(const char *path, int mode)
|
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
wchar_t wpath[MAX_PATH];
|
mingw: refuse to access paths with trailing spaces or periods
When creating a directory on Windows whose path ends in a space or a
period (or chains thereof), the Win32 API "helpfully" trims those. For
example, `mkdir("abc ");` will return success, but actually create a
directory called `abc` instead.
This stems back to the DOS days, when all file names had exactly 8
characters plus exactly 3 characters for the file extension, and the
only way to have shorter names was by padding with spaces.
Sadly, this "helpful" behavior is a bit inconsistent: after a successful
`mkdir("abc ");`, a `mkdir("abc /def")` will actually _fail_ (because
the directory `abc ` does not actually exist).
Even if it would work, we now have a serious problem because a Git
repository could contain directories `abc` and `abc `, and on Windows,
they would be "merged" unintentionally.
As these paths are illegal on Windows, anyway, let's disallow any
accesses to such paths on that Operating System.
For practical reasons, this behavior is still guarded by the
config setting `core.protectNTFS`: it is possible (and at least two
regression tests make use of it) to create commits without involving the
worktree. In such a scenario, it is of course possible -- even on
Windows -- to create such file names.
Among other consequences, this patch disallows submodules' paths to end
in spaces on Windows (which would formerly have confused Git enough to
try to write into incorrect paths, anyway).
While this patch does not fix a vulnerability on its own, it prevents an
attack vector that was exploited in demonstrations of a number of
recently-fixed security bugs.
The regression test added to `t/t7417-submodule-path-url.sh` reflects
that attack vector.
Note that we have to adjust the test case "prevent git~1 squatting on
Windows" in `t/t7415-submodule-names.sh` because of a very subtle issue.
It tries to clone two submodules whose names differ only in a trailing
period character, and as a consequence their git directories differ in
the same way. Previously, when Git tried to clone the second submodule,
it thought that the git directory already existed (because on Windows,
when you create a directory with the name `b.` it actually creates `b`),
but with this patch, the first submodule's clone will fail because of
the illegal name of the git directory. Therefore, when cloning the
second submodule, Git will take a different code path: a fresh clone
(without an existing git directory). Both code paths fail to clone the
second submodule, both because the the corresponding worktree directory
exists and is not empty, but the error messages are worded differently.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-09-05 13:27:53 +02:00
|
|
|
|
|
|
|
if (!is_valid_win32_path(path)) {
|
|
|
|
errno = EINVAL;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2012-03-15 18:21:28 +01:00
|
|
|
if (xutftowcs_path(wpath, path) < 0)
|
|
|
|
return -1;
|
|
|
|
ret = _wmkdir(wpath);
|
mingw: introduce the 'core.hideDotFiles' setting
On Unix (and Linux), files and directories whose names start with a dot
are usually not shown by default. This convention is used by Git: the
.git/ directory should be left alone by regular users, and only accessed
through Git itself.
On Windows, no such convention exists. Instead, there is an explicit flag
to mark files or directories as hidden.
In the early days, Git for Windows did not mark the .git/ directory (or
for that matter, any file or directory whose name starts with a dot)
hidden. This lead to quite a bit of confusion, and even loss of data.
Consequently, Git for Windows introduced the core.hideDotFiles setting,
with three possible values: true, false, and dotGitOnly, defaulting to
marking only the .git/ directory as hidden.
The rationale: users do not need to access .git/ directly, and indeed (as
was demonstrated) should not really see that directory, either. However,
not all dot files should be hidden by default, as e.g. Eclipse does not
show them (and the user would therefore be unable to see, say, a
.gitattributes file).
In over five years since the last attempt to bring this patch into core
Git, a slightly buggy version of this patch has served Git for Windows'
users well: no single report indicated problems with the hidden .git/
directory, and the stream of problems caused by the previously non-hidden
.git/ directory simply stopped. The bugs have been fixed during the
process of getting this patch upstream.
Note that there is a funny quirk we have to pay attention to when
creating hidden files: we use Win32's _wopen() function which
transmogrifies its arguments and hands off to Win32's CreateFile()
function. That latter function errors out with ERROR_ACCESS_DENIED (the
equivalent of EACCES) when the equivalent of the O_CREAT flag was passed
and the file attributes (including the hidden flag) do not match an
existing file's. And _wopen() accepts no parameter that would be
transmogrified into said hidden flag. Therefore, we simply try again
without O_CREAT.
A slightly different method is required for our fopen()/freopen()
function as we cannot even *remove* the implicit O_CREAT flag.
Therefore, we briefly mark existing files as unhidden when opening them
via fopen()/freopen().
The ERROR_ACCESS_DENIED error can also be triggered by opening a file
that is marked as a system file (which is unlikely to be tracked in
Git), and by trying to create a file that has *just* been deleted and is
awaiting the last open handles to be released (which would be handled
better by the "Try again?" logic, a story for a different patch series,
though). In both cases, it does not matter much if we try again without
the O_CREAT flag, read: it does not hurt, either.
For details how ERROR_ACCESS_DENIED can be triggered, see
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858
Original-patch-by: Erik Faye-Lund <kusmabite@gmail.com>
Initial-Test-By: Pat Thoyts <patthoyts@users.sourceforge.net>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-05-11 10:43:37 +02:00
|
|
|
if (!ret && needs_hiding(path))
|
|
|
|
return set_hidden_flag(wpath, 1);
|
2011-02-07 21:52:34 +01:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2018-09-11 22:06:02 +02:00
|
|
|
/*
|
|
|
|
* Calling CreateFile() using FILE_APPEND_DATA and without FILE_WRITE_DATA
|
|
|
|
* is documented in [1] as opening a writable file handle in append mode.
|
|
|
|
* (It is believed that) this is atomic since it is maintained by the
|
|
|
|
* kernel unlike the O_APPEND flag which is racily maintained by the CRT.
|
|
|
|
*
|
|
|
|
* [1] https://docs.microsoft.com/en-us/windows/desktop/fileio/file-access-rights-constants
|
|
|
|
*
|
|
|
|
* This trick does not appear to work for named pipes. Instead it creates
|
|
|
|
* a named pipe client handle that cannot be written to. Callers should
|
|
|
|
* just use the regular _wopen() for them. (And since client handle gets
|
|
|
|
* bound to a unique server handle, it isn't really an issue.)
|
|
|
|
*/
|
2018-08-13 21:02:50 +02:00
|
|
|
static int mingw_open_append(wchar_t const *wfilename, int oflags, ...)
|
|
|
|
{
|
|
|
|
HANDLE handle;
|
|
|
|
int fd;
|
|
|
|
DWORD create = (oflags & O_CREAT) ? OPEN_ALWAYS : OPEN_EXISTING;
|
|
|
|
|
|
|
|
/* only these flags are supported */
|
|
|
|
if ((oflags & ~O_CREAT) != (O_WRONLY | O_APPEND))
|
|
|
|
return errno = ENOSYS, -1;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* FILE_SHARE_WRITE is required to permit child processes
|
|
|
|
* to append to the file.
|
|
|
|
*/
|
|
|
|
handle = CreateFileW(wfilename, FILE_APPEND_DATA,
|
|
|
|
FILE_SHARE_WRITE | FILE_SHARE_READ,
|
|
|
|
NULL, create, FILE_ATTRIBUTE_NORMAL, NULL);
|
|
|
|
if (handle == INVALID_HANDLE_VALUE)
|
|
|
|
return errno = err_win_to_posix(GetLastError()), -1;
|
2018-09-11 22:06:02 +02:00
|
|
|
|
2018-08-13 21:02:50 +02:00
|
|
|
/*
|
|
|
|
* No O_APPEND here, because the CRT uses it only to reset the
|
2018-09-11 22:06:02 +02:00
|
|
|
* file pointer to EOF before each write(); but that is not
|
|
|
|
* necessary (and may lead to races) for a file created with
|
|
|
|
* FILE_APPEND_DATA.
|
2018-08-13 21:02:50 +02:00
|
|
|
*/
|
|
|
|
fd = _open_osfhandle((intptr_t)handle, O_BINARY);
|
|
|
|
if (fd < 0)
|
|
|
|
CloseHandle(handle);
|
|
|
|
return fd;
|
|
|
|
}
|
|
|
|
|
2018-09-11 22:06:02 +02:00
|
|
|
/*
|
|
|
|
* Does the pathname map to the local named pipe filesystem?
|
|
|
|
* That is, does it have a "//./pipe/" prefix?
|
|
|
|
*/
|
|
|
|
static int is_local_named_pipe_path(const char *filename)
|
|
|
|
{
|
|
|
|
return (is_dir_sep(filename[0]) &&
|
|
|
|
is_dir_sep(filename[1]) &&
|
|
|
|
filename[2] == '.' &&
|
|
|
|
is_dir_sep(filename[3]) &&
|
|
|
|
!strncasecmp(filename+4, "pipe", 4) &&
|
|
|
|
is_dir_sep(filename[8]) &&
|
|
|
|
filename[9]);
|
|
|
|
}
|
|
|
|
|
2007-11-15 22:22:47 +01:00
|
|
|
int mingw_open (const char *filename, int oflags, ...)
|
|
|
|
{
|
2018-08-13 21:02:50 +02:00
|
|
|
typedef int (*open_fn_t)(wchar_t const *wfilename, int oflags, ...);
|
2007-11-15 22:22:47 +01:00
|
|
|
va_list args;
|
|
|
|
unsigned mode;
|
mingw: refuse to access paths with trailing spaces or periods
When creating a directory on Windows whose path ends in a space or a
period (or chains thereof), the Win32 API "helpfully" trims those. For
example, `mkdir("abc ");` will return success, but actually create a
directory called `abc` instead.
This stems back to the DOS days, when all file names had exactly 8
characters plus exactly 3 characters for the file extension, and the
only way to have shorter names was by padding with spaces.
Sadly, this "helpful" behavior is a bit inconsistent: after a successful
`mkdir("abc ");`, a `mkdir("abc /def")` will actually _fail_ (because
the directory `abc ` does not actually exist).
Even if it would work, we now have a serious problem because a Git
repository could contain directories `abc` and `abc `, and on Windows,
they would be "merged" unintentionally.
As these paths are illegal on Windows, anyway, let's disallow any
accesses to such paths on that Operating System.
For practical reasons, this behavior is still guarded by the
config setting `core.protectNTFS`: it is possible (and at least two
regression tests make use of it) to create commits without involving the
worktree. In such a scenario, it is of course possible -- even on
Windows -- to create such file names.
Among other consequences, this patch disallows submodules' paths to end
in spaces on Windows (which would formerly have confused Git enough to
try to write into incorrect paths, anyway).
While this patch does not fix a vulnerability on its own, it prevents an
attack vector that was exploited in demonstrations of a number of
recently-fixed security bugs.
The regression test added to `t/t7417-submodule-path-url.sh` reflects
that attack vector.
Note that we have to adjust the test case "prevent git~1 squatting on
Windows" in `t/t7415-submodule-names.sh` because of a very subtle issue.
It tries to clone two submodules whose names differ only in a trailing
period character, and as a consequence their git directories differ in
the same way. Previously, when Git tried to clone the second submodule,
it thought that the git directory already existed (because on Windows,
when you create a directory with the name `b.` it actually creates `b`),
but with this patch, the first submodule's clone will fail because of
the illegal name of the git directory. Therefore, when cloning the
second submodule, Git will take a different code path: a fresh clone
(without an existing git directory). Both code paths fail to clone the
second submodule, both because the the corresponding worktree directory
exists and is not empty, but the error messages are worded differently.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-09-05 13:27:53 +02:00
|
|
|
int fd, create = (oflags & (O_CREAT | O_EXCL)) == (O_CREAT | O_EXCL);
|
2012-03-15 18:21:28 +01:00
|
|
|
wchar_t wfilename[MAX_PATH];
|
2018-08-13 21:02:50 +02:00
|
|
|
open_fn_t open_fn;
|
2009-09-16 10:20:17 +02:00
|
|
|
|
2007-11-15 22:22:47 +01:00
|
|
|
va_start(args, oflags);
|
|
|
|
mode = va_arg(args, int);
|
|
|
|
va_end(args);
|
|
|
|
|
mingw: refuse to access paths with trailing spaces or periods
When creating a directory on Windows whose path ends in a space or a
period (or chains thereof), the Win32 API "helpfully" trims those. For
example, `mkdir("abc ");` will return success, but actually create a
directory called `abc` instead.
This stems back to the DOS days, when all file names had exactly 8
characters plus exactly 3 characters for the file extension, and the
only way to have shorter names was by padding with spaces.
Sadly, this "helpful" behavior is a bit inconsistent: after a successful
`mkdir("abc ");`, a `mkdir("abc /def")` will actually _fail_ (because
the directory `abc ` does not actually exist).
Even if it would work, we now have a serious problem because a Git
repository could contain directories `abc` and `abc `, and on Windows,
they would be "merged" unintentionally.
As these paths are illegal on Windows, anyway, let's disallow any
accesses to such paths on that Operating System.
For practical reasons, this behavior is still guarded by the
config setting `core.protectNTFS`: it is possible (and at least two
regression tests make use of it) to create commits without involving the
worktree. In such a scenario, it is of course possible -- even on
Windows -- to create such file names.
Among other consequences, this patch disallows submodules' paths to end
in spaces on Windows (which would formerly have confused Git enough to
try to write into incorrect paths, anyway).
While this patch does not fix a vulnerability on its own, it prevents an
attack vector that was exploited in demonstrations of a number of
recently-fixed security bugs.
The regression test added to `t/t7417-submodule-path-url.sh` reflects
that attack vector.
Note that we have to adjust the test case "prevent git~1 squatting on
Windows" in `t/t7415-submodule-names.sh` because of a very subtle issue.
It tries to clone two submodules whose names differ only in a trailing
period character, and as a consequence their git directories differ in
the same way. Previously, when Git tried to clone the second submodule,
it thought that the git directory already existed (because on Windows,
when you create a directory with the name `b.` it actually creates `b`),
but with this patch, the first submodule's clone will fail because of
the illegal name of the git directory. Therefore, when cloning the
second submodule, Git will take a different code path: a fresh clone
(without an existing git directory). Both code paths fail to clone the
second submodule, both because the the corresponding worktree directory
exists and is not empty, but the error messages are worded differently.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-09-05 13:27:53 +02:00
|
|
|
if (!is_valid_win32_path(filename)) {
|
|
|
|
errno = create ? EINVAL : ENOENT;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2010-09-23 19:35:25 +02:00
|
|
|
if (filename && !strcmp(filename, "/dev/null"))
|
2007-11-15 22:22:47 +01:00
|
|
|
filename = "nul";
|
2009-09-16 10:20:17 +02:00
|
|
|
|
2018-09-11 22:06:02 +02:00
|
|
|
if ((oflags & O_APPEND) && !is_local_named_pipe_path(filename))
|
2018-08-13 21:02:50 +02:00
|
|
|
open_fn = mingw_open_append;
|
|
|
|
else
|
|
|
|
open_fn = _wopen;
|
|
|
|
|
2012-03-15 18:21:28 +01:00
|
|
|
if (xutftowcs_path(wfilename, filename) < 0)
|
|
|
|
return -1;
|
2018-08-13 21:02:50 +02:00
|
|
|
fd = open_fn(wfilename, oflags, mode);
|
2009-09-16 10:20:17 +02:00
|
|
|
|
2014-11-16 22:06:26 +01:00
|
|
|
if (fd < 0 && (oflags & O_ACCMODE) != O_RDONLY && errno == EACCES) {
|
2012-03-15 18:21:28 +01:00
|
|
|
DWORD attrs = GetFileAttributesW(wfilename);
|
2007-11-15 22:22:47 +01:00
|
|
|
if (attrs != INVALID_FILE_ATTRIBUTES && (attrs & FILE_ATTRIBUTE_DIRECTORY))
|
|
|
|
errno = EISDIR;
|
|
|
|
}
|
mingw: introduce the 'core.hideDotFiles' setting
On Unix (and Linux), files and directories whose names start with a dot
are usually not shown by default. This convention is used by Git: the
.git/ directory should be left alone by regular users, and only accessed
through Git itself.
On Windows, no such convention exists. Instead, there is an explicit flag
to mark files or directories as hidden.
In the early days, Git for Windows did not mark the .git/ directory (or
for that matter, any file or directory whose name starts with a dot)
hidden. This lead to quite a bit of confusion, and even loss of data.
Consequently, Git for Windows introduced the core.hideDotFiles setting,
with three possible values: true, false, and dotGitOnly, defaulting to
marking only the .git/ directory as hidden.
The rationale: users do not need to access .git/ directly, and indeed (as
was demonstrated) should not really see that directory, either. However,
not all dot files should be hidden by default, as e.g. Eclipse does not
show them (and the user would therefore be unable to see, say, a
.gitattributes file).
In over five years since the last attempt to bring this patch into core
Git, a slightly buggy version of this patch has served Git for Windows'
users well: no single report indicated problems with the hidden .git/
directory, and the stream of problems caused by the previously non-hidden
.git/ directory simply stopped. The bugs have been fixed during the
process of getting this patch upstream.
Note that there is a funny quirk we have to pay attention to when
creating hidden files: we use Win32's _wopen() function which
transmogrifies its arguments and hands off to Win32's CreateFile()
function. That latter function errors out with ERROR_ACCESS_DENIED (the
equivalent of EACCES) when the equivalent of the O_CREAT flag was passed
and the file attributes (including the hidden flag) do not match an
existing file's. And _wopen() accepts no parameter that would be
transmogrified into said hidden flag. Therefore, we simply try again
without O_CREAT.
A slightly different method is required for our fopen()/freopen()
function as we cannot even *remove* the implicit O_CREAT flag.
Therefore, we briefly mark existing files as unhidden when opening them
via fopen()/freopen().
The ERROR_ACCESS_DENIED error can also be triggered by opening a file
that is marked as a system file (which is unlikely to be tracked in
Git), and by trying to create a file that has *just* been deleted and is
awaiting the last open handles to be released (which would be handled
better by the "Try again?" logic, a story for a different patch series,
though). In both cases, it does not matter much if we try again without
the O_CREAT flag, read: it does not hurt, either.
For details how ERROR_ACCESS_DENIED can be triggered, see
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858
Original-patch-by: Erik Faye-Lund <kusmabite@gmail.com>
Initial-Test-By: Pat Thoyts <patthoyts@users.sourceforge.net>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-05-11 10:43:37 +02:00
|
|
|
if ((oflags & O_CREAT) && needs_hiding(filename)) {
|
|
|
|
/*
|
|
|
|
* Internally, _wopen() uses the CreateFile() API which errors
|
|
|
|
* out with an ERROR_ACCESS_DENIED if CREATE_ALWAYS was
|
|
|
|
* specified and an already existing file's attributes do not
|
|
|
|
* match *exactly*. As there is no mode or flag we can set that
|
|
|
|
* would correspond to FILE_ATTRIBUTE_HIDDEN, let's just try
|
|
|
|
* again *without* the O_CREAT flag (that corresponds to the
|
|
|
|
* CREATE_ALWAYS flag of CreateFile()).
|
|
|
|
*/
|
|
|
|
if (fd < 0 && errno == EACCES)
|
2018-08-13 21:02:50 +02:00
|
|
|
fd = open_fn(wfilename, oflags & ~O_CREAT, mode);
|
mingw: introduce the 'core.hideDotFiles' setting
On Unix (and Linux), files and directories whose names start with a dot
are usually not shown by default. This convention is used by Git: the
.git/ directory should be left alone by regular users, and only accessed
through Git itself.
On Windows, no such convention exists. Instead, there is an explicit flag
to mark files or directories as hidden.
In the early days, Git for Windows did not mark the .git/ directory (or
for that matter, any file or directory whose name starts with a dot)
hidden. This lead to quite a bit of confusion, and even loss of data.
Consequently, Git for Windows introduced the core.hideDotFiles setting,
with three possible values: true, false, and dotGitOnly, defaulting to
marking only the .git/ directory as hidden.
The rationale: users do not need to access .git/ directly, and indeed (as
was demonstrated) should not really see that directory, either. However,
not all dot files should be hidden by default, as e.g. Eclipse does not
show them (and the user would therefore be unable to see, say, a
.gitattributes file).
In over five years since the last attempt to bring this patch into core
Git, a slightly buggy version of this patch has served Git for Windows'
users well: no single report indicated problems with the hidden .git/
directory, and the stream of problems caused by the previously non-hidden
.git/ directory simply stopped. The bugs have been fixed during the
process of getting this patch upstream.
Note that there is a funny quirk we have to pay attention to when
creating hidden files: we use Win32's _wopen() function which
transmogrifies its arguments and hands off to Win32's CreateFile()
function. That latter function errors out with ERROR_ACCESS_DENIED (the
equivalent of EACCES) when the equivalent of the O_CREAT flag was passed
and the file attributes (including the hidden flag) do not match an
existing file's. And _wopen() accepts no parameter that would be
transmogrified into said hidden flag. Therefore, we simply try again
without O_CREAT.
A slightly different method is required for our fopen()/freopen()
function as we cannot even *remove* the implicit O_CREAT flag.
Therefore, we briefly mark existing files as unhidden when opening them
via fopen()/freopen().
The ERROR_ACCESS_DENIED error can also be triggered by opening a file
that is marked as a system file (which is unlikely to be tracked in
Git), and by trying to create a file that has *just* been deleted and is
awaiting the last open handles to be released (which would be handled
better by the "Try again?" logic, a story for a different patch series,
though). In both cases, it does not matter much if we try again without
the O_CREAT flag, read: it does not hurt, either.
For details how ERROR_ACCESS_DENIED can be triggered, see
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858
Original-patch-by: Erik Faye-Lund <kusmabite@gmail.com>
Initial-Test-By: Pat Thoyts <patthoyts@users.sourceforge.net>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-05-11 10:43:37 +02:00
|
|
|
if (fd >= 0 && set_hidden_flag(wfilename, 1))
|
|
|
|
warning("could not mark '%s' as hidden.", filename);
|
|
|
|
}
|
2007-11-15 22:22:47 +01:00
|
|
|
return fd;
|
|
|
|
}
|
|
|
|
|
2012-12-04 09:10:38 +01:00
|
|
|
static BOOL WINAPI ctrl_ignore(DWORD type)
|
|
|
|
{
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
|
|
|
#undef fgetc
|
|
|
|
int mingw_fgetc(FILE *stream)
|
|
|
|
{
|
|
|
|
int ch;
|
|
|
|
if (!isatty(_fileno(stream)))
|
|
|
|
return fgetc(stream);
|
|
|
|
|
|
|
|
SetConsoleCtrlHandler(ctrl_ignore, TRUE);
|
|
|
|
while (1) {
|
|
|
|
ch = fgetc(stream);
|
|
|
|
if (ch != EOF || GetLastError() != ERROR_OPERATION_ABORTED)
|
|
|
|
break;
|
|
|
|
|
|
|
|
/* Ctrl+C was pressed, simulate SIGINT and retry */
|
|
|
|
mingw_raise(SIGINT);
|
|
|
|
}
|
|
|
|
SetConsoleCtrlHandler(ctrl_ignore, FALSE);
|
|
|
|
return ch;
|
|
|
|
}
|
|
|
|
|
2010-02-25 21:03:44 +01:00
|
|
|
#undef fopen
|
|
|
|
FILE *mingw_fopen (const char *filename, const char *otype)
|
|
|
|
{
|
mingw: introduce the 'core.hideDotFiles' setting
On Unix (and Linux), files and directories whose names start with a dot
are usually not shown by default. This convention is used by Git: the
.git/ directory should be left alone by regular users, and only accessed
through Git itself.
On Windows, no such convention exists. Instead, there is an explicit flag
to mark files or directories as hidden.
In the early days, Git for Windows did not mark the .git/ directory (or
for that matter, any file or directory whose name starts with a dot)
hidden. This lead to quite a bit of confusion, and even loss of data.
Consequently, Git for Windows introduced the core.hideDotFiles setting,
with three possible values: true, false, and dotGitOnly, defaulting to
marking only the .git/ directory as hidden.
The rationale: users do not need to access .git/ directly, and indeed (as
was demonstrated) should not really see that directory, either. However,
not all dot files should be hidden by default, as e.g. Eclipse does not
show them (and the user would therefore be unable to see, say, a
.gitattributes file).
In over five years since the last attempt to bring this patch into core
Git, a slightly buggy version of this patch has served Git for Windows'
users well: no single report indicated problems with the hidden .git/
directory, and the stream of problems caused by the previously non-hidden
.git/ directory simply stopped. The bugs have been fixed during the
process of getting this patch upstream.
Note that there is a funny quirk we have to pay attention to when
creating hidden files: we use Win32's _wopen() function which
transmogrifies its arguments and hands off to Win32's CreateFile()
function. That latter function errors out with ERROR_ACCESS_DENIED (the
equivalent of EACCES) when the equivalent of the O_CREAT flag was passed
and the file attributes (including the hidden flag) do not match an
existing file's. And _wopen() accepts no parameter that would be
transmogrified into said hidden flag. Therefore, we simply try again
without O_CREAT.
A slightly different method is required for our fopen()/freopen()
function as we cannot even *remove* the implicit O_CREAT flag.
Therefore, we briefly mark existing files as unhidden when opening them
via fopen()/freopen().
The ERROR_ACCESS_DENIED error can also be triggered by opening a file
that is marked as a system file (which is unlikely to be tracked in
Git), and by trying to create a file that has *just* been deleted and is
awaiting the last open handles to be released (which would be handled
better by the "Try again?" logic, a story for a different patch series,
though). In both cases, it does not matter much if we try again without
the O_CREAT flag, read: it does not hurt, either.
For details how ERROR_ACCESS_DENIED can be triggered, see
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858
Original-patch-by: Erik Faye-Lund <kusmabite@gmail.com>
Initial-Test-By: Pat Thoyts <patthoyts@users.sourceforge.net>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-05-11 10:43:37 +02:00
|
|
|
int hide = needs_hiding(filename);
|
2012-03-15 18:21:28 +01:00
|
|
|
FILE *file;
|
|
|
|
wchar_t wfilename[MAX_PATH], wotype[4];
|
mingw: refuse to access paths with trailing spaces or periods
When creating a directory on Windows whose path ends in a space or a
period (or chains thereof), the Win32 API "helpfully" trims those. For
example, `mkdir("abc ");` will return success, but actually create a
directory called `abc` instead.
This stems back to the DOS days, when all file names had exactly 8
characters plus exactly 3 characters for the file extension, and the
only way to have shorter names was by padding with spaces.
Sadly, this "helpful" behavior is a bit inconsistent: after a successful
`mkdir("abc ");`, a `mkdir("abc /def")` will actually _fail_ (because
the directory `abc ` does not actually exist).
Even if it would work, we now have a serious problem because a Git
repository could contain directories `abc` and `abc `, and on Windows,
they would be "merged" unintentionally.
As these paths are illegal on Windows, anyway, let's disallow any
accesses to such paths on that Operating System.
