Commit Graph

41104 Commits

Author SHA1 Message Date
Jeff King
c29edfefb6 notes: use a strbuf in add_non_note
When we are loading a notes tree into our internal hash
table, we also collect any files that are clearly non-notes.
We format the name of the file into a PATH_MAX buffer, but
unlike true notes (which cannot be larger than a fanned-out
sha1 hash), these tree entries can be arbitrarily long,
overflowing our buffer.

We can fix this by switching to a strbuf. It doesn't even
cost us an extra allocation, as we can simply hand ownership
of the buffer over to the non-note struct.

This is of moderate security interest, as you might fetch
notes trees from an untrusted remote. However, we do not do
so by default, so you would have to manually fetch into the
notes namespace.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-04 09:36:28 -07:00
Jeff King
f514ef9787 verify_absent: allow filenames longer than PATH_MAX
When unpack-trees wants to know whether a path will
overwrite anything in the working tree, we use lstat() to
see if there is anything there. But if we are going to write
"foo/bar", we can't just lstat("foo/bar"); we need to look
for leading prefixes (e.g., "foo"). So we use the lstat cache
to find the length of the leading prefix, and copy the
filename up to that length into a temporary buffer (since
the original name is const, we cannot just stick a NUL in
it).

The copy we make goes into a PATH_MAX-sized buffer, which
will overflow if the prefix is longer than PATH_MAX. How
this happens is a little tricky, since in theory PATH_MAX is
the biggest path we will have read from the filesystem. But
this can happen if:

  - the compiled-in PATH_MAX does not accurately reflect
    what the filesystem is capable of

  - the leading prefix is not _quite_ what is on disk; it
    contains the next element from the name we are checking.
    So if we want to write "aaa/bbb/ccc/ddd" and "aaa/bbb"
    exists, the prefix of interest is "aaa/bbb/ccc". If
    "aaa/bbb" approaches PATH_MAX, then "ccc" can overflow
    it.

So this can be triggered, but it's hard to do. In
particular, you cannot just "git clone" a bogus repo. The
verify_absent checks happen before unpack-trees writes
anything to the filesystem, so there are never any leading
prefixes during the initial checkout, and the bug doesn't
trigger. And by definition, these files are larger than
PATH_MAX, so writing them will fail, and clone will
complain (though it may write a partial path, which will
cause a subsequent "git checkout" to hit the bug).

We can fix it by creating the temporary path on the heap.
The extra malloc overhead is not important, as we are
already making at least one stat() call (and probably more
for the prefix discovery).

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-04 08:50:50 -07:00
Junio C Hamano
fb8880dea3 Merge branch 'ee/clean-test-fixes' into maint
* ee/clean-test-fixes:
  t7300: fix broken && chains
2015-09-03 19:18:05 -07:00
Junio C Hamano
5af77d1352 Merge branch 'jk/log-missing-default-HEAD' into maint
"git init empty && git -C empty log" said "bad default revision 'HEAD'",
which was found to be a bit confusing to new users.

* jk/log-missing-default-HEAD:
  log: diagnose empty HEAD more clearly
2015-09-03 19:18:04 -07:00
Junio C Hamano
9d939886db Merge branch 'cc/trailers-corner-case-fix' into maint
The "interpret-trailers" helper mistook a multi-paragraph title of
a commit log message with a colon in it as the end of the trailer
block.

* cc/trailers-corner-case-fix:
  trailer: support multiline title
  trailer: retitle a test and correct an in-comment message
  trailer: ignore first line of message
2015-09-03 19:18:03 -07:00
Junio C Hamano
311e5ce2cc Merge branch 'dt/commit-preserve-base-index-upon-opportunistic-cache-tree-update' into maint
When re-priming the cache-tree opportunistically while committing
the in-core index as-is, we mistakenly invalidated the in-core
index too aggressively, causing the experimental split-index code
to unnecessarily rewrite the on-disk index file(s).

* dt/commit-preserve-base-index-upon-opportunistic-cache-tree-update:
  commit: don't rewrite shared index unnecessarily
2015-09-03 19:18:02 -07:00
Junio C Hamano
1c82039228 Merge branch 'rs/archive-zip-many' into maint
"git archive" did not use zip64 extension when creating an archive
with more than 64k entries, which nobody should need, right ;-)?

* rs/archive-zip-many:
  archive-zip: support more than 65535 entries
  archive-zip: use a local variable to store the creator version
  t5004: test ZIP archives with many entries
2015-09-03 19:18:01 -07:00
Junio C Hamano
ae6ac8483b Merge branch 'jc/calloc-pathspec' into maint
Minor code cleanup.

