Commit Graph

58065 Commits

Author SHA1 Message Date
Jeff King
a52ed76142 fast-import: disallow "feature import-marks" by default
As with export-marks in the previous commit, import-marks can access the
filesystem. This is significantly less dangerous than export-marks
because it only involves reading from arbitrary paths, rather than
writing them. However, it could still be surprising and have security
implications (e.g., exfiltrating data from a service that accepts
fast-import streams).

Let's lump it (and its "if-exists" counterpart) in with export-marks,
and enable the in-stream version only if --allow-unsafe-features is set.

Signed-off-by: Jeff King <peff@peff.net>
2019-12-04 13:20:04 +01:00
Jeff King
68061e3470 fast-import: disallow "feature export-marks" by default
The fast-import stream command "feature export-marks=<path>" lets the
stream write marks to an arbitrary path. This may be surprising if you
are running fast-import against an untrusted input (which otherwise
cannot do anything except update Git objects and refs).

Let's disallow the use of this feature by default, and provide a
command-line option to re-enable it (you can always just use the
command-line --export-marks as well, but the in-stream version provides
an easy way for exporters to control the process).

This is a backwards-incompatible change, since the default is flipping
to the new, safer behavior. However, since the main users of the
in-stream versions would be import/export-based remote helpers, and
since we trust remote helpers already (which are already running
arbitrary code), we'll pass the new option by default when reading a
remote helper's stream. This should minimize the impact.

Note that the implementation isn't totally simple, as we have to work
around the fact that fast-import doesn't parse its command-line options
until after it has read any "feature" lines from the stream. This is how
it lets command-line options override in-stream. But in our case, it's
important to parse the new --allow-unsafe-features first.

There are three options for resolving this:

  1. Do a separate "early" pass over the options. This is easy for us to
     do because there are no command-line options that allow the
     "unstuck" form (so there's no chance of us mistaking an argument
     for an option), though it does introduce a risk of incorrect
     parsing later (e.g,. if we convert to parse-options).

  2. Move the option parsing phase back to the start of the program, but
     teach the stream-reading code never to override an existing value.
     This is tricky, because stream "feature" lines override each other
     (meaning we'd have to start tracking the source for every option).

  3. Accept that we might parse a "feature export-marks" line that is
     forbidden, as long we don't _act_ on it until after we've parsed
     the command line options.

     This would, in fact, work with the current code, but only because
     the previous patch fixed the export-marks parser to avoid touching
     the filesystem.

     So while it works, it does carry risk of somebody getting it wrong
     in the future in a rather subtle and unsafe way.

I've gone with option (1) here as simple, safe, and unlikely to cause
regressions.

This fixes CVE-2019-1348.

Signed-off-by: Jeff King <peff@peff.net>
2019-12-04 13:20:04 +01:00
Jeff King
019683025f fast-import: delay creating leading directories for export-marks
When we parse the --export-marks option, we don't immediately open the
file, but we do create any leading directories. This can be especially
confusing when a command-line option overrides an in-stream one, in
which case we'd create the leading directory for the in-stream file,
even though we never actually write the file.

Let's instead create the directories just before opening the file, which
means we'll create only useful directories. Note that this could change
the handling of relative paths if we chdir() in between, but we don't
actually do so; the only permanent chdir is from setup_git_directory()
which runs before either code path (potentially we should take the
pre-setup dir into account to avoid surprising the user, but that's an
orthogonal change).

The test just adapts the existing "override" test to use paths with
leading directories. This checks both that the correct directory is
created (which worked before but was not tested), and that the
overridden one is not (our new fix here).

While we're here, let's also check the error result of
safe_create_leading_directories(). We'd presumably notice any failure
immediately after when we try to open the file itself, but we can give a
more specific error message in this case.

Signed-off-by: Jeff King <peff@peff.net>
2019-12-04 13:20:04 +01:00
Jeff King
e075dba372 fast-import: stop creating leading directories for import-marks
When asked to import marks from "subdir/file.marks", we create the
leading directory "subdir" if it doesn't exist. This makes no sense for
importing marks, where we only ever open the path for reading.