For practical reasons, this behavior is still guarded by the
config setting `core.protectNTFS`: it is possible (and at least two
regression tests make use of it) to create commits without involving the
worktree. In such a scenario, it is of course possible -- even on
Windows -- to create such file names.
Among other consequences, this patch disallows submodules' paths to end
in spaces on Windows (which would formerly have confused Git enough to
try to write into incorrect paths, anyway).
While this patch does not fix a vulnerability on its own, it prevents an
attack vector that was exploited in demonstrations of a number of
recently-fixed security bugs.
The regression test added to `t/t7417-submodule-path-url.sh` reflects
that attack vector.
Note that we have to adjust the test case "prevent git~1 squatting on
Windows" in `t/t7415-submodule-names.sh` because of a very subtle issue.
It tries to clone two submodules whose names differ only in a trailing
period character, and as a consequence their git directories differ in
the same way. Previously, when Git tried to clone the second submodule,
it thought that the git directory already existed (because on Windows,
when you create a directory with the name `b.` it actually creates `b`),
but with this patch, the first submodule's clone will fail because of
the illegal name of the git directory. Therefore, when cloning the
second submodule, Git will take a different code path: a fresh clone
(without an existing git directory). Both code paths fail to clone the
second submodule, both because the the corresponding worktree directory
exists and is not empty, but the error messages are worded differently.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-09-05 13:27:53 +02:00
|
|
|
if (!is_valid_win32_path(filename)) {
|
|
|
|
int create = otype && strchr(otype, 'w');
|
|
|
|
errno = create ? EINVAL : ENOENT;
|
|
|
|
return NULL;
|
|
|
|
}
|
2010-09-23 19:35:25 +02:00
|
|
|
if (filename && !strcmp(filename, "/dev/null"))
|
2010-02-25 21:03:44 +01:00
|
|
|
filename = "nul";
|
2012-03-15 18:21:28 +01:00
|
|
|
if (xutftowcs_path(wfilename, filename) < 0 ||
|
|
|
|
xutftowcs(wotype, otype, ARRAY_SIZE(wotype)) < 0)
|
|
|
|
return NULL;
|
mingw: introduce the 'core.hideDotFiles' setting
On Unix (and Linux), files and directories whose names start with a dot
are usually not shown by default. This convention is used by Git: the
.git/ directory should be left alone by regular users, and only accessed
through Git itself.
On Windows, no such convention exists. Instead, there is an explicit flag
to mark files or directories as hidden.
In the early days, Git for Windows did not mark the .git/ directory (or
for that matter, any file or directory whose name starts with a dot)
hidden. This lead to quite a bit of confusion, and even loss of data.
Consequently, Git for Windows introduced the core.hideDotFiles setting,
with three possible values: true, false, and dotGitOnly, defaulting to
marking only the .git/ directory as hidden.
The rationale: users do not need to access .git/ directly, and indeed (as
was demonstrated) should not really see that directory, either. However,
not all dot files should be hidden by default, as e.g. Eclipse does not
show them (and the user would therefore be unable to see, say, a
.gitattributes file).
In over five years since the last attempt to bring this patch into core
Git, a slightly buggy version of this patch has served Git for Windows'
users well: no single report indicated problems with the hidden .git/
directory, and the stream of problems caused by the previously non-hidden
.git/ directory simply stopped. The bugs have been fixed during the
process of getting this patch upstream.
Note that there is a funny quirk we have to pay attention to when
creating hidden files: we use Win32's _wopen() function which
transmogrifies its arguments and hands off to Win32's CreateFile()
function. That latter function errors out with ERROR_ACCESS_DENIED (the
equivalent of EACCES) when the equivalent of the O_CREAT flag was passed
and the file attributes (including the hidden flag) do not match an
existing file's. And _wopen() accepts no parameter that would be
transmogrified into said hidden flag. Therefore, we simply try again
without O_CREAT.
A slightly different method is required for our fopen()/freopen()
function as we cannot even *remove* the implicit O_CREAT flag.
Therefore, we briefly mark existing files as unhidden when opening them
via fopen()/freopen().
The ERROR_ACCESS_DENIED error can also be triggered by opening a file
that is marked as a system file (which is unlikely to be tracked in
Git), and by trying to create a file that has *just* been deleted and is
awaiting the last open handles to be released (which would be handled
better by the "Try again?" logic, a story for a different patch series,
though). In both cases, it does not matter much if we try again without
the O_CREAT flag, read: it does not hurt, either.
For details how ERROR_ACCESS_DENIED can be triggered, see
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858
Original-patch-by: Erik Faye-Lund <kusmabite@gmail.com>
Initial-Test-By: Pat Thoyts <patthoyts@users.sourceforge.net>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-05-11 10:43:37 +02:00
|
|
|
if (hide && !access(filename, F_OK) && set_hidden_flag(wfilename, 0)) {
|
|
|
|
error("could not unhide %s", filename);
|
|
|
|
return NULL;
|
|
|
|
}
|
2012-03-15 18:21:28 +01:00
|
|
|
file = _wfopen(wfilename, wotype);
|
2017-05-29 22:27:35 +02:00
|
|
|
if (!file && GetLastError() == ERROR_INVALID_NAME)
|
|
|
|
errno = ENOENT;
|
mingw: introduce the 'core.hideDotFiles' setting
On Unix (and Linux), files and directories whose names start with a dot
are usually not shown by default. This convention is used by Git: the
.git/ directory should be left alone by regular users, and only accessed
through Git itself.
On Windows, no such convention exists. Instead, there is an explicit flag
to mark files or directories as hidden.
In the early days, Git for Windows did not mark the .git/ directory (or
for that matter, any file or directory whose name starts with a dot)
hidden. This lead to quite a bit of confusion, and even loss of data.
Consequently, Git for Windows introduced the core.hideDotFiles setting,
with three possible values: true, false, and dotGitOnly, defaulting to
marking only the .git/ directory as hidden.
The rationale: users do not need to access .git/ directly, and indeed (as
was demonstrated) should not really see that directory, either. However,
not all dot files should be hidden by default, as e.g. Eclipse does not
show them (and the user would therefore be unable to see, say, a
.gitattributes file).
In over five years since the last attempt to bring this patch into core
Git, a slightly buggy version of this patch has served Git for Windows'
users well: no single report indicated problems with the hidden .git/
directory, and the stream of problems caused by the previously non-hidden
.git/ directory simply stopped. The bugs have been fixed during the
process of getting this patch upstream.
Note that there is a funny quirk we have to pay attention to when
creating hidden files: we use Win32's _wopen() function which
transmogrifies its arguments and hands off to Win32's CreateFile()
function. That latter function errors out with ERROR_ACCESS_DENIED (the
equivalent of EACCES) when the equivalent of the O_CREAT flag was passed
and the file attributes (including the hidden flag) do not match an
existing file's. And _wopen() accepts no parameter that would be
transmogrified into said hidden flag. Therefore, we simply try again
without O_CREAT.
A slightly different method is required for our fopen()/freopen()
function as we cannot even *remove* the implicit O_CREAT flag.
Therefore, we briefly mark existing files as unhidden when opening them
via fopen()/freopen().
The ERROR_ACCESS_DENIED error can also be triggered by opening a file
that is marked as a system file (which is unlikely to be tracked in
Git), and by trying to create a file that has *just* been deleted and is
awaiting the last open handles to be released (which would be handled
better by the "Try again?" logic, a story for a different patch series,
though). In both cases, it does not matter much if we try again without
the O_CREAT flag, read: it does not hurt, either.
For details how ERROR_ACCESS_DENIED can be triggered, see
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858
Original-patch-by: Erik Faye-Lund <kusmabite@gmail.com>
Initial-Test-By: Pat Thoyts <patthoyts@users.sourceforge.net>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-05-11 10:43:37 +02:00
|
|
|
if (file && hide && set_hidden_flag(wfilename, 1))
|
|
|
|
warning("could not mark '%s' as hidden.", filename);
|
2012-03-15 18:21:28 +01:00
|
|
|
return file;
|
2010-02-25 21:03:44 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
FILE *mingw_freopen (const char *filename, const char *otype, FILE *stream)
|
|
|
|
{
|
mingw: introduce the 'core.hideDotFiles' setting
On Unix (and Linux), files and directories whose names start with a dot
are usually not shown by default. This convention is used by Git: the
.git/ directory should be left alone by regular users, and only accessed
through Git itself.
On Windows, no such convention exists. Instead, there is an explicit flag
to mark files or directories as hidden.
In the early days, Git for Windows did not mark the .git/ directory (or
for that matter, any file or directory whose name starts with a dot)
hidden. This lead to quite a bit of confusion, and even loss of data.
Consequently, Git for Windows introduced the core.hideDotFiles setting,
with three possible values: true, false, and dotGitOnly, defaulting to
marking only the .git/ directory as hidden.
The rationale: users do not need to access .git/ directly, and indeed (as
was demonstrated) should not really see that directory, either. However,
not all dot files should be hidden by default, as e.g. Eclipse does not
show them (and the user would therefore be unable to see, say, a
.gitattributes file).
In over five years since the last attempt to bring this patch into core
Git, a slightly buggy version of this patch has served Git for Windows'
users well: no single report indicated problems with the hidden .git/
directory, and the stream of problems caused by the previously non-hidden
.git/ directory simply stopped. The bugs have been fixed during the
process of getting this patch upstream.
Note that there is a funny quirk we have to pay attention to when
creating hidden files: we use Win32's _wopen() function which
transmogrifies its arguments and hands off to Win32's CreateFile()
function. That latter function errors out with ERROR_ACCESS_DENIED (the
equivalent of EACCES) when the equivalent of the O_CREAT flag was passed
and the file attributes (including the hidden flag) do not match an
existing file's. And _wopen() accepts no parameter that would be
transmogrified into said hidden flag. Therefore, we simply try again
without O_CREAT.
A slightly different method is required for our fopen()/freopen()
function as we cannot even *remove* the implicit O_CREAT flag.
Therefore, we briefly mark existing files as unhidden when opening them
via fopen()/freopen().
The ERROR_ACCESS_DENIED error can also be triggered by opening a file
that is marked as a system file (which is unlikely to be tracked in
Git), and by trying to create a file that has *just* been deleted and is
awaiting the last open handles to be released (which would be handled
better by the "Try again?" logic, a story for a different patch series,
though). In both cases, it does not matter much if we try again without
the O_CREAT flag, read: it does not hurt, either.
For details how ERROR_ACCESS_DENIED can be triggered, see
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858
Original-patch-by: Erik Faye-Lund <kusmabite@gmail.com>
Initial-Test-By: Pat Thoyts <patthoyts@users.sourceforge.net>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-05-11 10:43:37 +02:00
|
|
|
int hide = needs_hiding(filename);
|
2012-03-15 18:21:28 +01:00
|
|
|
FILE *file;
|
|
|
|
wchar_t wfilename[MAX_PATH], wotype[4];
|
mingw: refuse to access paths with trailing spaces or periods
When creating a directory on Windows whose path ends in a space or a
period (or chains thereof), the Win32 API "helpfully" trims those. For
example, `mkdir("abc ");` will return success, but actually create a
directory called `abc` instead.
This stems back to the DOS days, when all file names had exactly 8
characters plus exactly 3 characters for the file extension, and the
only way to have shorter names was by padding with spaces.
Sadly, this "helpful" behavior is a bit inconsistent: after a successful
`mkdir("abc ");`, a `mkdir("abc /def")` will actually _fail_ (because
the directory `abc ` does not actually exist).
Even if it would work, we now have a serious problem because a Git
repository could contain directories `abc` and `abc `, and on Windows,
they would be "merged" unintentionally.
As these paths are illegal on Windows, anyway, let's disallow any
accesses to such paths on that Operating System.
For practical reasons, this behavior is still guarded by the
config setting `core.protectNTFS`: it is possible (and at least two
regression tests make use of it) to create commits without involving the
worktree. In such a scenario, it is of course possible -- even on
Windows -- to create such file names.
Among other consequences, this patch disallows submodules' paths to end
in spaces on Windows (which would formerly have confused Git enough to
try to write into incorrect paths, anyway).
While this patch does not fix a vulnerability on its own, it prevents an
attack vector that was exploited in demonstrations of a number of
recently-fixed security bugs.
The regression test added to `t/t7417-submodule-path-url.sh` reflects
that attack vector.
Note that we have to adjust the test case "prevent git~1 squatting on
Windows" in `t/t7415-submodule-names.sh` because of a very subtle issue.
It tries to clone two submodules whose names differ only in a trailing
period character, and as a consequence their git directories differ in
the same way. Previously, when Git tried to clone the second submodule,
it thought that the git directory already existed (because on Windows,
when you create a directory with the name `b.` it actually creates `b`),
but with this patch, the first submodule's clone will fail because of
the illegal name of the git directory. Therefore, when cloning the
second submodule, Git will take a different code path: a fresh clone
(without an existing git directory). Both code paths fail to clone the
second submodule, both because the the corresponding worktree directory
exists and is not empty, but the error messages are worded differently.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-09-05 13:27:53 +02:00
|
|
|
if (!is_valid_win32_path(filename)) {
|
|
|
|
int create = otype && strchr(otype, 'w');
|
|
|
|
errno = create ? EINVAL : ENOENT;
|
|
|
|
return NULL;
|
|
|
|
}
|
2010-02-25 21:03:44 +01:00
|
|
|
if (filename && !strcmp(filename, "/dev/null"))
|
|
|
|
filename = "nul";
|
2012-03-15 18:21:28 +01:00
|
|
|
if (xutftowcs_path(wfilename, filename) < 0 ||
|
|
|
|
xutftowcs(wotype, otype, ARRAY_SIZE(wotype)) < 0)
|
|
|
|
return NULL;
|
mingw: introduce the 'core.hideDotFiles' setting
On Unix (and Linux), files and directories whose names start with a dot
are usually not shown by default. This convention is used by Git: the
.git/ directory should be left alone by regular users, and only accessed
through Git itself.
On Windows, no such convention exists. Instead, there is an explicit flag
to mark files or directories as hidden.
In the early days, Git for Windows did not mark the .git/ directory (or
for that matter, any file or directory whose name starts with a dot)
hidden. This lead to quite a bit of confusion, and even loss of data.
Consequently, Git for Windows introduced the core.hideDotFiles setting,
with three possible values: true, false, and dotGitOnly, defaulting to
marking only the .git/ directory as hidden.
The rationale: users do not need to access .git/ directly, and indeed (as
was demonstrated) should not really see that directory, either. However,
not all dot files should be hidden by default, as e.g. Eclipse does not
show them (and the user would therefore be unable to see, say, a
.gitattributes file).
In over five years since the last attempt to bring this patch into core
Git, a slightly buggy version of this patch has served Git for Windows'
users well: no single report indicated problems with the hidden .git/
directory, and the stream of problems caused by the previously non-hidden
.git/ directory simply stopped. The bugs have been fixed during the
process of getting this patch upstream.
Note that there is a funny quirk we have to pay attention to when
creating hidden files: we use Win32's _wopen() function which
transmogrifies its arguments and hands off to Win32's CreateFile()
function. That latter function errors out with ERROR_ACCESS_DENIED (the
equivalent of EACCES) when the equivalent of the O_CREAT flag was passed
and the file attributes (including the hidden flag) do not match an
existing file's. And _wopen() accepts no parameter that would be
transmogrified into said hidden flag. Therefore, we simply try again
without O_CREAT.
A slightly different method is required for our fopen()/freopen()
function as we cannot even *remove* the implicit O_CREAT flag.
Therefore, we briefly mark existing files as unhidden when opening them
via fopen()/freopen().
The ERROR_ACCESS_DENIED error can also be triggered by opening a file
that is marked as a system file (which is unlikely to be tracked in
Git), and by trying to create a file that has *just* been deleted and is
awaiting the last open handles to be released (which would be handled
better by the "Try again?" logic, a story for a different patch series,
though). In both cases, it does not matter much if we try again without
the O_CREAT flag, read: it does not hurt, either.
For details how ERROR_ACCESS_DENIED can be triggered, see
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858
Original-patch-by: Erik Faye-Lund <kusmabite@gmail.com>
Initial-Test-By: Pat Thoyts <patthoyts@users.sourceforge.net>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-05-11 10:43:37 +02:00
|
|
|
if (hide && !access(filename, F_OK) && set_hidden_flag(wfilename, 0)) {
|
|
|
|
error("could not unhide %s", filename);
|
|
|
|
return NULL;
|
|
|
|
}
|
2012-03-15 18:21:28 +01:00
|
|
|
file = _wfreopen(wfilename, wotype, stream);
|
mingw: introduce the 'core.hideDotFiles' setting
On Unix (and Linux), files and directories whose names start with a dot
are usually not shown by default. This convention is used by Git: the
.git/ directory should be left alone by regular users, and only accessed
through Git itself.
On Windows, no such convention exists. Instead, there is an explicit flag
to mark files or directories as hidden.
In the early days, Git for Windows did not mark the .git/ directory (or
for that matter, any file or directory whose name starts with a dot)
hidden. This lead to quite a bit of confusion, and even loss of data.
Consequently, Git for Windows introduced the core.hideDotFiles setting,
with three possible values: true, false, and dotGitOnly, defaulting to
marking only the .git/ directory as hidden.
The rationale: users do not need to access .git/ directly, and indeed (as
was demonstrated) should not really see that directory, either. However,
not all dot files should be hidden by default, as e.g. Eclipse does not
show them (and the user would therefore be unable to see, say, a
.gitattributes file).
In over five years since the last attempt to bring this patch into core
Git, a slightly buggy version of this patch has served Git for Windows'
users well: no single report indicated problems with the hidden .git/
directory, and the stream of problems caused by the previously non-hidden
.git/ directory simply stopped. The bugs have been fixed during the
process of getting this patch upstream.
Note that there is a funny quirk we have to pay attention to when
creating hidden files: we use Win32's _wopen() function which
transmogrifies its arguments and hands off to Win32's CreateFile()
function. That latter function errors out with ERROR_ACCESS_DENIED (the
equivalent of EACCES) when the equivalent of the O_CREAT flag was passed
and the file attributes (including the hidden flag) do not match an
existing file's. And _wopen() accepts no parameter that would be
transmogrified into said hidden flag. Therefore, we simply try again
without O_CREAT.
A slightly different method is required for our fopen()/freopen()
function as we cannot even *remove* the implicit O_CREAT flag.
Therefore, we briefly mark existing files as unhidden when opening them
via fopen()/freopen().
The ERROR_ACCESS_DENIED error can also be triggered by opening a file
that is marked as a system file (which is unlikely to be tracked in
Git), and by trying to create a file that has *just* been deleted and is
awaiting the last open handles to be released (which would be handled
better by the "Try again?" logic, a story for a different patch series,
though). In both cases, it does not matter much if we try again without
the O_CREAT flag, read: it does not hurt, either.
For details how ERROR_ACCESS_DENIED can be triggered, see
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858
Original-patch-by: Erik Faye-Lund <kusmabite@gmail.com>
Initial-Test-By: Pat Thoyts <patthoyts@users.sourceforge.net>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-05-11 10:43:37 +02:00
|
|
|
if (file && hide && set_hidden_flag(wfilename, 1))
|
|
|
|
warning("could not mark '%s' as hidden.", filename);
|
2012-03-15 18:21:28 +01:00
|
|
|
return file;
|
2010-02-25 21:03:44 +01:00
|
|
|
}
|
|
|
|
|
2012-10-17 09:05:51 +02:00
|
|
|
#undef fflush
|
|
|
|
int mingw_fflush(FILE *stream)
|
|
|
|
{
|
|
|
|
int ret = fflush(stream);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* write() is used behind the scenes of stdio output functions.
|
|
|
|
* Since git code does not check for errors after each stdio write
|
|
|
|
* operation, it can happen that write() is called by a later
|
|
|
|
* stdio function even if an earlier write() call failed. In the
|
|
|
|
* case of a pipe whose readable end was closed, only the first
|
|
|
|
* call to write() reports EPIPE on Windows. Subsequent write()
|
|
|
|
* calls report EINVAL. It is impossible to notice whether this
|
|
|
|
* fflush invocation triggered such a case, therefore, we have to
|
|
|
|
* catch all EINVAL errors whole-sale.
|
|
|
|
*/
|
|
|
|
if (ret && errno == EINVAL)
|
|
|
|
errno = EPIPE;
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2015-12-17 18:08:15 +01:00
|
|
|
#undef write
|
|
|
|
ssize_t mingw_write(int fd, const void *buf, size_t len)
|
|
|
|
{
|
|
|
|
ssize_t result = write(fd, buf, len);
|
|
|
|
|
|
|
|
if (result < 0 && errno == EINVAL && buf) {
|
|
|
|
/* check if fd is a pipe */
|
|
|
|
HANDLE h = (HANDLE) _get_osfhandle(fd);
|
|
|
|
if (GetFileType(h) == FILE_TYPE_PIPE)
|
|
|
|
errno = EPIPE;
|
|
|
|
else
|
|
|
|
errno = EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
2012-03-15 18:21:28 +01:00
|
|
|
int mingw_access(const char *filename, int mode)
|
|
|
|
{
|
|
|
|
wchar_t wfilename[MAX_PATH];
|
|
|
|
if (xutftowcs_path(wfilename, filename) < 0)
|
|
|
|
return -1;
|
|
|
|
/* X_OK is not supported by the MSVCRT version */
|
|
|
|
return _waccess(wfilename, mode & ~X_OK);
|
|
|
|
}
|
|
|
|
|
|
|
|
int mingw_chdir(const char *dirname)
|
|
|
|
{
|
|
|
|
wchar_t wdirname[MAX_PATH];
|
|
|
|
if (xutftowcs_path(wdirname, dirname) < 0)
|
|
|
|
return -1;
|
|
|
|
return _wchdir(wdirname);
|
|
|
|
}
|
|
|
|
|
|
|
|
int mingw_chmod(const char *filename, int mode)
|
|
|
|
{
|
|
|
|
wchar_t wfilename[MAX_PATH];
|
|
|
|
if (xutftowcs_path(wfilename, filename) < 0)
|
|
|
|
return -1;
|
|
|
|
return _wchmod(wfilename, mode);
|
|
|
|
}
|
|
|
|
|
2010-01-15 21:12:21 +01:00
|
|
|
/*
|
|
|
|
* The unit of FILETIME is 100-nanoseconds since January 1, 1601, UTC.
|
|
|
|
* Returns the 100-nanoseconds ("hekto nanoseconds") since the epoch.
|
|
|
|
*/
|
|
|
|
static inline long long filetime_to_hnsec(const FILETIME *ft)
|
2007-09-03 20:40:26 +02:00
|
|
|
{
|
|
|
|
long long winTime = ((long long)ft->dwHighDateTime << 32) + ft->dwLowDateTime;
|
2010-01-15 21:12:21 +01:00
|
|
|
/* Windows to Unix Epoch conversion */
|
|
|
|
return winTime - 116444736000000000LL;
|
|
|
|
}
|
|
|
|
|
2018-10-23 12:23:22 +02:00
|
|
|
static inline void filetime_to_timespec(const FILETIME *ft, struct timespec *ts)
|
2010-01-15 21:12:21 +01:00
|
|
|
{
|
2018-10-23 12:23:22 +02:00
|
|
|
long long hnsec = filetime_to_hnsec(ft);
|
|
|
|
ts->tv_sec = (time_t)(hnsec / 10000000);
|
|
|
|
ts->tv_nsec = (hnsec % 10000000) * 100;
|
2007-09-03 20:40:26 +02:00
|
|
|
}
|
|
|
|
|
2016-01-26 15:34:52 +01:00
|
|
|
/**
|
|
|
|
* Verifies that safe_create_leading_directories() would succeed.
|
|
|
|
*/
|
|
|
|
static int has_valid_directory_prefix(wchar_t *wfilename)
|
|
|
|
{
|
|
|
|
int n = wcslen(wfilename);
|
|
|
|
|
|
|
|
while (n > 0) {
|
|
|
|
wchar_t c = wfilename[--n];
|
|
|
|
DWORD attributes;
|
|
|
|
|
|
|
|
if (!is_dir_sep(c))
|
|
|
|
continue;
|
|
|
|
|
|
|
|
wfilename[n] = L'\0';
|
|
|
|
attributes = GetFileAttributesW(wfilename);
|
|
|
|
wfilename[n] = c;
|
|
|
|
if (attributes == FILE_ATTRIBUTE_DIRECTORY ||
|
|
|
|
attributes == FILE_ATTRIBUTE_DEVICE)
|
|
|
|
return 1;
|
|
|
|
if (attributes == INVALID_FILE_ATTRIBUTES)
|
|
|
|
switch (GetLastError()) {
|
|
|
|
case ERROR_PATH_NOT_FOUND:
|
|
|
|
continue;
|
|
|
|
case ERROR_FILE_NOT_FOUND:
|
|
|
|
/* This implies parent directory exists. */
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2007-09-03 20:40:26 +02:00
|
|
|
/* We keep the do_lstat code in a separate function to avoid recursion.
|
|
|
|
* When a path ends with a slash, the stat will fail with ENOENT. In
|
|
|
|
* this case, we strip the trailing slashes and stat again.
|
2010-03-17 16:17:34 +01:00
|
|
|
*
|
|
|
|
* If follow is true then act like stat() and report on the link
|
|
|
|
* target. Otherwise report on the link itself.
