Commit Graph

53152 Commits

Author SHA1 Message Date
brian m. carlson
a2ce0a7526 sha1-file: add a constant for hash block size
There is one place we need the hash algorithm block size: the HMAC code
for push certs.  Expose this constant in struct git_hash_algo and expose
values for SHA-1 and for the largest value of any hash.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-11-14 16:54:52 +09:00
brian m. carlson
50c817e0c0 t: make the sha1 test-tool helper generic
Since we're going to have multiple hash algorithms to test, it makes
sense to share as much of the test code as possible.  Convert the sha1
helper for the test-tool to be generic and move it out into its own
module.  This will allow us to share most of this code with our NewHash
implementation.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-11-14 16:54:52 +09:00
brian m. carlson
9a3a0ff537 t: add basic tests for our SHA-1 implementation
We have in the past had some unfortunate endianness issues with some
SHA-1 implementations we ship, especially on big-endian machines.  Add
an explicit test using the test helper to catch these issues and point
them out prominently.  This test can also be used as a staging ground
for people testing additional algorithms to verify that their
implementations are working as expected.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-11-14 16:54:52 +09:00
brian m. carlson
0dab7129ab cache: make hashcmp and hasheq work with larger hashes
In 183a638b7d ("hashcmp: assert constant hash size", 2018-08-23), we
modified hashcmp to assert that the hash size was always 20 to help it
optimize and inline calls to memcmp.  In a future series, we replaced
many calls to hashcmp and oidcmp with calls to hasheq and oideq to
improve inlining further.

However, we want to support hash algorithms other than SHA-1, namely
SHA-256.  When doing so, we must handle the case where these values are
32 bytes long as well as 20.  Adjust hashcmp to handle two cases:
20-byte matches, and maximum-size matches.  Therefore, when we include
SHA-256, we'll automatically handle it properly, while at the same time
teaching the compiler that there are only two possible options to
consider.  This will allow the compiler to write the most efficient
possible code.

Copy similar code into hasheq and perform an identical transformation.
At least with GCC 8.2.0, making hasheq defer to hashcmp when there are
two branches prevents the compiler from inlining the comparison, while
the code in this patch is inlined properly.  Add a comment to avoid an
accidental performance regression from well-intentioned refactoring.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-11-14 16:54:52 +09:00
brian m. carlson
47edb64997 hex: introduce functions to print arbitrary hashes
Currently, we have functions that turn an arbitrary SHA-1 value or an
object ID into hex format, either using a static buffer or with a
user-provided buffer.  Add variants of these functions that can handle
an arbitrary hash algorithm, specified by constant.  Update the
documentation as well.

While we're at it, remove the "extern" declaration from this family of
functions, since it's not needed and our style now recommends against
it.

We use the variant taking the algorithm structure pointer as the
internal variant, since taking an algorithm pointer is the easiest way
to handle all of the variants in use.

Note that we maintain these functions because there are hashes which
must change based on the hash algorithm in use but are not object IDs
(such as pack checksums).

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-11-14 16:54:52 +09:00
brian m. carlson
2f90b9d9b4 sha1-file: provide functions to look up hash algorithms
There are several ways we might refer to a hash algorithm: by name, such
as in the config file; by format ID, such as in a pack; or internally,
by a pointer to the hash_algos array.  Provide functions to look up hash
algorithms based on these various forms and return the internal constant
used for them.  If conversion to another form is necessary, this
internal constant can be used to look up the proper data in the
hash_algos array.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-22 12:59:08 +09:00
brian m. carlson
1ccf07cbb7 sha1-file: rename algorithm to "sha1"
The transition plan anticipates us using a syntax such as "^{sha1}" for
disambiguation.  Since this is a syntax some people will be typing a
lot, it makes sense to provide a short, easy-to-type syntax.  Omitting
the dash doesn't create any ambiguity; however, it does make the syntax
shorter and easier to type, especially for touch typists.  In addition,
the transition plan already uses "sha1" in this context.

Rename the name of SHA-1 implementation to "sha1".

Note that this change creates no backwards compatibility concerns, since
we haven't yet used this field in any configuration settings.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-22 12:59:08 +09:00
Junio C Hamano
5a0cc8aca7 Third batch for 2.20
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-10 12:38:03 +09:00
Junio C Hamano
66ec2373fe Merge branch 'ab/fsck-skiplist'
Update fsck.skipList implementation and documentation.