Most of the time this would be a noop, since if the marks file exists,
then the leading directories exist, too. But if it doesn't (e.g.,
because --import-marks-if-exists was used), then we'd create the useless
directory.

This dates back to 580d5f83e7 (fast-import: always create marks_file
directories, 2010-03-29). Even then it was useless, so it seems to have
been added in error alongside the --export-marks case (which _is_
helpful).

Signed-off-by: Jeff King <peff@peff.net>
2019-12-04 13:20:04 +01:00
Jeff King
11e934d56e fast-import: tighten parsing of boolean command line options
We parse options like "--max-pack-size=" using skip_prefix(), which
makes sense to get at the bytes after the "=". However, we also parse
"--quiet" and "--stats" with skip_prefix(), which allows things like
"--quiet-nonsense" to behave like "--quiet".

This was a mistaken conversion in 0f6927c229 (fast-import: put option
parsing code in separate functions, 2009-12-04). Let's tighten this to
an exact match, which was the original intent.

Signed-off-by: Jeff King <peff@peff.net>
2019-12-04 13:20:04 +01:00
Jeff King
816f806786 t9300: create marks files for double-import-marks test
Our tests confirm that providing two "import-marks" options in a
fast-import stream is an error. However, the invoked command would fail
even without covering this case, because the marks files themselves do
not actually exist.  Let's create the files to make sure we fail for the
right reason (we actually do, because the option parsing happens before
we open anything, but this future-proofs our test).

Signed-off-by: Jeff King <peff@peff.net>
2019-12-04 13:20:03 +01:00
Jeff King
f94804c1f2 t9300: drop some useless uses of cat
These waste a process, and make the line longer than it needs to be.

Signed-off-by: Jeff King <peff@peff.net>
2019-12-04 13:20:03 +01:00
Jonathan Tan
4f3e57ef13 submodule--helper: advise on fatal alternate error
When recursively cloning a superproject with some shallow modules
defined in its .gitmodules, then recloning with "--reference=<path>", an
error occurs. For example:

  git clone --recurse-submodules --branch=master -j8 \
    https://android.googlesource.com/platform/superproject \
    master
  git clone --recurse-submodules --branch=master -j8 \
    https://android.googlesource.com/platform/superproject \
    --reference master master2

fails with:

  fatal: submodule '<snip>' cannot add alternate: reference repository
  '<snip>' is shallow

When a alternate computed from the superproject's alternate cannot be
added, whether in this case or another, advise about configuring the
"submodule.alternateErrorStrategy" configuration option and using
"--reference-if-able" instead of "--reference" when cloning.

Signed-off-by: Jonathan Tan <jonathantanmy@google.com>
Acked-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-12-03 08:49:45 -08:00
Jonathan Tan
10c64a0b3c Doc: explain submodule.alternateErrorStrategy
Commit 31224cbdc7 ("clone: recursive and reference option triggers
submodule alternates", 2016-08-17) taught Git to support the
configuration options "submodule.alternateLocation" and
"submodule.alternateErrorStrategy" on a superproject.

If "submodule.alternateLocation" is configured to "superproject" on a
superproject, whenever a submodule of that superproject is cloned, it
instead computes the analogous alternate path for that submodule from
$GIT_DIR/objects/info/alternates of the superproject, and references it.

The "submodule.alternateErrorStrategy" option determines what happens
if that alternate cannot be referenced. However, it is not clear that
the clone proceeds as if no alternate was specified when that option is
not set to "die" (as can be seen in the tests in 31224cbdc7). Therefore,
document it accordingly.

Signed-off-by: Jonathan Tan <jonathantanmy@google.com>
Acked-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-12-03 08:49:41 -08:00
Colin Stolley
ec48540fe8 packfile.c: speed up loading lots of packfiles
When loading packfiles on start-up, we traverse the internal packfile
list once per file to avoid reloading packfiles that have already
been loaded. This check runs in quadratic time, so for poorly
maintained repos with a large number of packfiles, it can be pretty
slow.