|
2007-09-03 20:40:26 +02:00
|
|
|
*/
|
2010-03-17 16:17:34 +01:00
|
|
|
static int do_lstat(int follow, const char *file_name, struct stat *buf)
|
2007-09-03 20:40:26 +02:00
|
|
|
{
|
|
|
|
WIN32_FILE_ATTRIBUTE_DATA fdata;
|
2012-03-15 18:21:28 +01:00
|
|
|
wchar_t wfilename[MAX_PATH];
|
|
|
|
if (xutftowcs_path(wfilename, file_name) < 0)
|
|
|
|
return -1;
|
2007-09-03 20:40:26 +02:00
|
|
|
|
2012-03-15 18:21:28 +01:00
|
|
|
if (GetFileAttributesExW(wfilename, GetFileExInfoStandard, &fdata)) {
|
2007-09-03 20:40:26 +02:00
|
|
|
buf->st_ino = 0;
|
|
|
|
buf->st_gid = 0;
|
|
|
|
buf->st_uid = 0;
|
2008-08-18 22:01:06 +02:00
|
|
|
buf->st_nlink = 1;
|
2008-09-27 10:43:01 +02:00
|
|
|
buf->st_mode = file_attr_to_st_mode(fdata.dwFileAttributes);
|
2009-03-05 17:05:12 +01:00
|
|
|
buf->st_size = fdata.nFileSizeLow |
|
|
|
|
(((off_t)fdata.nFileSizeHigh)<<32);
|
2008-09-27 10:39:45 +02:00
|
|
|
buf->st_dev = buf->st_rdev = 0; /* not used by Git */
|
2018-10-23 12:23:22 +02:00
|
|
|
filetime_to_timespec(&(fdata.ftLastAccessTime), &(buf->st_atim));
|
|
|
|
filetime_to_timespec(&(fdata.ftLastWriteTime), &(buf->st_mtim));
|
|
|
|
filetime_to_timespec(&(fdata.ftCreationTime), &(buf->st_ctim));
|
2010-03-17 16:17:34 +01:00
|
|
|
if (fdata.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) {
|
2012-03-15 18:21:28 +01:00
|
|
|
WIN32_FIND_DATAW findbuf;
|
|
|
|
HANDLE handle = FindFirstFileW(wfilename, &findbuf);
|
2010-03-17 16:17:34 +01:00
|
|
|
if (handle != INVALID_HANDLE_VALUE) {
|
|
|
|
if ((findbuf.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) &&
|
|
|
|
(findbuf.dwReserved0 == IO_REPARSE_TAG_SYMLINK)) {
|
|
|
|
if (follow) {
|
|
|
|
char buffer[MAXIMUM_REPARSE_DATA_BUFFER_SIZE];
|
|
|
|
buf->st_size = readlink(file_name, buffer, MAXIMUM_REPARSE_DATA_BUFFER_SIZE);
|
|
|
|
} else {
|
|
|
|
buf->st_mode = S_IFLNK;
|
|
|
|
}
|
|
|
|
buf->st_mode |= S_IREAD;
|
|
|
|
if (!(findbuf.dwFileAttributes & FILE_ATTRIBUTE_READONLY))
|
|
|
|
buf->st_mode |= S_IWRITE;
|
|
|
|
}
|
|
|
|
FindClose(handle);
|
|
|
|
}
|
|
|
|
}
|
2007-09-03 20:40:26 +02:00
|
|
|
return 0;
|
|
|
|
}
|
2012-03-15 18:21:28 +01:00
|
|
|
switch (GetLastError()) {
|
|
|
|
case ERROR_ACCESS_DENIED:
|
|
|
|
case ERROR_SHARING_VIOLATION:
|
|
|
|
case ERROR_LOCK_VIOLATION:
|
|
|
|
case ERROR_SHARING_BUFFER_EXCEEDED:
|
|
|
|
errno = EACCES;
|
|
|
|
break;
|
|
|
|
case ERROR_BUFFER_OVERFLOW:
|
|
|
|
errno = ENAMETOOLONG;
|
|
|
|
break;
|
|
|
|
case ERROR_NOT_ENOUGH_MEMORY:
|
|
|
|
errno = ENOMEM;
|
|
|
|
break;
|
2016-01-26 15:34:52 +01:00
|
|
|
case ERROR_PATH_NOT_FOUND:
|
|
|
|
if (!has_valid_directory_prefix(wfilename)) {
|
|
|
|
errno = ENOTDIR;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
/* fallthru */
|
2012-03-15 18:21:28 +01:00
|
|
|
default:
|
|
|
|
errno = ENOENT;
|
|
|
|
break;
|
|
|
|
}
|
2007-09-03 20:40:26 +02:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* We provide our own lstat/fstat functions, since the provided
|
|
|
|
* lstat/fstat functions are so slow. These stat functions are
|
|
|
|
* tailored for Git's usage (read: fast), and are not meant to be
|
|
|
|
* complete. Note that Git stat()s are redirected to mingw_lstat()
|
|
|
|
* too, since Windows doesn't really handle symlinks that well.
|
|
|
|
*/
|
2010-03-17 16:17:34 +01:00
|
|
|
static int do_stat_internal(int follow, const char *file_name, struct stat *buf)
|
2007-09-03 20:40:26 +02:00
|
|
|
{
|
|
|
|
int namelen;
|
2011-01-07 18:04:16 +01:00
|
|
|
char alt_name[PATH_MAX];
|
2007-09-03 20:40:26 +02:00
|
|
|
|
2010-03-17 16:17:34 +01:00
|
|
|
if (!do_lstat(follow, file_name, buf))
|
2007-09-03 20:40:26 +02:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
/* if file_name ended in a '/', Windows returned ENOENT;
|
|
|
|
* try again without trailing slashes
|
|
|
|
*/
|
|
|
|
if (errno != ENOENT)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
namelen = strlen(file_name);
|
|
|
|
if (namelen && file_name[namelen-1] != '/')
|
|
|
|
return -1;
|
|
|
|
while (namelen && file_name[namelen-1] == '/')
|
|
|
|
--namelen;
|
|
|
|
if (!namelen || namelen >= PATH_MAX)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
memcpy(alt_name, file_name, namelen);
|
|
|
|
alt_name[namelen] = 0;
|
2010-03-17 16:17:34 +01:00
|
|
|
return do_lstat(follow, alt_name, buf);
|
|
|
|
}
|
|
|
|
|
2018-10-23 12:23:19 +02:00
|
|
|
static int get_file_info_by_handle(HANDLE hnd, struct stat *buf)
|
|
|
|
{
|
|
|
|
BY_HANDLE_FILE_INFORMATION fdata;
|
|
|
|
|
|
|
|
if (!GetFileInformationByHandle(hnd, &fdata)) {
|
|
|
|
errno = err_win_to_posix(GetLastError());
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
buf->st_ino = 0;
|
|
|
|
buf->st_gid = 0;
|
|
|
|
buf->st_uid = 0;
|
|
|
|
buf->st_nlink = 1;
|
|
|
|
buf->st_mode = file_attr_to_st_mode(fdata.dwFileAttributes);
|
|
|
|
buf->st_size = fdata.nFileSizeLow |
|
|
|
|
(((off_t)fdata.nFileSizeHigh)<<32);
|
|
|
|
buf->st_dev = buf->st_rdev = 0; /* not used by Git */
|
2018-10-23 12:23:22 +02:00
|
|
|
filetime_to_timespec(&(fdata.ftLastAccessTime), &(buf->st_atim));
|
|
|
|
filetime_to_timespec(&(fdata.ftLastWriteTime), &(buf->st_mtim));
|
|
|
|
filetime_to_timespec(&(fdata.ftCreationTime), &(buf->st_ctim));
|
2018-10-23 12:23:19 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2010-03-17 16:17:34 +01:00
|
|
|
int mingw_lstat(const char *file_name, struct stat *buf)
|
|
|
|
{
|
|
|
|
return do_stat_internal(0, file_name, buf);
|
|
|
|
}
|
|
|
|
int mingw_stat(const char *file_name, struct stat *buf)
|
|
|
|
{
|
|
|
|
return do_stat_internal(1, file_name, buf);
|
2007-09-03 20:40:26 +02:00
|
|
|
}
|
|
|
|
|
2008-08-18 22:01:06 +02:00
|
|
|
int mingw_fstat(int fd, struct stat *buf)
|
2007-09-03 20:40:26 +02:00
|
|
|
{
|
|
|
|
HANDLE fh = (HANDLE)_get_osfhandle(fd);
|
2018-10-23 12:23:21 +02:00
|
|
|
DWORD avail, type = GetFileType(fh) & ~FILE_TYPE_REMOTE;
|
2007-09-03 20:40:26 +02:00
|
|
|
|
2018-10-23 12:23:21 +02:00
|
|
|
switch (type) {
|
|
|
|
case FILE_TYPE_DISK:
|
|
|
|
return get_file_info_by_handle(fh, buf);
|
2007-09-03 20:40:26 +02:00
|
|
|
|
2018-10-23 12:23:21 +02:00
|
|
|
case FILE_TYPE_CHAR:
|
|
|
|
case FILE_TYPE_PIPE:
|
|
|
|
/* initialize stat fields */
|
|
|
|
memset(buf, 0, sizeof(*buf));
|
2008-08-18 22:01:06 +02:00
|
|
|
buf->st_nlink = 1;
|
2018-10-23 12:23:21 +02:00
|
|
|
|
|
|
|
if (type == FILE_TYPE_CHAR) {
|
|
|
|
buf->st_mode = _S_IFCHR;
|
|
|
|
} else {
|
|
|
|
buf->st_mode = _S_IFIFO;
|
|
|
|
if (PeekNamedPipe(fh, NULL, 0, NULL, &avail, NULL))
|
|
|
|
buf->st_size = avail;
|
|
|
|
}
|
2007-09-03 20:40:26 +02:00
|
|
|
return 0;
|
2018-10-23 12:23:19 +02:00
|
|
|
|
2018-10-23 12:23:21 +02:00
|
|
|
default:
|
|
|
|
errno = EBADF;
|
|
|
|
return -1;
|
2007-09-03 20:40:26 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-09-07 13:05:00 +02:00
|
|
|
static inline void time_t_to_filetime(time_t t, FILETIME *ft)
|
|
|
|
{
|
|
|
|
long long winTime = t * 10000000LL + 116444736000000000LL;
|
|
|
|
ft->dwLowDateTime = winTime;
|
|
|
|
ft->dwHighDateTime = winTime >> 32;
|
|
|
|
}
|
|
|
|
|
|
|
|
int mingw_utime (const char *file_name, const struct utimbuf *times)
|
|
|
|
{
|
|
|
|
FILETIME mft, aft;
|
|
|
|
int fh, rc;
|
2012-03-15 18:21:28 +01:00
|
|
|
DWORD attrs;
|
|
|
|
wchar_t wfilename[MAX_PATH];
|
|
|
|
if (xutftowcs_path(wfilename, file_name) < 0)
|
|
|
|
return -1;
|
2007-09-07 13:05:00 +02:00
|
|
|
|
|
|
|
/* must have write permission */
|
2012-03-15 18:21:28 +01:00
|
|
|
attrs = GetFileAttributesW(wfilename);
|
2010-03-30 09:46:23 +02:00
|
|
|
if (attrs != INVALID_FILE_ATTRIBUTES &&
|
|
|
|
(attrs & FILE_ATTRIBUTE_READONLY)) {
|
|
|
|
/* ignore errors here; open() will report them */
|
2012-03-15 18:21:28 +01:00
|
|
|
SetFileAttributesW(wfilename, attrs & ~FILE_ATTRIBUTE_READONLY);
|
2010-03-30 09:46:23 +02:00
|
|
|
}
|
|
|
|
|
2012-03-15 18:21:28 +01:00
|
|
|
if ((fh = _wopen(wfilename, O_RDWR | O_BINARY)) < 0) {
|
2010-03-30 09:46:23 +02:00
|
|
|
rc = -1;
|
|
|
|
goto revert_attrs;
|
|
|
|
}
|
2007-09-07 13:05:00 +02:00
|
|
|
|
2010-07-13 01:42:03 +02:00
|
|
|
if (times) {
|
|
|
|
time_t_to_filetime(times->modtime, &mft);
|
|
|
|
time_t_to_filetime(times->actime, &aft);
|
|
|
|
} else {
|
|
|
|
GetSystemTimeAsFileTime(&mft);
|
|
|
|
aft = mft;
|
|
|
|
}
|
2007-09-07 13:05:00 +02:00
|
|
|
if (!SetFileTime((HANDLE)_get_osfhandle(fh), NULL, &aft, &mft)) {
|
|
|
|
errno = EINVAL;
|
|
|
|
rc = -1;
|
|
|
|
} else
|
|
|
|
rc = 0;
|
|
|
|
close(fh);
|
2010-03-30 09:46:23 +02:00
|
|
|
|
|
|
|
revert_attrs:
|
|
|
|
if (attrs != INVALID_FILE_ATTRIBUTES &&
|
|
|
|
(attrs & FILE_ATTRIBUTE_READONLY)) {
|
|
|
|
/* ignore errors again */
|
2012-03-15 18:21:28 +01:00
|
|
|
SetFileAttributesW(wfilename, attrs);
|
2010-03-30 09:46:23 +02:00
|
|
|
}
|
2007-09-07 13:05:00 +02:00
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
mingw: abort on invalid strftime formats
On Windows, strftime() does not silently ignore invalid formats, but
warns about them and then returns 0 and sets errno to EINVAL.
Unfortunately, Git does not expect such a behavior, as it disagrees
with strftime()'s semantics on Linux. As a consequence, Git
misinterprets the return value 0 as "I need more space" and grows the
buffer. As the larger buffer does not fix the format, the buffer grows
and grows and grows until we are out of memory and abort.
Ideally, we would switch off the parameter validation just for
strftime(), but we cannot even override the invalid parameter handler
via _set_thread_local_invalid_parameter_handler() using MINGW because
that function is not declared. Even _set_invalid_parameter_handler(),
which *is* declared, does not help, as it simply does... nothing.
So let's just bite the bullet and override strftime() for MINGW and
abort on an invalid format string. While this does not provide the
best user experience, it is the best we can do.
See https://msdn.microsoft.com/en-us/library/fe06s4ak.aspx for more
details.
This fixes https://github.com/git-for-windows/git/issues/863
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-19 17:49:22 +01:00
|
|
|
#undef strftime
|
|
|
|
size_t mingw_strftime(char *s, size_t max,
|
|
|
|
const char *format, const struct tm *tm)
|
|
|
|
{
|
|
|
|
size_t ret = strftime(s, max, format, tm);
|
|
|
|
|
|
|
|
if (!ret && errno == EINVAL)
|
|
|
|
die("invalid strftime format: '%s'", format);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2007-12-01 21:24:59 +01:00
|
|
|
unsigned int sleep (unsigned int seconds)
|
|
|
|
{
|
|
|
|
Sleep(seconds*1000);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2012-03-15 18:21:28 +01:00
|
|
|
char *mingw_mktemp(char *template)
|
|
|
|
{
|
|
|
|
wchar_t wtemplate[MAX_PATH];
|
|
|
|
if (xutftowcs_path(wtemplate, template) < 0)
|
|
|
|
return NULL;
|
|
|
|
if (!_wmktemp(wtemplate))
|
|
|
|
return NULL;
|
|
|
|
if (xwcstoutf(template, wtemplate, strlen(template) + 1) < 0)
|
|
|
|
return NULL;
|
|
|
|
return template;
|
|
|
|
}
|
|
|
|
|
2007-12-01 21:24:59 +01:00
|
|
|
int mkstemp(char *template)
|
|
|
|
{
|
|
|
|
char *filename = mktemp(template);
|
|
|
|
if (filename == NULL)
|
|
|
|
return -1;
|
|
|
|
return open(filename, O_RDWR | O_CREAT, 0600);
|
|
|
|
}
|
|
|
|
|
|
|
|
int gettimeofday(struct timeval *tv, void *tz)
|
|
|
|
{
|
2010-01-15 21:12:21 +01:00
|
|
|
FILETIME ft;
|
|
|
|
long long hnsec;
|
|
|
|
|
|
|
|
GetSystemTimeAsFileTime(&ft);
|
|
|
|
hnsec = filetime_to_hnsec(&ft);
|
|
|
|
tv->tv_sec = hnsec / 10000000;
|
|
|
|
tv->tv_usec = (hnsec % 10000000) / 10;
|
2007-12-01 21:51:20 +01:00
|
|
|
return 0;
|
2007-12-01 21:24:59 +01:00
|
|
|
}
|
|
|
|
|
Windows: A pipe() replacement whose ends are not inherited to children.
On Unix the idiom to use a pipe is as follows:
pipe(fd);
pid = fork();
if (!pid) {
dup2(fd[1], 1);
close(fd[1]);
close(fd[0]);
...
}
close(fd[1]);
i.e. the child process closes the both pipe ends after duplicating one
to the file descriptors where they are needed.
On Windows, which does not have fork(), we never have an opportunity to
(1) duplicate a pipe end in the child, (2) close unused pipe ends. Instead,
we must use this idiom:
save1 = dup(1);
pipe(fd);
dup2(fd[1], 1);
spawn(...);
dup2(save1, 1);
close(fd[1]);
i.e. save away the descriptor at the destination slot, replace by the pipe
end, spawn process, restore the saved file.
But there is a problem: Notice that the child did not only inherit the
dup2()ed descriptor, but also *both* original pipe ends. Although the one
end that was dup()ed could be closed before the spawn(), we cannot close
the other end - the child inherits it, no matter what.
The solution is to generate non-inheritable pipes. At the first glance,
this looks strange: The purpose of pipes is usually to be inherited to
child processes. But notice that in the course of actions as outlined
above, the pipe descriptor that we want to inherit to the child is
dup2()ed, and as it so happens, Windows's dup2() creates inheritable
duplicates.
Signed-off-by: Johannes Sixt <johannes.sixt@telecom.at>
2007-12-07 22:05:36 +01:00
|
|
|
int pipe(int filedes[2])
|
|
|
|
{
|
2010-01-15 21:12:17 +01:00
|
|
|
HANDLE h[2];
|
Windows: A pipe() replacement whose ends are not inherited to children.
On Unix the idiom to use a pipe is as follows:
pipe(fd);
pid = fork();
if (!pid) {
dup2(fd[1], 1);
close(fd[1]);
close(fd[0]);
...
}
close(fd[1]);
i.e. the child process closes the both pipe ends after duplicating one
to the file descriptors where they are needed.
On Windows, which does not have fork(), we never have an opportunity to
(1) duplicate a pipe end in the child, (2) close unused pipe ends. Instead,
we must use this idiom:
save1 = dup(1);
pipe(fd);
dup2(fd[1], 1);
spawn(...);
dup2(save1, 1);
close(fd[1]);
i.e. save away the descriptor at the destination slot, replace by the pipe
end, spawn process, restore the saved file.
But there is a problem: Notice that the child did not only inherit the
dup2()ed descriptor, but also *both* original pipe ends. Although the one
end that was dup()ed could be closed before the spawn(), we cannot close
the other end - the child inherits it, no matter what.
The solution is to generate non-inheritable pipes. At the first glance,
this looks strange: The purpose of pipes is usually to be inherited to
child processes. But notice that in the course of actions as outlined
above, the pipe descriptor that we want to inherit to the child is
dup2()ed, and as it so happens, Windows's dup2() creates inheritable
duplicates.
Signed-off-by: Johannes Sixt <johannes.sixt@telecom.at>
2007-12-07 22:05:36 +01:00
|
|
|
|
2010-01-15 21:12:17 +01:00
|
|
|
/* this creates non-inheritable handles */
|
|
|
|
if (!CreatePipe(&h[0], &h[1], NULL, 8192)) {
|
|
|
|
errno = err_win_to_posix(GetLastError());
|
Windows: A pipe() replacement whose ends are not inherited to children.
On Unix the idiom to use a pipe is as follows:
pipe(fd);
pid = fork();
if (!pid) {
dup2(fd[1], 1);
close(fd[1]);
close(fd[0]);
...
}
close(fd[1]);
i.e. the child process closes the both pipe ends after duplicating one
to the file descriptors where they are needed.
On Windows, which does not have fork(), we never have an opportunity to
(1) duplicate a pipe end in the child, (2) close unused pipe ends. Instead,
we must use this idiom:
save1 = dup(1);
pipe(fd);
dup2(fd[1], 1);
spawn(...);
dup2(save1, 1);
close(fd[1]);
i.e. save away the descriptor at the destination slot, replace by the pipe
end, spawn process, restore the saved file.
But there is a problem: Notice that the child did not only inherit the
dup2()ed descriptor, but also *both* original pipe ends. Although the one
end that was dup()ed could be closed before the spawn(), we cannot close
the other end - the child inherits it, no matter what.
The solution is to generate non-inheritable pipes. At the first glance,
this looks strange: The purpose of pipes is usually to be inherited to
child processes. But notice that in the course of actions as outlined
above, the pipe descriptor that we want to inherit to the child is
dup2()ed, and as it so happens, Windows's dup2() creates inheritable
duplicates.
Signed-off-by: Johannes Sixt <johannes.sixt@telecom.at>
2007-12-07 22:05:36 +01:00
|
|
|
return -1;
|
|
|
|
}
|
2016-01-15 14:24:34 +01:00
|
|
|
filedes[0] = _open_osfhandle(HCAST(int, h[0]), O_NOINHERIT);
|
2010-01-15 21:12:17 +01:00
|
|
|
if (filedes[0] < 0) {
|
Windows: A pipe() replacement whose ends are not inherited to children.
On Unix the idiom to use a pipe is as follows:
pipe(fd);
pid = fork();
if (!pid) {
dup2(fd[1], 1);
close(fd[1]);
close(fd[0]);
...
}
close(fd[1]);
i.e. the child process closes the both pipe ends after duplicating one
to the file descriptors where they are needed.
On Windows, which does not have fork(), we never have an opportunity to
(1) duplicate a pipe end in the child, (2) close unused pipe ends. Instead,
we must use this idiom:
save1 = dup(1);
pipe(fd);
dup2(fd[1], 1);
spawn(...);
dup2(save1, 1);
close(fd[1]);
i.e. save away the descriptor at the destination slot, replace by the pipe
end, spawn process, restore the saved file.
But there is a problem: Notice that the child did not only inherit the
dup2()ed descriptor, but also *both* original pipe ends. Although the one
end that was dup()ed could be closed before the spawn(), we cannot close
the other end - the child inherits it, no matter what.
The solution is to generate non-inheritable pipes. At the first glance,
this looks strange: The purpose of pipes is usually to be inherited to
child processes. But notice that in the course of actions as outlined
above, the pipe descriptor that we want to inherit to the child is
dup2()ed, and as it so happens, Windows's dup2() creates inheritable
duplicates.
Signed-off-by: Johannes Sixt <johannes.sixt@telecom.at>
2007-12-07 22:05:36 +01:00
|
|
|
CloseHandle(h[0]);
|
|
|
|
CloseHandle(h[1]);
|
|
|
|
return -1;
|
|
|
|
}
|
2016-01-15 14:24:34 +01:00
|
|
|
filedes[1] = _open_osfhandle(HCAST(int, h[1]), O_NOINHERIT);
|
2015-08-28 11:43:37 +02:00
|
|
|
if (filedes[1] < 0) {
|
Windows: A pipe() replacement whose ends are not inherited to children.
On Unix the idiom to use a pipe is as follows:
pipe(fd);
pid = fork();
if (!pid) {
dup2(fd[1], 1);
close(fd[1]);
close(fd[0]);
...
}
close(fd[1]);
i.e. the child process closes the both pipe ends after duplicating one
to the file descriptors where they are needed.
On Windows, which does not have fork(), we never have an opportunity to
(1) duplicate a pipe end in the child, (2) close unused pipe ends. Instead,
we must use this idiom:
save1 = dup(1);
pipe(fd);
dup2(fd[1], 1);
spawn(...);
dup2(save1, 1);
close(fd[1]);
i.e. save away the descriptor at the destination slot, replace by the pipe
end, spawn process, restore the saved file.
But there is a problem: Notice that the child did not only inherit the
dup2()ed descriptor, but also *both* original pipe ends. Although the one
end that was dup()ed could be closed before the spawn(), we cannot close
the other end - the child inherits it, no matter what.
The solution is to generate non-inheritable pipes. At the first glance,
this looks strange: The purpose of pipes is usually to be inherited to
child processes. But notice that in the course of actions as outlined
above, the pipe descriptor that we want to inherit to the child is
dup2()ed, and as it so happens, Windows's dup2() creates inheritable
duplicates.
Signed-off-by: Johannes Sixt <johannes.sixt@telecom.at>
2007-12-07 22:05:36 +01:00
|
|
|
close(filedes[0]);
|
|
|
|
CloseHandle(h[1]);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2007-12-01 21:24:59 +01:00
|
|
|
struct tm *gmtime_r(const time_t *timep, struct tm *result)
|
|
|
|
{
|
|
|
|
/* gmtime() in MSVCRT.DLL is thread-safe, but not reentrant */
|
|
|
|
memcpy(result, gmtime(timep), sizeof(struct tm));
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
|
|
|
struct tm *localtime_r(const time_t *timep, struct tm *result)
|
|
|
|
{
|
|
|
|
/* localtime() in MSVCRT.DLL is thread-safe, but not reentrant */
|
|
|
|
memcpy(result, localtime(timep), sizeof(struct tm));
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
2008-03-05 21:51:27 +01:00
|
|
|
char *mingw_getcwd(char *pointer, int len)
|
|
|
|
{
|
2018-10-23 12:52:48 +02:00
|
|
|
wchar_t cwd[MAX_PATH], wpointer[MAX_PATH];
|
|
|
|
DWORD ret = GetCurrentDirectoryW(ARRAY_SIZE(cwd), cwd);
|
|
|
|
|
|
|
|
if (!ret || ret >= ARRAY_SIZE(cwd)) {
|
|
|
|
errno = ret ? ENAMETOOLONG : err_win_to_posix(GetLastError());
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
ret = GetLongPathNameW(cwd, wpointer, ARRAY_SIZE(wpointer));
|
2018-10-23 12:52:49 +02:00
|
|
|
if (!ret && GetLastError() == ERROR_ACCESS_DENIED) {
|
|
|
|
HANDLE hnd = CreateFileW(cwd, 0,
|
|
|
|
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL,
|
|
|
|
OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
|
|
|
|
if (hnd == INVALID_HANDLE_VALUE)
|
|
|
|
return NULL;
|
|
|
|
ret = GetFinalPathNameByHandleW(hnd, wpointer, ARRAY_SIZE(wpointer), 0);
|
|
|
|
CloseHandle(hnd);
|
|
|
|
if (!ret || ret >= ARRAY_SIZE(wpointer))
|
|
|
|
return NULL;
|
|
|
|
if (xwcstoutf(pointer, normalize_ntpath(wpointer), len) < 0)
|
|
|
|
return NULL;
|
|
|
|
return pointer;
|
|
|
|
}
|
2018-10-23 12:52:48 +02:00
|
|
|
if (!ret || ret >= ARRAY_SIZE(wpointer))
|
2012-03-15 18:21:28 +01:00
|
|
|
return NULL;
|
|
|
|
if (xwcstoutf(pointer, wpointer, len) < 0)
|
|
|
|
return NULL;
|
2016-04-02 21:03:14 +02:00
|
|
|
convert_slashes(pointer);
|
2012-03-15 18:21:28 +01:00
|
|
|
return pointer;
|
2008-03-05 21:51:27 +01:00
|
|
|
}
|
|
|
|
|
2007-11-24 22:49:16 +01:00
|
|
|
/*
|
2018-11-15 12:22:40 +01:00
|
|
|
* See "Parsing C++ Command-Line Arguments" at Microsoft's Docs:
|
|
|
|
* https://docs.microsoft.com/en-us/cpp/cpp/parsing-cpp-command-line-arguments
|
2007-11-24 22:49:16 +01:00
|
|
|
*/
|
mingw: special-case arguments to `sh`
The MSYS2 runtime does its best to emulate the command-line wildcard
expansion and de-quoting which would be performed by the calling Unix
shell on Unix systems.
Those Unix shell quoting rules differ from the quoting rules applying to
Windows' cmd and Powershell, making it a little awkward to quote
command-line parameters properly when spawning other processes.
In particular, git.exe passes arguments to subprocesses that are *not*
intended to be interpreted as wildcards, and if they contain
backslashes, those are not to be interpreted as escape characters, e.g.
when passing Windows paths.
Note: this is only a problem when calling MSYS2 executables, not when
calling MINGW executables such as git.exe. However, we do call MSYS2
executables frequently, most notably when setting the use_shell flag in
the child_process structure.
