Commit Graph

26 Commits

Author SHA1 Message Date
Junio C Hamano
e7a7be8831 git_mkstemp(): be careful not to overflow the path buffer.
If user's TMPDIR is insanely long, return negative after
setting errno to ENAMETOOLONG, pretending that the underlying
mkstemp() choked on a temporary file path that is too long.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
2007-07-25 21:34:53 -07:00
Matthias Lederhofer
7627943a1b getenv/setenv: use constants if available
There were places using "GIT_DIR" instead of GIT_DIR_ENVIRONMENT and
"GIT_CONFIG" instead of CONFIG_ENVIRONMENT.  This makes it easier to
find all places touching an environment variable using git grep or
similar tools.

Signed-off-by: Matthias Lederhofer <matled@gmx.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2007-07-02 01:33:44 -07:00
Shawn O. Pearce
3a55602eec General const correctness fixes
We shouldn't attempt to assign constant strings into char*, as the
string is not writable at runtime.  Likewise we should always be
treating unsigned values as unsigned values, not as signed values.

Most of these are very straightforward.  The only exception is the
(unnecessary) xstrdup/free in builtin-branch.c for the detached
head case.  Since this is a user-level interactive type program
and that particular code path is executed no more than once, I feel
that the extra xstrdup call is well worth the easy elimination of
this warning.

Signed-off-by: Shawn O. Pearce <spearce@spearce.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-03-07 10:47:10 -08:00
Junio C Hamano
c388761c15 Merge branch 'jc/detached-head'
* jc/detached-head:
  git-checkout: handle local changes sanely when detaching HEAD
  git-checkout: safety check for detached HEAD checks existing refs
  git-checkout: fix branch name output from the command
  git-checkout: safety when coming back from the detached HEAD state.
  git-checkout: rewording comments regarding detached HEAD.
  git-checkout: do not warn detaching HEAD when it is already detached.
  Detached HEAD (experimental)
  git-branch: show detached HEAD
  git-status: show detached HEAD
2007-01-11 16:47:34 -08:00
Andy Whitcroft
93d26e4cb9 short i/o: fix calls to read to use xread or read_in_full
We have a number of badly checked read() calls.  Often we are
expecting read() to read exactly the size we requested or fail; this
fails to handle interrupts or short reads.  Add a read_in_full()
providing those semantics.  Otherwise we at a minimum need to check
for EINTR and EAGAIN; where this is appropriate use xread().

Signed-off-by: Andy Whitcroft <apw@shadowen.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-08 15:44:47 -08:00
Junio C Hamano
c847f53712 Detached HEAD (experimental)
This allows "git checkout v1.4.3" to dissociate the HEAD of
repository from any branch.  After this point, "git branch"
starts reporting that you are not on any branch.  You can go
back to an existing branch by saying "git checkout master", for
example.

This is still experimental.  While I think it makes sense to
allow commits on top of detached HEAD, it is rather dangerous
unless you are careful in the current form.  Next "git checkout
master" will obviously lose what you have done, so we might want
to require "git checkout -f" out of a detached HEAD if we find
that the HEAD commit is not an ancestor of any other branches.
There is no such safety valve implemented right now.

On the other hand, the reason the user did not start the ad-hoc
work on a new branch with "git checkout -b" was probably because
the work was of a throw-away nature, so the convenience of not
having that safety valve might be even better.  The user, after
accumulating some commits on top of a detached HEAD, can always
create a new branch with "git checkout -b" not to lose useful
work done while the HEAD was detached.

We'll see.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-08 03:02:11 -08:00
Junio C Hamano
85023577a8 simplify inclusion of system header files.
This is a mechanical clean-up of the way *.c files include
system header files.

 (1) sources under compat/, platform sha-1 implementations, and
     xdelta code are exempt from the following rules;

 (2) the first #include must be "git-compat-util.h" or one of
     our own header files that includes it first (e.g. config.h,
     builtin.h, pkt-line.h);

 (3) system headers that are included in "git-compat-util.h"
     need not be included in individual C source files.

 (4) "git-compat-util.h" does not have to include subsystem
     specific header files (e.g. expat.h).

Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-12-20 09:51:35 -08:00
Junio C Hamano
fe732edee1 adjust_shared_perm: chmod() only when needed.
When widening permission for files and directories in a 'shared'
repository for a user with inappropriate umask() setting for
shared work, make sure we call chmod() only when we actually
need to.

The primary idea owes credit to Johannes.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-11-05 18:36:36 -08:00
Linus Torvalds
e7676d2f64 Allow multiple "git_path()" uses
This allows you to maintain a few filesystem pathnames concurrently, by
simply replacing the single static "pathname" buffer with a LRU of four
buffers.

We did exactly the same thing with sha1_to_hex(), for pretty much exactly
the same reason. Sometimes you want to use two pathnames, and while it's
easy enough to xstrdup() them, why not just do the LRU buffer thing.

Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-09-16 02:21:11 -07:00
Peter Eriksen
817151e61a Rename safe_strncpy() to strlcpy().
This cleans up the use of safe_strncpy() even more.  Since it has the
same semantics as strlcpy() use this name instead.  Also move the
definition from inside path.c to its own file compat/strlcpy.c, and use
it conditionally at compile time, since some platforms already have
strlcpy().  It's included in the same way as compat/setenv.c.