* ab/fsck-skiplist:
  fsck: support comments & empty lines in skipList
  fsck: use oidset instead of oid_array for skipList
  fsck: use strbuf_getline() to read skiplist file
  fsck: add a performance test for skipList
  fsck: add a performance test
  fsck: document that skipList input must be unabbreviated
  fsck: document and test commented & empty line skipList input
  fsck: document and test sorted skipList input
  fsck tests: add a test for no skipList input
  fsck tests: setup of bogus commit object
2018-10-10 12:37:16 +09:00
Junio C Hamano
468b322137 Merge branch 'ds/multi-pack-verify'
"git multi-pack-index" learned to detect corruption in the .midx
file it uses, and this feature has been integrated into "git fsck".

* ds/multi-pack-verify:
  fsck: verify multi-pack-index
  multi-pack-index: report progress during 'verify'
  multi-pack-index: verify object offsets
  multi-pack-index: fix 32-bit vs 64-bit size check
  multi-pack-index: verify oid lookup order
  multi-pack-index: verify oid fanout order
  multi-pack-index: verify missing pack
  multi-pack-index: verify packname order
  multi-pack-index: verify corrupt chunk lookup table
  multi-pack-index: verify bad header
  multi-pack-index: add 'verify' verb
2018-10-10 12:37:16 +09:00
Junio C Hamano
d555663f16 Merge branch 'bc/hash-independent-tests'
Various tests have been updated to make it easier to swap the
hash function used for object identification.

* bc/hash-independent-tests:
  t5318: use test_oid for HASH_LEN
  t1407: make hash size independent
  t1406: make hash-size independent
  t1405: make hash size independent
  t1400: switch hard-coded object ID to variable
  t1006: make hash size independent
  t0064: make hash size independent
  t0002: abstract away SHA-1 specific constants
  t0000: update tests for SHA-256
  t0000: use hash translation table
  t: add test functions to translate hash-related values
2018-10-10 12:37:16 +09:00
Junio C Hamano
77b5046ae3 Merge branch 'nd/test-tool'
Test helper binaries clean-up.

* nd/test-tool:
  Makefile: add a hint about TEST_BUILTINS_OBJS
  t/helper: merge test-dump-fsmonitor into test-tool
  t/helper: merge test-parse-options into test-tool
  t/helper: merge test-pkt-line into test-tool
  t/helper: merge test-dump-untracked-cache into test-tool
  t/helper: keep test-tool command list sorted
2018-10-10 12:37:16 +09:00
Junio C Hamano
3ba371f9df Merge branch 'nd/config-split'
Split Documentation/config.txt for easier maintenance.

* nd/config-split:
  config.txt: move submodule part out to a separate file
  config.txt: move sequence.editor out of "core" part
  config.txt: move sendemail part out to a separate file
  config.txt: move receive part out to a separate file
  config.txt: move push part out to a separate file
  config.txt: move pull part out to a separate file
  config.txt: move gui part out to a separate file
  config.txt: move gitcvs part out to a separate file
  config.txt: move format part out to a separate file
  config.txt: move fetch part out to a separate file
  config.txt: follow camelCase naming
2018-10-10 12:37:15 +09:00
Junio C Hamano
2efbb7f521 Declare that the next one will be named 2.20
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-10 09:20:03 +09:00
Junio C Hamano
f84b9b09d4 Sync with 2.19.1
* maint:
  Git 2.19.1
  Git 2.18.1
  Git 2.17.2
  fsck: detect submodule paths starting with dash
  fsck: detect submodule urls starting with dash
  Git 2.16.5
  Git 2.15.3
  Git 2.14.5
  submodule-config: ban submodule paths that start with a dash
  submodule-config: ban submodule urls that start with dash
  submodule--helper: use "--" to signal end of clone options
2018-09-27 11:53:39 -07:00
Junio C Hamano
cae598d998 Git 2.19.1
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:52:33 -07:00
Junio C Hamano
1958ad504b Sync with 2.18.1
* maint-2.18:
  Git 2.18.1
  Git 2.17.2
  fsck: detect submodule paths starting with dash
  fsck: detect submodule urls starting with dash
  Git 2.16.5
  Git 2.15.3
  Git 2.14.5
  submodule-config: ban submodule paths that start with a dash
  submodule-config: ban submodule urls that start with dash
  submodule--helper: use "--" to signal end of clone options
2018-09-27 11:50:45 -07:00
Junio C Hamano
268fbcd172 Git 2.18.1
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:48:19 -07:00
Junio C Hamano
44f87dac99 Sync with 2.17.2
* maint-2.17:
  Git 2.17.2
  fsck: detect submodule paths starting with dash
  fsck: detect submodule urls starting with dash
  Git 2.16.5
  Git 2.15.3
  Git 2.14.5
  submodule-config: ban submodule paths that start with a dash
  submodule-config: ban submodule urls that start with dash
  submodule--helper: use "--" to signal end of clone options
2018-09-27 11:45:01 -07:00
Junio C Hamano
6e9e91e9ca Git 2.17.2
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:44:07 -07:00
Jeff King
1a7fd1fb29 fsck: detect submodule paths starting with dash
As with urls, submodule paths with dashes are ignored by
git, but may end up confusing older versions. Detecting them
via fsck lets us prevent modern versions of git from being a
vector to spread broken .gitmodules to older versions.