There is no elegant way to determine whether the .exe file to be
executed is an MSYS2 program or a MINGW one. But since the use case of
passing a command line through the shell is so prevalent, we need to
work around this issue at least when executing sh.exe.
Let's introduce an ugly, hard-coded test whether argv[0] is "sh", and
whether it refers to the MSYS2 Bash, to determine whether we need to
quote the arguments differently than usual.
That still does not fix the issue completely, but at least it is
something.
Incidentally, this also fixes the problem where `git clone \\server\repo`
failed due to incorrect handling of the backslashes when handing the path
to the git-upload-pack process.
Further, we need to take care to quote not only whitespace and
backslashes, but also curly brackets. As aliases frequently go through
the MSYS2 Bash, and as aliases frequently get parameters such as
HEAD@{yesterday}, this is really important. As an early version of this
patch broke this, let's make sure that this does not regress by adding a
test case for that.
Helped-by: Kim Gybels <kgybels@infogroep.be>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-01-17 21:14:48 +01:00
|
|
|
static const char *quote_arg_msvc(const char *arg)
|
2007-11-24 22:49:16 +01:00
|
|
|
{
|
|
|
|
/* count chars to quote */
|
|
|
|
int len = 0, n = 0;
|
|
|
|
int force_quotes = 0;
|
|
|
|
char *q, *d;
|
|
|
|
const char *p = arg;
|
|
|
|
if (!*p) force_quotes = 1;
|
|
|
|
while (*p) {
|
2009-03-24 21:43:02 +01:00
|
|
|
if (isspace(*p) || *p == '*' || *p == '?' || *p == '{' || *p == '\'')
|
2007-11-24 22:49:16 +01:00
|
|
|
force_quotes = 1;
|
|
|
|
else if (*p == '"')
|
|
|
|
n++;
|
|
|
|
else if (*p == '\\') {
|
|
|
|
int count = 0;
|
|
|
|
while (*p == '\\') {
|
|
|
|
count++;
|
|
|
|
p++;
|
|
|
|
len++;
|
|
|
|
}
|
mingw: fix quoting of arguments
We need to be careful to follow proper quoting rules. For example, if an
argument contains spaces, we have to quote them. Double-quotes need to
be escaped. Backslashes need to be escaped, but only if they are
followed by a double-quote character.
We need to be _extra_ careful to consider the case where an argument
ends in a backslash _and_ needs to be quoted: in this case, we append a
double-quote character, i.e. the backslash now has to be escaped!
The current code, however, fails to recognize that, and therefore can
turn an argument that ends in a single backslash into a quoted argument
that now ends in an escaped double-quote character. This allows
subsequent command-line parameters to be split and part of them being
mistaken for command-line options, e.g. through a maliciously-crafted
submodule URL during a recursive clone.
Technically, we would not need to quote _all_ arguments which end in a
backslash _unless_ the argument needs to be quoted anyway. For example,
`test\` would not need to be quoted, while `test \` would need to be.
To keep the code simple, however, and therefore easier to reason about
and ensure its correctness, we now _always_ quote an argument that ends
in a backslash.
This addresses CVE-2019-1350.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-09-13 16:32:43 +02:00
|
|
|
if (*p == '"' || !*p)
|
2007-11-24 22:49:16 +01:00
|
|
|
n += count*2 + 1;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
len++;
|
|
|
|
p++;
|
|
|
|
}
|
|
|
|
if (!force_quotes && n == 0)
|
|
|
|
return arg;
|
|
|
|
|
|
|
|
/* insert \ where necessary */
|
2016-02-22 23:44:35 +01:00
|
|
|
d = q = xmalloc(st_add3(len, n, 3));
|
2007-11-24 22:49:16 +01:00
|
|
|
*d++ = '"';
|
|
|
|
while (*arg) {
|
|
|
|
if (*arg == '"')
|
|
|
|
*d++ = '\\';
|
|
|
|
else if (*arg == '\\') {
|
|
|
|
int count = 0;
|
|
|
|
while (*arg == '\\') {
|
|
|
|
count++;
|
|
|
|
*d++ = *arg++;
|
|
|
|
}
|
mingw: fix quoting of arguments
We need to be careful to follow proper quoting rules. For example, if an
argument contains spaces, we have to quote them. Double-quotes need to
be escaped. Backslashes need to be escaped, but only if they are
followed by a double-quote character.
We need to be _extra_ careful to consider the case where an argument
ends in a backslash _and_ needs to be quoted: in this case, we append a
double-quote character, i.e. the backslash now has to be escaped!
The current code, however, fails to recognize that, and therefore can
turn an argument that ends in a single backslash into a quoted argument
that now ends in an escaped double-quote character. This allows
subsequent command-line parameters to be split and part of them being
mistaken for command-line options, e.g. through a maliciously-crafted
submodule URL during a recursive clone.
Technically, we would not need to quote _all_ arguments which end in a
backslash _unless_ the argument needs to be quoted anyway. For example,
`test\` would not need to be quoted, while `test \` would need to be.
To keep the code simple, however, and therefore easier to reason about
and ensure its correctness, we now _always_ quote an argument that ends
in a backslash.
This addresses CVE-2019-1350.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-09-13 16:32:43 +02:00
|
|
|
if (*arg == '"' || !*arg) {
|
2007-11-24 22:49:16 +01:00
|
|
|
while (count-- > 0)
|
|
|
|
*d++ = '\\';
|
mingw: fix quoting of arguments
We need to be careful to follow proper quoting rules. For example, if an
argument contains spaces, we have to quote them. Double-quotes need to
be escaped. Backslashes need to be escaped, but only if they are
followed by a double-quote character.
We need to be _extra_ careful to consider the case where an argument
ends in a backslash _and_ needs to be quoted: in this case, we append a
double-quote character, i.e. the backslash now has to be escaped!
The current code, however, fails to recognize that, and therefore can
turn an argument that ends in a single backslash into a quoted argument
that now ends in an escaped double-quote character. This allows
subsequent command-line parameters to be split and part of them being
mistaken for command-line options, e.g. through a maliciously-crafted
submodule URL during a recursive clone.
Technically, we would not need to quote _all_ arguments which end in a
backslash _unless_ the argument needs to be quoted anyway. For example,
`test\` would not need to be quoted, while `test \` would need to be.
To keep the code simple, however, and therefore easier to reason about
and ensure its correctness, we now _always_ quote an argument that ends
in a backslash.
This addresses CVE-2019-1350.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-09-13 16:32:43 +02:00
|
|
|
/* don't escape the surrounding end quote */
|
|
|
|
if (!*arg)
|
|
|
|
break;
|
2007-11-24 22:49:16 +01:00
|
|
|
*d++ = '\\';
|
|
|
|
}
|
|
|
|
}
|
|
|
|
*d++ = *arg++;
|
|
|
|
}
|
|
|
|
*d++ = '"';
|
mingw: fix quoting of arguments
We need to be careful to follow proper quoting rules. For example, if an
argument contains spaces, we have to quote them. Double-quotes need to
be escaped. Backslashes need to be escaped, but only if they are
followed by a double-quote character.
We need to be _extra_ careful to consider the case where an argument
ends in a backslash _and_ needs to be quoted: in this case, we append a
double-quote character, i.e. the backslash now has to be escaped!
The current code, however, fails to recognize that, and therefore can
turn an argument that ends in a single backslash into a quoted argument
that now ends in an escaped double-quote character. This allows
subsequent command-line parameters to be split and part of them being
mistaken for command-line options, e.g. through a maliciously-crafted
submodule URL during a recursive clone.
Technically, we would not need to quote _all_ arguments which end in a
backslash _unless_ the argument needs to be quoted anyway. For example,
`test\` would not need to be quoted, while `test \` would need to be.
To keep the code simple, however, and therefore easier to reason about
and ensure its correctness, we now _always_ quote an argument that ends
in a backslash.
This addresses CVE-2019-1350.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-09-13 16:32:43 +02:00
|
|
|
*d++ = '\0';
|
2007-11-24 22:49:16 +01:00
|
|
|
return q;
|
|
|
|
}
|
|
|
|
|
mingw: special-case arguments to `sh`
The MSYS2 runtime does its best to emulate the command-line wildcard
expansion and de-quoting which would be performed by the calling Unix
shell on Unix systems.
Those Unix shell quoting rules differ from the quoting rules applying to
Windows' cmd and Powershell, making it a little awkward to quote
command-line parameters properly when spawning other processes.
In particular, git.exe passes arguments to subprocesses that are *not*
intended to be interpreted as wildcards, and if they contain
backslashes, those are not to be interpreted as escape characters, e.g.
when passing Windows paths.
Note: this is only a problem when calling MSYS2 executables, not when
calling MINGW executables such as git.exe. However, we do call MSYS2
executables frequently, most notably when setting the use_shell flag in
the child_process structure.
There is no elegant way to determine whether the .exe file to be
executed is an MSYS2 program or a MINGW one. But since the use case of
passing a command line through the shell is so prevalent, we need to
work around this issue at least when executing sh.exe.
Let's introduce an ugly, hard-coded test whether argv[0] is "sh", and
whether it refers to the MSYS2 Bash, to determine whether we need to
quote the arguments differently than usual.
That still does not fix the issue completely, but at least it is
something.
Incidentally, this also fixes the problem where `git clone \\server\repo`
failed due to incorrect handling of the backslashes when handing the path
to the git-upload-pack process.
Further, we need to take care to quote not only whitespace and
backslashes, but also curly brackets. As aliases frequently go through
the MSYS2 Bash, and as aliases frequently get parameters such as
HEAD@{yesterday}, this is really important. As an early version of this
patch broke this, let's make sure that this does not regress by adding a
test case for that.
Helped-by: Kim Gybels <kgybels@infogroep.be>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-01-17 21:14:48 +01:00
|
|
|
#include "quote.h"
|
|
|
|
|
|
|
|
static const char *quote_arg_msys2(const char *arg)
|
|
|
|
{
|
|
|
|
struct strbuf buf = STRBUF_INIT;
|
|
|
|
const char *p2 = arg, *p;
|
|
|
|
|
|
|
|
for (p = arg; *p; p++) {
|
|
|
|
int ws = isspace(*p);
|
2019-09-19 23:43:03 +02:00
|
|
|
if (!ws && *p != '\\' && *p != '"' && *p != '{' && *p != '\'' &&
|
|
|
|
*p != '?' && *p != '*' && *p != '~')
|
mingw: special-case arguments to `sh`
The MSYS2 runtime does its best to emulate the command-line wildcard
expansion and de-quoting which would be performed by the calling Unix
shell on Unix systems.
Those Unix shell quoting rules differ from the quoting rules applying to
Windows' cmd and Powershell, making it a little awkward to quote
command-line parameters properly when spawning other processes.
In particular, git.exe passes arguments to subprocesses that are *not*
intended to be interpreted as wildcards, and if they contain
backslashes, those are not to be interpreted as escape characters, e.g.
when passing Windows paths.
Note: this is only a problem when calling MSYS2 executables, not when
calling MINGW executables such as git.exe. However, we do call MSYS2
executables frequently, most notably when setting the use_shell flag in
the child_process structure.
There is no elegant way to determine whether the .exe file to be
executed is an MSYS2 program or a MINGW one. But since the use case of
passing a command line through the shell is so prevalent, we need to
work around this issue at least when executing sh.exe.
Let's introduce an ugly, hard-coded test whether argv[0] is "sh", and
whether it refers to the MSYS2 Bash, to determine whether we need to
quote the arguments differently than usual.
That still does not fix the issue completely, but at least it is
something.
Incidentally, this also fixes the problem where `git clone \\server\repo`
failed due to incorrect handling of the backslashes when handing the path
to the git-upload-pack process.
Further, we need to take care to quote not only whitespace and
backslashes, but also curly brackets. As aliases frequently go through
the MSYS2 Bash, and as aliases frequently get parameters such as
HEAD@{yesterday}, this is really important. As an early version of this
patch broke this, let's make sure that this does not regress by adding a
test case for that.
Helped-by: Kim Gybels <kgybels@infogroep.be>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-01-17 21:14:48 +01:00
|
|
|
continue;
|
|
|
|
if (!buf.len)
|
|
|
|
strbuf_addch(&buf, '"');
|
|
|
|
if (p != p2)
|
|
|
|
strbuf_add(&buf, p2, p - p2);
|
2019-09-19 23:43:03 +02:00
|
|
|
if (*p == '\\' || *p == '"')
|
mingw: special-case arguments to `sh`
The MSYS2 runtime does its best to emulate the command-line wildcard
expansion and de-quoting which would be performed by the calling Unix
shell on Unix systems.
Those Unix shell quoting rules differ from the quoting rules applying to
Windows' cmd and Powershell, making it a little awkward to quote
command-line parameters properly when spawning other processes.
In particular, git.exe passes arguments to subprocesses that are *not*
intended to be interpreted as wildcards, and if they contain
backslashes, those are not to be interpreted as escape characters, e.g.
when passing Windows paths.
Note: this is only a problem when calling MSYS2 executables, not when
calling MINGW executables such as git.exe. However, we do call MSYS2
executables frequently, most notably when setting the use_shell flag in
the child_process structure.
There is no elegant way to determine whether the .exe file to be
executed is an MSYS2 program or a MINGW one. But since the use case of
passing a command line through the shell is so prevalent, we need to
work around this issue at least when executing sh.exe.
Let's introduce an ugly, hard-coded test whether argv[0] is "sh", and
whether it refers to the MSYS2 Bash, to determine whether we need to
quote the arguments differently than usual.
That still does not fix the issue completely, but at least it is
something.
Incidentally, this also fixes the problem where `git clone \\server\repo`
failed due to incorrect handling of the backslashes when handing the path
to the git-upload-pack process.
Further, we need to take care to quote not only whitespace and
backslashes, but also curly brackets. As aliases frequently go through
the MSYS2 Bash, and as aliases frequently get parameters such as
HEAD@{yesterday}, this is really important. As an early version of this
patch broke this, let's make sure that this does not regress by adding a
test case for that.
Helped-by: Kim Gybels <kgybels@infogroep.be>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-01-17 21:14:48 +01:00
|
|
|
strbuf_addch(&buf, '\\');
|
|
|
|
p2 = p;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (p == arg)
|
|
|
|
strbuf_addch(&buf, '"');
|
|
|
|
else if (!buf.len)
|
|
|
|
return arg;
|
|
|
|
else
|
2019-09-19 23:38:33 +02:00
|
|
|
strbuf_add(&buf, p2, p - p2);
|
mingw: special-case arguments to `sh`
The MSYS2 runtime does its best to emulate the command-line wildcard
expansion and de-quoting which would be performed by the calling Unix
shell on Unix systems.
Those Unix shell quoting rules differ from the quoting rules applying to
Windows' cmd and Powershell, making it a little awkward to quote
command-line parameters properly when spawning other processes.
In particular, git.exe passes arguments to subprocesses that are *not*
intended to be interpreted as wildcards, and if they contain
backslashes, those are not to be interpreted as escape characters, e.g.
when passing Windows paths.
Note: this is only a problem when calling MSYS2 executables, not when
calling MINGW executables such as git.exe. However, we do call MSYS2
executables frequently, most notably when setting the use_shell flag in
the child_process structure.
There is no elegant way to determine whether the .exe file to be
executed is an MSYS2 program or a MINGW one. But since the use case of
passing a command line through the shell is so prevalent, we need to
work around this issue at least when executing sh.exe.
Let's introduce an ugly, hard-coded test whether argv[0] is "sh", and
whether it refers to the MSYS2 Bash, to determine whether we need to
quote the arguments differently than usual.
That still does not fix the issue completely, but at least it is
something.
Incidentally, this also fixes the problem where `git clone \\server\repo`
failed due to incorrect handling of the backslashes when handing the path
to the git-upload-pack process.
Further, we need to take care to quote not only whitespace and
backslashes, but also curly brackets. As aliases frequently go through
the MSYS2 Bash, and as aliases frequently get parameters such as
HEAD@{yesterday}, this is really important. As an early version of this
patch broke this, let's make sure that this does not regress by adding a
test case for that.
Helped-by: Kim Gybels <kgybels@infogroep.be>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-01-17 21:14:48 +01:00
|
|
|
|
|
|
|
strbuf_addch(&buf, '"');
|
|
|
|
return strbuf_detach(&buf, 0);
|
|
|
|
}
|
|
|
|
|
2007-12-04 12:38:32 +01:00
|
|
|
static const char *parse_interpreter(const char *cmd)
|
|
|
|
{
|
|
|
|
static char buf[100];
|
|
|
|
char *p, *opt;
|
|
|
|
int n, fd;
|
|
|
|
|
|
|
|
/* don't even try a .exe */
|
|
|
|
n = strlen(cmd);
|
|
|
|
if (n >= 4 && !strcasecmp(cmd+n-4, ".exe"))
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
fd = open(cmd, O_RDONLY);
|
|
|
|
if (fd < 0)
|
|
|
|
return NULL;
|
|
|
|
n = read(fd, buf, sizeof(buf)-1);
|
|
|
|
close(fd);
|
|
|
|
if (n < 4) /* at least '#!/x' and not error */
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
if (buf[0] != '#' || buf[1] != '!')
|
|
|
|
return NULL;
|
|
|
|
buf[n] = '\0';
|
2009-05-23 10:04:47 +02:00
|
|
|
p = buf + strcspn(buf, "\r\n");
|
|
|
|
if (!*p)
|
2007-12-04 12:38:32 +01:00
|
|
|
return NULL;
|
|
|
|
|
|
|
|
*p = '\0';
|
|
|
|
if (!(p = strrchr(buf+2, '/')) && !(p = strrchr(buf+2, '\\')))
|
|
|
|
return NULL;
|
|
|
|
/* strip options */
|
|
|
|
if ((opt = strchr(p+1, ' ')))
|
|
|
|
*opt = '\0';
|
|
|
|
return p+1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* exe_only means that we only want to detect .exe files, but not scripts
|
|
|
|
* (which do not have an extension)
|
|
|
|
*/
|
2017-05-20 21:35:37 +02:00
|
|
|
static char *lookup_prog(const char *dir, int dirlen, const char *cmd,
|
|
|
|
int isexe, int exe_only)
|
2007-12-04 12:38:32 +01:00
|
|
|
{
|
|
|
|
char path[MAX_PATH];
|
2019-08-25 00:38:56 +02:00
|
|
|
wchar_t wpath[MAX_PATH];
|
2017-05-20 21:35:37 +02:00
|
|
|
snprintf(path, sizeof(path), "%.*s\\%s.exe", dirlen, dir, cmd);
|
2007-12-04 12:38:32 +01:00
|
|
|
|
2019-08-25 00:38:56 +02:00
|
|
|
if (xutftowcs_path(wpath, path) < 0)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
if (!isexe && _waccess(wpath, F_OK) == 0)
|
2007-12-04 12:38:32 +01:00
|
|
|
return xstrdup(path);
|
2019-08-25 00:38:56 +02:00
|
|
|
wpath[wcslen(wpath)-4] = '\0';
|
|
|
|
if ((!exe_only || isexe) && _waccess(wpath, F_OK) == 0) {
|
|
|
|
if (!(GetFileAttributesW(wpath) & FILE_ATTRIBUTE_DIRECTORY)) {
|
|
|
|
path[strlen(path)-4] = '\0';
|
2008-07-18 09:34:42 +02:00
|
|
|
return xstrdup(path);
|
2019-08-25 00:38:56 +02:00
|
|
|
}
|
|
|
|
}
|
2007-12-04 12:38:32 +01:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2010-08-22 13:12:12 +02:00
|
|
|
* Determines the absolute path of cmd using the split path in path.
|
2007-12-04 12:38:32 +01:00
|
|
|
* If cmd contains a slash or backslash, no lookup is performed.
|
|
|
|
*/
|
2017-05-20 21:35:37 +02:00
|
|
|
static char *path_lookup(const char *cmd, int exe_only)
|
2007-12-04 12:38:32 +01:00
|
|
|
{
|
2017-05-20 21:35:37 +02:00
|
|
|
const char *path;
|
2007-12-04 12:38:32 +01:00
|
|
|
char *prog = NULL;
|
|
|
|
int len = strlen(cmd);
|
|
|
|
int isexe = len >= 4 && !strcasecmp(cmd+len-4, ".exe");
|
|
|
|
|
|
|
|
if (strchr(cmd, '/') || strchr(cmd, '\\'))
|
2017-05-20 21:35:37 +02:00
|
|
|
return xstrdup(cmd);
|
|
|
|
|
|
|
|
path = mingw_getenv("PATH");
|
|
|
|
if (!path)
|
|
|
|
return NULL;
|
2007-12-04 12:38:32 +01:00
|
|
|
|
2017-05-20 21:35:37 +02:00
|
|
|
while (!prog) {
|
|
|
|
const char *sep = strchrnul(path, ';');
|
|
|
|
int dirlen = sep - path;
|
|
|
|
if (dirlen)
|
|
|
|
prog = lookup_prog(path, dirlen, cmd, isexe, exe_only);
|
|
|
|
if (!*sep)
|
|
|
|
break;
|
|
|
|
path = sep + 1;
|
|
|
|
}
|
2007-12-04 12:38:32 +01:00
|
|
|
|
|
|
|
return prog;
|
|
|
|
}
|
|
|
|
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
static const wchar_t *wcschrnul(const wchar_t *s, wchar_t c)
|
|
|
|
{
|
|
|
|
while (*s && *s != c)
|
|
|
|
s++;
|
|
|
|
return s;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Compare only keys */
|
|
|
|
static int wenvcmp(const void *a, const void *b)
|
|
|
|
{
|
|
|
|
wchar_t *p = *(wchar_t **)a, *q = *(wchar_t **)b;
|
|
|
|
size_t p_len, q_len;
|
|
|
|
|
|
|
|
/* Find the keys */
|
|
|
|
p_len = wcschrnul(p, L'=') - p;
|
|
|
|
q_len = wcschrnul(q, L'=') - q;
|
2014-07-17 17:38:02 +02:00
|
|
|
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
/* If the length differs, include the shorter key's NUL */
|
|
|
|
if (p_len < q_len)
|
|
|
|
p_len++;
|
|
|
|
else if (p_len > q_len)
|
|
|
|
p_len = q_len + 1;
|
|
|
|
|
|
|
|
return _wcsnicmp(p, q, p_len);
|
|
|
|
}
|
2014-07-17 17:38:02 +02:00
|
|
|
|
2014-07-17 17:38:00 +02:00
|
|
|
/*
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
* Build an environment block combining the inherited environment
|
|
|
|
* merged with the given list of settings.
|
|
|
|
*
|
|
|
|
* Values of the form "KEY=VALUE" in deltaenv override inherited values.
|
|
|
|
* Values of the form "KEY" in deltaenv delete inherited values.
|
|
|
|
*
|
|
|
|
* Multiple entries in deltaenv for the same key are explicitly allowed.
|
|
|
|
*
|
|
|
|
* We return a contiguous block of UNICODE strings with a final trailing
|
|
|
|
* zero word.
|
2014-07-17 17:38:00 +02:00
|
|
|
*/
|
2014-07-17 17:38:01 +02:00
|
|
|
static wchar_t *make_environment_block(char **deltaenv)
|
2007-11-24 22:49:16 +01:00
|
|
|
{
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
wchar_t *wenv = GetEnvironmentStringsW(), *wdeltaenv, *result, *p;
|
|
|
|
size_t wlen, s, delta_size, size;
|
2014-07-17 17:38:00 +02:00
|
|
|
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
wchar_t **array = NULL;
|
|
|
|
size_t alloc = 0, nr = 0, i;
|
2014-07-17 17:38:00 +02:00
|
|
|
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
size = 1; /* for extra NUL at the end */
|
|
|
|
|
|
|
|
/* If there is no deltaenv to apply, simply return a copy. */
|
|
|
|
if (!deltaenv || !*deltaenv) {
|
|
|
|
for (p = wenv; p && *p; ) {
|
|
|
|
size_t s = wcslen(p) + 1;
|
|
|
|
size += s;
|
|
|
|
p += s;
|
|
|
|
}
|
2014-07-17 17:38:01 +02:00
|
|
|
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
ALLOC_ARRAY(result, size);
|
2019-09-04 13:09:45 +02:00
|
|
|
COPY_ARRAY(result, wenv, size);
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
FreeEnvironmentStringsW(wenv);
|
|
|
|
return result;
|
|
|
|
}
|
2014-07-17 17:38:01 +02:00
|
|
|
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
/*
|
|
|
|
* If there is a deltaenv, let's accumulate all keys into `array`,
|
2019-09-30 19:21:54 +02:00
|
|
|
* sort them using the stable git_stable_qsort() and then copy,
|
|
|
|
* skipping duplicate keys
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
*/
|
|
|
|
for (p = wenv; p && *p; ) {
|
|
|
|
ALLOC_GROW(array, nr + 1, alloc);
|
|
|
|
s = wcslen(p) + 1;
|
|
|
|
array[nr++] = p;
|
|
|
|
p += s;
|
|
|
|
size += s;
|
2014-07-17 17:38:00 +02:00
|
|
|
}
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
|
|
|
|
/* (over-)assess size needed for wchar version of deltaenv */
|
|
|
|
for (delta_size = 0, i = 0; deltaenv[i]; i++)
|
|
|
|
delta_size += strlen(deltaenv[i]) * 2 + 1;
|
|
|
|
ALLOC_ARRAY(wdeltaenv, delta_size);
|
|
|
|
|
|
|
|
/* convert the deltaenv, appending to array */
|
|
|
|
for (i = 0, p = wdeltaenv; deltaenv[i]; i++) {
|
|
|
|
ALLOC_GROW(array, nr + 1, alloc);
|
|
|
|
wlen = xutftowcs(p, deltaenv[i], wdeltaenv + delta_size - p);
|
|
|
|
array[nr++] = p;
|
|
|
|
p += wlen + 1;
|
|
|
|
}
|
2014-07-17 17:38:00 +02:00
|
|
|
|
2019-09-30 19:21:54 +02:00
|
|
|
git_stable_qsort(array, nr, sizeof(*array), wenvcmp);
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
ALLOC_ARRAY(result, size + delta_size);
|
2014-07-17 17:38:00 +02:00
|
|
|
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
for (p = result, i = 0; i < nr; i++) {
|
|
|
|
/* Skip any duplicate keys; last one wins */
|
|
|
|
while (i + 1 < nr && !wenvcmp(array + i, array + i + 1))
|
|
|
|
i++;
|
2014-07-17 17:38:01 +02:00
|
|
|
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
/* Skip "to delete" entry */
|
|
|
|
if (!wcschr(array[i], L'='))
|
|
|
|
continue;
|
2014-07-17 17:38:01 +02:00
|
|
|
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
size = wcslen(array[i]) + 1;
|
2019-09-04 13:09:45 +02:00
|
|
|
COPY_ARRAY(p, array[i], size);
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
p += size;
|
2014-07-17 17:38:00 +02:00
|
|
|
}
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
*p = L'\0';
|
|
|
|
|
|
|
|
free(array);
|
|
|
|
free(wdeltaenv);
|
|
|
|
FreeEnvironmentStringsW(wenv);
|
|
|
|
return result;
|
2007-11-24 22:49:16 +01:00
|
|
|
}
|
|
|
|
|
2018-10-30 19:40:07 +01:00
|
|
|
static void do_unset_environment_variables(void)
|
|
|
|
{
|
|
|
|
static int done;
|
|
|
|
char *p = unset_environment_variables;
|
|
|
|
|
|
|
|
if (done || !p)
|
|
|
|
return;
|
|
|
|
done = 1;
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
char *comma = strchr(p, ',');
|
|
|
|
|
|
|
|
if (comma)
|
|
|
|
*comma = '\0';
|
|
|
|
unsetenv(p);
|
|
|
|
if (!comma)
|
|
|
|
break;
|
|
|
|
p = comma + 1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2010-11-04 02:35:13 +01:00
|
|
|
struct pinfo_t {
|
|
|
|
struct pinfo_t *next;
|
|
|
|
pid_t pid;
|
|
|
|
HANDLE proc;
|
2013-04-27 21:18:55 +02:00
|
|
|
};
|
|
|
|
static struct pinfo_t *pinfo = NULL;
|
2010-11-04 02:35:13 +01:00
|
|
|
CRITICAL_SECTION pinfo_cs;
|
|
|
|
|
mingw: special-case arguments to `sh`
The MSYS2 runtime does its best to emulate the command-line wildcard
expansion and de-quoting which would be performed by the calling Unix
shell on Unix systems.
