Commit Graph

51820 Commits

Author SHA1 Message Date
Ævar Arnfjörð Bjarmason
9903623761 receive-pack: fix use-after-free bug
The resolve_ref_unsafe() function can, and sometimes will in the case
of this codepath, return the char * passed to it to the caller. In
this case we construct a strbuf, free it, and then continue using the
dst_name after that free().

The code being fixed dates back to da3efdb17b ("receive-pack: detect
aliased updates which can occur with symrefs", 2010-04-19). When it
was originally added it didn't have this bug, it was introduced when
it was subsequently modified to use strbuf in 6b01ecfe22 ("ref
namespaces: Support remote repositories via upload-pack and
receive-pack", 2011-07-08).

This is theoretically a security issue, the C standard makes no
guarantees that a value you use after free() hasn't been poked at or
changed by something else on the system, but in practice modern OSs
will have mapped the relevant page to this process, so nothing else
would have used it. We do no further allocations between the free()
and use-after-free, so we ourselves didn't corrupt or change the
value.

Jeff investigated that and found: "It probably would be an issue if
the allocation were larger. glibc at least will use mmap()/munmap()
after some cutoff[1], in which case we'd get a segfault from hitting
the unmapped page. But for small allocations, it just bumps brk() and
the memory is still available for further allocations after
free(). [...] If you had a sufficiently large refname you might be
able to trigger the bug [...]. I tried to push such a ref. I had to
manually make a packed-refs file with the long name to avoid
filesystem limits (though probably you could have a long a/b/c/ name
on ext4).  But the result can't actually be pushed, because it all has
to fit into a 64k pkt-line as part of the push protocol.".

An a alternative and more succinct way of implementing this would have
been to do the strbuf_release() at the end of check_aliased_update()
and use "goto out" instead of the early "return" statements. Hopefully
this approach of using a helper instead makes it easier to follow.

1. Jeff: "Weirdly, the mmap() cutoff on my glibc system is 135168
   bytes. Which is...2^17 + 2^12? 33 pages? I'm sure there's a good
   reason for that, but I didn't dig into it."

Reported-by: 王健强 <jianqiang.wang@securitygossip.com>
Helped-by: Jeff King <peff@peff.net>
Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-02-20 15:02:12 -08:00
Junio C Hamano
268fbcd172 Git 2.18.1
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:48:19 -07:00
Junio C Hamano
44f87dac99 Sync with 2.17.2
* maint-2.17:
  Git 2.17.2
  fsck: detect submodule paths starting with dash
  fsck: detect submodule urls starting with dash
  Git 2.16.5
  Git 2.15.3
  Git 2.14.5
  submodule-config: ban submodule paths that start with a dash
  submodule-config: ban submodule urls that start with dash
  submodule--helper: use "--" to signal end of clone options
2018-09-27 11:45:01 -07:00
Junio C Hamano
6e9e91e9ca Git 2.17.2
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:44:07 -07:00
Jeff King
1a7fd1fb29 fsck: detect submodule paths starting with dash
As with urls, submodule paths with dashes are ignored by
git, but may end up confusing older versions. Detecting them
via fsck lets us prevent modern versions of git from being a
vector to spread broken .gitmodules to older versions.

Compared to blocking leading-dash urls, though, this
detection may be less of a good idea:

  1. While such paths provide confusing and broken results,
     they don't seem to actually work as option injections
     against anything except "cd". In particular, the
     submodule code seems to canonicalize to an absolute
     path before running "git clone" (so it passes
     /your/clone/-sub).

  2. It's more likely that we may one day make such names
     actually work correctly. Even after we revert this fsck
     check, it will continue to be a hassle until hosting
     servers are all updated.

On the other hand, it's not entirely clear that the behavior
in older versions is safe. And if we do want to eventually
allow this, we may end up doing so with a special syntax
anyway (e.g., writing "./-sub" in the .gitmodules file, and
teaching the submodule code to canonicalize it when
comparing).