Compared to blocking leading-dash urls, though, this
detection may be less of a good idea:

  1. While such paths provide confusing and broken results,
     they don't seem to actually work as option injections
     against anything except "cd". In particular, the
     submodule code seems to canonicalize to an absolute
     path before running "git clone" (so it passes
     /your/clone/-sub).

  2. It's more likely that we may one day make such names
     actually work correctly. Even after we revert this fsck
     check, it will continue to be a hassle until hosting
     servers are all updated.

On the other hand, it's not entirely clear that the behavior
in older versions is safe. And if we do want to eventually
allow this, we may end up doing so with a special syntax
anyway (e.g., writing "./-sub" in the .gitmodules file, and
teaching the submodule code to canonicalize it when
comparing).

So on balance, this is probably a good protection.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:41:31 -07:00
Jeff King
a124133e1e fsck: detect submodule urls starting with dash
Urls with leading dashes can cause mischief on older
versions of Git. We should detect them so that they can be
rejected by receive.fsckObjects, preventing modern versions
of git from being a vector by which attacks can spread.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:41:26 -07:00
Junio C Hamano
e43aab778c Sync with 2.16.5
* maint-2.16:
  Git 2.16.5
  Git 2.15.3
  Git 2.14.5
  submodule-config: ban submodule paths that start with a dash
  submodule-config: ban submodule urls that start with dash
  submodule--helper: use "--" to signal end of clone options
2018-09-27 11:41:02 -07:00
Junio C Hamano
27d05d1a1a Git 2.16.5
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:38:32 -07:00
Junio C Hamano
424aac653a Sync with 2.15.3
* maint-2.15:
  Git 2.15.3
  Git 2.14.5
  submodule-config: ban submodule paths that start with a dash
  submodule-config: ban submodule urls that start with dash
  submodule--helper: use "--" to signal end of clone options
2018-09-27 11:35:43 -07:00
Junio C Hamano
924c623e1c Git 2.15.3
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:33:47 -07:00
Junio C Hamano
902df9f5c4 Sync with Git 2.14.4
* maint-2.14:
  Git 2.14.5
  submodule-config: ban submodule paths that start with a dash
  submodule-config: ban submodule urls that start with dash
  submodule--helper: use "--" to signal end of clone options
2018-09-27 11:20:22 -07:00
Junio C Hamano
d0832b2847 Git 2.14.5
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:19:11 -07:00
Jeff King
273c61496f submodule-config: ban submodule paths that start with a dash
We recently banned submodule urls that look like
command-line options. This is the matching change to ban
leading-dash paths.

As with the urls, this should not break any use cases that
currently work. Even with our "--" separator passed to
git-clone, git-submodule.sh gets confused. Without the code
portion of this patch, the clone of "-sub" added in t7417
would yield results like:

    /path/to/git-submodule: 410: cd: Illegal option -s
    /path/to/git-submodule: 417: cd: Illegal option -s
    /path/to/git-submodule: 410: cd: Illegal option -s
    /path/to/git-submodule: 417: cd: Illegal option -s
    Fetched in submodule path '-sub', but it did not contain b56243f8f4eb91b2f1f8109452e659f14dd3fbe4. Direct fetching of that commit failed.

Moreover, naively adding such a submodule doesn't work:

  $ git submodule add $url -sub
  The following path is ignored by one of your .gitignore files:
  -sub

even though there is no such ignore pattern (the test script
hacks around this with a well-placed "git mv").