Those Unix shell quoting rules differ from the quoting rules applying to
Windows' cmd and Powershell, making it a little awkward to quote
command-line parameters properly when spawning other processes.
In particular, git.exe passes arguments to subprocesses that are *not*
intended to be interpreted as wildcards, and if they contain
backslashes, those are not to be interpreted as escape characters, e.g.
when passing Windows paths.
Note: this is only a problem when calling MSYS2 executables, not when
calling MINGW executables such as git.exe. However, we do call MSYS2
executables frequently, most notably when setting the use_shell flag in
the child_process structure.
There is no elegant way to determine whether the .exe file to be
executed is an MSYS2 program or a MINGW one. But since the use case of
passing a command line through the shell is so prevalent, we need to
work around this issue at least when executing sh.exe.
Let's introduce an ugly, hard-coded test whether argv[0] is "sh", and
whether it refers to the MSYS2 Bash, to determine whether we need to
quote the arguments differently than usual.
That still does not fix the issue completely, but at least it is
something.
Incidentally, this also fixes the problem where `git clone \\server\repo`
failed due to incorrect handling of the backslashes when handing the path
to the git-upload-pack process.
Further, we need to take care to quote not only whitespace and
backslashes, but also curly brackets. As aliases frequently go through
the MSYS2 Bash, and as aliases frequently get parameters such as
HEAD@{yesterday}, this is really important. As an early version of this
patch broke this, let's make sure that this does not regress by adding a
test case for that.
Helped-by: Kim Gybels <kgybels@infogroep.be>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-01-17 21:14:48 +01:00
|
|
|
/* Used to match and chomp off path components */
|
|
|
|
static inline int match_last_path_component(const char *path, size_t *len,
|
|
|
|
const char *component)
|
|
|
|
{
|
|
|
|
size_t component_len = strlen(component);
|
|
|
|
if (*len < component_len + 1 ||
|
|
|
|
!is_dir_sep(path[*len - component_len - 1]) ||
|
|
|
|
fspathncmp(path + *len - component_len, component, component_len))
|
|
|
|
return 0;
|
|
|
|
*len -= component_len + 1;
|
|
|
|
/* chomp off repeated dir separators */
|
|
|
|
while (*len > 0 && is_dir_sep(path[*len - 1]))
|
|
|
|
(*len)--;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int is_msys2_sh(const char *cmd)
|
|
|
|
{
|
2019-09-19 17:05:21 +02:00
|
|
|
if (!cmd)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (!strcmp(cmd, "sh")) {
|
mingw: special-case arguments to `sh`
The MSYS2 runtime does its best to emulate the command-line wildcard
expansion and de-quoting which would be performed by the calling Unix
shell on Unix systems.
Those Unix shell quoting rules differ from the quoting rules applying to
Windows' cmd and Powershell, making it a little awkward to quote
command-line parameters properly when spawning other processes.
In particular, git.exe passes arguments to subprocesses that are *not*
intended to be interpreted as wildcards, and if they contain
backslashes, those are not to be interpreted as escape characters, e.g.
when passing Windows paths.
Note: this is only a problem when calling MSYS2 executables, not when
calling MINGW executables such as git.exe. However, we do call MSYS2
executables frequently, most notably when setting the use_shell flag in
the child_process structure.
There is no elegant way to determine whether the .exe file to be
executed is an MSYS2 program or a MINGW one. But since the use case of
passing a command line through the shell is so prevalent, we need to
work around this issue at least when executing sh.exe.
Let's introduce an ugly, hard-coded test whether argv[0] is "sh", and
whether it refers to the MSYS2 Bash, to determine whether we need to
quote the arguments differently than usual.
That still does not fix the issue completely, but at least it is
something.
Incidentally, this also fixes the problem where `git clone \\server\repo`
failed due to incorrect handling of the backslashes when handing the path
to the git-upload-pack process.
Further, we need to take care to quote not only whitespace and
backslashes, but also curly brackets. As aliases frequently go through
the MSYS2 Bash, and as aliases frequently get parameters such as
HEAD@{yesterday}, this is really important. As an early version of this
patch broke this, let's make sure that this does not regress by adding a
test case for that.
Helped-by: Kim Gybels <kgybels@infogroep.be>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-01-17 21:14:48 +01:00
|
|
|
static int ret = -1;
|
|
|
|
char *p;
|
|
|
|
|
|
|
|
if (ret >= 0)
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
p = path_lookup(cmd, 0);
|
|
|
|
if (!p)
|
|
|
|
ret = 0;
|
|
|
|
else {
|
|
|
|
size_t len = strlen(p);
|
|
|
|
|
|
|
|
ret = match_last_path_component(p, &len, "sh.exe") &&
|
|
|
|
match_last_path_component(p, &len, "bin") &&
|
|
|
|
match_last_path_component(p, &len, "usr");
|
|
|
|
free(p);
|
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
2019-09-19 17:05:21 +02:00
|
|
|
|
|
|
|
if (ends_with(cmd, "\\sh.exe")) {
|
|
|
|
static char *sh;
|
|
|
|
|
|
|
|
if (!sh)
|
|
|
|
sh = path_lookup("sh", 0);
|
|
|
|
|
|
|
|
return !fspathcmp(cmd, sh);
|
|
|
|
}
|
|
|
|
|
mingw: special-case arguments to `sh`
The MSYS2 runtime does its best to emulate the command-line wildcard
expansion and de-quoting which would be performed by the calling Unix
shell on Unix systems.
Those Unix shell quoting rules differ from the quoting rules applying to
Windows' cmd and Powershell, making it a little awkward to quote
command-line parameters properly when spawning other processes.
In particular, git.exe passes arguments to subprocesses that are *not*
intended to be interpreted as wildcards, and if they contain
backslashes, those are not to be interpreted as escape characters, e.g.
when passing Windows paths.
Note: this is only a problem when calling MSYS2 executables, not when
calling MINGW executables such as git.exe. However, we do call MSYS2
executables frequently, most notably when setting the use_shell flag in
the child_process structure.
There is no elegant way to determine whether the .exe file to be
executed is an MSYS2 program or a MINGW one. But since the use case of
passing a command line through the shell is so prevalent, we need to
work around this issue at least when executing sh.exe.
Let's introduce an ugly, hard-coded test whether argv[0] is "sh", and
whether it refers to the MSYS2 Bash, to determine whether we need to
quote the arguments differently than usual.
That still does not fix the issue completely, but at least it is
something.
Incidentally, this also fixes the problem where `git clone \\server\repo`
failed due to incorrect handling of the backslashes when handing the path
to the git-upload-pack process.
Further, we need to take care to quote not only whitespace and
backslashes, but also curly brackets. As aliases frequently go through
the MSYS2 Bash, and as aliases frequently get parameters such as
HEAD@{yesterday}, this is really important. As an early version of this
patch broke this, let's make sure that this does not regress by adding a
test case for that.
Helped-by: Kim Gybels <kgybels@infogroep.be>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-01-17 21:14:48 +01:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-07-17 17:38:01 +02:00
|
|
|
static pid_t mingw_spawnve_fd(const char *cmd, const char **argv, char **deltaenv,
|
2010-04-11 22:40:12 +02:00
|
|
|
const char *dir,
|
Windows: avoid the "dup dance" when spawning a child process
When stdin, stdout, or stderr must be redirected for a child process that
on Windows is spawned using one of the spawn() functions of Microsoft's
C runtime, then there is no choice other than to
1. make a backup copy of fd 0,1,2 with dup
2. dup2 the redirection source fd into 0,1,2
3. spawn
4. dup2 the backup back into 0,1,2
5. close the backup copy and the redirection source
We used this idiom as well -- but we are not using the spawn() functions
anymore!
Instead, we have our own implementation. We had hardcoded that stdin,
stdout, and stderr of the child process were inherited from the parent's
fds 0, 1, and 2. But we can actually specify any fd.
With this patch, the fds to inherit are passed from start_command()'s
WIN32 section to our spawn implementation. This way, we can avoid the
backup copies of the fds.
The backup copies were a bug waiting to surface: The OS handles underlying
the dup()ed fds were inherited by the child process (but were not
associated with a file descriptor in the child). Consequently, the file or
pipe represented by the OS handle remained open even after the backup copy
was closed in the parent process until the child exited.
Since our implementation of pipe() creates non-inheritable OS handles, we
still dup() file descriptors in start_command() because dup() happens to
create inheritable duplicates. (A nice side effect is that the fd cleanup
in start_command is the same for Windows and Unix and remains unchanged.)
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-01-15 21:12:18 +01:00
|
|
|
int prepend_cmd, int fhin, int fhout, int fherr)
|
2007-11-24 22:49:16 +01:00
|
|
|
{
|
2011-01-16 18:27:53 +01:00
|
|
|
STARTUPINFOW si;
|
2007-11-24 22:49:16 +01:00
|
|
|
PROCESS_INFORMATION pi;
|
2014-07-17 17:37:55 +02:00
|
|
|
struct strbuf args;
|
|
|
|
wchar_t wcmd[MAX_PATH], wdir[MAX_PATH], *wargs, *wenvblk = NULL;
|
|
|
|
unsigned flags = CREATE_UNICODE_ENVIRONMENT;
|
2007-11-24 22:49:16 +01:00
|
|
|
BOOL ret;
|
2018-10-30 19:40:07 +01:00
|
|
|
HANDLE cons;
|
mingw: special-case arguments to `sh`
The MSYS2 runtime does its best to emulate the command-line wildcard
expansion and de-quoting which would be performed by the calling Unix
shell on Unix systems.
Those Unix shell quoting rules differ from the quoting rules applying to
Windows' cmd and Powershell, making it a little awkward to quote
command-line parameters properly when spawning other processes.
In particular, git.exe passes arguments to subprocesses that are *not*
intended to be interpreted as wildcards, and if they contain
backslashes, those are not to be interpreted as escape characters, e.g.
when passing Windows paths.
Note: this is only a problem when calling MSYS2 executables, not when
calling MINGW executables such as git.exe. However, we do call MSYS2
executables frequently, most notably when setting the use_shell flag in
the child_process structure.
There is no elegant way to determine whether the .exe file to be
executed is an MSYS2 program or a MINGW one. But since the use case of
passing a command line through the shell is so prevalent, we need to
work around this issue at least when executing sh.exe.
Let's introduce an ugly, hard-coded test whether argv[0] is "sh", and
whether it refers to the MSYS2 Bash, to determine whether we need to
quote the arguments differently than usual.
That still does not fix the issue completely, but at least it is
something.
Incidentally, this also fixes the problem where `git clone \\server\repo`
failed due to incorrect handling of the backslashes when handing the path
to the git-upload-pack process.
Further, we need to take care to quote not only whitespace and
backslashes, but also curly brackets. As aliases frequently go through
the MSYS2 Bash, and as aliases frequently get parameters such as
HEAD@{yesterday}, this is really important. As an early version of this
patch broke this, let's make sure that this does not regress by adding a
test case for that.
Helped-by: Kim Gybels <kgybels@infogroep.be>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-01-17 21:14:48 +01:00
|
|
|
const char *(*quote_arg)(const char *arg) =
|
2019-09-19 17:05:45 +02:00
|
|
|
is_msys2_sh(cmd ? cmd : *argv) ?
|
|
|
|
quote_arg_msys2 : quote_arg_msvc;
|
2018-10-30 19:40:07 +01:00
|
|
|
|
|
|
|
do_unset_environment_variables();
|
2007-11-24 22:49:16 +01:00
|
|
|
|
|
|
|
/* Determine whether or not we are associated to a console */
|
mingw: use Unicode functions explicitly
Many Win32 API functions actually exist in two variants: one with
the `A` suffix that takes ANSI parameters (`char *` or `const char *`)
and one with the `W` suffix that takes Unicode parameters (`wchar_t *`
or `const wchar_t *`).
The ANSI variant assumes that the strings are encoded according to
whatever is the current locale. This is not what Git wants to use on
Windows: we assume that `char *` variables point to strings encoded in
UTF-8.
There is a pseudo UTF-8 locale on Windows, but it does not work
as one might expect. In addition, if we overrode the user's locale, that
would modify the behavior of programs spawned by Git (such as editors,
difftools, etc), therefore we cannot use that pseudo locale.
Further, it is actually highly encouraged to use the Unicode versions
instead of the ANSI versions, so let's do precisely that.
Note: when calling the Win32 API functions _without_ any suffix, it
depends whether the `UNICODE` constant is defined before the relevant
headers are #include'd. Without that constant, the ANSI variants are
used. Let's be explicit and avoid that ambiguity.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-06-27 11:37:19 +02:00
|
|
|
cons = CreateFileW(L"CONOUT$", GENERIC_WRITE,
|
2007-11-24 22:49:16 +01:00
|
|
|
FILE_SHARE_WRITE, NULL, OPEN_EXISTING,
|
|
|
|
FILE_ATTRIBUTE_NORMAL, NULL);
|
|
|
|
if (cons == INVALID_HANDLE_VALUE) {
|
|
|
|
/* There is no console associated with this process.
|
|
|
|
* Since the child is a console process, Windows
|
|
|
|
* would normally create a console window. But
|
|
|
|
* since we'll be redirecting std streams, we do
|
|
|
|
* not need the console.
|
2008-11-02 18:11:13 +01:00
|
|
|
* It is necessary to use DETACHED_PROCESS
|
|
|
|
* instead of CREATE_NO_WINDOW to make ssh
|
|
|
|
* recognize that it has no console.
|
2007-11-24 22:49:16 +01:00
|
|
|
*/
|
2014-07-17 17:37:55 +02:00
|
|
|
flags |= DETACHED_PROCESS;
|
2007-11-24 22:49:16 +01:00
|
|
|
} else {
|
|
|
|
/* There is already a console. If we specified
|
2008-11-02 18:11:13 +01:00
|
|
|
* DETACHED_PROCESS here, too, Windows would
|
2007-11-24 22:49:16 +01:00
|
|
|
* disassociate the child from the console.
|
2008-11-02 18:11:13 +01:00
|
|
|
* The same is true for CREATE_NO_WINDOW.
|
2007-11-24 22:49:16 +01:00
|
|
|
* Go figure!
|
|
|
|
*/
|
|
|
|
CloseHandle(cons);
|
|
|
|
}
|
|
|
|
memset(&si, 0, sizeof(si));
|
|
|
|
si.cb = sizeof(si);
|
|
|
|
si.dwFlags = STARTF_USESTDHANDLES;
|
Win32: Thread-safe windows console output
Winansi.c has many static variables that are accessed and modified from
the [v][f]printf / fputs functions overridden in the file. This may cause
multi threaded git commands that print to the console to produce corrupted
output or even crash.
Additionally, winansi.c doesn't override all functions that can be used to
print to the console (e.g. fwrite, write, fputc are missing), so that ANSI
escapes don't work properly for some git commands (e.g. git-grep).
Instead of doing ANSI emulation in just a few wrapped functions on top of
the IO API, let's plug into the IO system and take advantage of the thread
safety inherent to the IO system.
Redirect stdout and stderr to a pipe if they point to the console. A
background thread reads from the pipe, handles ANSI escape sequences and
UTF-8 to UTF-16 conversion, then writes to the console.
The pipe-based stdout and stderr replacements must be set to unbuffered, as
MSVCRT doesn't support line buffering and fully buffered streams are
inappropriate for console output.
Due to the byte-oriented pipe, ANSI escape sequences and multi-byte UTF-8
sequences can no longer be expected to arrive in one piece. Replace the
string-based ansi_emulate() with a simple stateful parser (this also fixes
colored diff hunk headers, which were broken as of commit 2efcc977).
Override isatty to return true for the pipes redirecting to the console.
Exec/spawn obtain the original console handle to pass to the next process
via winansi_get_osfhandle().
All other overrides are gone, the default stdio implementations work as
expected with the piped stdout/stderr descriptors.
Global variables are either initialized on startup (single threaded) or
exclusively modified by the background thread. Threads communicate through
the pipe, no further synchronization is necessary.
The background thread is terminated by disonnecting the pipe after flushing
the stdio and pipe buffers. This doesn't work for anonymous pipes (created
via CreatePipe), as DisconnectNamedPipe only works on the read end, which
discards remaining data. Thus we have to setup the pipe manually, with the
write end beeing the server (opened with CreateNamedPipe) and the read end
the client (opened with CreateFile).
Limitations: doesn't track reopened or duped file descriptors, i.e.:
- fdopen(1/2) returns fully buffered streams
- dup(1/2), dup2(1/2) returns normal pipe descriptors (i.e. isatty() =
false, winansi_get_osfhandle won't return the original console handle)
Currently, only the git-format-patch command uses xfdopen(xdup(1)) (see
"realstdout" in builtin/log.c), but works well with these limitations.
Many thanks to Atsushi Nakagawa <atnak@chejz.com> for suggesting and
reviewing the thread-exit-mechanism.
Signed-off-by: Karsten Blees <blees@dcon.de>
Signed-off-by: Stepan Kasal <kasal@ucw.cz>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-01-14 22:24:19 +01:00
|
|
|
si.hStdInput = winansi_get_osfhandle(fhin);
|
|
|
|
si.hStdOutput = winansi_get_osfhandle(fhout);
|
|
|
|
si.hStdError = winansi_get_osfhandle(fherr);
|
2007-11-24 22:49:16 +01:00
|
|
|
|
2019-07-16 16:03:12 +02:00
|
|
|
if (*argv && !strcmp(cmd, *argv))
|
|
|
|
wcmd[0] = L'\0';
|
|
|
|
else if (xutftowcs_path(wcmd, cmd) < 0)
|
2011-01-16 18:27:53 +01:00
|
|
|
return -1;
|
|
|
|
if (dir && xutftowcs_path(wdir, dir) < 0)
|
|
|
|
return -1;
|
|
|
|
|
2007-11-24 22:49:16 +01:00
|
|
|
/* concatenate argv, quoting args as we go */
|
|
|
|
strbuf_init(&args, 0);
|
|
|
|
if (prepend_cmd) {
|
|
|
|
char *quoted = (char *)quote_arg(cmd);
|
|
|
|
strbuf_addstr(&args, quoted);
|
|
|
|
if (quoted != cmd)
|
|
|
|
free(quoted);
|
|
|
|
}
|
|
|
|
for (; *argv; argv++) {
|
|
|
|
char *quoted = (char *)quote_arg(*argv);
|
|
|
|
if (*args.buf)
|
|
|
|
strbuf_addch(&args, ' ');
|
|
|
|
strbuf_addstr(&args, quoted);
|
|
|
|
if (quoted != *argv)
|
|
|
|
free(quoted);
|
|
|
|
}
|
|
|
|
|
2016-02-29 11:02:59 +01:00
|
|
|
ALLOC_ARRAY(wargs, st_add(st_mult(2, args.len), 1));
|
2011-01-16 18:27:53 +01:00
|
|
|
xutftowcs(wargs, args.buf, 2 * args.len + 1);
|
|
|
|
strbuf_release(&args);
|
|
|
|
|
2014-07-17 17:38:01 +02:00
|
|
|
wenvblk = make_environment_block(deltaenv);
|
2007-11-24 22:49:16 +01:00
|
|
|
|
|
|
|
memset(&pi, 0, sizeof(pi));
|
2019-07-16 16:03:12 +02:00
|
|
|
ret = CreateProcessW(*wcmd ? wcmd : NULL, wargs, NULL, NULL, TRUE,
|
|
|
|
flags, wenvblk, dir ? wdir : NULL, &si, &pi);
|
2007-11-24 22:49:16 +01:00
|
|
|
|
2014-07-17 17:37:55 +02:00
|
|
|
free(wenvblk);
|
2011-01-16 18:27:53 +01:00
|
|
|
free(wargs);
|
2007-11-24 22:49:16 +01:00
|
|
|
|
|
|
|
if (!ret) {
|
|
|
|
errno = ENOENT;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
CloseHandle(pi.hThread);
|
2010-11-04 02:35:13 +01:00
|
|
|
|
|
|
|
/*
|
|
|
|
* The process ID is the human-readable identifier of the process
|
|
|
|
* that we want to present in log and error messages. The handle
|
|
|
|
* is not useful for this purpose. But we cannot close it, either,
|
|
|
|
* because it is not possible to turn a process ID into a process
|
|
|
|
* handle after the process terminated.
|
|
|
|
* Keep the handle in a list for waitpid.
|
|
|
|
*/
|
|
|
|
EnterCriticalSection(&pinfo_cs);
|
|
|
|
{
|
|
|
|
struct pinfo_t *info = xmalloc(sizeof(struct pinfo_t));
|
|
|
|
info->pid = pi.dwProcessId;
|
|
|
|
info->proc = pi.hProcess;
|
|
|
|
info->next = pinfo;
|
|
|
|
pinfo = info;
|
|
|
|
}
|
|
|
|
LeaveCriticalSection(&pinfo_cs);
|
|
|
|
|
|
|
|
return (pid_t)pi.dwProcessId;
|
2007-11-24 22:49:16 +01:00
|
|
|
}
|
|
|
|
|
2011-11-25 21:33:17 +01:00
|
|
|
static pid_t mingw_spawnv(const char *cmd, const char **argv, int prepend_cmd)
|
Windows: avoid the "dup dance" when spawning a child process
When stdin, stdout, or stderr must be redirected for a child process that
on Windows is spawned using one of the spawn() functions of Microsoft's
C runtime, then there is no choice other than to
1. make a backup copy of fd 0,1,2 with dup
2. dup2 the redirection source fd into 0,1,2
3. spawn
4. dup2 the backup back into 0,1,2
5. close the backup copy and the redirection source
We used this idiom as well -- but we are not using the spawn() functions
anymore!
Instead, we have our own implementation. We had hardcoded that stdin,
stdout, and stderr of the child process were inherited from the parent's
fds 0, 1, and 2. But we can actually specify any fd.
With this patch, the fds to inherit are passed from start_command()'s
WIN32 section to our spawn implementation. This way, we can avoid the
backup copies of the fds.
The backup copies were a bug waiting to surface: The OS handles underlying
the dup()ed fds were inherited by the child process (but were not
associated with a file descriptor in the child). Consequently, the file or
pipe represented by the OS handle remained open even after the backup copy
was closed in the parent process until the child exited.
Since our implementation of pipe() creates non-inheritable OS handles, we
still dup() file descriptors in start_command() because dup() happens to
create inheritable duplicates. (A nice side effect is that the fd cleanup
in start_command is the same for Windows and Unix and remains unchanged.)
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-01-15 21:12:18 +01:00
|
|
|
{
|
2014-07-17 17:38:01 +02:00
|
|
|
return mingw_spawnve_fd(cmd, argv, NULL, NULL, prepend_cmd, 0, 1, 2);
|
Windows: avoid the "dup dance" when spawning a child process
When stdin, stdout, or stderr must be redirected for a child process that
on Windows is spawned using one of the spawn() functions of Microsoft's
C runtime, then there is no choice other than to
1. make a backup copy of fd 0,1,2 with dup
2. dup2 the redirection source fd into 0,1,2
3. spawn
4. dup2 the backup back into 0,1,2
5. close the backup copy and the redirection source
We used this idiom as well -- but we are not using the spawn() functions
anymore!
Instead, we have our own implementation. We had hardcoded that stdin,
stdout, and stderr of the child process were inherited from the parent's
fds 0, 1, and 2. But we can actually specify any fd.
With this patch, the fds to inherit are passed from start_command()'s
WIN32 section to our spawn implementation. This way, we can avoid the
backup copies of the fds.
The backup copies were a bug waiting to surface: The OS handles underlying
the dup()ed fds were inherited by the child process (but were not
associated with a file descriptor in the child). Consequently, the file or
pipe represented by the OS handle remained open even after the backup copy
was closed in the parent process until the child exited.
Since our implementation of pipe() creates non-inheritable OS handles, we
still dup() file descriptors in start_command() because dup() happens to
create inheritable duplicates. (A nice side effect is that the fd cleanup
in start_command is the same for Windows and Unix and remains unchanged.)
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-01-15 21:12:18 +01:00
|
|
|
}
|
|
|
|
|
2014-07-17 17:38:01 +02:00
|
|
|
pid_t mingw_spawnvpe(const char *cmd, const char **argv, char **deltaenv,
|
2010-04-11 22:40:12 +02:00
|
|
|
const char *dir,
|
Windows: avoid the "dup dance" when spawning a child process
When stdin, stdout, or stderr must be redirected for a child process that
on Windows is spawned using one of the spawn() functions of Microsoft's
C runtime, then there is no choice other than to
1. make a backup copy of fd 0,1,2 with dup
2. dup2 the redirection source fd into 0,1,2
3. spawn
4. dup2 the backup back into 0,1,2
5. close the backup copy and the redirection source
We used this idiom as well -- but we are not using the spawn() functions
anymore!
Instead, we have our own implementation. We had hardcoded that stdin,
stdout, and stderr of the child process were inherited from the parent's
fds 0, 1, and 2. But we can actually specify any fd.
With this patch, the fds to inherit are passed from start_command()'s
WIN32 section to our spawn implementation. This way, we can avoid the
backup copies of the fds.
The backup copies were a bug waiting to surface: The OS handles underlying
the dup()ed fds were inherited by the child process (but were not
associated with a file descriptor in the child). Consequently, the file or
pipe represented by the OS handle remained open even after the backup copy
was closed in the parent process until the child exited.
Since our implementation of pipe() creates non-inheritable OS handles, we
still dup() file descriptors in start_command() because dup() happens to
create inheritable duplicates. (A nice side effect is that the fd cleanup
in start_command is the same for Windows and Unix and remains unchanged.)