So on balance, this is probably a good protection.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:41:31 -07:00
Jeff King
a124133e1e fsck: detect submodule urls starting with dash
Urls with leading dashes can cause mischief on older
versions of Git. We should detect them so that they can be
rejected by receive.fsckObjects, preventing modern versions
of git from being a vector by which attacks can spread.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:41:26 -07:00
Junio C Hamano
e43aab778c Sync with 2.16.5
* maint-2.16:
  Git 2.16.5
  Git 2.15.3
  Git 2.14.5
  submodule-config: ban submodule paths that start with a dash
  submodule-config: ban submodule urls that start with dash
  submodule--helper: use "--" to signal end of clone options
2018-09-27 11:41:02 -07:00
Junio C Hamano
27d05d1a1a Git 2.16.5
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:38:32 -07:00
Junio C Hamano
424aac653a Sync with 2.15.3
* maint-2.15:
  Git 2.15.3
  Git 2.14.5
  submodule-config: ban submodule paths that start with a dash
  submodule-config: ban submodule urls that start with dash
  submodule--helper: use "--" to signal end of clone options
2018-09-27 11:35:43 -07:00
Junio C Hamano
924c623e1c Git 2.15.3
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:33:47 -07:00
Junio C Hamano
902df9f5c4 Sync with Git 2.14.4
* maint-2.14:
  Git 2.14.5
  submodule-config: ban submodule paths that start with a dash
  submodule-config: ban submodule urls that start with dash
  submodule--helper: use "--" to signal end of clone options
2018-09-27 11:20:22 -07:00
Junio C Hamano
d0832b2847 Git 2.14.5
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:19:11 -07:00
Jeff King
273c61496f submodule-config: ban submodule paths that start with a dash
We recently banned submodule urls that look like
command-line options. This is the matching change to ban
leading-dash paths.

As with the urls, this should not break any use cases that
currently work. Even with our "--" separator passed to
git-clone, git-submodule.sh gets confused. Without the code
portion of this patch, the clone of "-sub" added in t7417
would yield results like:

    /path/to/git-submodule: 410: cd: Illegal option -s
    /path/to/git-submodule: 417: cd: Illegal option -s
    /path/to/git-submodule: 410: cd: Illegal option -s
    /path/to/git-submodule: 417: cd: Illegal option -s
    Fetched in submodule path '-sub', but it did not contain b56243f8f4eb91b2f1f8109452e659f14dd3fbe4. Direct fetching of that commit failed.

Moreover, naively adding such a submodule doesn't work:

  $ git submodule add $url -sub
  The following path is ignored by one of your .gitignore files:
  -sub

even though there is no such ignore pattern (the test script
hacks around this with a well-placed "git mv").

Unlike leading-dash urls, though, it's possible that such a
path _could_ be useful if we eventually made it work. So
this commit should be seen not as recommending a particular
policy, but rather temporarily closing off a broken and
possibly dangerous code-path. We may revisit this decision
later.

There are two minor differences to the tests in t7416 (that
covered urls):

  1. We don't have a "./-sub" escape hatch to make this
     work, since the submodule code expects to be able to
     match canonical index names to the path field (so you
     are free to add submodule config with that path, but we
     would never actually use it, since an index entry would
     never start with "./").

  2. After this patch, cloning actually succeeds. Since we
     ignore the submodule.*.path value, we fail to find a
     config stanza for our submodule at all, and simply
     treat it as inactive. We still check for the "ignoring"
     message.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 09:34:59 -07:00
Jeff King
f6adec4e32 submodule-config: ban submodule urls that start with dash
The previous commit taught the submodule code to invoke our
"git clone $url $path" with a "--" separator so that we
aren't confused by urls or paths that start with dashes.