Unlike leading-dash urls, though, it's possible that such a
path _could_ be useful if we eventually made it work. So
this commit should be seen not as recommending a particular
policy, but rather temporarily closing off a broken and
possibly dangerous code-path. We may revisit this decision
later.

There are two minor differences to the tests in t7416 (that
covered urls):

  1. We don't have a "./-sub" escape hatch to make this
     work, since the submodule code expects to be able to
     match canonical index names to the path field (so you
     are free to add submodule config with that path, but we
     would never actually use it, since an index entry would
     never start with "./").

  2. After this patch, cloning actually succeeds. Since we
     ignore the submodule.*.path value, we fail to find a
     config stanza for our submodule at all, and simply
     treat it as inactive. We still check for the "ignoring"
     message.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 09:34:59 -07:00
Jeff King
f6adec4e32 submodule-config: ban submodule urls that start with dash
The previous commit taught the submodule code to invoke our
"git clone $url $path" with a "--" separator so that we
aren't confused by urls or paths that start with dashes.

However, that's just one code path. It's not clear if there
are others, and it would be an easy mistake to add one in
the future. Moreover, even with the fix in the previous
commit, it's quite hard to actually do anything useful with
such an entry. Any url starting with a dash must fall into
one of three categories:

 - it's meant as a file url, like "-path". But then any
   clone is not going to have the matching path, since it's
   by definition relative inside the newly created clone. If
   you spell it as "./-path", the submodule code sees the
   "/" and translates this to an absolute path, so it at
   least works (assuming the receiver has the same
   filesystem layout as you). But that trick does not apply
   for a bare "-path".

 - it's meant as an ssh url, like "-host:path". But this
   already doesn't work, as we explicitly disallow ssh
   hostnames that begin with a dash (to avoid option
   injection against ssh).

 - it's a remote-helper scheme, like "-scheme::data". This
   _could_ work if the receiver bends over backwards and
   creates a funny-named helper like "git-remote--scheme".
   But normally there would not be any helper that matches.

Since such a url does not work today and is not likely to do
anything useful in the future, let's simply disallow them
entirely. That protects the existing "git clone" path (in a
belt-and-suspenders way), along with any others that might
exist.

Our tests cover two cases:

  1. A file url with "./" continues to work, showing that
     there's an escape hatch for people with truly silly
     repo names.

  2. A url starting with "-" is rejected.

Note that we expect case (2) to fail, but it would have done
so even without this commit, for the reasons given above.
So instead of just expecting failure, let's also check for
the magic word "ignoring" on stderr. That lets us know that
we failed for the right reason.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 09:34:58 -07:00
Jeff King
98afac7a7c submodule--helper: use "--" to signal end of clone options
When we clone a submodule, we call "git clone $url $path".
But there's nothing to say that those components can't begin
with a dash themselves, confusing git-clone into thinking
they're options. Let's pass "--" to make it clear what we
expect.

There's no test here, because it's actually quite hard to
make these names work, even with "git clone" parsing them
correctly. And we're going to restrict these cases even
further in future commits. So we'll leave off testing until
then; this is just the minimal fix to prevent us from doing
something stupid with a badly formed entry.

Reported-by: joernchen <joernchen@phenoelit.de>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 09:34:55 -07:00
Junio C Hamano
fe8321ec05 Second batch post 2.19 2018-09-24 10:31:26 -07:00
Junio C Hamano
51bbcda1c7 Merge branch 'tg/range-diff-corner-case-fix'
Recently added "range-diff" had a corner-case bug to cause it
segfault, which has been corrected.

* tg/range-diff-corner-case-fix:
  linear-assignment: fix potential out of bounds memory access
2018-09-24 10:30:53 -07:00
Junio C Hamano
cff90bdc5c Merge branch 'sg/split-index-test'
Test updates.

* sg/split-index-test:
  t0090: disable GIT_TEST_SPLIT_INDEX for the test checking split index
  t1700-split-index: drop unnecessary 'grep'
2018-09-24 10:30:53 -07:00
Junio C Hamano
f52b7eea44 Merge branch 'en/update-ref-no-deref-stdin'
"git update-ref" learned to make both "--no-deref" and "--stdin"
work at the same time.

* en/update-ref-no-deref-stdin:
  update-ref: allow --no-deref with --stdin
  update-ref: fix type of update_flags variable to match its usage
2018-09-24 10:30:53 -07:00
Junio C Hamano
00d5f665a0 Merge branch 'ms/remote-error-message-update'
Update error messages given by "git remote" and make them consistent.