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-01-15 21:12:18 +01:00
|
|
|
int fhin, int fhout, int fherr)
|
2007-11-24 22:49:16 +01:00
|
|
|
{
|
|
|
|
pid_t pid;
|
2017-05-20 21:35:37 +02:00
|
|
|
char *prog = path_lookup(cmd, 0);
|
2007-11-24 22:49:16 +01:00
|
|
|
|
|
|
|
if (!prog) {
|
|
|
|
errno = ENOENT;
|
|
|
|
pid = -1;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
const char *interpr = parse_interpreter(prog);
|
|
|
|
|
|
|
|
if (interpr) {
|
|
|
|
const char *argv0 = argv[0];
|
2017-05-20 21:35:37 +02:00
|
|
|
char *iprog = path_lookup(interpr, 1);
|
2007-11-24 22:49:16 +01:00
|
|
|
argv[0] = prog;
|
|
|
|
if (!iprog) {
|
|
|
|
errno = ENOENT;
|
|
|
|
pid = -1;
|
|
|
|
}
|
|
|
|
else {
|
2014-07-17 17:38:01 +02:00
|
|
|
pid = mingw_spawnve_fd(iprog, argv, deltaenv, dir, 1,
|
Windows: avoid the "dup dance" when spawning a child process
When stdin, stdout, or stderr must be redirected for a child process that
on Windows is spawned using one of the spawn() functions of Microsoft's
C runtime, then there is no choice other than to
1. make a backup copy of fd 0,1,2 with dup
2. dup2 the redirection source fd into 0,1,2
3. spawn
4. dup2 the backup back into 0,1,2
5. close the backup copy and the redirection source
We used this idiom as well -- but we are not using the spawn() functions
anymore!
Instead, we have our own implementation. We had hardcoded that stdin,
stdout, and stderr of the child process were inherited from the parent's
fds 0, 1, and 2. But we can actually specify any fd.
With this patch, the fds to inherit are passed from start_command()'s
WIN32 section to our spawn implementation. This way, we can avoid the
backup copies of the fds.
The backup copies were a bug waiting to surface: The OS handles underlying
the dup()ed fds were inherited by the child process (but were not
associated with a file descriptor in the child). Consequently, the file or
pipe represented by the OS handle remained open even after the backup copy
was closed in the parent process until the child exited.
Since our implementation of pipe() creates non-inheritable OS handles, we
still dup() file descriptors in start_command() because dup() happens to
create inheritable duplicates. (A nice side effect is that the fd cleanup
in start_command is the same for Windows and Unix and remains unchanged.)
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-01-15 21:12:18 +01:00
|
|
|
fhin, fhout, fherr);
|
2007-11-24 22:49:16 +01:00
|
|
|
free(iprog);
|
|
|
|
}
|
|
|
|
argv[0] = argv0;
|
|
|
|
}
|
|
|
|
else
|
2014-07-17 17:38:01 +02:00
|
|
|
pid = mingw_spawnve_fd(prog, argv, deltaenv, dir, 0,
|
Windows: avoid the "dup dance" when spawning a child process
When stdin, stdout, or stderr must be redirected for a child process that
on Windows is spawned using one of the spawn() functions of Microsoft's
C runtime, then there is no choice other than to
1. make a backup copy of fd 0,1,2 with dup
2. dup2 the redirection source fd into 0,1,2
3. spawn
4. dup2 the backup back into 0,1,2
5. close the backup copy and the redirection source
We used this idiom as well -- but we are not using the spawn() functions
anymore!
Instead, we have our own implementation. We had hardcoded that stdin,
stdout, and stderr of the child process were inherited from the parent's
fds 0, 1, and 2. But we can actually specify any fd.
With this patch, the fds to inherit are passed from start_command()'s
WIN32 section to our spawn implementation. This way, we can avoid the
backup copies of the fds.
The backup copies were a bug waiting to surface: The OS handles underlying
the dup()ed fds were inherited by the child process (but were not
associated with a file descriptor in the child). Consequently, the file or
pipe represented by the OS handle remained open even after the backup copy
was closed in the parent process until the child exited.
Since our implementation of pipe() creates non-inheritable OS handles, we
still dup() file descriptors in start_command() because dup() happens to
create inheritable duplicates. (A nice side effect is that the fd cleanup
in start_command is the same for Windows and Unix and remains unchanged.)
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-01-15 21:12:18 +01:00
|
|
|
fhin, fhout, fherr);
|
2007-11-24 22:49:16 +01:00
|
|
|
free(prog);
|
|
|
|
}
|
|
|
|
return pid;
|
|
|
|
}
|
|
|
|
|
2011-11-25 21:33:17 +01:00
|
|
|
static int try_shell_exec(const char *cmd, char *const *argv)
|
2007-12-04 12:38:32 +01:00
|
|
|
{
|
|
|
|
const char *interpr = parse_interpreter(cmd);
|
|
|
|
char *prog;
|
|
|
|
int pid = 0;
|
|
|
|
|
|
|
|
if (!interpr)
|
|
|
|
return 0;
|
2017-05-20 21:35:37 +02:00
|
|
|
prog = path_lookup(interpr, 1);
|
2007-12-04 12:38:32 +01:00
|
|
|
if (prog) {
|
2019-02-22 23:25:01 +01:00
|
|
|
int exec_id;
|
2007-12-04 12:38:32 +01:00
|
|
|
int argc = 0;
|
2019-06-19 23:06:02 +02:00
|
|
|
#ifndef _MSC_VER
|
|
|
|
const
|
|
|
|
#endif
|
|
|
|
char **argv2;
|
2007-12-04 12:38:32 +01:00
|
|
|
while (argv[argc]) argc++;
|
2016-02-22 23:44:25 +01:00
|
|
|
ALLOC_ARRAY(argv2, argc + 1);
|
2007-11-24 22:49:16 +01:00
|
|
|
argv2[0] = (char *)cmd; /* full path to the script file */
|
2019-11-12 22:41:14 +01:00
|
|
|
COPY_ARRAY(&argv2[1], &argv[1], argc);
|
2019-02-22 23:25:01 +01:00
|
|
|
exec_id = trace2_exec(prog, argv2);
|
2011-11-25 21:33:17 +01:00
|
|
|
pid = mingw_spawnv(prog, argv2, 1);
|
2007-12-04 12:38:32 +01:00
|
|
|
if (pid >= 0) {
|
|
|
|
int status;
|
|
|
|
if (waitpid(pid, &status, 0) < 0)
|
|
|
|
status = 255;
|
2019-02-22 23:25:01 +01:00
|
|
|
trace2_exec_result(exec_id, status);
|
2007-12-04 12:38:32 +01:00
|
|
|
exit(status);
|
|
|
|
}
|
2019-02-22 23:25:01 +01:00
|
|
|
trace2_exec_result(exec_id, -1);
|
2007-12-04 12:38:32 +01:00
|
|
|
pid = 1; /* indicate that we tried but failed */
|
|
|
|
free(prog);
|
|
|
|
free(argv2);
|
|
|
|
}
|
|
|
|
return pid;
|
|
|
|
}
|
|
|
|
|
2011-11-25 21:33:17 +01:00
|
|
|
int mingw_execv(const char *cmd, char *const *argv)
|
2007-12-04 12:38:32 +01:00
|
|
|
{
|
|
|
|
/* check if git_command is a shell script */
|
2011-11-25 21:33:17 +01:00
|
|
|
if (!try_shell_exec(cmd, argv)) {
|
2007-12-04 12:38:32 +01:00
|
|
|
int pid, status;
|
2019-02-22 23:25:01 +01:00
|
|
|
int exec_id;
|
2007-12-04 12:38:32 +01:00
|
|
|
|
2019-02-22 23:25:01 +01:00
|
|
|
exec_id = trace2_exec(cmd, (const char **)argv);
|
2011-11-25 21:33:17 +01:00
|
|
|
pid = mingw_spawnv(cmd, (const char **)argv, 0);
|
2019-02-22 23:25:01 +01:00
|
|
|
if (pid < 0) {
|
|
|
|
trace2_exec_result(exec_id, -1);
|
2012-05-29 04:21:39 +02:00
|
|
|
return -1;
|
2019-02-22 23:25:01 +01:00
|
|
|
}
|
2007-12-04 12:38:32 +01:00
|
|
|
if (waitpid(pid, &status, 0) < 0)
|
|
|
|
status = 255;
|
2019-02-22 23:25:01 +01:00
|
|
|
trace2_exec_result(exec_id, status);
|
2007-12-04 12:38:32 +01:00
|
|
|
exit(status);
|
|
|
|
}
|
2012-05-29 04:21:39 +02:00
|
|
|
return -1;
|
2007-12-04 12:38:32 +01:00
|
|
|
}
|
|
|
|
|
2012-04-05 19:48:46 +02:00
|
|
|
int mingw_execvp(const char *cmd, char *const *argv)
|
2007-12-04 12:38:32 +01:00
|
|
|
{
|
2017-05-20 21:35:37 +02:00
|
|
|
char *prog = path_lookup(cmd, 0);
|
2007-12-04 12:38:32 +01:00
|
|
|
|
|
|
|
if (prog) {
|
2011-11-25 21:33:17 +01:00
|
|
|
mingw_execv(prog, argv);
|
2007-12-04 12:38:32 +01:00
|
|
|
free(prog);
|
|
|
|
} else
|
|
|
|
errno = ENOENT;
|
|
|
|
|
2012-04-05 19:48:46 +02:00
|
|
|
return -1;
|
2007-12-04 12:38:32 +01:00
|
|
|
}
|
|
|
|
|
2010-11-04 02:35:15 +01:00
|
|
|
int mingw_kill(pid_t pid, int sig)
|
|
|
|
{
|
|
|
|
if (pid > 0 && sig == SIGTERM) {
|
|
|
|
HANDLE h = OpenProcess(PROCESS_TERMINATE, FALSE, pid);
|
|
|
|
|
|
|
|
if (TerminateProcess(h, -1)) {
|
|
|
|
CloseHandle(h);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
errno = err_win_to_posix(GetLastError());
|
|
|
|
CloseHandle(h);
|
|
|
|
return -1;
|
2013-08-08 13:05:38 +02:00
|
|
|
} else if (pid > 0 && sig == 0) {
|
|
|
|
HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
|
|
|
|
if (h) {
|
|
|
|
CloseHandle(h);
|
|
|
|
return 0;
|
|
|
|
}
|
2010-11-04 02:35:15 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
errno = EINVAL;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2014-07-17 17:38:04 +02:00
|
|
|
/*
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
* UTF-8 versions of getenv(), putenv() and unsetenv().
|
|
|
|
* Internally, they use the CRT's stock UNICODE routines
|
|
|
|
* to avoid data loss.
|
2014-07-17 17:38:04 +02:00
|
|
|
*/
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
char *mingw_getenv(const char *name)
|
2014-07-17 17:38:04 +02:00
|
|
|
{
|
mingw: safe-guard a bit more against getenv() problems
Running up to v2.21.0, we fixed two bugs that were made prominent by the
Windows-specific change to retain copies of only the 30 latest getenv()
calls' returned strings, invalidating any copies of previous getenv()
calls' return values.
While this really shines a light onto bugs of the form where we hold
onto getenv()'s return values without copying them, it is also a real
problem for users.
And even if Jeff King's patches merged via 773e408881 (Merge branch
'jk/save-getenv-result', 2019-01-29) provide further work on that front,
we are far from done. Just one example: on Windows, we unset environment
variables when spawning new processes, which potentially invalidates
strings that were previously obtained via getenv(), and therefore we
have to duplicate environment values that are somehow involved in
spawning new processes (e.g. GIT_MAN_VIEWER in show_man_page()).
We do not have a chance to investigate, let address, all of those issues
in time for v2.21.0, so let's at least help Windows users by increasing
the number of getenv() calls' return values that are kept valid. The
number 64 was determined by looking at the average number of getenv()
calls per process in the entire test suite run on Windows (which is
around 40) and then adding a bit for good measure. And it is a power of
two (which would have hit yesterday's theme perfectly).
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-02-15 16:17:45 +01:00
|
|
|
#define GETENV_MAX_RETAIN 64
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
static char *values[GETENV_MAX_RETAIN];
|
|
|
|
static int value_counter;
|
|
|
|
int len_key, len_value;
|
|
|
|
wchar_t *w_key;
|
|
|
|
char *value;
|
|
|
|
wchar_t w_value[32768];
|
2014-07-17 17:38:04 +02:00
|
|
|
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
if (!name || !*name)
|
|
|
|
return NULL;
|
2007-12-07 22:08:59 +01:00
|
|
|
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
len_key = strlen(name) + 1;
|
|
|
|
/* We cannot use xcalloc() here because that uses getenv() itself */
|
|
|
|
w_key = calloc(len_key, sizeof(wchar_t));
|
|
|
|
if (!w_key)
|
|
|
|
die("Out of memory, (tried to allocate %u wchar_t's)", len_key);
|
|
|
|
xutftowcs(w_key, name, len_key);
|
2019-10-04 17:09:30 +02:00
|
|
|
/* GetEnvironmentVariableW() only sets the last error upon failure */
|
|
|
|
SetLastError(ERROR_SUCCESS);
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
len_value = GetEnvironmentVariableW(w_key, w_value, ARRAY_SIZE(w_value));
|
|
|
|
if (!len_value && GetLastError() == ERROR_ENVVAR_NOT_FOUND) {
|
|
|
|
free(w_key);
|
|
|
|
return NULL;
|
2007-12-07 22:08:59 +01:00
|
|
|
}
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
free(w_key);
|
|
|
|
|
|
|
|
len_value = len_value * 3 + 1;
|
|
|
|
/* We cannot use xcalloc() here because that uses getenv() itself */
|
|
|
|
value = calloc(len_value, sizeof(char));
|
|
|
|
if (!value)
|
|
|
|
die("Out of memory, (tried to allocate %u bytes)", len_value);
|
|
|
|
xwcstoutf(value, w_value, len_value);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We return `value` which is an allocated value and the caller is NOT
|
|
|
|
* expecting to have to free it, so we keep a round-robin array,
|
|
|
|
* invalidating the buffer after GETENV_MAX_RETAIN getenv() calls.
|
|
|
|
*/
|
|
|
|
free(values[value_counter]);
|
|
|
|
values[value_counter++] = value;
|
|
|
|
if (value_counter >= ARRAY_SIZE(values))
|
|
|
|
value_counter = 0;
|
|
|
|
|
|
|
|
return value;
|
2007-12-07 22:08:59 +01:00
|
|
|
}
|
|
|
|
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
int mingw_putenv(const char *namevalue)
|
2007-12-07 22:08:59 +01:00
|
|
|
{
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
int size;
|
|
|
|
wchar_t *wide, *equal;
|
|
|
|
BOOL result;
|
2007-12-07 22:08:59 +01:00
|
|
|
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
if (!namevalue || !*namevalue)
|
|
|
|
return 0;
|
2007-12-07 22:08:59 +01:00
|
|
|
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
size = strlen(namevalue) * 2 + 1;
|
|
|
|
wide = calloc(size, sizeof(wchar_t));
|
|
|
|
if (!wide)
|
|
|
|
die("Out of memory, (tried to allocate %u wchar_t's)", size);
|
|
|
|
xutftowcs(wide, namevalue, size);
|
|
|
|
equal = wcschr(wide, L'=');
|
|
|
|
if (!equal)
|
|
|
|
result = SetEnvironmentVariableW(wide, NULL);
|
|
|
|
else {
|
|
|
|
*equal = L'\0';
|
|
|
|
result = SetEnvironmentVariableW(wide, equal + 1);
|
2007-12-07 22:08:59 +01:00
|
|
|
}
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
free(wide);
|
2009-09-11 19:40:08 +02:00
|
|
|
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
if (!result)
|
|
|
|
errno = err_win_to_posix(GetLastError());
|
2011-06-06 09:08:13 +02:00
|
|
|
|
mingw: reencode environment variables on the fly (UTF-16 <-> UTF-8)
On Windows, the authoritative environment is encoded in UTF-16. In Git
for Windows, we convert that to UTF-8 (because UTF-16 is *such* a
foreign idea to Git that its source code is unprepared for it).
Previously, out of performance concerns, we converted the entire
environment to UTF-8 in one fell swoop at the beginning, and upon
putenv() and run_command() converted it back.
Having a private copy of the environment comes with its own perils: when
a library used by Git's source code tries to modify the environment, it
does not really work (in Git for Windows' case, libcurl, see
https://github.com/git-for-windows/git/compare/bcad1e6d58^...bcad1e6d58^2
for a glimpse of the issues).
Hence, it makes our environment handling substantially more robust if we
switch to on-the-fly-conversion in `getenv()`/`putenv()` calls. Based
on an initial version in the MSVC context by Jeff Hostetler, this patch
makes it so.
Surprisingly, this has a *positive* effect on speed: at the time when
the current code was written, we tested the performance, and there were
*so many* `getenv()` calls that it seemed better to convert everything
in one go. In the meantime, though, Git has obviously been cleaned up a
bit with regards to `getenv()` calls so that the Git processes spawned
by the test suite use an average of only 40 `getenv()`/`putenv()` calls
over the process lifetime.
Speaking of the entire test suite: the total time spent in the
re-encoding in the current code takes about 32.4 seconds (out of 113
minutes runtime), whereas the code introduced in this patch takes only
about 8.2 seconds in total. Not much, but it proves that we need not be
concerned about the performance impact introduced by this patch.
Helped-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-30 10:22:30 +01:00
|
|
|
return result ? 0 : -1;
|
2011-06-06 09:06:02 +02:00
|
|
|
}
|
|
|
|
|
2009-11-23 23:55:12 +01:00
|
|
|
static void ensure_socket_initialization(void)
|
2007-12-26 13:51:18 +01:00
|
|
|
{
|
|
|
|
WSADATA wsa;
|
2009-11-23 23:55:12 +01:00
|
|
|
static int initialized = 0;
|
|
|
|
|
|
|
|
if (initialized)
|
|
|
|
return;
|
2007-12-26 13:51:18 +01:00
|
|
|
|
|
|
|
if (WSAStartup(MAKEWORD(2,2), &wsa))
|
|
|
|
die("unable to initialize winsock subsystem, error %d",
|
|
|
|
WSAGetLastError());
|
2009-11-23 23:55:50 +01:00
|
|
|
|
2019-02-27 09:43:13 +01:00
|
|
|
atexit((void(*)(void)) WSACleanup);
|
2009-11-23 23:55:12 +01:00
|
|
|
initialized = 1;
|
|
|
|
}
|
|
|
|
|
2011-10-15 16:05:20 +02:00
|
|
|
#undef gethostname
|
|
|
|
int mingw_gethostname(char *name, int namelen)
|
|
|
|
{
|
|
|
|
ensure_socket_initialization();
|
|
|
|
return gethostname(name, namelen);
|
|
|
|
}
|
|
|
|
|
2009-11-23 23:55:12 +01:00
|
|
|
#undef gethostbyname
|
|
|
|
struct hostent *mingw_gethostbyname(const char *host)
|
|
|
|
{
|
|
|
|
ensure_socket_initialization();
|
2007-12-26 13:51:18 +01:00
|
|
|
return gethostbyname(host);
|
|
|
|
}
|
|
|
|
|
2019-02-27 09:43:13 +01:00
|
|
|
#undef getaddrinfo
|
2009-11-23 23:55:50 +01:00
|
|
|
int mingw_getaddrinfo(const char *node, const char *service,
|
|
|
|
const struct addrinfo *hints, struct addrinfo **res)
|
|
|
|
{
|
|
|
|
ensure_socket_initialization();
|
2019-02-27 09:43:13 +01:00
|
|
|
return getaddrinfo(node, service, hints, res);
|
2009-11-23 23:55:50 +01:00
|
|
|
}
|
|
|
|
|
2007-12-26 13:51:18 +01:00
|
|
|
int mingw_socket(int domain, int type, int protocol)
|
|
|
|
{
|
|
|
|
int sockfd;
|
2010-11-04 02:35:09 +01:00
|
|
|
SOCKET s;
|
|
|
|
|
|
|
|
ensure_socket_initialization();
|
|
|
|
s = WSASocket(domain, type, protocol, NULL, 0, 0);
|
2007-12-26 13:51:18 +01:00
|
|
|
if (s == INVALID_SOCKET) {
|
|
|
|
/*
|
|
|
|
* WSAGetLastError() values are regular BSD error codes
|
|
|
|
* biased by WSABASEERR.
|
|
|
|
* However, strerror() does not know about networking
|
|
|
|
* specific errors, which are values beginning at 38 or so.
|
|
|
|
* Therefore, we choose to leave the biased error code
|
|
|
|
* in errno so that _if_ someone looks up the code somewhere,
|
|
|
|
* then it is at least the number that are usually listed.
|
|
|
|
*/
|
|
|
|
errno = WSAGetLastError();
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
/* convert into a file descriptor */
|
|
|
|
if ((sockfd = _open_osfhandle(s, O_RDWR|O_BINARY)) < 0) {
|
|
|
|
closesocket(s);
|
|
|
|
return error("unable to make a socket file descriptor: %s",
|
|
|
|
strerror(errno));
|
|
|
|
}
|
|
|
|
return sockfd;
|
|
|
|
}
|
|
|
|
|
|
|
|
#undef connect
|
|
|
|
int mingw_connect(int sockfd, struct sockaddr *sa, size_t sz)
|
|
|
|
{
|
|
|
|
SOCKET s = (SOCKET)_get_osfhandle(sockfd);
|
|
|
|
return connect(s, sa, sz);
|
|
|
|
}
|
|
|
|
|
2010-11-04 02:35:09 +01:00
|
|
|
#undef bind
|
|
|
|
int mingw_bind(int sockfd, struct sockaddr *sa, size_t sz)
|
|
|
|
{
|
|
|
|
SOCKET s = (SOCKET)_get_osfhandle(sockfd);
|
|
|
|
return bind(s, sa, sz);
|
|
|
|
}
|
|
|
|
|
|
|
|
#undef setsockopt
|
|
|
|
int mingw_setsockopt(int sockfd, int lvl, int optname, void *optval, int optlen)
|
|
|
|
{
|
|
|
|
SOCKET s = (SOCKET)_get_osfhandle(sockfd);
|
|
|
|
return setsockopt(s, lvl, optname, (const char*)optval, optlen);
|
|
|
|
}
|
|
|
|
|
2011-05-18 22:24:37 +02:00
|
|
|
#undef shutdown
|
|
|
|
int mingw_shutdown(int sockfd, int how)
|
|
|
|
{
|
|
|
|
SOCKET s = (SOCKET)_get_osfhandle(sockfd);
|
|
|
|
return shutdown(s, how);
|
|
|
|
}
|
|
|
|
|
2010-11-04 02:35:09 +01:00
|
|
|
#undef listen
|
|
|
|
int mingw_listen(int sockfd, int backlog)
|
|
|
|
{
|
|
|
|
SOCKET s = (SOCKET)_get_osfhandle(sockfd);
|
|
|
|
return listen(s, backlog);
|
|
|
|
}
|
|
|
|
|
|
|
|
#undef accept
|
|
|
|
int mingw_accept(int sockfd1, struct sockaddr *sa, socklen_t *sz)
|
|
|
|
{
|
|
|
|
int sockfd2;
|
|
|
|
|
|
|
|
SOCKET s1 = (SOCKET)_get_osfhandle(sockfd1);
|
|
|
|
SOCKET s2 = accept(s1, sa, sz);
|
|
|
|
|
|
|
|
/* convert into a file descriptor */
|
|
|
|
if ((sockfd2 = _open_osfhandle(s2, O_RDWR|O_BINARY)) < 0) {
|
|
|
|
int err = errno;
|
|
|
|
closesocket(s2);
|
|
|
|
return error("unable to make a socket file descriptor: %s",
|
|
|
|
strerror(err));
|
|
|
|
}
|
|
|
|
return sockfd2;
|
|
|
|
}
|
|
|
|
|
2007-12-07 22:19:40 +01:00
|
|
|
#undef rename
|
|
|
|
int mingw_rename(const char *pold, const char *pnew)
|
|
|
|
{
|
2009-04-03 08:49:59 +02:00
|
|
|
DWORD attrs, gle;
|
|
|
|
int tries = 0;
|
2012-03-15 18:21:28 +01:00
|
|
|
wchar_t wpold[MAX_PATH], wpnew[MAX_PATH];
|
|
|
|
if (xutftowcs_path(wpold, pold) < 0 || xutftowcs_path(wpnew, pnew) < 0)
|
|
|
|
return -1;
|
2008-11-19 17:25:27 +01:00
|
|
|
|
2007-12-07 22:19:40 +01:00
|
|
|
/*
|
|
|
|
* Try native rename() first to get errno right.
|
|
|
|
* It is based on MoveFile(), which cannot overwrite existing files.
|
|
|
|
*/
|
2012-03-15 18:21:28 +01:00
|
|
|
if (!_wrename(wpold, wpnew))
|
2007-12-07 22:19:40 +01:00
|
|
|
return 0;
|
|
|
|
if (errno != EEXIST)
|
|
|
|
return -1;
|
2009-04-03 08:49:59 +02:00
|
|
|
repeat:
|
2012-03-15 18:21:28 +01:00
|
|
|
if (MoveFileExW(wpold, wpnew, MOVEFILE_REPLACE_EXISTING))
|
2007-12-07 22:19:40 +01:00
|
|
|
return 0;
|
|
|
|
/* TODO: translate more errors */
|
2009-04-03 08:49:59 +02:00
|
|
|
gle = GetLastError();
|
|
|
|
if (gle == ERROR_ACCESS_DENIED &&
|
2012-03-15 18:21:28 +01:00
|
|
|
(attrs = GetFileAttributesW(wpnew)) != INVALID_FILE_ATTRIBUTES) {
|
2008-11-19 17:25:27 +01:00
|
|
|
if (attrs & FILE_ATTRIBUTE_DIRECTORY) {
|
2016-01-26 15:34:47 +01:00
|
|
|
DWORD attrsold = GetFileAttributesW(wpold);
|
|
|
|
if (attrsold == INVALID_FILE_ATTRIBUTES ||
|
|
|
|
!(attrsold & FILE_ATTRIBUTE_DIRECTORY))
|
|
|
|
errno = EISDIR;
|
|
|
|
else if (!_wrmdir(wpnew))
|
|
|
|
goto repeat;
|
2007-12-07 22:19:40 +01:00
|
|
|
return -1;
|
|
|
|
}
|
2008-11-19 17:25:27 +01:00
|
|
|
if ((attrs & FILE_ATTRIBUTE_READONLY) &&
|
2012-03-15 18:21:28 +01:00
|
|
|
SetFileAttributesW(wpnew, attrs & ~FILE_ATTRIBUTE_READONLY)) {
|
|
|
|
if (MoveFileExW(wpold, wpnew, MOVEFILE_REPLACE_EXISTING))
|
2008-11-19 17:25:27 +01:00
|
|
|
return 0;
|
2009-04-03 08:49:59 +02:00
|
|
|
gle = GetLastError();
|
2008-11-19 17:25:27 +01:00
|
|
|
/* revert file attributes on failure */
|
2012-03-15 18:21:28 +01:00
|
|
|
SetFileAttributesW(wpnew, attrs);
|
2008-11-19 17:25:27 +01:00
|
|
|
}
|
2007-12-07 22:19:40 +01:00
|
|
|
}
|
2009-04-03 08:49:59 +02:00
|
|
|
if (tries < ARRAY_SIZE(delay) && gle == ERROR_ACCESS_DENIED) {
|
|
|
|
/*
|
|
|
|
* We assume that some other process had the source or
|
|
|
|
* destination file open at the wrong moment and retry.