However, that's just one code path. It's not clear if there
are others, and it would be an easy mistake to add one in
the future. Moreover, even with the fix in the previous
commit, it's quite hard to actually do anything useful with
such an entry. Any url starting with a dash must fall into
one of three categories:

 - it's meant as a file url, like "-path". But then any
   clone is not going to have the matching path, since it's
   by definition relative inside the newly created clone. If
   you spell it as "./-path", the submodule code sees the
   "/" and translates this to an absolute path, so it at
   least works (assuming the receiver has the same
   filesystem layout as you). But that trick does not apply
   for a bare "-path".

 - it's meant as an ssh url, like "-host:path". But this
   already doesn't work, as we explicitly disallow ssh
   hostnames that begin with a dash (to avoid option
   injection against ssh).

 - it's a remote-helper scheme, like "-scheme::data". This
   _could_ work if the receiver bends over backwards and
   creates a funny-named helper like "git-remote--scheme".
   But normally there would not be any helper that matches.

Since such a url does not work today and is not likely to do
anything useful in the future, let's simply disallow them
entirely. That protects the existing "git clone" path (in a
belt-and-suspenders way), along with any others that might
exist.

Our tests cover two cases:

  1. A file url with "./" continues to work, showing that
     there's an escape hatch for people with truly silly
     repo names.

  2. A url starting with "-" is rejected.

Note that we expect case (2) to fail, but it would have done
so even without this commit, for the reasons given above.
So instead of just expecting failure, let's also check for
the magic word "ignoring" on stderr. That lets us know that
we failed for the right reason.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 09:34:58 -07:00
Jeff King
98afac7a7c submodule--helper: use "--" to signal end of clone options
When we clone a submodule, we call "git clone $url $path".
But there's nothing to say that those components can't begin
with a dash themselves, confusing git-clone into thinking
they're options. Let's pass "--" to make it clear what we
expect.

There's no test here, because it's actually quite hard to
make these names work, even with "git clone" parsing them
correctly. And we're going to restrict these cases even
further in future commits. So we'll leave off testing until
then; this is just the minimal fix to prevent us from doing
something stupid with a badly formed entry.

Reported-by: joernchen <joernchen@phenoelit.de>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 09:34:55 -07:00
Junio C Hamano
53f9a3e157 Git 2.18
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-06-21 10:00:06 -07:00
Junio C Hamano
1fb9df7248 Merge branch 'en/rename-directory-detection-reboot'
* en/rename-directory-detection-reboot:
  merge-recursive: use xstrdup() instead of fixed buffer
2018-06-19 11:11:03 -07:00
Junio C Hamano
f0ac6e3943 Merge Korean translation for l10n of Git 2.18.0 round 3
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJbKFyNAAoJEMek6Rt1RHooUS0P/3zxiFjtSTlb0dfZ1VFaC3Zm
 vjowFQg4gUzBK37L1G5YD5sCJsdH/sOsfJlB1ZQ5sV2Ml2i8aJIMQYIrIQV9en3t
 Q+/zndp8i+2GdoL7VkPcoYv5kA/dvUaDn3GBohqkyXJy5oe7s6f1DuqXVCSgLBck
 9CSxbIp2lU7eS7Hm0bnV4RTTVmT0xiYT03CA/CPfIuQd59wPSR33o0zxCzrHjtJO
 ZMyDjbWWBTYFKN77KFAQOSSbhvqwcFbarjQCuN61STy+L6R5kXBgt58ZExHY41Gb
 JOmvqWmEHzKtJ0254fWGOyyIWetA7cjaxdYlE2M96p/etao6TIK1LeESLYRQBx2p
 dIGnUnNo2/7sBL4yIt4oq9BNAS+EOt+2uFM+tl+bKBhFvOGxqAMj4pgw1RtR/7kF
 9cFr+hrqliIUd3sBe4yVOaVmjnLK3vN76IYqFKlwtlE5Br8Jl/zz1PhWM+Z+91zm
 8GSqJTgY6ivtd2GSguVqkj5MNTgDOFNe2IOgAHmkXQEW27gkW+5aZ8GCWVAzwNX+
 YiMtNtuG1+TUGmEHM3kRYItUWpclhViNDwZTrqCJtdlBLwNMYXVHqHr+LkwxElhD
 ZSb4EPl4OHrvpEZmjCRTg5g9FWsZgFdUqwvApHLfb0ghYkcrRf1xGgISfiIeO1Xo
 DOpLbg7zcaVZywzVZ0xr
 =APV7
 -----END PGP SIGNATURE-----