* ms/remote-error-message-update:
  builtin/remote: quote remote name on error to display empty name
2018-09-24 10:30:52 -07:00
Junio C Hamano
ee99ba7afb Merge branch 'jt/lazy-object-fetch-fix'
The code to backfill objects in lazily cloned repository did not
work correctly, which has been corrected.

* jt/lazy-object-fetch-fix:
  fetch-object: set exact_oid when fetching
  fetch-object: unify fetch_object[s] functions
2018-09-24 10:30:52 -07:00
Junio C Hamano
4af130af0c Merge branch 'en/sequencer-empty-edit-result-aborts'
"git rebase" etc. in Git 2.19 fails to abort when given an empty
commit log message as result of editing, which has been corrected.

* en/sequencer-empty-edit-result-aborts:
  sequencer: fix --allow-empty-message behavior, make it smarter
2018-09-24 10:30:52 -07:00
Junio C Hamano
0f7ac90dbe Merge branch 'ds/reachable'
Recent update broke the reachability algorithm when refs (e.g.
tags) that point at objects that are not commit were involved,
which has been fixed.

* ds/reachable:
  commit-reach: fix memory and flag leaks
  commit-reach: properly peel tags
2018-09-24 10:30:52 -07:00
Junio C Hamano
faadedb195 Merge branch 'nd/attr-pathspec-fix'
"git add ':(attr:foo)'" is not supported and is supposed to be
rejected while the command line arguments are parsed, but we fail
to reject such a command line upfront.

* nd/attr-pathspec-fix:
  add: do not accept pathspec magic 'attr'
2018-09-24 10:30:51 -07:00
Junio C Hamano
5b39d49515 Merge branch 'bw/protocol-v2'
Doc fix.

* bw/protocol-v2:
  config: document value 2 for protocol.version
2018-09-24 10:30:51 -07:00
Junio C Hamano
f8649f8cfc Merge branch 'sb/string-list-remove-unused'
Code clean-up.

* sb/string-list-remove-unused:
  string-list: remove unused function print_string_list
2018-09-24 10:30:50 -07:00
Junio C Hamano
2bdbe4a2c3 Merge branch 'jk/dev-build-format-security'
Build tweak to help developers.

* jk/dev-build-format-security:
  config.mak.dev: add -Wformat-security
2018-09-24 10:30:49 -07:00
Junio C Hamano
4e08e3498a Merge branch 'sg/t3701-tighten-trace'
Test update.

* sg/t3701-tighten-trace:
  t3701-add-interactive: tighten the check of trace output
2018-09-24 10:30:49 -07:00
Junio C Hamano
dda26650bf Merge branch 'sb/diff-color-move-more'
Bugfix.

* sb/diff-color-move-more:
  diff: fix --color-moved-ws=allow-indentation-change
2018-09-24 10:30:48 -07:00
Junio C Hamano
bd3941a0ae Merge branch 'en/rerere-multi-stage-1-fix'
A corner case bugfix in "git rerere" code.

* en/rerere-multi-stage-1-fix:
  rerere: avoid buffer overrun
  t4200: demonstrate rerere segfault on specially crafted merge
2018-09-24 10:30:48 -07:00
Junio C Hamano
e3d4ff037d Merge branch 'js/mingw-o-append'
Further fix for O_APPEND emulation on Windows

* js/mingw-o-append:
  mingw: fix mingw_open_append to work with named pipes
  t0051: test GIT_TRACE to a windows named pipe
2018-09-24 10:30:47 -07:00
Junio C Hamano
ae109a9789 Merge branch 'en/double-semicolon-fix'
Code clean-up.

* en/double-semicolon-fix:
  Remove superfluous trailing semicolons
2018-09-24 10:30:47 -07:00
Junio C Hamano
48a81ed297 Merge branch 'jk/reopen-tempfile-truncate'
Fix for a long-standing bug that leaves the index file corrupt when
it shrinks during a partial commit.

* jk/reopen-tempfile-truncate:
  reopen_tempfile(): truncate opened file
2018-09-24 10:30:46 -07:00
Junio C Hamano
9715f10e42 Merge branch 'bp/mv-submodules-with-fsmonitor'
When fsmonitor is in use, after operation on submodules updates
.gitmodules, we lost track of the fact that we did so and relied on
stale fsmonitor data.

* bp/mv-submodules-with-fsmonitor:
  git-mv: allow submodules and fsmonitor to work together
2018-09-24 10:30:46 -07:00