|
|
|
|
* In order to give the other process a higher chance to
|
|
|
|
* complete its operation, we give up our time slice now.
|
|
|
|
* If we have to retry again, we do sleep a bit.
|
|
|
|
*/
|
|
|
|
Sleep(delay[tries]);
|
|
|
|
tries++;
|
|
|
|
goto repeat;
|
|
|
|
}
|
2011-02-07 21:51:21 +01:00
|
|
|
if (gle == ERROR_ACCESS_DENIED &&
|
|
|
|
ask_yes_no_if_possible("Rename from '%s' to '%s' failed. "
|
|
|
|
"Should I try again?", pold, pnew))
|
|
|
|
goto repeat;
|
|
|
|
|
2007-12-07 22:19:40 +01:00
|
|
|
errno = EACCES;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2009-11-07 21:10:31 +01:00
|
|
|
/*
|
|
|
|
* Note that this doesn't return the actual pagesize, but
|
|
|
|
* the allocation granularity. If future Windows specific git code
|
|
|
|
* needs the real getpagesize function, we need to find another solution.
|
|
|
|
*/
|
|
|
|
int mingw_getpagesize(void)
|
|
|
|
{
|
|
|
|
SYSTEM_INFO si;
|
|
|
|
GetSystemInfo(&si);
|
|
|
|
return si.dwAllocationGranularity;
|
|
|
|
}
|
|
|
|
|
2018-10-15 11:47:06 +02:00
|
|
|
/* See https://msdn.microsoft.com/en-us/library/windows/desktop/ms724435.aspx */
|
|
|
|
enum EXTENDED_NAME_FORMAT {
|
|
|
|
NameDisplay = 3,
|
|
|
|
NameUserPrincipal = 8
|
|
|
|
};
|
|
|
|
|
|
|
|
static char *get_extended_user_info(enum EXTENDED_NAME_FORMAT type)
|
|
|
|
{
|
|
|
|
DECLARE_PROC_ADDR(secur32.dll, BOOL, GetUserNameExW,
|
|
|
|
enum EXTENDED_NAME_FORMAT, LPCWSTR, PULONG);
|
|
|
|
static wchar_t wbuffer[1024];
|
|
|
|
DWORD len;
|
|
|
|
|
|
|
|
if (!INIT_PROC_ADDR(GetUserNameExW))
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
len = ARRAY_SIZE(wbuffer);
|
|
|
|
if (GetUserNameExW(type, wbuffer, &len)) {
|
|
|
|
char *converted = xmalloc((len *= 3));
|
|
|
|
if (xwcstoutf(converted, wbuffer, len) >= 0)
|
|
|
|
return converted;
|
|
|
|
free(converted);
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2018-10-15 11:47:08 +02:00
|
|
|
char *mingw_query_user_email(void)
|
|
|
|
{
|
|
|
|
return get_extended_user_info(NameUserPrincipal);
|
|
|
|
}
|
|
|
|
|
2007-12-01 21:24:59 +01:00
|
|
|
struct passwd *getpwuid(int uid)
|
|
|
|
{
|
2018-10-15 11:47:05 +02:00
|
|
|
static unsigned initialized;
|
2007-12-01 22:09:17 +01:00
|
|
|
static char user_name[100];
|
2018-10-15 11:47:05 +02:00
|
|
|
static struct passwd *p;
|
2019-06-27 11:37:18 +02:00
|
|
|
wchar_t buf[100];
|
2018-10-15 11:47:05 +02:00
|
|
|
DWORD len;
|
2007-12-01 22:09:17 +01:00
|
|
|
|
2018-10-15 11:47:05 +02:00
|
|
|
if (initialized)
|
|
|
|
return p;
|
2007-12-01 22:09:17 +01:00
|
|
|
|
2019-07-05 00:36:57 +02:00
|
|
|
len = ARRAY_SIZE(buf);
|
2019-06-27 11:37:18 +02:00
|
|
|
if (!GetUserNameW(buf, &len)) {
|
|
|
|
initialized = 1;
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (xwcstoutf(user_name, buf, sizeof(user_name)) < 0) {
|
2018-10-15 11:47:05 +02:00
|
|
|
initialized = 1;
|
2007-12-01 22:09:17 +01:00
|
|
|
return NULL;
|
2018-10-15 11:47:05 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
p = xmalloc(sizeof(*p));
|
|
|
|
p->pw_name = user_name;
|
2018-10-15 11:47:06 +02:00
|
|
|
p->pw_gecos = get_extended_user_info(NameDisplay);
|
|
|
|
if (!p->pw_gecos)
|
|
|
|
p->pw_gecos = "unknown";
|
2018-10-15 11:47:05 +02:00
|
|
|
p->pw_dir = NULL;
|
|
|
|
|
|
|
|
initialized = 1;
|
|
|
|
return p;
|
2007-12-01 21:24:59 +01:00
|
|
|
}
|
|
|
|
|
2007-11-13 10:14:45 +01:00
|
|
|
static HANDLE timer_event;
|
|
|
|
static HANDLE timer_thread;
|
|
|
|
static int timer_interval;
|
|
|
|
static int one_shot;
|
2012-12-04 09:10:38 +01:00
|
|
|
static sig_handler_t timer_fn = SIG_DFL, sigint_fn = SIG_DFL;
|
2007-11-13 10:14:45 +01:00
|
|
|
|
|
|
|
/* The timer works like this:
|
|
|
|
* The thread, ticktack(), is a trivial routine that most of the time
|
|
|
|
* only waits to receive the signal to terminate. The main thread tells
|
|
|
|
* the thread to terminate by setting the timer_event to the signalled
|
|
|
|
* state.
|
|
|
|
* But ticktack() interrupts the wait state after the timer's interval
|
|
|
|
* length to call the signal handler.
|
|
|
|
*/
|
|
|
|
|
2009-09-16 10:20:21 +02:00
|
|
|
static unsigned __stdcall ticktack(void *dummy)
|
2007-11-13 10:14:45 +01:00
|
|
|
{
|
|
|
|
while (WaitForSingleObject(timer_event, timer_interval) == WAIT_TIMEOUT) {
|
2012-12-04 09:10:38 +01:00
|
|
|
mingw_raise(SIGALRM);
|
2007-11-13 10:14:45 +01:00
|
|
|
if (one_shot)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int start_timer_thread(void)
|
|
|
|
{
|
|
|
|
timer_event = CreateEvent(NULL, FALSE, FALSE, NULL);
|
|
|
|
if (timer_event) {
|
|
|
|
timer_thread = (HANDLE) _beginthreadex(NULL, 0, ticktack, NULL, 0, NULL);
|
|
|
|
if (!timer_thread )
|
|
|
|
return errno = ENOMEM,
|
|
|
|
error("cannot start timer thread");
|
|
|
|
} else
|
|
|
|
return errno = ENOMEM,
|
|
|
|
error("cannot allocate resources for timer");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void stop_timer_thread(void)
|
|
|
|
{
|
|
|
|
if (timer_event)
|
|
|
|
SetEvent(timer_event); /* tell thread to terminate */
|
|
|
|
if (timer_thread) {
|
2019-01-29 15:19:31 +01:00
|
|
|
int rc = WaitForSingleObject(timer_thread, 10000);
|
2007-11-13 10:14:45 +01:00
|
|
|
if (rc == WAIT_TIMEOUT)
|
|
|
|
error("timer thread did not terminate timely");
|
|
|
|
else if (rc != WAIT_OBJECT_0)
|
|
|
|
error("waiting for timer thread failed: %lu",
|
|
|
|
GetLastError());
|
|
|
|
CloseHandle(timer_thread);
|
|
|
|
}
|
|
|
|
if (timer_event)
|
|
|
|
CloseHandle(timer_event);
|
|
|
|
timer_event = NULL;
|
|
|
|
timer_thread = NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int is_timeval_eq(const struct timeval *i1, const struct timeval *i2)
|
|
|
|
{
|
|
|
|
return i1->tv_sec == i2->tv_sec && i1->tv_usec == i2->tv_usec;
|
|
|
|
}
|
|
|
|
|
2007-12-01 21:24:59 +01:00
|
|
|
int setitimer(int type, struct itimerval *in, struct itimerval *out)
|
|
|
|
{
|
2007-11-13 10:14:45 +01:00
|
|
|
static const struct timeval zero;
|
|
|
|
static int atexit_done;
|
|
|
|
|
|
|
|
if (out != NULL)
|
|
|
|
return errno = EINVAL,
|
|
|
|
error("setitimer param 3 != NULL not implemented");
|
|
|
|
if (!is_timeval_eq(&in->it_interval, &zero) &&
|
|
|
|
!is_timeval_eq(&in->it_interval, &in->it_value))
|
|
|
|
return errno = EINVAL,
|
|
|
|
error("setitimer: it_interval must be zero or eq it_value");
|
|
|
|
|
|
|
|
if (timer_thread)
|
|
|
|
stop_timer_thread();
|
|
|
|
|
|
|
|
if (is_timeval_eq(&in->it_value, &zero) &&
|
|
|
|
is_timeval_eq(&in->it_interval, &zero))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
timer_interval = in->it_value.tv_sec * 1000 + in->it_value.tv_usec / 1000;
|
|
|
|
one_shot = is_timeval_eq(&in->it_interval, &zero);
|
|
|
|
if (!atexit_done) {
|
|
|
|
atexit(stop_timer_thread);
|
|
|
|
atexit_done = 1;
|
|
|
|
}
|
|
|
|
return start_timer_thread();
|
2007-12-01 21:24:59 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
int sigaction(int sig, struct sigaction *in, struct sigaction *out)
|
|
|
|
{
|
2007-11-13 10:14:45 +01:00
|
|
|
if (sig != SIGALRM)
|
|
|
|
return errno = EINVAL,
|
|
|
|
error("sigaction only implemented for SIGALRM");
|
|
|
|
if (out != NULL)
|
|
|
|
return errno = EINVAL,
|
|
|
|
error("sigaction: param 3 != NULL not implemented");
|
|
|
|
|
|
|
|
timer_fn = in->sa_handler;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
#undef signal
|
|
|
|
sig_handler_t mingw_signal(int sig, sig_handler_t handler)
|
|
|
|
{
|
2013-06-10 07:48:17 +02:00
|
|
|
sig_handler_t old;
|
2012-12-04 09:10:38 +01:00
|
|
|
|
|
|
|
switch (sig) {
|
|
|
|
case SIGALRM:
|
2013-06-10 07:48:17 +02:00
|
|
|
old = timer_fn;
|
2012-12-04 09:10:38 +01:00
|
|
|
timer_fn = handler;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case SIGINT:
|
2013-06-10 07:48:17 +02:00
|
|
|
old = sigint_fn;
|
2012-12-04 09:10:38 +01:00
|
|
|
sigint_fn = handler;
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
2007-11-13 10:14:45 +01:00
|
|
|
return signal(sig, handler);
|
2012-12-04 09:10:38 +01:00
|
|
|
}
|
|
|
|
|
2007-11-13 10:14:45 +01:00
|
|
|
return old;
|
2007-12-01 21:24:59 +01:00
|
|
|
}
|
2008-07-13 22:31:20 +02:00
|
|
|
|
2012-12-04 09:10:38 +01:00
|
|
|
#undef raise
|
|
|
|
int mingw_raise(int sig)
|
|
|
|
{
|
|
|
|
switch (sig) {
|
|
|
|
case SIGALRM:
|
|
|
|
if (timer_fn == SIG_DFL) {
|
|
|
|
if (isatty(STDERR_FILENO))
|
|
|
|
fputs("Alarm clock\n", stderr);
|
|
|
|
exit(128 + SIGALRM);
|
|
|
|
} else if (timer_fn != SIG_IGN)
|
|
|
|
timer_fn(SIGALRM);
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
case SIGINT:
|
|
|
|
if (sigint_fn == SIG_DFL)
|
|
|
|
exit(128 + SIGINT);
|
|
|
|
else if (sigint_fn != SIG_IGN)
|
|
|
|
sigint_fn(SIGINT);
|
|
|
|
return 0;
|
|
|
|
|
2019-06-25 16:49:41 +02:00
|
|
|
#if defined(_MSC_VER)
|
|
|
|
case SIGILL:
|
|
|
|
case SIGFPE:
|
|
|
|
case SIGSEGV:
|
|
|
|
case SIGTERM:
|
|
|
|
case SIGBREAK:
|
|
|
|
case SIGABRT:
|
|
|
|
case SIGABRT_COMPAT:
|
|
|
|
/*
|
|
|
|
* The <signal.h> header in the MS C Runtime defines 8 signals
|
|
|
|
* as being supported on the platform. Anything else causes an
|
|
|
|
* "Invalid signal or error" (which in DEBUG builds causes the
|
|
|
|
* Abort/Retry/Ignore dialog). We by-pass the CRT for things we
|
|
|
|
* already know will fail.
|
|
|
|
*/
|
|
|
|
return raise(sig);
|
|
|
|
default:
|
|
|
|
errno = EINVAL;
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
#else
|
|
|
|
|
2012-12-04 09:10:38 +01:00
|
|
|
default:
|
|
|
|
return raise(sig);
|
2019-06-25 16:49:41 +02:00
|
|
|
|
|
|
|
#endif
|
|
|
|
|
2012-12-04 09:10:38 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2009-01-24 15:04:39 +01:00
|
|
|
int link(const char *oldpath, const char *newpath)
|
|
|
|
{
|
2012-03-15 18:21:28 +01:00
|
|
|
wchar_t woldpath[MAX_PATH], wnewpath[MAX_PATH];
|
|
|
|
if (xutftowcs_path(woldpath, oldpath) < 0 ||
|
|
|
|
xutftowcs_path(wnewpath, newpath) < 0)
|
|
|
|
return -1;
|
|
|
|
|
2018-11-13 15:37:02 +01:00
|
|
|
if (!CreateHardLinkW(wnewpath, woldpath, NULL)) {
|
2009-01-24 15:04:39 +01:00
|
|
|
errno = err_win_to_posix(GetLastError());
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
2009-05-23 10:04:50 +02:00
|
|
|
|
2011-12-08 20:39:57 +01:00
|
|
|
pid_t waitpid(pid_t pid, int *status, int options)
|
2010-11-04 02:35:13 +01:00
|
|
|
{
|
|
|
|
HANDLE h = OpenProcess(SYNCHRONIZE | PROCESS_QUERY_INFORMATION,
|
|
|
|
FALSE, pid);
|
|
|
|
if (!h) {
|
|
|
|
errno = ECHILD;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2010-11-04 02:35:14 +01:00
|
|
|
if (pid > 0 && options & WNOHANG) {
|
|
|
|
if (WAIT_OBJECT_0 != WaitForSingleObject(h, 0)) {
|
|
|
|
CloseHandle(h);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
options &= ~WNOHANG;
|
|
|
|
}
|
|
|
|
|
2010-11-04 02:35:13 +01:00
|
|
|
if (options == 0) {
|
|
|
|
struct pinfo_t **ppinfo;
|
|
|
|
if (WaitForSingleObject(h, INFINITE) != WAIT_OBJECT_0) {
|
|
|
|
CloseHandle(h);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (status)
|
|
|
|
GetExitCodeProcess(h, (LPDWORD)status);
|
|
|
|
|
|
|
|
EnterCriticalSection(&pinfo_cs);
|
|
|
|
|
|
|
|
ppinfo = &pinfo;
|
|
|
|
while (*ppinfo) {
|
|
|
|
struct pinfo_t *info = *ppinfo;
|
|
|
|
if (info->pid == pid) {
|
|
|
|
CloseHandle(info->proc);
|
|
|
|
*ppinfo = info->next;
|
|
|
|
free(info);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
ppinfo = &info->next;
|
|
|
|
}
|
|
|
|
|
|
|
|
LeaveCriticalSection(&pinfo_cs);
|
|
|
|
|
|
|
|
CloseHandle(h);
|
|
|
|
return pid;
|
|
|
|
}
|
|
|
|
CloseHandle(h);
|
|
|
|
|
|
|
|
errno = EINVAL;
|
|
|
|
return -1;
|
|
|
|
}
|
2010-07-13 16:17:43 +02:00
|
|
|
|
2011-11-25 21:05:06 +01:00
|
|
|
int xutftowcsn(wchar_t *wcs, const char *utfs, size_t wcslen, int utflen)
|
|
|
|
{
|
|
|
|
int upos = 0, wpos = 0;
|
|
|
|
const unsigned char *utf = (const unsigned char*) utfs;
|
|
|
|
if (!utf || !wcs || wcslen < 1) {
|
|
|
|
errno = EINVAL;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
/* reserve space for \0 */
|
|
|
|
wcslen--;
|
|
|
|
if (utflen < 0)
|
|
|
|
utflen = INT_MAX;
|
|
|
|
|
|
|
|
while (upos < utflen) {
|
|
|
|
int c = utf[upos++] & 0xff;
|
|
|
|
if (utflen == INT_MAX && c == 0)
|
|
|
|
break;
|
|
|
|
|
|
|
|
if (wpos >= wcslen) {
|
|
|
|
wcs[wpos] = 0;
|
|
|
|
errno = ERANGE;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (c < 0x80) {
|
|
|
|
/* ASCII */
|
|
|
|
wcs[wpos++] = c;
|
|
|
|
} else if (c >= 0xc2 && c < 0xe0 && upos < utflen &&
|
|
|
|
(utf[upos] & 0xc0) == 0x80) {
|
|
|
|
/* 2-byte utf-8 */
|
|
|
|
c = ((c & 0x1f) << 6);
|
|
|
|
c |= (utf[upos++] & 0x3f);
|
|
|
|
wcs[wpos++] = c;
|
|
|
|
} else if (c >= 0xe0 && c < 0xf0 && upos + 1 < utflen &&
|
|
|
|
!(c == 0xe0 && utf[upos] < 0xa0) && /* over-long encoding */
|
|
|
|
(utf[upos] & 0xc0) == 0x80 &&
|
|
|
|
(utf[upos + 1] & 0xc0) == 0x80) {
|
|
|
|
/* 3-byte utf-8 */
|
|
|
|
c = ((c & 0x0f) << 12);
|
|
|
|
c |= ((utf[upos++] & 0x3f) << 6);
|
|
|
|
c |= (utf[upos++] & 0x3f);
|
|
|
|
wcs[wpos++] = c;
|
|
|
|
} else if (c >= 0xf0 && c < 0xf5 && upos + 2 < utflen &&
|
|
|
|
wpos + 1 < wcslen &&
|
|
|
|
!(c == 0xf0 && utf[upos] < 0x90) && /* over-long encoding */
|
|
|
|
!(c == 0xf4 && utf[upos] >= 0x90) && /* > \u10ffff */
|
|
|
|
(utf[upos] & 0xc0) == 0x80 &&
|
|
|
|
(utf[upos + 1] & 0xc0) == 0x80 &&
|
|
|
|
(utf[upos + 2] & 0xc0) == 0x80) {
|
|
|
|
/* 4-byte utf-8: convert to \ud8xx \udcxx surrogate pair */
|
|
|
|
c = ((c & 0x07) << 18);
|
|
|
|
c |= ((utf[upos++] & 0x3f) << 12);
|
|
|
|
c |= ((utf[upos++] & 0x3f) << 6);
|
|
|
|
c |= (utf[upos++] & 0x3f);
|
|
|
|
c -= 0x10000;
|
|
|
|
wcs[wpos++] = 0xd800 | (c >> 10);
|
|
|
|
wcs[wpos++] = 0xdc00 | (c & 0x3ff);
|
|
|
|
} else if (c >= 0xa0) {
|
|
|
|
/* invalid utf-8 byte, printable unicode char: convert 1:1 */
|
|
|
|
wcs[wpos++] = c;
|
|
|
|
} else {
|
|
|
|
/* invalid utf-8 byte, non-printable unicode: convert to hex */
|
|
|
|
static const char *hex = "0123456789abcdef";
|
|
|
|
wcs[wpos++] = hex[c >> 4];
|
|
|
|
if (wpos < wcslen)
|
|
|
|
wcs[wpos++] = hex[c & 0x0f];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
wcs[wpos] = 0;
|
|
|
|
return wpos;
|
|
|
|
}
|
|
|
|
|
|
|
|
int xwcstoutf(char *utf, const wchar_t *wcs, size_t utflen)
|
|
|
|
{
|
|
|
|
if (!wcs || !utf || utflen < 1) {
|
|
|
|
errno = EINVAL;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
utflen = WideCharToMultiByte(CP_UTF8, 0, wcs, -1, utf, utflen, NULL, NULL);
|
|
|
|
if (utflen)
|
|
|
|
return utflen - 1;
|
|
|
|
errno = ERANGE;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2016-06-18 14:38:36 +02:00
|
|
|
static void setup_windows_environment(void)
|
2016-01-26 15:34:38 +01:00
|
|
|
{
|
2016-01-26 15:34:43 +01:00
|
|
|
char *tmp = getenv("TMPDIR");
|
|
|
|
|
2016-01-26 15:34:38 +01:00
|
|
|
/* on Windows it is TMP and TEMP */
|
2016-01-26 15:34:43 +01:00
|
|
|
if (!tmp) {
|
|
|
|
if (!(tmp = getenv("TMP")))
|
2016-01-26 15:34:38 +01:00
|
|
|
tmp = getenv("TEMP");
|
2016-01-26 15:34:43 +01:00
|
|
|
if (tmp) {
|
2016-01-26 15:34:38 +01:00
|
|
|
setenv("TMPDIR", tmp, 1);
|
2016-01-26 15:34:43 +01:00
|
|
|
tmp = getenv("TMPDIR");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (tmp) {
|
|
|
|
/*
|
|
|
|
* Convert all dir separators to forward slashes,
|
|
|
|
* to help shell commands called from the Git
|
|
|
|
* executable (by not mistaking the dir separators
|
|
|
|
* for escape characters).
|
|
|
|
*/
|
2016-04-02 21:03:14 +02:00
|
|
|
convert_slashes(tmp);
|
2016-01-26 15:34:38 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
/* simulate TERM to enable auto-color (see color.c) */
|
|
|
|
if (!getenv("TERM"))
|
|
|
|
setenv("TERM", "cygwin", 1);
|
2019-07-04 11:20:33 +02:00
|
|
|
|
|
|
|
/* calculate HOME if not set */
|
|
|
|
if (!getenv("HOME")) {
|
|
|
|
/*
|
|
|
|
* try $HOMEDRIVE$HOMEPATH - the home share may be a network
|
|
|
|
* location, thus also check if the path exists (i.e. is not
|
|
|
|
* disconnected)
|
|
|
|
*/
|
|
|
|
if ((tmp = getenv("HOMEDRIVE"))) {
|
|
|
|
struct strbuf buf = STRBUF_INIT;
|
|
|
|
strbuf_addstr(&buf, tmp);
|
|
|
|
if ((tmp = getenv("HOMEPATH"))) {
|
|
|
|
strbuf_addstr(&buf, tmp);
|
|
|
|
if (is_directory(buf.buf))
|
|
|
|
setenv("HOME", buf.buf, 1);
|
|
|
|
else
|
|
|
|
tmp = NULL; /* use $USERPROFILE */
|
|
|
|
}
|
|
|
|
strbuf_release(&buf);
|
|
|
|
}
|
|
|
|
/* use $USERPROFILE if the home share is not available */
|
|
|
|
if (!tmp && (tmp = getenv("USERPROFILE")))
|
|
|
|
setenv("HOME", tmp, 1);
|
|
|
|
}
|
2016-01-26 15:34:38 +01:00
|
|
|
}
|
|
|
|
|
mingw: refuse to access paths with trailing spaces or periods
When creating a directory on Windows whose path ends in a space or a
period (or chains thereof), the Win32 API "helpfully" trims those. For
example, `mkdir("abc ");` will return success, but actually create a
directory called `abc` instead.
This stems back to the DOS days, when all file names had exactly 8
characters plus exactly 3 characters for the file extension, and the
only way to have shorter names was by padding with spaces.
Sadly, this "helpful" behavior is a bit inconsistent: after a successful
`mkdir("abc ");`, a `mkdir("abc /def")` will actually _fail_ (because
the directory `abc ` does not actually exist).
Even if it would work, we now have a serious problem because a Git
repository could contain directories `abc` and `abc `, and on Windows,
they would be "merged" unintentionally.
As these paths are illegal on Windows, anyway, let's disallow any
accesses to such paths on that Operating System.
For practical reasons, this behavior is still guarded by the
config setting `core.protectNTFS`: it is possible (and at least two
regression tests make use of it) to create commits without involving the
worktree. In such a scenario, it is of course possible -- even on
Windows -- to create such file names.
Among other consequences, this patch disallows submodules' paths to end
in spaces on Windows (which would formerly have confused Git enough to
try to write into incorrect paths, anyway).
While this patch does not fix a vulnerability on its own, it prevents an
attack vector that was exploited in demonstrations of a number of
recently-fixed security bugs.
The regression test added to `t/t7417-submodule-path-url.sh` reflects
that attack vector.
Note that we have to adjust the test case "prevent git~1 squatting on
Windows" in `t/t7415-submodule-names.sh` because of a very subtle issue.
It tries to clone two submodules whose names differ only in a trailing
period character, and as a consequence their git directories differ in
the same way. Previously, when Git tried to clone the second submodule,
it thought that the git directory already existed (because on Windows,
when you create a directory with the name `b.` it actually creates `b`),
but with this patch, the first submodule's clone will fail because of
the illegal name of the git directory. Therefore, when cloning the
second submodule, Git will take a different code path: a fresh clone
(without an existing git directory). Both code paths fail to clone the
second submodule, both because the the corresponding worktree directory
exists and is not empty, but the error messages are worded differently.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-09-05 13:27:53 +02:00
|
|
|
int is_valid_win32_path(const char *path)
|
|
|
|
{
|
|
|
|
int preceding_space_or_period = 0, i = 0, periods = 0;
|
|
|
|
|
|
|
|
if (!protect_ntfs)
|
|
|
|
return 1;
|
|
|
|
|
mingw: refuse to access paths with illegal characters
Certain characters are not admissible in file names on Windows, even if
Cygwin/MSYS2 (and therefore, Git for Windows' Bash) pretend that they
are, e.g. `:`, `<`, `>`, etc
Let's disallow those characters explicitly in Windows builds of Git.