Signed-off-by: Peter Eriksen <s022018@student.dtu.dk>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-06-24 23:16:25 -07:00
Junio C Hamano
fc5201ac9f Merge branch 'js/diff'
2006-06-17 17:08:36 -07:00
Peter Eriksen
bfbd0bb6ec Implement safe_strncpy() as strlcpy() and use it more.
Signed-off-by: Peter Eriksen <s022018@student.dtu.dk>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-06-16 22:45:12 -07:00
Junio C Hamano
94df2506ed shared repository: optionally allow reading to "others".
This enhances core.sharedrepository to additionally
specify that read and exec permissions be given to others as
well.  It is useful when serving a repository via gitweb and
git-daemon that runs as a user outside the project group.

The configuration item can take the following values:

    [core]
        sharedrepository         ; the same as "group"
        sharedrepository = true  ; ditto
        sharedrepository = 1     ; ditto
        sharedrepository = group ; allow rwx to group
        sharedrepository = all   ; allow rwx to group, allow rx to other
        sharedrepository = umask ; not shared - use umask

It also extends "git init-db" to take "--shared=all" and friends
from the command line.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-06-10 01:31:31 -07:00
Junio C Hamano
138086a725 shared repository - add a few missing calls to adjust_shared_perm().
There were a few calls to adjust_shared_perm() that were
missing:

 - init-db creates refs, refs/heads, and refs/tags before
   reading from templates that could specify sharedrepository in
   the config file;

 - updating config file created it under user's umask without
   adjusting;

 - updating refs created it under user's umask without
   adjusting;

 - switching branches created .git/HEAD under user's umask
   without adjusting.

This moves adjust_shared_perm() from sha1_file.c to path.c,
since a few SIMPLE_PROGRAM need to call repository configuration
functions which in turn need to call adjust_shared_perm().
sha1_file.c needs to link with SHA1 computation library which
is usually not linked to SIMPLE_PROGRAM.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-06-09 22:15:50 -07:00
Junio C Hamano
d79374c7b5 [PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earlier (mid October 2005).

Unfortunately, it did not go well as we hoped.

For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allocation or whatever reasons.  Being able to keep using
/pub/scm as the whitelist is a desirable property.

So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name.  When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).

What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob".  And no, you cannot say
/home if the advertised way to access user home directories is
~alice, ~bob, etc.  The whole point of this is to avoid
unnecessary aliasing issues.

Anyway, because of this, daemon needs to do a bit more work to
guard itself.  Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end.  I resurrected the
belts and suspender paranoia code HPA did for this purpose.

This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 23:17:42 -08:00
Junio C Hamano
1644162ad5 Check repository format version in enter_repo().
After daemon, upload-pack and receive-pack find out where the
git directory is and chdir() there, make sure that repository is
in a format we understand, after putenv("GIT_DIR=.") so that it
knows to pick up the configuration file from there.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-11-27 01:32:59 -08:00
Junio C Hamano
e0a87193d3 Fix "do not DWIM" patch to enter_repo
We wanted --strict to mean "do not DWIM", but the code required to
see absolute path.  daemon does its own path verification and chdirs
to the verified repository, so enter_repo() called from upload-pack
will always enter ".".  Requiring absolute path does not make any sense.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-11-20 23:37:13 -08:00
Timo Hirvonen
bd22c904a0 Fix sparse warnings
Make some functions static and convert func() function prototypes to
func(void).  Fix declaration after statement, missing declaration and
redundant declaration warnings.

Signed-off-by: Timo Hirvonen <tihirvon@gmail.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-11-20 22:14:16 -08:00
Junio C Hamano
0870ca7fab Do not DWIM in userpath library under strict mode.
This should make git-daemon administrator's job a bit harder
because the exact paths need to be given in the whitelist, but
at the same time makes the auditing easier.

This moves validate_symref() from refs.c to path.c, because we
need to link path.c with git-daemon for its "enter_repo()", but
we do not want to link the daemon with the rest of git libraries
and its requirements.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-11-19 20:50:38 -08:00
Andreas Ericsson
54f4b87454 Library code for user-relative paths, take three.
This patch provides the work-horse of the user-relative paths feature,
using Linus' idea of a blind chdir() and getcwd() which makes it
remarkably simple.

Signed-off-by: Andreas Ericsson <ae@op5.se>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-11-19 20:50:37 -08:00
Sven Verdoolaege
5da1606d0b [PATCH] Provide access to git_dir through get_git_dir().
Signed-off-by: Sven Verdoolaege <skimo@kotnet.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-09-27 00:16:39 -07:00
Junio C Hamano
a9ab586a5d Retire support for old environment variables.
We have deprecated the old environment variable names for quite a
while and now it's time to remove them.  Gone are:

    SHA1_FILE_DIRECTORIES AUTHOR_DATE AUTHOR_EMAIL AUTHOR_NAME
    COMMIT_AUTHOR_EMAIL COMMIT_AUTHOR_NAME SHA1_FILE_DIRECTORY

Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-09-09 14:48:54 -07:00
Jason Riedy
c7c81b3a51 Fix ?: statements.
Omitting the first branch in ?: is a GNU extension.  Cute,
but not supported by other compilers.  Replaced mostly
by explicit tests.  Calls to getenv() simply are repeated
on non-GNU compilers.

Signed-off-by: Jason Riedy <ejr@cs.berkeley.edu>
2005-08-23 20:41:12 -07:00
Holger Eitzenberger
35c3c62983 [PATCH] git_mkstemp() fix
git_mkstemp() attempted to use TMPDIR environment variable, but it botched
copying the templates.

[jc: Holger, please add your own Signed-off-by line, and also if you can,
send in future patches as non attachments.]

Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-08-08 22:51:44 -07:00
Holger Eitzenberger
f2db68eda8 [PATCH] git: add git_mkstemp()
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-08-05 23:06:58 -07:00
Linus Torvalds
26c8a533af Add "mkpath()" helper function
I'm bored with doing it by hand all the time.
2005-07-08 16:20:59 -07:00