Merge tag 'l10n-2.18.0-rnd3.1' of git://github.com/git-l10n/git-po

Merge Korean translation for l10n of Git 2.18.0 round 3

* tag 'l10n-2.18.0-rnd3.1' of git://github.com/git-l10n/git-po:
  l10n: ko.po: Update Korean translation
2018-06-19 09:29:23 -07:00
Junio C Hamano
bd73c3f13f Merge branch 'cf/submodule-progress-dissociate'
* cf/submodule-progress-dissociate:
  t7400: encapsulate setup code in test_expect_success
2018-06-19 09:26:59 -07:00
Junio C Hamano
6b55779afc Merge branch 'js/rebase-i-root-fix'
* js/rebase-i-root-fix:
  t3404: check root commit in 'rebase -i --root reword root commit'
2018-06-19 09:26:28 -07:00
Stefan Beller
83f5fa58e8 t7400: encapsulate setup code in test_expect_success
When running t7400 in a shell you observe more output than expected:

    ...
    ok 8 - setup - hide init subdirectory
    ok 9 - setup - repository to add submodules to
    ok 10 - submodule add
    [master (root-commit) d79ce16] one
     Author: A U Thor <author@example.com>
     1 file changed, 1 insertion(+)
     create mode 100644 one.t
    ok 11 - redirected submodule add does not show progress
    ok 12 - redirected submodule add --progress does show progress
    ok 13 - submodule add to .gitignored path fails
    ...

Fix the output by encapsulating the setup code in test_expect_success

Signed-off-by: Stefan Beller <sbeller@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-06-19 09:25:56 -07:00
Todd Zullinger
878810552b t3404: check root commit in 'rebase -i --root reword root commit'
When testing a reworded root commit, ensure that the squash-onto commit
which is created and amended is still the root commit.

Suggested-by: Phillip Wood <phillip.wood@talktalk.net>
Helped-by: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Signed-off-by: Todd Zullinger <tmz@pobox.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-06-19 09:14:33 -07:00
Karthikeyan Singaravelan
1f2abe68d0 doc: fix typos in documentation and release notes
Signed-off-by: Karthikeyan Singaravelan <tir.karthi@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-06-19 09:01:12 -07:00
Junio C Hamano
242ba98e44 Almost 2.18 final
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-06-18 11:24:21 -07:00
Junio C Hamano
da34dd49bb Merge branch 'es/make-no-iconv'
"make NO_ICONV=NoThanks" did not override NEEDS_LIBICONV
(i.e. linkage of -lintl, -liconv, etc. that are platform-specific
tweaks), which has been corrected.

* es/make-no-iconv:
  Makefile: make NO_ICONV really mean "no iconv"
2018-06-18 11:23:24 -07:00
Junio C Hamano
cc2beafc4b Merge branch 'sg/t7406-chain-fix'
Test fix.

* sg/t7406-chain-fix:
  t7406-submodule-update: fix broken &&-chains
2018-06-18 11:23:24 -07:00
Junio C Hamano
4229478639 Merge branch 'ks/branch-set-upstream'
A test title has been reworded to clarify it.

* ks/branch-set-upstream:
  t3200: clarify description of --set-upstream test
2018-06-18 11:23:23 -07:00
Junio C Hamano
f300f5681e Merge branch 'js/rebase-i-root-fix'
A regression to "rebase -i --root" introduced during this cycle has
been fixed.