* jc/calloc-pathspec:
  ps_matched: xcalloc() takes nmemb and then element size
2015-09-03 19:18:00 -07:00
Junio C Hamano
8136099a31 Merge branch 'ss/fix-config-fd-leak' into maint
* ss/fix-config-fd-leak:
  config: close config file handle in case of error
2015-09-03 19:17:59 -07:00
Junio C Hamano
dc4e7b0244 Merge branch 'sg/wt-status-header-inclusion' into maint
* sg/wt-status-header-inclusion:
  wt-status: move #include "pathspec.h" to the header
2015-09-03 19:17:57 -07:00
Junio C Hamano
659227be2e Merge branch 'po/po-readme' into maint
Doc updates for i18n.

* po/po-readme:
  po/README: Update directions for l10n contributors
2015-09-03 19:17:56 -07:00
Junio C Hamano
57a2bb1f92 Merge branch 'sg/t3020-typofix' into maint
* sg/t3020-typofix:
  t3020: fix typo in test description
2015-09-03 19:17:55 -07:00
Junio C Hamano
c1fa16b193 Merge branch 'as/docfix-reflog-expire-unreachable' into maint
Docfix.

* as/docfix-reflog-expire-unreachable:
  Documentation/config: fix inconsistent label on gc.*.reflogExpireUnreachable
2015-09-03 19:17:53 -07:00
Junio C Hamano
d6c196abfd Merge branch 'nd/fixup-linked-gitdir' into maint
The code in "multiple-worktree" support that attempted to recover
from an inconsistent state updated an incorrect file.

* nd/fixup-linked-gitdir:
  setup: update the right file in multiple checkouts
2015-09-03 19:17:53 -07:00
Junio C Hamano
e654e3b574 Merge branch 'jk/rev-list-has-no-notes' into maint
"git rev-list" does not take "--notes" option, but did not complain
when one is given.

* jk/rev-list-has-no-notes:
  rev-list: make it obvious that we do not support notes
2015-09-03 19:17:53 -07:00
Junio C Hamano
fa6d3749ed Merge branch 'jk/fix-alias-pager-config-key-warnings' into maint
Because the configuration system does not allow "alias.0foo" and
"pager.0foo" as the configuration key, the user cannot use '0foo'
as a custom command name anyway, but "git 0foo" tried to look these
keys up and emitted useless warnings before saying '0foo is not a
git command'.  These warning messages have been squelched.

* jk/fix-alias-pager-config-key-warnings:
  config: silence warnings for command names with invalid keys
2015-09-03 19:17:52 -07:00
Junio C Hamano
0b2cef2805 Merge branch 'nd/dwim-wildcards-as-pathspecs' into maint
Test updates for Windows.

* nd/dwim-wildcards-as-pathspecs:
  t2019: skip test requiring '*' in a file name non Windows
2015-09-03 19:17:51 -07:00
Junio C Hamano
969560bddc Merge branch 'sg/help-group' into maint
We rewrote one of the build scripts in Perl but this reimplements
in Bourne shell.

* sg/help-group:
  generate-cmdlist: re-implement as shell script
2015-09-03 19:17:51 -07:00
Junio C Hamano
d11448f685 Merge branch 'ps/t1509-chroot-test-fixup' into maint
t1509 test that requires a dedicated VM environment had some
bitrot, which has been corrected.

* ps/t1509-chroot-test-fixup:
  tests: fix cleanup after tests in t1509-root-worktree
  tests: fix broken && chains in t1509-root-worktree
2015-09-03 19:17:50 -07:00
Junio C Hamano
8b2707101a Merge branch 'jh/strbuf-read-use-read-in-full' into maint
strbuf_read() used to have one extra iteration (and an unnecessary
strbuf_grow() of 8kB), which was eliminated.

* jh/strbuf-read-use-read-in-full:
  strbuf_read(): skip unnecessary strbuf_grow() at eof
2015-09-03 19:17:50 -07:00
Junio C Hamano
6c0850f2dd Merge branch 'jk/long-error-messages' into maint
The codepath to produce error messages had a hard-coded limit to
the size of the message, primarily to avoid memory allocation while
calling die().