Add a hashmap containing the packfile names as we load them so that
the average runtime cost of checking for already-loaded packs becomes
constant.

Add a perf test to p5303 to show speed-up.

The existing p5303 test runtimes are dominated by other factors and do
not show an appreciable speed-up. The new test in p5303 clearly exposes
a speed-up in bad cases. In this test we create 10,000 packfiles and
measure the start-up time of git rev-parse, which does little else
besides load in the packs.

Here are the numbers for the new p5303 test:

Test                         HEAD^             HEAD
---------------------------------------------------------------------
5303.12: load 10,000 packs   1.03(0.92+0.10)   0.12(0.02+0.09) -88.3%

Signed-off-by: Colin Stolley <cstolley@runbox.com>
Helped-by: Jeff King <peff@peff.net>
[jc: squashed the change to call hashmap in install_packed_git() by peff]
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-12-03 07:59:45 -08:00
Johannes Schindelin
3ba3720b3f mingw: forbid translating ERROR_SUCCESS to an errno value
Johannes Sixt pointed out that the `err_win_to_posix()` function
mishandles `ERROR_SUCCESS`: it maps it to `ENOSYS`.

The only purpose of this function is to map Win32 API errors to `errno`
ones, and there is actually no equivalent to `ERROR_SUCCESS`: the idea
of `errno` is that it will only be set in case of an error, and left
alone in case of success.

Therefore, as pointed out by Junio Hamano, it is a bug to call this
function when there was not even any error to map.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-12-02 11:05:36 -08:00
Johannes Schindelin
a4fb016ba1 pkt-line: fix a typo
This typo was introduced in 2153d478b7 (pkt-line: introduce
packet_read_with_status, 2018-03-14).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-12-02 08:48:56 -08:00
Doan Tran Cong Danh
0109d676f9 mingw: use {gm,local}time_s as backend for {gm,local}time_r
Since Windows doesn't provide gmtime_r(3) and localtime_r(3),
we're providing a compat version by using non-reentrant gmtime(3) and
localtime(3) as backend. Then, we copy the returned data into the
buffer.

By doing that, in case of failure, we will dereference a NULL pointer
returned by gmtime(3), and localtime(3), and we always return a valid
pointer instead of NULL.

Drop the memcpy(3) by using gmtime_s(), and use localtime_s() as the
backend on Windows, and make sure we will return NULL in case of
failure.

Cc: Johannes Sixt <j6t@kdbg.org>
Cc: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Signed-off-by: Doan Tran Cong Danh <congdanhqx@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-12-01 22:26:25 -08:00
Todd Zullinger
e714b898c6 t7812: expect failure for grep -i with invalid UTF-8 data
When the 'grep with invalid UTF-8 data' tests were added/adjusted in
8a5999838e (grep: stess test PCRE v2 on invalid UTF-8 data, 2019-07-26)
and 870eea8166 (grep: do not enter PCRE2_UTF mode on fixed matching,
2019-07-26) they lacked a redirect which caused them to falsely succeed
on most systems.  The 'grep -i' test failed on systems where JIT was
disabled as it never reached the portion which was missing the redirect.

A recent patch added the missing redirect and exposed the fact that the
'PCRE v2: grep non-ASCII from invalid UTF-8 data with -i' test fails
regardless of whether JIT is enabled.

Based on the final paragraph in in 870eea8166:

    When grepping a non-ASCII fixed string. This is a more general problem
    that's hard to fix, but we can at least fix the most common case of
    grepping for a fixed string without "-i". I can't think of a reason
    for why we'd turn on PCRE2_UTF when matching byte-for-byte like that.

it seems that we don't expect that the case-insensitive grep will
succeed.  Adjust the test to reflect that expectation.