* js/rebase-i-root-fix:
  rebase --root: fix amending root commit messages
  rebase --root: demonstrate a bug while amending root commit messages
2018-06-18 11:23:22 -07:00
Junio C Hamano
f35f43f565 Merge branch 'jk/ewah-bounds-check'
The code to read compressed bitmap was not careful to avoid reading
past the end of the file, which has been corrected.

* jk/ewah-bounds-check:
  ewah: adjust callers of ewah_read_mmap()
  ewah_read_mmap: bounds-check mmap reads
2018-06-18 11:23:22 -07:00
Junio C Hamano
1663e2ba68 l10n for Git 2.18.0 round 3
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJbJo13AAoJEMek6Rt1RHooQngQAIDuLczx9KUC03Ig5ekbVeyb
 c9l/6DA3D03b6vG++T+C/Ro/rCtbmVWamf2VRXkTjtTk9zMo2oSoVxw3vWoIveQq
 AZ8dcT2js3otY0XUnIznsf0sVWGIN19lxvnwGspVm/1M3uu4/dVBOs84rbEvPPqi
 NtwwmBvFFMSfc7H/EIP4NzMNDWFbMNd2eJwu6rvasIP8RLnk2WaMToibfI9JNV0F
 XDcb3xpIMu3UEePzjOzdG7562pr7SAxOi3TEIP6ToRqo1HRFVIXJspIdOHlc9Lm+
 i1hV8iKnptj9GF/VyKBYdyzHHlQPUiZ+diZiZd5se6DlaE7Cpl4Cx7F1MPq07u0B
 +RKFfHzHguLljUgwEVO4LiZt/U+fWcGu++BkwzIPmTpolxqdaoW8oArBn5KPMY2k
 L3mE2M4ck71VytTrdG+rcQ/jzC9n2fb+65u9J908QV0KL797XGxlzd4E7vPmklaB
 9Ed0yRzndJgMe/aOv1J9RtG7ITpGnxffT1B73R0aOmrPuyu77cJnHY7q6clAqBOH
 vYH0/2VHTRT1qRhUZQTtCC2iYbDAu+ZMW1D6/oG3eC6cMqw2UFMM8yu1WRR1RI/N
 EZl5jLZqyVOulxDoo6f5ZXAohxbQjrBrxE6UOMnsC6Xi+nhng182snfXcahZA7O6
 DD7yY8hJPVIKQiMjXqqy
 =iiA9
 -----END PGP SIGNATURE-----

Merge tag 'l10n-2.18.0-rnd3' of git://github.com/git-l10n/git-po

l10n for Git 2.18.0 round 3

* tag 'l10n-2.18.0-rnd3' of git://github.com/git-l10n/git-po:
  l10n: zh_CN: for git v2.18.0 l10n round 1 to 3
  l10n: bg.po: Updated Bulgarian translation (3608t)
  l10n: vi.po(3608t): Update Vietnamese translation for v2.18.0 round 3
  l10n: fr.po v2.18.0 round 3
  l10n: es.po: Spanish update for v2.18.0 round 3
  l10n: git.pot: v2.18.0 round 3 (1 new, 1 removed)
  l10n: vi.po(3608t): Update Vietnamese translation for v2.18.0 round2
  l10n: bg.po: Updated Bulgarian translation (3608t)
  l10n: es.po: Spanish update for v2.18.0 round 2
  l10n: sv.po: Update Swedish translation (3608t0f0u)
  l10n: sv.po: Update Swedish translation (3470t0f0u)
  l10n: git.pot: v2.18.0 round 2 (144 new, 6 removed)
  l10n: fr.po v2.18 round 1
  l10n: vi(3470t): Updated Vietnamese translation for v2.18.0
  l10n: es.po: Spanish update for v2.18.0 round 1
  l10n: git.pot: v2.18.0 round 1 (108 new, 14 removed)
  l10n: TEAMS: remove inactive de team members
  l10n: de.po: fix typos
  l10n: Update Catalan translation
2018-06-18 10:21:24 -07:00
Junio C Hamano
1022379886 A bunch of micro-fixes before going 2.18 final
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-06-18 10:20:42 -07:00
Changwoo Ryu
4898dd2513 l10n: ko.po: Update Korean translation
Update the Korean translation and change the team leader to Gwan-gyeong
Mun.