* jk/long-error-messages:
  vreportf: avoid intermediate buffer
  vreportf: report to arbitrary filehandles
2015-09-03 19:17:49 -07:00
Junio C Hamano
cbcd3dcaa8 Merge branch 'cb/open-noatime-clear-errno' into maint
When trying to see that an object does not exist, a state errno
leaked from our "first try to open a packfile with O_NOATIME and
then if it fails retry without it" logic on a system that refuses
O_NOATIME.  This confused us and caused us to die, saying that the
packfile is unreadable, when we should have just reported that the
object does not exist in that packfile to the caller.

* cb/open-noatime-clear-errno:
  git_open_noatime: return with errno=0 on success
2015-09-03 19:17:49 -07:00
Junio C Hamano
03ea02771a Merge branch 'mh/get-remote-group-fix' into maint
An off-by-one error made "git remote" to mishandle a remote with a
single letter nickname.

* mh/get-remote-group-fix:
  get_remote_group(): use skip_prefix()
  get_remote_group(): eliminate superfluous call to strcspn()
  get_remote_group(): rename local variable "space" to "wordlen"
  get_remote_group(): handle remotes with single-character names
2015-09-03 19:17:48 -07:00
Jeff King
1c9b659d98 pack-protocol: clarify LF-handling in PKT-LINE()
The spec is very inconsistent about which PKT-LINE() parts
of the grammar include a LF. On top of that, the code is not
consistent, either (e.g., send-pack does not put newlines
into the ref-update commands it sends).

Let's make explicit the long-standing expectation that we
generally expect pkt-lines to end in a newline, but that
receivers should be lenient. This makes the spec consistent,
and matches what git already does (though it does not always
fulfill the SHOULD).

We do make an exception for the push-cert, where the
receiving code is currently a bit pickier. This is a
reasonable way to be, as the data needs to be byte-for-byte
compatible with what was signed. We _could_ make up some
rules about signing a canonicalized version including
newlines, but that would require a code change, and is out
of scope for this patch.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-03 15:18:12 -07:00
Junio C Hamano
7662973ea3 Merge branch 'jk/am-rerere-lock-fix'
Recent "git am" introduced a double-locking failure when used with
the "--3way" option that invokes rerere machinery.

* jk/am-rerere-lock-fix:
  rerere: release lockfile in non-writing functions
2015-09-03 14:14:01 -07:00
Junio C Hamano
16ffa6443e Git 2.6-rc0
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-02 12:55:28 -07:00
Junio C Hamano
cdd00dfe94 Merge branch 'cc/trailers-corner-case-fix'
The "interpret-trailers" helper mistook a multi-paragraph title of
a commit log message with a colon in it as the end of the trailer
block.

* cc/trailers-corner-case-fix:
  trailer: support multiline title
2015-09-02 12:50:21 -07:00
Junio C Hamano
8f8386eeb4 Merge branch 'sb/read-cache-one-indent-style-fix'
* sb/read-cache-one-indent-style-fix:
  read-cache: fix indentation in read_index_from
2015-09-02 12:50:18 -07:00
Junio C Hamano
83d9092f95 Merge branch 'ee/clean-test-fixes'
* ee/clean-test-fixes:
  t7300: fix broken && chains
2015-09-02 12:50:16 -07:00
Junio C Hamano
699a0f3748 Merge branch 'jk/log-missing-default-HEAD'
"git init empty && git -C empty log" said "bad default revision 'HEAD'",
which was found to be a bit confusing to new users.

* jk/log-missing-default-HEAD:
  log: diagnose empty HEAD more clearly
2015-09-02 12:50:10 -07:00
Matthieu Prat
b894d3e788 t7060: actually test "git diff-index --cached -M"
A test was designed for "git diff-index --cached -M" but the command is
run without the "-M" option (which makes the test essentially identical
to its preceding counterpart).

Signed-off-by: Matthieu Prat <matthieuprat@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-02 12:23:30 -07:00
Junio C Hamano
7aa67f62c7 Ninth batch for 2.6
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-01 16:31:58 -07:00
Junio C Hamano
81d0e33a22 Merge branch 'dt/commit-preserve-base-index-upon-opportunistic-cache-tree-update'
When re-priming the cache-tree opportunistically while committing
the in-core index as-is, we mistakenly invalidated the in-core
index too aggressively, causing the experimental split-index code
to unnecessarily rewrite the on-disk index file(s).

