read-cache: optionally disallow NTFS .git variants

The point of disallowing ".git" in the index is that we
would never want to accidentally overwrite files in the
repository directory. But this means we need to respect the
filesystem's idea of when two paths are equal. The prior
commit added a helper to make such a comparison for NTFS
and FAT32; let's use it in verify_path().

We make this check optional for two reasons:

  1. It restricts the set of allowable filenames, which is
     unnecessary for people who are not on NTFS nor FAT32.
     In practice this probably doesn't matter, though, as
     the restricted names are rather obscure and almost
     certainly would never come up in practice.

  2. It has a minor performance penalty for every path we
     insert into the index.

This patch ties the check to the core.protectNTFS config
option. Though this is expected to be most useful on Windows,
we allow it to be set everywhere, as NTFS may be mounted on
other platforms. The variable does default to on for Windows,
though.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Johannes Schindelin 2014-12-16 23:46:59 +01:00 committed by Junio C Hamano
parent 1d1d69bc52
commit 2b4c6efc82
7 changed files with 34 additions and 0 deletions


@ -239,6 +239,12 @@ core.protectHFS::
be considered equivalent to `.git` on an HFS+ filesystem. be considered equivalent to `.git` on an HFS+ filesystem.
Defaults to `true` on Mac OS, and `false` elsewhere. Defaults to `true` on Mac OS, and `false` elsewhere.
core.protectNTFS::
If set to true, do not allow checkout of paths that would
cause problems with the NTFS filesystem, e.g. conflict with
8.3 "short" names.
Defaults to `true` on Windows, and `false` elsewhere.
core.trustctime:: core.trustctime::
If false, the ctime differences between the index and the If false, the ctime differences between the index and the
working tree are ignored; useful when the inode change time working tree are ignored; useful when the inode change time


@ -585,6 +585,7 @@ extern int core_preload_index;
extern int core_apply_sparse_checkout; extern int core_apply_sparse_checkout;
extern int precomposed_unicode; extern int precomposed_unicode;
extern int protect_hfs; extern int protect_hfs;
extern int protect_ntfs;
/* /*
* The character that begins a commented line in user-editable file * The character that begins a commented line in user-editable file


@ -886,6 +886,11 @@ static int git_default_core_config(const char *var, const char *value)
return 0; return 0;
} }
if (!strcmp(var, "core.protectntfs")) {
protect_ntfs = git_config_bool(var, value);
return 0;
}
/* Add other config variables here and to Documentation/config.txt. */ /* Add other config variables here and to Documentation/config.txt. */
return 0; return 0;
} }


@ -362,6 +362,7 @@ ifeq ($(uname_S),Windows)
EXTLIBS = user32.lib advapi32.lib shell32.lib wininet.lib ws2_32.lib EXTLIBS = user32.lib advapi32.lib shell32.lib wininet.lib ws2_32.lib
PTHREAD_LIBS = PTHREAD_LIBS =
lib = lib =
BASIC_CFLAGS += -DPROTECT_NTFS_DEFAULT=1
ifndef DEBUG ifndef DEBUG
BASIC_CFLAGS += -GL -Os -MT BASIC_CFLAGS += -GL -Os -MT
BASIC_LDFLAGS += -LTCG BASIC_LDFLAGS += -LTCG
@ -506,6 +507,7 @@ ifneq (,$(findstring MINGW,$(uname_S)))
COMPAT_OBJS += compat/mingw.o compat/winansi.o \ COMPAT_OBJS += compat/mingw.o compat/winansi.o \
compat/win32/pthread.o compat/win32/syslog.o \ compat/win32/pthread.o compat/win32/syslog.o \
compat/win32/dirent.o compat/win32/dirent.o
BASIC_CFLAGS += -DPROTECT_NTFS_DEFAULT=1
BASIC_LDFLAGS += -Wl,--large-address-aware BASIC_LDFLAGS += -Wl,--large-address-aware
EXTLIBS += -lws2_32 EXTLIBS += -lws2_32
GITLIBS += git.res GITLIBS += git.res
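Review bot: Only the `Windows` and `MINGW` branches receive `-DPROTECT_NTFS_DEFAULT=1`, so any other build configuration that normally runs on NTFS keeps the compiled-in default of 0. If this file has a Cygwin branch outside the visible hunks, it looks like it needs the same `BASIC_CFLAGS += -DPROTECT_NTFS_DEFAULT=1` line; please confirm. A short comment next to each addition, such as `# work trees on this platform live on NTFS/FAT32`, would make the intent clear to whoever adds the next platform block.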


@ -68,6 +68,11 @@ unsigned long pack_size_limit_cfg;
#endif #endif
int protect_hfs = PROTECT_HFS_DEFAULT; int protect_hfs = PROTECT_HFS_DEFAULT;
#ifndef PROTECT_NTFS_DEFAULT
#define PROTECT_NTFS_DEFAULT 0
#endif
int protect_ntfs = PROTECT_NTFS_DEFAULT;
/* /*
* The character that begins a commented line in user-editable file * The character that begins a commented line in user-editable file
* that is subject to stripspace. * that is subject to stripspace.
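Review bot: The fallback `#define PROTECT_NTFS_DEFAULT 0` makes the protection opt-in on every non-Windows build, even though the commit message itself notes that NTFS may be mounted on other platforms. A checkout onto such a volume is then unprotected unless the user already knows to set core.protectNTFS. Since the message describes the restricted names as obscure and the cost as minor, consider defaulting to 1 and letting users opt out. At minimum, add a comment above the define, e.g. `/* off unless the platform Makefile enables it; set core.protectNTFS when the work tree is on NTFS/FAT32 */`.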


@ -789,6 +789,8 @@ int verify_path(const char *path)
inside: inside:
if (protect_hfs && is_hfs_dotgit(path)) if (protect_hfs && is_hfs_dotgit(path))
return 0; return 0;
if (protect_ntfs && is_ntfs_dotgit(path))
return 0;
c = *path++; c = *path++;
if ((c == '.' && !verify_dotfile(path)) || if ((c == '.' && !verify_dotfile(path)) ||
is_dir_sep(c) || c == '\0') is_dir_sep(c) || c == '\0')
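Review bot: Nothing at the `inside:` label says that returning 0 rejects the path, or why the two filesystem checks run ahead of the generic dot-file test. A one-line comment above the `protect_*` tests would help, e.g. `/* refuse any component the target filesystem would resolve to ".git" */`. is_ntfs_dotgit() comes from the prior commit and is not visible here, so whether it expects a single component or the rest of the path (including backslash-separated parts) should be confirmed against its definition. verify_path()'s body starts and ends outside this hunk.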


@ -15,8 +15,17 @@ test_expect_success 'enable core.protectHFS for rejection tests' '
git config core.protectHFS true git config core.protectHFS true
' '
test_expect_success 'enable core.protectNTFS for rejection tests' '
git config core.protectNTFS true
'
while read path pretty; do while read path pretty; do
: ${pretty:=$path} : ${pretty:=$path}
case "$path" in
*SPACE)
path="${path%SPACE} "
;;
esac
test_expect_success "reject $pretty at end of path" ' test_expect_success "reject $pretty at end of path" '
printf "100644 blob %s\t%s" "$blob" "$path" >tree && printf "100644 blob %s\t%s" "$blob" "$path" >tree &&
bogus=$(git mktree <tree) && bogus=$(git mktree <tree) &&
@ -36,6 +45,10 @@ done <<-EOF
${u200c}.Git {u200c}.Git ${u200c}.Git {u200c}.Git
.gI${u200c}T .gI{u200c}T .gI${u200c}T .gI{u200c}T
.GiT${u200c} .GiT{u200c} .GiT${u200c} .GiT{u200c}
git~1
.git.SPACE .git.{space}
.\\\\.GIT\\\\foobar backslashes
.git\\\\foobar backslashes2
EOF EOF
test_expect_success 'utf-8 paths allowed with core.protectHFS off' ' test_expect_success 'utf-8 paths allowed with core.protectHFS off' '
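Review bot: The new here-doc entries exercise the short name only in lower case (`git~1`) and a trailing space only after `.git.`. Since the point of the check is to follow the filesystem's own idea of name equality, entries such as `GIT~1` and `.gitSPACE .git{space}` would pin down the case-insensitive and space-only variants, assuming is_ntfs_dotgit() (prior commit, not shown) is meant to reject them. The `*SPACE)` case arm also deserves a comment, e.g. `# "read" splits on whitespace, so a trailing blank is spelled SPACE in the list`. Without that the substitution looks arbitrary to the next person extending the table.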