Signed-off-by: Gwan-gyeong Mun <elongbug@gmail.com>
Signed-off-by: Changwoo Ryu <cwryu@debian.org>
Reviewed-by: Gwan-gyeong Mun <elongbug@gmail.com>
2018-06-19 02:19:42 +09:00
Junio C Hamano
698eb031bb Merge branch 'sb/blame-color'
Leakfix.

* sb/blame-color:
  blame: release string_list after use in parse_color_fields()
2018-06-18 10:18:45 -07:00
Junio C Hamano
23fc55a90c Merge branch 'mw/doc-merge-enumfix'
Fix old merge glitch in Documentation during v2.13-rc0 era.

* mw/doc-merge-enumfix:
  doc: update the order of the syntax `git merge --continue`
2018-06-18 10:18:45 -07:00
Junio C Hamano
f72432d64e Merge branch 'en/rename-directory-detection'
Newly added codepath in merge-recursive had potential buffer
overrun, which has been fixed.

* en/rename-directory-detection:
  merge-recursive: use xstrdup() instead of fixed buffer
2018-06-18 10:18:44 -07:00
Junio C Hamano
929c097548 Merge branch 'rd/doc-remote-tracking-with-hyphen'
Doc update.

* rd/doc-remote-tracking-with-hyphen:
  Use hyphenated "remote-tracking branch" (docs and comments)
2018-06-18 10:18:43 -07:00
Junio C Hamano
faff81287b Merge branch 'jl/zlib-restore-nul-termination'
Make zlib inflate codepath more robust against versions of zlib
that clobber unused portion of outbuf.

* jl/zlib-restore-nul-termination:
  packfile: correct zlib buffer handling
2018-06-18 10:18:43 -07:00
Junio C Hamano
094381ed79 Merge branch 'ab/cred-netrc-no-autodie'
Hotfix for contrib/ stuff broken by this cycle.

* ab/cred-netrc-no-autodie:
  git-credential-netrc: remove use of "autodie"
2018-06-18 10:18:42 -07:00
Junio C Hamano
a626082629 Merge branch 'km/doc-workflows-typofix'
Typofix.

* km/doc-workflows-typofix:
  gitworkflows: fix grammar in 'Merge upwards' rule
2018-06-18 10:18:42 -07:00
Junio C Hamano
e638899470 Merge branch 'ld/git-p4-updates'
"git p4" updates.

* ld/git-p4-updates:
  git-p4: auto-size the block
  git-p4: narrow the scope of exceptions caught when parsing an int
  git-p4: raise exceptions from p4CmdList based on error from p4 server
  git-p4: better error reporting when p4 fails
  git-p4: add option to disable syncing of p4/master with p4
  git-p4: disable-rebase: allow setting this via configuration
  git-p4: add options --commit and --disable-rebase
2018-06-18 10:18:41 -07:00
Junio C Hamano
d676cc512a Merge branch 'rd/diff-options-typofix'
Typofix.

* rd/diff-options-typofix:
  diff-options.txt: fix minor typos, font inconsistencies, in docs
2018-06-18 10:18:41 -07:00
Junio C Hamano
1bd0e6779a Merge branch 'rd/comment-typofix-in-sha1-file'
In code comment typofix

* rd/comment-typofix-in-sha1-file:
  sha1-file.c: correct $GITDIR to $GIT_DIR in a comment
2018-06-18 10:18:40 -07:00
René Scharfe
94eff2b69a merge-recursive: use xstrdup() instead of fixed buffer
Paths can be longer than PATH_MAX.  Avoid a buffer overrun in
check_dir_renamed() by using xstrdup() to make a private copy safely.