* dt/commit-preserve-base-index-upon-opportunistic-cache-tree-update:
  commit: don't rewrite shared index unnecessarily
2015-09-01 16:31:29 -07:00
Junio C Hamano
0fb8e24234 Merge branch 'rt/remove-hold-lockfile-for-append'
* rt/remove-hold-lockfile-for-append:
  lockfile: remove function "hold_lock_file_for_append"
2015-09-01 16:31:27 -07:00
Junio C Hamano
565f575791 Merge branch 'rs/archive-zip-many'
"git archive" did not use zip64 extension when creating an archive
with more than 64k entries, which nobody should need, right ;-)?

* rs/archive-zip-many:
  archive-zip: support more than 65535 entries
  archive-zip: use a local variable to store the creator version
  t5004: test ZIP archives with many entries
2015-09-01 16:31:24 -07:00
Junio C Hamano
bb84dceb04 Merge branch 'ls/p4-fold-case-client-specs'
On case insensitive systems, "git p4" did not work well with client
specs.

* ls/p4-fold-case-client-specs:
  git-p4: honor core.ignorecase when using P4 client specs
2015-09-01 16:31:22 -07:00
Junio C Hamano
2953140a65 Merge branch 'ah/submodule-typofix-in-error'
Error string fix.

* ah/submodule-typofix-in-error:
  git-submodule: remove extraneous space from error message
2015-09-01 16:31:21 -07:00
Junio C Hamano
bc1c6009c6 Merge branch 'ah/reflog-typofix-in-error'
Error string fix.

* ah/reflog-typofix-in-error:
  reflog: add missing single quote to error message
2015-09-01 16:31:18 -07:00
Junio C Hamano
0b20a4680b Merge branch 'ah/read-tree-usage-string'
Usage string fix.

* ah/read-tree-usage-string:
  read-tree: replace bracket set with parentheses to clarify usage
2015-09-01 16:31:16 -07:00
Junio C Hamano
8746e30541 Merge branch 'ah/pack-objects-usage-strings'
Usage string fix.

* ah/pack-objects-usage-strings:
  pack-objects: place angle brackets around placeholders in usage strings
2015-09-01 16:31:12 -07:00
Junio C Hamano
49c15c0e4a Merge branch 'br/svn-doc-include-paths-config'
* br/svn-doc-include-paths-config:
  git-svn doc: mention "svn-remote.<name>.include-paths"
2015-09-01 16:31:10 -07:00
Junio C Hamano
91d54694a4 Merge branch 'nd/fixup-linked-gitdir'
The code in "multiple-worktree" support that attempted to recover
from an inconsistent state updated an incorrect file.

* nd/fixup-linked-gitdir:
  setup: update the right file in multiple checkouts
2015-09-01 16:31:07 -07:00
Jeff King
9dd330e6ca rerere: release lockfile in non-writing functions
There's a bug in builtin/am.c in which we take a lock on
MERGE_RR recursively. But rather than fix am.c, this patch
fixes the confusing interface from rerere.c that caused the
bug. Read on for the gory details.

The setup_rerere() function both reads the existing MERGE_RR
file, and takes MERGE_RR.lock. In the rerere() and
rerere_forget() functions, we end up in write_rr(), which
will then commit the lock file.

But for functions like rerere_clear() that do not write to
MERGE_RR, we expect the caller to have handled
setup_rerere(). That caller would then need to release the
lockfile, but it can't; the lock struct is local to
rerere.c.

For builtin/rerere.c, this is OK. We run a single rerere
operation and then exit immediately, which has the side
effect of rolling back the lockfile.

But in builtin/am.c, this is actively wrong. If we run "git
am -3 --skip", we call setup-rerere twice without releasing
the lock:

  1. The "--skip" causes us to call am_rerere_clear(), which
     calls setup_rerere(), but never drops the lock.

  2. We then proceed to the next patch.

  3. The "--3way" may cause us to call rerere() to handle
     conflicts in that patch, but we are already holding the
     lock. The lockfile code dies with:

     BUG: prepare_tempfile_object called for active object

We could fix this by having rerere_clear() call
rollback_lock_file(). But it feels a bit odd for it to roll
back a lockfile that it did not itself take. So let's
simplify the interface further, and handle setup_rerere in
the function itself, taking away the question from the
caller over whether they need to do so.

We can give rerere_gc() the same treatment, as well (even
though it doesn't have any callers besides builtin/rerere.c
at this point). Note that these functions don't take flags
from their callers to pass along to setup_rerere; that's OK,
because the flags would not be meaningful for what they are
doing.