Signed-off-by: Todd Zullinger <tmz@pobox.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-12-01 22:09:07 -08:00
Junio C Hamano
228f53135a The second batch
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-12-01 09:04:41 -08:00
Junio C Hamano
6c630f237e Merge branch 'jk/gitweb-anti-xss'
Some codepaths in "gitweb" that forgot to escape URLs generated
based on end-user input have been corrected.

* jk/gitweb-anti-xss:
  gitweb: escape URLs generated by href()
  t/gitweb-lib.sh: set $REQUEST_URI
  t/gitweb-lib.sh: drop confusing quotes
  t9502: pass along all arguments in xss helper
2019-12-01 09:04:41 -08:00
Junio C Hamano
3288d99c92 Merge branch 'ar/install-doc-update-cmds-needing-the-shell'
Doc update.

* ar/install-doc-update-cmds-needing-the-shell:
  INSTALL: use existing shell scripts as example
2019-12-01 09:04:41 -08:00
Junio C Hamano
4775e02a5c Merge branch 'ma/t7004'
Test fix.

* ma/t7004:
  t7004: check existence of correct tag
2019-12-01 09:04:41 -08:00
Junio C Hamano
a6c6f8d02a Merge branch 'js/complete-svn-recursive'
The completion script (in contrib/) has been taught that "git svn"
supports the "--recursive" option.

* js/complete-svn-recursive:
  completion: tab-complete "git svn --recursive"
2019-12-01 09:04:40 -08:00
Junio C Hamano
3ae8defaf9 Merge branch 'jk/send-pack-remote-failure'
Error handling after "git push" finishes sending the packdata and
waits for the response to the remote side has been improved.

* jk/send-pack-remote-failure:
  send-pack: check remote ref status on pack-objects failure
2019-12-01 09:04:40 -08:00
Junio C Hamano
aec3b2e24f Merge branch 'jc/fsmonitor-sanity-fix'
Remove an incorrect BUG() that should not trigger.

* jc/fsmonitor-sanity-fix:
  fsmonitor: do not compare bitmap size with size of split index
2019-12-01 09:04:39 -08:00
Junio C Hamano
4ab9616c76 Merge branch 'sg/skip-skipped-prereq'
Test update to avoid wasted cycles.

* sg/skip-skipped-prereq:
  test-lib: don't check prereqs of test cases that won't be run anyway
2019-12-01 09:04:39 -08:00
Junio C Hamano
723a8adba5 Merge branch 'ds/test-read-graph'
Dev support for commit-graph feature.

* ds/test-read-graph:
  test-tool: use 'read-graph' helper
2019-12-01 09:04:39 -08:00
Junio C Hamano
9da3948781 Merge branch 'rs/use-copy-array-in-mingw-shell-command-preparation'
Code cleanup.

* rs/use-copy-array-in-mingw-shell-command-preparation:
  mingw: use COPY_ARRAY for copying array
2019-12-01 09:04:39 -08:00
Junio C Hamano
406ca29e0d Merge branch 'rs/parse-options-dup-null-fix'
Code cleanup.

* rs/parse-options-dup-null-fix:
  parse-options: avoid arithmetic on pointer that's potentially NULL
2019-12-01 09:04:38 -08:00
Junio C Hamano
fce9e836d3 Merge branch 'jt/fetch-remove-lazy-fetch-plugging'
"git fetch" codepath had a big "do not lazily fetch missing objects
when I ask if something exists" switch.  This has been corrected by
marking the "does this thing exist?" calls with "if not please do not
lazily fetch it" flag.

* jt/fetch-remove-lazy-fetch-plugging:
  promisor-remote: remove fetch_if_missing=0
  clone: remove fetch_if_missing=0
  fetch: remove fetch_if_missing=0
2019-12-01 09:04:38 -08:00
Junio C Hamano
8faff3899e Merge branch 'jk/optim-in-pack-idx-conversion'
Code clean-up.