Signed-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-06-18 10:03:38 -07:00
SZEDER Gábor
2e157d134c RelNotes 2.18: minor fix to entry about dynamically loading completions
It was not "newer versions of bash" but newer versions of
bash-completion that made commit 085e2ee0e6 (completion: load
completion file for external subcommand, 2018-04-29) both necessary
and possible.

Update the corresponding RelNotes entry accordingly.

Signed-off-by: SZEDER Gábor <szeder.dev@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-06-18 09:50:56 -07:00
SZEDER Gábor
8de19d6be8 t7406-submodule-update: fix broken &&-chains
Three tests in 't7406-submodule-update' contain broken &&-chains, but
since they are all in subshells, chain-lint couldn't notice them.

Signed-off-by: SZEDER Gábor <szeder.dev@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-06-18 09:48:10 -07:00
Johannes Schindelin
76fda6ebbc rebase --root: fix amending root commit messages
The code path that triggered that "BUG" really does not want to run
without an explicit commit message. In the case where we want to amend a
commit message, we have an *implicit* commit message, though: the one of
the commit to amend. Therefore, this code path should not even be
entered.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-06-18 09:36:58 -07:00
Todd Zullinger
3a36ca0881 rebase --root: demonstrate a bug while amending root commit messages
When splitting a repository, running `git rebase -i --root` to reword
the initial commit, Git dies with

	BUG: sequencer.c:795: root commit without message.

Signed-off-by: Todd Zullinger <tmz@pobox.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-06-18 09:22:18 -07:00
Jeff King
1140bf01ec ewah: adjust callers of ewah_read_mmap()
The return value of ewah_read_mmap() is now an ssize_t,
since we could (in theory) process up to 32GB of data. This
would never happen in practice, but a corrupt or malicious
.bitmap or index file could convince us to do so.

Let's make sure that we don't stuff the value into an int,
which would cause us to incorrectly move our pointer
forward.  We'd always move too little, since negative values
are used for reporting errors. So the worst case is just
that we end up reporting a corrupt file, not an
out-of-bounds read.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-06-18 09:13:57 -07:00
Jeff King
9d2e330b17 ewah_read_mmap: bounds-check mmap reads
The on-disk ewah format tells us how big the ewah data is,
and we blindly read that much from the buffer without
considering whether the mmap'd data is long enough, which
can lead to out-of-bound reads.

Let's make sure we have data available before reading it,
both for the ewah header/footer as well as for the bit data
itself. In particular:

  - keep our ptr/len pair in sync as we move through the
    buffer, and check it before each read

  - check the size for integer overflow (this should be
    impossible on 64-bit, as the size is given as a 32-bit
    count of 8-byte words, but is possible on a 32-bit
    system)

  - return the number of bytes read as an ssize_t instead of
    an int, again to prevent integer overflow

  - compute the return value using a pointer difference;
    this should yield the same result as the existing code,
    but makes it more obvious that we got our computations
    right

The included test is far from comprehensive, as it just
picks a static point at which to truncate the generated
bitmap. But in practice this will hit in the middle of an
ewah and make sure we're at least exercising this code.

Reported-by: Luat Nguyen <root@l4w.io>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-06-18 09:13:57 -07:00
Kaartic Sivaraam
cf317877e3 t3200: clarify description of --set-upstream test
Support for the --set-upstream option was removed in 52668846ea
(builtin/branch: stop supporting the "--set-upstream" option,
2017-08-17). The change did not completely remove the command
due to an issue noted in the commit's log message.

So, a test was added to ensure that a command which uses the
'--set-upstream' option fails instead of silently acting as an alias
for the '--set-upstream-to' option due to option parsing features.

To avoid confusion, clarify that the option is disabled intentionally
in the corresponding test description.

The test is expected to be around as long as we intentionally fail
on seeing the '--set-upstream' option which in turn we expect to
do for a period of time after which we can be sure that existing
users of '--set-upstream' are aware that the option is no
longer supported.

Signed-off-by: Kaartic Sivaraam <kaartic.sivaraam@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-06-18 08:54:40 -07:00