Note: just like trailing spaces or periods, it _is_ possible on Windows
to create commits adding files with such illegal characters, as long as
the operation leaves the worktree untouched. To allow for that, we
continue to guard `is_valid_win32_path()` behind the config setting
`core.protectNTFS`, so that users _can_ continue to do that, as long as
they turn the protections off via that config setting.
Among other problems, this prevents Git from trying to write to an "NTFS
Alternate Data Stream" (which refers to metadata stored alongside a
file, under a special name: "<filename>:<stream-name>"). This fix
therefore also prevents an attack vector that was exploited in
demonstrations of a number of recently-fixed security bugs.
Further reading on illegal characters in Win32 filenames:
https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-09-05 13:44:21 +02:00
|
|
|
skip_dos_drive_prefix((char **)&path);
|
|
|
|
|
mingw: refuse to access paths with trailing spaces or periods
When creating a directory on Windows whose path ends in a space or a
period (or chains thereof), the Win32 API "helpfully" trims those. For
example, `mkdir("abc ");` will return success, but actually create a
directory called `abc` instead.
This stems back to the DOS days, when all file names had exactly 8
characters plus exactly 3 characters for the file extension, and the
only way to have shorter names was by padding with spaces.
Sadly, this "helpful" behavior is a bit inconsistent: after a successful
`mkdir("abc ");`, a `mkdir("abc /def")` will actually _fail_ (because
the directory `abc ` does not actually exist).
Even if it would work, we now have a serious problem because a Git
repository could contain directories `abc` and `abc `, and on Windows,
they would be "merged" unintentionally.
As these paths are illegal on Windows, anyway, let's disallow any
accesses to such paths on that Operating System.
For practical reasons, this behavior is still guarded by the
config setting `core.protectNTFS`: it is possible (and at least two
regression tests make use of it) to create commits without involving the
worktree. In such a scenario, it is of course possible -- even on
Windows -- to create such file names.
Among other consequences, this patch disallows submodules' paths to end
in spaces on Windows (which would formerly have confused Git enough to
try to write into incorrect paths, anyway).
While this patch does not fix a vulnerability on its own, it prevents an
attack vector that was exploited in demonstrations of a number of
recently-fixed security bugs.
The regression test added to `t/t7417-submodule-path-url.sh` reflects
that attack vector.
Note that we have to adjust the test case "prevent git~1 squatting on
Windows" in `t/t7415-submodule-names.sh` because of a very subtle issue.
It tries to clone two submodules whose names differ only in a trailing
period character, and as a consequence their git directories differ in
the same way. Previously, when Git tried to clone the second submodule,
it thought that the git directory already existed (because on Windows,
when you create a directory with the name `b.` it actually creates `b`),
but with this patch, the first submodule's clone will fail because of
the illegal name of the git directory. Therefore, when cloning the
second submodule, Git will take a different code path: a fresh clone
(without an existing git directory). Both code paths fail to clone the
second submodule, both because the the corresponding worktree directory
exists and is not empty, but the error messages are worded differently.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-09-05 13:27:53 +02:00
|
|
|
for (;;) {
|
|
|
|
char c = *(path++);
|
|
|
|
switch (c) {
|
|
|
|
case '\0':
|
|
|
|
case '/': case '\\':
|
|
|
|
/* cannot end in ` ` or `.`, except for `.` and `..` */
|
|
|
|
if (preceding_space_or_period &&
|
|
|
|
(i != periods || periods > 2))
|
|
|
|
return 0;
|
|
|
|
if (!c)
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
i = periods = preceding_space_or_period = 0;
|
|
|
|
continue;
|
|
|
|
case '.':
|
|
|
|
periods++;
|
|
|
|
/* fallthru */
|
|
|
|
case ' ':
|
|
|
|
preceding_space_or_period = 1;
|
|
|
|
i++;
|
|
|
|
continue;
|
mingw: refuse to access paths with illegal characters
Certain characters are not admissible in file names on Windows, even if
Cygwin/MSYS2 (and therefore, Git for Windows' Bash) pretend that they
are, e.g. `:`, `<`, `>`, etc
Let's disallow those characters explicitly in Windows builds of Git.
Note: just like trailing spaces or periods, it _is_ possible on Windows
to create commits adding files with such illegal characters, as long as
the operation leaves the worktree untouched. To allow for that, we
continue to guard `is_valid_win32_path()` behind the config setting
`core.protectNTFS`, so that users _can_ continue to do that, as long as
they turn the protections off via that config setting.
Among other problems, this prevents Git from trying to write to an "NTFS
Alternate Data Stream" (which refers to metadata stored alongside a
file, under a special name: "<filename>:<stream-name>"). This fix
therefore also prevents an attack vector that was exploited in
demonstrations of a number of recently-fixed security bugs.
Further reading on illegal characters in Win32 filenames:
https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-09-05 13:44:21 +02:00
|
|
|
case ':': /* DOS drive prefix was already skipped */
|
|
|
|
case '<': case '>': case '"': case '|': case '?': case '*':
|
|
|
|
/* illegal character */
|
|
|
|
return 0;
|
|
|
|
default:
|
|
|
|
if (c > '\0' && c < '\x20')
|
|
|
|
/* illegal character */
|
|
|
|
return 0;
|
mingw: refuse to access paths with trailing spaces or periods
When creating a directory on Windows whose path ends in a space or a
period (or chains thereof), the Win32 API "helpfully" trims those. For
example, `mkdir("abc ");` will return success, but actually create a
directory called `abc` instead.
This stems back to the DOS days, when all file names had exactly 8
characters plus exactly 3 characters for the file extension, and the
only way to have shorter names was by padding with spaces.
Sadly, this "helpful" behavior is a bit inconsistent: after a successful
`mkdir("abc ");`, a `mkdir("abc /def")` will actually _fail_ (because
the directory `abc ` does not actually exist).
Even if it would work, we now have a serious problem because a Git
repository could contain directories `abc` and `abc `, and on Windows,
they would be "merged" unintentionally.
As these paths are illegal on Windows, anyway, let's disallow any
accesses to such paths on that Operating System.
For practical reasons, this behavior is still guarded by the
config setting `core.protectNTFS`: it is possible (and at least two
regression tests make use of it) to create commits without involving the
worktree. In such a scenario, it is of course possible -- even on
Windows -- to create such file names.
Among other consequences, this patch disallows submodules' paths to end
in spaces on Windows (which would formerly have confused Git enough to
try to write into incorrect paths, anyway).
While this patch does not fix a vulnerability on its own, it prevents an
attack vector that was exploited in demonstrations of a number of
recently-fixed security bugs.
The regression test added to `t/t7417-submodule-path-url.sh` reflects
that attack vector.
Note that we have to adjust the test case "prevent git~1 squatting on
Windows" in `t/t7415-submodule-names.sh` because of a very subtle issue.
It tries to clone two submodules whose names differ only in a trailing
period character, and as a consequence their git directories differ in
the same way. Previously, when Git tried to clone the second submodule,
it thought that the git directory already existed (because on Windows,
when you create a directory with the name `b.` it actually creates `b`),
but with this patch, the first submodule's clone will fail because of
the illegal name of the git directory. Therefore, when cloning the
second submodule, Git will take a different code path: a fresh clone
(without an existing git directory). Both code paths fail to clone the
second submodule, both because the the corresponding worktree directory
exists and is not empty, but the error messages are worded differently.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-09-05 13:27:53 +02:00
|
|
|
}
|
|
|
|
preceding_space_or_period = 0;
|
|
|
|
i++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
mingw: replace mingw_startup() hack
Git for Windows has special code to retrieve the command-line parameters
(and even the environment) in UTF-16 encoding, so that they can be
converted to UTF-8. This is necessary because Git for Windows wants to
use UTF-8 encoded strings throughout its code, and the main() function
does not get the parameters in that encoding.
To do that, we used the __wgetmainargs() function, which is not even a
Win32 API function, but provided by the MINGW "runtime" instead.
Obviously, this method would not work with any compiler other than GCC,
and in preparation for compiling with Visual C++, we would like to avoid
precisely that.
Lucky us, there is a much more elegant way: we can simply implement the
UTF-16 variant of `main()`: `wmain()`.
To make that work, we need to link with -municode. The command-line
parameters are passed to `wmain()` encoded in UTF-16, as desired, and
this method also works with GCC, and also with Visual C++ after
adjusting the MSVC linker flags to force it to use `wmain()`.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-06-19 23:05:59 +02:00
|
|
|
#if !defined(_MSC_VER)
|
2011-01-07 19:52:20 +01:00
|
|
|
/*
|
|
|
|
* Disable MSVCRT command line wildcard expansion (__getmainargs called from
|
|
|
|
* mingw startup code, see init.c in mingw runtime).
|
|
|
|
*/
|
|
|
|
int _CRT_glob = 0;
|
mingw: replace mingw_startup() hack
Git for Windows has special code to retrieve the command-line parameters
(and even the environment) in UTF-16 encoding, so that they can be
converted to UTF-8. This is necessary because Git for Windows wants to
use UTF-8 encoded strings throughout its code, and the main() function
does not get the parameters in that encoding.
To do that, we used the __wgetmainargs() function, which is not even a
Win32 API function, but provided by the MINGW "runtime" instead.
Obviously, this method would not work with any compiler other than GCC,
and in preparation for compiling with Visual C++, we would like to avoid
precisely that.
Lucky us, there is a much more elegant way: we can simply implement the
UTF-16 variant of `main()`: `wmain()`.
To make that work, we need to link with -municode. The command-line
parameters are passed to `wmain()` encoded in UTF-16, as desired, and
this method also works with GCC, and also with Visual C++ after
adjusting the MSVC linker flags to force it to use `wmain()`.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-06-19 23:05:59 +02:00
|
|
|
#endif
|
2011-01-16 18:28:27 +01:00
|
|
|
|
2016-06-18 14:38:36 +02:00
|
|
|
static NORETURN void die_startup(void)
|
2011-01-16 18:28:27 +01:00
|
|
|
{
|
|
|
|
fputs("fatal: not enough memory for initialization", stderr);
|
|
|
|
exit(128);
|
|
|
|
}
|
|
|
|
|
2014-07-17 17:38:03 +02:00
|
|
|
static void *malloc_startup(size_t size)
|
|
|
|
{
|
|
|
|
void *result = malloc(size);
|
|
|
|
if (!result)
|
|
|
|
die_startup();
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
|
|
|
static char *wcstoutfdup_startup(char *buffer, const wchar_t *wcs, size_t len)
|
|
|
|
{
|
|
|
|
len = xwcstoutf(buffer, wcs, len) + 1;
|
|
|
|
return memcpy(malloc_startup(len), buffer, len);
|
|
|
|
}
|
|
|
|
|
2017-11-01 18:10:25 +01:00
|
|
|
static void maybe_redirect_std_handle(const wchar_t *key, DWORD std_id, int fd,
|
|
|
|
DWORD desired_access, DWORD flags)
|
|
|
|
{
|
|
|
|
DWORD create_flag = fd ? OPEN_ALWAYS : OPEN_EXISTING;
|
|
|
|
wchar_t buf[MAX_PATH];
|
|
|
|
DWORD max = ARRAY_SIZE(buf);
|
|
|
|
HANDLE handle;
|
|
|
|
DWORD ret = GetEnvironmentVariableW(key, buf, max);
|
|
|
|
|
|
|
|
if (!ret || ret >= max)
|
|
|
|
return;
|
|
|
|
|
|
|
|
/* make sure this does not leak into child processes */
|
|
|
|
SetEnvironmentVariableW(key, NULL);
|
|
|
|
if (!wcscmp(buf, L"off")) {
|
|
|
|
close(fd);
|
|
|
|
handle = GetStdHandle(std_id);
|
|
|
|
if (handle != INVALID_HANDLE_VALUE)
|
|
|
|
CloseHandle(handle);
|
|
|
|
return;
|
|
|
|
}
|
2017-11-01 18:10:30 +01:00
|
|
|
if (std_id == STD_ERROR_HANDLE && !wcscmp(buf, L"2>&1")) {
|
|
|
|
handle = GetStdHandle(STD_OUTPUT_HANDLE);
|
|
|
|
if (handle == INVALID_HANDLE_VALUE) {
|
|
|
|
close(fd);
|
|
|
|
handle = GetStdHandle(std_id);
|
|
|
|
if (handle != INVALID_HANDLE_VALUE)
|
|
|
|
CloseHandle(handle);
|
|
|
|
} else {
|
|
|
|
int new_fd = _open_osfhandle((intptr_t)handle, O_BINARY);
|
|
|
|
SetStdHandle(std_id, handle);
|
|
|
|
dup2(new_fd, fd);
|
|
|
|
/* do *not* close the new_fd: that would close stdout */
|
|
|
|
}
|
|
|
|
return;
|
|
|
|
}
|
2017-11-01 18:10:25 +01:00
|
|
|
handle = CreateFileW(buf, desired_access, 0, NULL, create_flag,
|
|
|
|
flags, NULL);
|
|
|
|
if (handle != INVALID_HANDLE_VALUE) {
|
|
|
|
int new_fd = _open_osfhandle((intptr_t)handle, O_BINARY);
|
|
|
|
SetStdHandle(std_id, handle);
|
|
|
|
dup2(new_fd, fd);
|
|
|
|
close(new_fd);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static void maybe_redirect_std_handles(void)
|
|
|
|
{
|
|
|
|
maybe_redirect_std_handle(L"GIT_REDIRECT_STDIN", STD_INPUT_HANDLE, 0,
|
|
|
|
GENERIC_READ, FILE_ATTRIBUTE_NORMAL);
|
|
|
|
maybe_redirect_std_handle(L"GIT_REDIRECT_STDOUT", STD_OUTPUT_HANDLE, 1,
|
|
|
|
GENERIC_WRITE, FILE_ATTRIBUTE_NORMAL);
|
|
|
|
maybe_redirect_std_handle(L"GIT_REDIRECT_STDERR", STD_ERROR_HANDLE, 2,
|
|
|
|
GENERIC_WRITE, FILE_FLAG_NO_BUFFERING);
|
|
|
|
}
|
|
|
|
|
2019-06-25 16:49:39 +02:00
|
|
|
#ifdef _MSC_VER
|
|
|
|
#ifdef _DEBUG
|
|
|
|
#include <crtdbg.h>
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
|
mingw: replace mingw_startup() hack
Git for Windows has special code to retrieve the command-line parameters
(and even the environment) in UTF-16 encoding, so that they can be
converted to UTF-8. This is necessary because Git for Windows wants to
use UTF-8 encoded strings throughout its code, and the main() function
does not get the parameters in that encoding.
To do that, we used the __wgetmainargs() function, which is not even a
Win32 API function, but provided by the MINGW "runtime" instead.
Obviously, this method would not work with any compiler other than GCC,
and in preparation for compiling with Visual C++, we would like to avoid
precisely that.
Lucky us, there is a much more elegant way: we can simply implement the
UTF-16 variant of `main()`: `wmain()`.
To make that work, we need to link with -municode. The command-line
parameters are passed to `wmain()` encoded in UTF-16, as desired, and
this method also works with GCC, and also with Visual C++ after
adjusting the MSVC linker flags to force it to use `wmain()`.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-06-19 23:05:59 +02:00
|
|
|
/*
|
|
|
|
* We implement wmain() and compile with -municode, which would
|
|
|
|
* normally ignore main(), but we call the latter from the former
|
|
|
|
* so that we can handle non-ASCII command-line parameters
|
|
|
|
* appropriately.
|
|
|
|
*
|
|
|
|
* To be more compatible with the core git code, we convert
|
|
|
|
* argv into UTF8 and pass them directly to main().
|
|
|
|
*/
|
|
|
|
int wmain(int argc, const wchar_t **wargv)
|
2011-01-07 19:47:23 +01:00
|
|
|
{
|
mingw: replace mingw_startup() hack
Git for Windows has special code to retrieve the command-line parameters
(and even the environment) in UTF-16 encoding, so that they can be
converted to UTF-8. This is necessary because Git for Windows wants to
use UTF-8 encoded strings throughout its code, and the main() function
does not get the parameters in that encoding.
To do that, we used the __wgetmainargs() function, which is not even a
Win32 API function, but provided by the MINGW "runtime" instead.
Obviously, this method would not work with any compiler other than GCC,
and in preparation for compiling with Visual C++, we would like to avoid
precisely that.
Lucky us, there is a much more elegant way: we can simply implement the
UTF-16 variant of `main()`: `wmain()`.
To make that work, we need to link with -municode. The command-line
parameters are passed to `wmain()` encoded in UTF-16, as desired, and
this method also works with GCC, and also with Visual C++ after
adjusting the MSVC linker flags to force it to use `wmain()`.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-06-19 23:05:59 +02:00
|
|
|
int i, maxlen, exit_status;
|
|
|
|
char *buffer, **save;
|
|
|
|
const char **argv;
|
2011-01-16 18:28:27 +01:00
|
|
|
|
2019-04-15 22:39:43 +02:00
|
|
|
trace2_initialize_clock();
|
|
|
|
|
2019-06-25 16:49:40 +02:00
|
|
|
#ifdef _MSC_VER
|
2019-06-25 16:49:42 +02:00
|
|
|
#ifdef _DEBUG
|
|
|
|
_CrtSetReportMode(_CRT_ASSERT, _CRTDBG_MODE_DEBUG);
|
|
|
|
#endif
|
|
|
|
|
2019-06-25 16:49:40 +02:00
|
|
|
#ifdef USE_MSVC_CRTDBG
|
|
|
|
_CrtSetDbgFlag(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF);
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
|
2017-11-01 18:10:25 +01:00
|
|
|
maybe_redirect_std_handles();
|
|
|
|
|
2011-01-16 18:28:27 +01:00
|
|
|
/* determine size of argv and environ conversion buffer */
|
2018-04-10 17:05:46 +02:00
|
|
|
maxlen = wcslen(wargv[0]);
|
2011-01-16 18:28:27 +01:00
|
|
|
for (i = 1; i < argc; i++)
|
|
|
|
maxlen = max(maxlen, wcslen(wargv[i]));
|
|
|
|
|
|
|
|
/* allocate buffer (wchar_t encodes to max 3 UTF-8 bytes) */
|
|
|
|
maxlen = 3 * maxlen + 1;
|
2014-07-17 17:38:03 +02:00
|
|
|
buffer = malloc_startup(maxlen);
|
2011-01-16 18:28:27 +01:00
|
|
|
|
mingw: replace mingw_startup() hack
Git for Windows has special code to retrieve the command-line parameters
(and even the environment) in UTF-16 encoding, so that they can be
converted to UTF-8. This is necessary because Git for Windows wants to
use UTF-8 encoded strings throughout its code, and the main() function
does not get the parameters in that encoding.
To do that, we used the __wgetmainargs() function, which is not even a
Win32 API function, but provided by the MINGW "runtime" instead.
Obviously, this method would not work with any compiler other than GCC,
and in preparation for compiling with Visual C++, we would like to avoid
precisely that.
Lucky us, there is a much more elegant way: we can simply implement the
UTF-16 variant of `main()`: `wmain()`.
To make that work, we need to link with -municode. The command-line
parameters are passed to `wmain()` encoded in UTF-16, as desired, and
this method also works with GCC, and also with Visual C++ after
adjusting the MSVC linker flags to force it to use `wmain()`.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-06-19 23:05:59 +02:00
|
|
|
/*
|
|
|
|
* Create a UTF-8 version of w_argv. Also create a "save" copy
|
|
|
|
* to remember all the string pointers because parse_options()
|
|
|
|
* will remove claimed items from the argv that we pass down.
|
|
|
|
*/
|
|
|
|
ALLOC_ARRAY(argv, argc + 1);
|
|
|
|
ALLOC_ARRAY(save, argc + 1);
|
2018-04-10 17:05:46 +02:00
|
|
|
for (i = 0; i < argc; i++)
|
mingw: replace mingw_startup() hack
Git for Windows has special code to retrieve the command-line parameters
(and even the environment) in UTF-16 encoding, so that they can be
converted to UTF-8. This is necessary because Git for Windows wants to
use UTF-8 encoded strings throughout its code, and the main() function
does not get the parameters in that encoding.
To do that, we used the __wgetmainargs() function, which is not even a
Win32 API function, but provided by the MINGW "runtime" instead.
Obviously, this method would not work with any compiler other than GCC,
and in preparation for compiling with Visual C++, we would like to avoid
precisely that.
Lucky us, there is a much more elegant way: we can simply implement the
UTF-16 variant of `main()`: `wmain()`.
To make that work, we need to link with -municode. The command-line
parameters are passed to `wmain()` encoded in UTF-16, as desired, and
this method also works with GCC, and also with Visual C++ after
adjusting the MSVC linker flags to force it to use `wmain()`.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-06-19 23:05:59 +02:00
|
|
|
argv[i] = save[i] = wcstoutfdup_startup(buffer, wargv[i], maxlen);
|
|
|
|
argv[i] = save[i] = NULL;
|
2011-01-16 18:28:27 +01:00
|
|
|
free(buffer);
|
2011-01-07 19:47:23 +01:00
|
|
|
|
2014-07-17 17:38:05 +02:00
|
|
|
/* fix Windows specific environment settings */
|
2016-01-26 15:34:38 +01:00
|
|
|
setup_windows_environment();
|
2014-07-17 17:38:06 +02:00
|
|
|
|
2018-10-30 19:40:07 +01:00
|
|
|
unset_environment_variables = xstrdup("PERL5LIB");
|
|
|
|
|
2011-01-07 19:47:23 +01:00
|
|
|
/* initialize critical section for waitpid pinfo_t list */
|
|
|
|
InitializeCriticalSection(&pinfo_cs);
|
|
|
|
|
|
|
|
/* set up default file mode and file modes for stdin/out/err */
|
|
|
|
_fmode = _O_BINARY;
|
|
|
|
_setmode(_fileno(stdin), _O_BINARY);
|
|
|
|
_setmode(_fileno(stdout), _O_BINARY);
|
|
|
|
_setmode(_fileno(stderr), _O_BINARY);
|
Win32: Thread-safe windows console output
Winansi.c has many static variables that are accessed and modified from
the [v][f]printf / fputs functions overridden in the file. This may cause
multi threaded git commands that print to the console to produce corrupted
output or even crash.
Additionally, winansi.c doesn't override all functions that can be used to
print to the console (e.g. fwrite, write, fputc are missing), so that ANSI
escapes don't work properly for some git commands (e.g. git-grep).
Instead of doing ANSI emulation in just a few wrapped functions on top of
the IO API, let's plug into the IO system and take advantage of the thread
safety inherent to the IO system.
Redirect stdout and stderr to a pipe if they point to the console. A
background thread reads from the pipe, handles ANSI escape sequences and
UTF-8 to UTF-16 conversion, then writes to the console.
The pipe-based stdout and stderr replacements must be set to unbuffered, as
MSVCRT doesn't support line buffering and fully buffered streams are
inappropriate for console output.
Due to the byte-oriented pipe, ANSI escape sequences and multi-byte UTF-8
sequences can no longer be expected to arrive in one piece. Replace the
string-based ansi_emulate() with a simple stateful parser (this also fixes
colored diff hunk headers, which were broken as of commit 2efcc977).
Override isatty to return true for the pipes redirecting to the console.
Exec/spawn obtain the original console handle to pass to the next process
via winansi_get_osfhandle().
All other overrides are gone, the default stdio implementations work as
expected with the piped stdout/stderr descriptors.
Global variables are either initialized on startup (single threaded) or
exclusively modified by the background thread. Threads communicate through
the pipe, no further synchronization is necessary.
The background thread is terminated by disonnecting the pipe after flushing
the stdio and pipe buffers. This doesn't work for anonymous pipes (created
via CreatePipe), as DisconnectNamedPipe only works on the read end, which
discards remaining data. Thus we have to setup the pipe manually, with the
write end beeing the server (opened with CreateNamedPipe) and the read end
the client (opened with CreateFile).
Limitations: doesn't track reopened or duped file descriptors, i.e.:
- fdopen(1/2) returns fully buffered streams
- dup(1/2), dup2(1/2) returns normal pipe descriptors (i.e. isatty() =
false, winansi_get_osfhandle won't return the original console handle)
Currently, only the git-format-patch command uses xfdopen(xdup(1)) (see
"realstdout" in builtin/log.c), but works well with these limitations.
Many thanks to Atsushi Nakagawa <atnak@chejz.com> for suggesting and
reviewing the thread-exit-mechanism.
Signed-off-by: Karsten Blees <blees@dcon.de>
Signed-off-by: Stepan Kasal <kasal@ucw.cz>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-01-14 22:24:19 +01:00
|
|
|
|
|
|
|
/* initialize Unicode console */
|
|
|
|
winansi_init();
|
mingw: replace mingw_startup() hack
Git for Windows has special code to retrieve the command-line parameters
(and even the environment) in UTF-16 encoding, so that they can be
converted to UTF-8. This is necessary because Git for Windows wants to
use UTF-8 encoded strings throughout its code, and the main() function
does not get the parameters in that encoding.
To do that, we used the __wgetmainargs() function, which is not even a
Win32 API function, but provided by the MINGW "runtime" instead.
Obviously, this method would not work with any compiler other than GCC,
and in preparation for compiling with Visual C++, we would like to avoid
precisely that.
Lucky us, there is a much more elegant way: we can simply implement the
UTF-16 variant of `main()`: `wmain()`.
To make that work, we need to link with -municode. The command-line
parameters are passed to `wmain()` encoded in UTF-16, as desired, and
this method also works with GCC, and also with Visual C++ after
adjusting the MSVC linker flags to force it to use `wmain()`.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-06-19 23:05:59 +02:00
|
|
|
|
|
|
|
/* invoke the real main() using our utf8 version of argv. */
|
|
|
|
exit_status = main(argc, argv);
|
|
|
|
|
|
|
|
for (i = 0; i < argc; i++)
|
|
|
|
free(save[i]);
|
|
|
|
free(save);
|
|
|
|
free(argv);
|
|
|
|
|
|
|
|
return exit_status;
|
2011-01-07 19:47:23 +01:00
|
|
|
}
|
2015-03-08 11:12:45 +01:00
|
|
|
|
|
|
|
int uname(struct utsname *buf)
|
|
|
|
{
|
2015-10-23 08:02:52 +02:00
|
|
|
unsigned v = (unsigned)GetVersion();
|
2015-03-08 11:12:45 +01:00
|
|
|
memset(buf, 0, sizeof(*buf));
|
2015-09-24 23:06:08 +02:00
|
|
|
xsnprintf(buf->sysname, sizeof(buf->sysname), "Windows");
|
|
|
|
xsnprintf(buf->release, sizeof(buf->release),
|
|
|
|
"%u.%u", v & 0xff, (v >> 8) & 0xff);
|
2015-03-08 11:12:45 +01:00
|
|
|
/* assuming NT variants only.. */
|
2015-09-24 23:06:08 +02:00
|
|
|
xsnprintf(buf->version, sizeof(buf->version),
|
|
|
|
"%u", (v >> 16) & 0x7fff);
|
2015-03-08 11:12:45 +01:00
|
|
|
return 0;
|
|
|
|
}
|