* jk/optim-in-pack-idx-conversion:
  pack-objects: avoid pointless oe_map_new_pack() calls
2019-12-01 09:04:38 -08:00
Junio C Hamano
ef8f621045 Merge branch 'dl/complete-rebase-onto'
The completion script (in contrib/) learned that the "--onto"
option of "git rebase" can take its argument as the value of the
option.

* dl/complete-rebase-onto:
  completion: learn to complete `git rebase --onto=`
2019-12-01 09:04:37 -08:00
Junio C Hamano
3c3e5d0ea2 Merge branch 'tg/stash-refresh-index'
Recent update to "git stash pop" made the command empty the index
when run with the "--quiet" option, which has been corrected.

* tg/stash-refresh-index:
  stash: make sure we have a valid index before writing it
2019-12-01 09:04:37 -08:00
Junio C Hamano
43c5fe1c1d Merge branch 'nn/doc-rebase-merges'
Doc update.

* nn/doc-rebase-merges:
  doc: improve readability of --rebase-merges in git-rebase
2019-12-01 09:04:37 -08:00
Junio C Hamano
6511cb33c9 Merge branch 'dd/sequencer-utf8'
Handling of commit objects that use non UTF-8 encoding during
"rebase -i" has been improved.

* dd/sequencer-utf8:
  sequencer: reencode commit message for am/rebase --show-current-patch
  sequencer: reencode old merge-commit message
  sequencer: reencode squashing commit's message
  sequencer: reencode revert/cherry-pick's todo list
  sequencer: reencode to utf-8 before arrange rebase's todo list
  t3900: demonstrate git-rebase problem with multi encoding
  configure.ac: define ICONV_OMITS_BOM if necessary
  t0028: eliminate non-standard usage of printf
2019-12-01 09:04:36 -08:00
Junio C Hamano
f165457618 Merge branch 'jk/remove-sha1-to-hex'
Code clean-up.

* jk/remove-sha1-to-hex:
  hex: drop sha1_to_hex()
  hex: drop sha1_to_hex_r()
2019-12-01 09:04:36 -08:00
Junio C Hamano
a774064fb0 Merge branch 'dj/typofix-merge-strat'
Typofix.

* dj/typofix-merge-strat:
  merge-strategies: fix typo "reflected to" to "reflected in"
2019-12-01 09:04:36 -08:00
Junio C Hamano
ca5c8aa8e1 Merge branch 'rj/bundle-ui-updates'
"git bundle" has been taught to use the parse options API.  "git
bundle verify" learned "--quiet" and "git bundle create" learned
options to control the progress output.

* rj/bundle-ui-updates:
  bundle-verify: add --quiet
  bundle-create: progress output control
  bundle: framework for options before bundle file
2019-12-01 09:04:36 -08:00
Junio C Hamano
d2489ce92c Merge branch 'rs/skip-iprefix'
Code simplification.

* rs/skip-iprefix:
  convert: use skip_iprefix() in validate_encoding()
  utf8: use skip_iprefix() in same_utf_encoding()
2019-12-01 09:04:36 -08:00
Junio C Hamano
376e7309e1 Merge branch 'ln/userdiff-elixir'
The patterns to detect function boundary for Elixir language has
been added.

* ln/userdiff-elixir:
  userdiff: add Elixir to supported userdiff languages
2019-12-01 09:04:36 -08:00
Junio C Hamano
9a5d34c6dc Merge branch 'py/shortlog-list-options-for-log'
Documentation pages for "git shortlog" now lists commit limiting
options explicitly.

* py/shortlog-list-options-for-log:
  git-shortlog.txt: include commit limiting options
2019-12-01 09:04:35 -08:00
Junio C Hamano
d3096d2ba6 Merge branch 'en/doc-typofix'
Docfix.

