Sync with 2.17.2

* maint-2.17:
  Git 2.17.2
  fsck: detect submodule paths starting with dash
  fsck: detect submodule urls starting with dash
  Git 2.16.5
  Git 2.15.3
  Git 2.14.5
  submodule-config: ban submodule paths that start with a dash
  submodule-config: ban submodule urls that start with dash
  submodule--helper: use "--" to signal end of clone options
This commit is contained in:
Junio C Hamano 2018-09-27 11:45:01 -07:00
commit 44f87dac99
9 changed files with 142 additions and 0 deletions

View File

@ -0,0 +1,16 @@
Git v2.14.5 Release Notes
=========================
This release is to address the recently reported CVE-2018-17456.
Fixes since v2.14.4
-------------------
* Submodules' "URL"s come from the untrusted .gitmodules file, but
we blindly gave it to "git clone" to clone submodules when "git
clone --recurse-submodules" was used to clone a project that has
such a submodule. The code has been hardened to reject such
malformed URLs (e.g. one that begins with a dash).
Credit for finding and fixing this vulnerability goes to joernchen
and Jeff King, respectively.

View File

@ -0,0 +1,6 @@
Git v2.15.3 Release Notes
=========================
This release merges up the fixes that appear in v2.14.5 to address
the recently reported CVE-2018-17456; see the release notes for that
version for details.

View File

@ -0,0 +1,6 @@
Git v2.16.5 Release Notes
=========================
This release merges up the fixes that appear in v2.14.5 to address
the recently reported CVE-2018-17456; see the release notes for that
version for details.

View File

@ -0,0 +1,12 @@
Git v2.17.2 Release Notes
=========================
This release merges up the fixes that appear in v2.14.5 to address
the recently reported CVE-2018-17456; see the release notes for that
version for details.
In addition, this release also teaches "fsck" and the server side
logic to reject pushes to repositories that attempt to create such a
problematic ".gitmodules" file as tracked contents, to help hosting
sites protect their customers by preventing malicious contents from
spreading.

View File

@ -1090,6 +1090,7 @@ static int clone_submodule(const char *path, const char *gitdir, const char *url
if (gitdir && *gitdir)
argv_array_pushl(&cp.args, "--separate-git-dir", gitdir, NULL);
argv_array_push(&cp.args, "--");
argv_array_push(&cp.args, url);
argv_array_push(&cp.args, path);

14
fsck.c
View File

@ -64,6 +64,8 @@ static struct oidset gitmodules_done = OIDSET_INIT;
FUNC(GITMODULES_PARSE, ERROR) \
FUNC(GITMODULES_NAME, ERROR) \
FUNC(GITMODULES_SYMLINK, ERROR) \
FUNC(GITMODULES_URL, ERROR) \
FUNC(GITMODULES_PATH, ERROR) \
/* warnings */ \
FUNC(BAD_FILEMODE, WARN) \
FUNC(EMPTY_NAME, WARN) \
@ -949,6 +951,18 @@ static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata)
FSCK_MSG_GITMODULES_NAME,
"disallowed submodule name: %s",
name);
if (!strcmp(key, "url") && value &&
looks_like_command_line_option(value))
data->ret |= report(data->options, data->obj,
FSCK_MSG_GITMODULES_URL,
"disallowed submodule url: %s",
value);
if (!strcmp(key, "path") && value &&
looks_like_command_line_option(value))
data->ret |= report(data->options, data->obj,
FSCK_MSG_GITMODULES_PATH,
"disallowed submodule path: %s",
value);
free(name);
return 0;

View File

@ -383,6 +383,12 @@ static void warn_multiple_config(const struct object_id *treeish_name,
commit_string, name, option);
}
static void warn_command_line_option(const char *var, const char *value)
{
warning(_("ignoring '%s' which may be interpreted as"
" a command-line option: %s"), var, value);
}
struct parse_config_parameter {
struct submodule_cache *cache;
const struct object_id *treeish_name;
@ -408,6 +414,8 @@ static int parse_config(const char *var, const char *value, void *data)
if (!strcmp(item.buf, "path")) {
if (!value)
ret = config_error_nonbool(var);
else if (looks_like_command_line_option(value))
warn_command_line_option(var, value);
else if (!me->overwrite && submodule->path)
warn_multiple_config(me->treeish_name, submodule->name,
"path");
@ -448,6 +456,8 @@ static int parse_config(const char *var, const char *value, void *data)
} else if (!strcmp(item.buf, "url")) {
if (!value) {
ret = config_error_nonbool(var);
} else if (looks_like_command_line_option(value)) {
warn_command_line_option(var, value);
} else if (!me->overwrite && submodule->url) {
warn_multiple_config(me->treeish_name, submodule->name,
"url");

49
t/t7416-submodule-dash-url.sh Executable file
View File

@ -0,0 +1,49 @@
#!/bin/sh
test_description='check handling of .gitmodule url with dash'
. ./test-lib.sh
test_expect_success 'create submodule with protected dash in url' '
git init upstream &&
git -C upstream commit --allow-empty -m base &&
mv upstream ./-upstream &&
git submodule add ./-upstream sub &&
git add sub .gitmodules &&
git commit -m submodule
'
test_expect_success 'clone can recurse submodule' '
test_when_finished "rm -rf dst" &&
git clone --recurse-submodules . dst &&
echo base >expect &&
git -C dst/sub log -1 --format=%s >actual &&
test_cmp expect actual
'
test_expect_success 'fsck accepts protected dash' '
test_when_finished "rm -rf dst" &&
git init --bare dst &&
git -C dst config transfer.fsckObjects true &&
git push dst HEAD
'
test_expect_success 'remove ./ protection from .gitmodules url' '
perl -i -pe "s{\./}{}" .gitmodules &&
git commit -am "drop protection"
'
test_expect_success 'clone rejects unprotected dash' '
test_when_finished "rm -rf dst" &&
test_must_fail git clone --recurse-submodules . dst 2>err &&
test_i18ngrep ignoring err
'
test_expect_success 'fsck rejects unprotected dash' '
test_when_finished "rm -rf dst" &&
git init --bare dst &&
git -C dst config transfer.fsckObjects true &&
test_must_fail git push dst HEAD 2>err &&
grep gitmodulesUrl err
'
test_done

28
t/t7417-submodule-path-url.sh Executable file
View File

@ -0,0 +1,28 @@
#!/bin/sh
test_description='check handling of .gitmodule path with dash'
. ./test-lib.sh
test_expect_success 'create submodule with dash in path' '
git init upstream &&
git -C upstream commit --allow-empty -m base &&
git submodule add ./upstream sub &&
git mv sub ./-sub &&
git commit -m submodule
'
test_expect_success 'clone rejects unprotected dash' '
test_when_finished "rm -rf dst" &&
git clone --recurse-submodules . dst 2>err &&
test_i18ngrep ignoring err
'
test_expect_success 'fsck rejects unprotected dash' '
test_when_finished "rm -rf dst" &&
git init --bare dst &&
git -C dst config transfer.fsckObjects true &&
test_must_fail git push dst HEAD 2>err &&
grep gitmodulesPath err
'
test_done