Both of those functions need to hold the lock because even
though they do not write to MERGE_RR, they are still writing
and should be protected from a simultaneous "rerere" run.
But rerere_remaining(), "rerere diff", and "rerere status"
are all read-only operations. They want to setup_rerere(),
but do not care about taking the lock in the first place.
Since our update of MERGE_RR is the usual atomic rename done
by commit_lock_file, they can just do a lockless read. For
that, we teach setup_rerere a READONLY flag to avoid the
lock.

As a bonus, this pushes builtin/rerere.c's setup_rerere call
closer to the functions that use it. Which means that "git
rerere totally-bogus-command" will no longer silently
exit(0) in a repository without rerere enabled.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-01 15:52:54 -07:00
Junio C Hamano
16163602ba Eighth batch for 2.6
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-08-31 15:40:24 -07:00
Junio C Hamano
e95c3fb54f Merge branch 'sg/describe-contains'
"git describe" without argument defaulted to describe the HEAD
commit, but "git describe --contains" didn't.  Arguably, in a
repository used for active development, such defaulting would not
be very useful as the tip of branch is typically not tagged, but it
is better to be consistent.

* sg/describe-contains:
  describe --contains: default to HEAD when no commit-ish is given
2015-08-31 15:39:10 -07:00
Junio C Hamano
b21089db6a Merge branch 'db/push-sign-if-asked'
The client side codepaths in "git push" have been cleaned up
and the user can request to perform an optional "signed push",
i.e. sign only when the other end accepts signed push.

* db/push-sign-if-asked:
  push: add a config option push.gpgSign for default signed pushes
  push: support signing pushes iff the server supports it
  builtin/send-pack.c: use parse_options API
  config.c: rename git_config_maybe_bool_text and export it as git_parse_maybe_bool
  transport: remove git_transport_options.push_cert
  gitremote-helpers.txt: document pushcert option
  Documentation/git-send-pack.txt: document --signed
  Documentation/git-send-pack.txt: wrap long synopsis line
  Documentation/git-push.txt: document when --signed may fail
2015-08-31 15:39:08 -07:00
Junio C Hamano
5b6211aee1 Merge branch 'jk/notes-merge-config'
"git notes merge" can be told with "--strategy=<how>" option how to
automatically handle conflicts; this can now be configured by
setting notes.mergeStrategy configuration variable.

* jk/notes-merge-config:
  notes: teach git-notes about notes.<name>.mergeStrategy option
  notes: add notes.mergeStrategy option to select default strategy
  notes: add tests for --commit/--abort/--strategy exclusivity
  notes: extract parse_notes_merge_strategy to notes-utils
  notes: extract enum notes_merge_strategy to notes-utils.h
  notes: document cat_sort_uniq rewriteMode
2015-08-31 15:39:05 -07:00
Junio C Hamano
d75bb73bcf Merge branch 'jc/am-state-fix'
Recent reimplementation of "git am" changed the format of state
files kept in $GIT_DIR/rebase-apply/ without meaning to do so,
primarily because write_file() API was cumbersome to use and it was
easy to mistakenly make text files with incomplete lines.  Update
write_file() interface to make it harder to misuse.

* jc/am-state-fix:
  write_file(): drop caller-supplied LF from calls to create a one-liner file
  write_file_v(): do not leave incomplete line at the end
  write_file(): drop "fatal" parameter
  builtin/am: make sure state files are text
  builtin/am: introduce write_state_*() helper functions
2015-08-31 15:39:03 -07:00
Junio C Hamano
2ba6183b0b Merge branch 'jc/log-p-cc'
"git log --cc" did not show any patch, even though most of the time
the user meant "git log --cc -p -m" to see patch output for commits
with a single parent, and combined diff for merge commits.  The
command is taught to DWIM "--cc" (without "--raw" and other forms
of output specification) to "--cc -p -m".

* jc/log-p-cc:
  builtin/log.c: minor reformat
  log: show merge commit when --cc is given
  log: when --cc is given, default to -p unless told otherwise
  log: rename "tweak" helpers
2015-08-31 15:38:59 -07:00
Junio C Hamano
7b7c10bf5e Merge branch 'jk/fix-alias-pager-config-key-warnings'
Because the configuration system does not allow "alias.0foo" and
"pager.0foo" as the configuration key, the user cannot use '0foo'
as a custom command name anyway, but "git 0foo" tried to look these
keys up and emitted useless warnings before saying '0foo is not a
git command'.  These warning messages have been squelched.

* jk/fix-alias-pager-config-key-warnings:
  config: silence warnings for command names with invalid keys
2015-08-31 15:38:57 -07:00