* en/doc-typofix:
  Fix spelling errors in no-longer-updated-from-upstream modules
  multimail: fix a few simple spelling errors
  sha1dc: fix trivial comment spelling error
  Fix spelling errors in test commands
  Fix spelling errors in messages shown to users
  Fix spelling errors in names of tests
  Fix spelling errors in comments of testcases
  Fix spelling errors in code comments
  Fix spelling errors in documentation outside of Documentation/
  Documentation: fix a bunch of typos, both old and new
2019-12-01 09:04:35 -08:00
Junio C Hamano
26f20fa3fc Merge branch 'ns/test-desc-typofix'
Typofix.

* ns/test-desc-typofix:
  t: fix typo in test descriptions
2019-12-01 09:04:34 -08:00
Junio C Hamano
ffd130a363 Merge branch 'en/t6024-style'
Test updates.

* en/t6024-style:
  t6024: modernize style
2019-12-01 09:04:34 -08:00
Junio C Hamano
5149902ff9 Merge branch 'en/misc-doc-fixes'
Misc doc fixes.

* en/misc-doc-fixes:
  name-hash.c: remove duplicate word in comment
  hashmap: fix documentation misuses of -> versus .
  git-filter-branch.txt: correct argument name typo
2019-12-01 09:04:34 -08:00
Junio C Hamano
bcb06e204c Merge branch 'js/fetch-multi-lockfix'
Fetching from multiple remotes into the same repository in parallel
had a bad interaction with the recent change to (optionally) update
the commit-graph after a fetch job finishes, as these parallel
fetches compete with each other.  Which has been corrected.

* js/fetch-multi-lockfix:
  fetch: avoid locking issues between fetch.jobs/fetch.writeCommitGraph
  fetch: add the command-line option `--write-commit-graph`
2019-12-01 09:04:33 -08:00
Junio C Hamano
d08daec001 Merge branch 'rs/trace2-dots'
Code cleanup.

* rs/trace2-dots:
  trace2: add dots directly to strbuf in perf_fmt_prepare()
2019-12-01 09:04:33 -08:00
Junio C Hamano
fc7b26c907 Merge branch 'kw/fsmonitor-watchman-fix'
The watchman integration for fsmonitor was racy, which has been
corrected to be more conservative.

* kw/fsmonitor-watchman-fix:
  fsmonitor: fix watchman integration
2019-12-01 09:04:33 -08:00
Junio C Hamano
bad5ed39cd Merge branch 'cb/curl-use-xmalloc'
HTTP transport had possible allocator/deallocator mismatch, which
has been corrected.

* cb/curl-use-xmalloc:
  remote-curl: unbreak http.extraHeader with custom allocators
2019-12-01 09:04:33 -08:00
Junio C Hamano
7ab2088255 Merge branch 'rt/fetch-message-fix'
A small message update.

* rt/fetch-message-fix:
  fetch.c: fix typo in a warning message
2019-12-01 09:04:32 -08:00
Junio C Hamano
f089ddd56a Merge branch 'es/myfirstcontrib-updates'
Doc updates.

* es/myfirstcontrib-updates:
  myfirstcontrib: hint to find gitgitgadget allower
  myfirstcontrib: add dependency installation step
  myfirstcontrib: add 'psuh' to command-list.txt
2019-12-01 09:04:32 -08:00
Junio C Hamano
3c90710c0c Merge branch 'hw/config-doc-in-header'
Follow recent push to move API docs from Documentation/ to header
files and update config.h

* hw/config-doc-in-header:
  config: move documentation to config.h
2019-12-01 09:04:32 -08:00
Junio C Hamano
d4924ea7c3 Merge branch 'dl/doc-diff-no-index-implies-exit-code'
Doc update.

* dl/doc-diff-no-index-implies-exit-code:
  git-diff.txt: document return code of `--no-index`
2019-12-01 09:04:31 -08:00
Junio C Hamano
5444d52866 Merge branch 'js/vreportf-wo-buffering'
Messages from die() etc. can be mixed up from multiple processes
without even line buffering on Windows, which has been worked
around.

* js/vreportf-wo-buffering:
  vreportf(): avoid relying on stdio buffering
2019-12-01 09:04:31 -08:00