Commit Graph

4124 Commits

Author SHA1 Message Date
Jeff King
b7115a350b receive-pack: convert strncpy to xsnprintf
This strncpy is pointless; we pass the strlen() of the src
string, meaning that it works just like a memcpy. Worse,
though, is that the size has no relation to the destination
buffer, meaning it is a potential overflow.  In practice,
it's not. We pass only short constant strings like
"warning: " and "error: ", which are much smaller than the
destination buffer.

We can make this much simpler by just using xsnprintf, which
will check for overflow and return the size for our next
vsnprintf, without us having to run a separate strlen().

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25 10:18:18 -07:00
Jeff King
ef1286d3c0 use xsnprintf for generating git object headers
We generally use 32-byte buffers to format git's "type size"
header fields. These should not generally overflow unless
you can produce some truly gigantic objects (and our types
come from our internal array of constant strings). But it is
a good idea to use xsnprintf to make sure this is the case.

Note that we slightly modify the interface to
write_sha1_file_prepare, which nows uses "hdrlen" as an "in"
parameter as well as an "out" (on the way in it stores the
allocated size of the header, and on the way out it returns
the ultimate size of the header).

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25 10:18:18 -07:00
Jeff King
5096d4909f convert trivial sprintf / strcpy calls to xsnprintf
We sometimes sprintf into fixed-size buffers when we know
that the buffer is large enough to fit the input (either
because it's a constant, or because it's numeric input that
is bounded in size). Likewise with strcpy of constant
strings.

However, these sites make it hard to audit sprintf and
strcpy calls for buffer overflows, as a reader has to
cross-reference the size of the array with the input. Let's
use xsnprintf instead, which communicates to a reader that
we don't expect this to overflow (and catches the mistake in
case we do).

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25 10:18:18 -07:00
Jeff King
1d895f194f mailsplit: make PATH_MAX buffers dynamic
There are several PATH_MAX-sized buffers in mailsplit, along
with some questionable uses of sprintf.  These are not
really of security interest, as local mailsplit pathnames
are not typically under control of an attacker, and you
could generally only overflow a few numbers at the end of a
path that approaches PATH_MAX (a longer path would choke
mailsplit long before). But it does not hurt to be careful,
and as a bonus we lift some limits for systems with
too-small PATH_MAX varibles.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25 10:18:18 -07:00
Jeff King
c1fd080917 fsck: use strbuf to generate alternate directories
When fsck-ing alternates, we make a copy of the alternate
directory in a fixed PATH_MAX buffer. We memcpy directly,
without any check whether we are overflowing the buffer.
This is OK if PATH_MAX is a true representation of the
maximum path on the system, because any path here will have
already been vetted by the alternates subsystem. But that is
not true on every system, so we should be more careful.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25 10:18:18 -07:00
Jeff King
fbe85e73ce fsck: don't fsck alternates for connectivity-only check
Commit 02976bf (fsck: introduce `git fsck --connectivity-only`,
2015-06-22) recently gave fsck an option to perform only a
subset of the checks, by skipping the fsck_object_dir()
call. However, it does so only for the local object
directory, and we still do expensive checks on any alternate
repos. We should skip them in this case, too.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25 10:18:18 -07:00
Jeff King
d270d7b7a2 mailsplit: fix FILE* leak in split_maildir
If we encounter an error while splitting a maildir, we exit
the function early, leaking the open filehandle. This isn't
a big deal, since we exit the program soon after, but it's
easy enough to be careful.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25 10:18:18 -07:00
Jeff King
7cd17e8057 show-branch: avoid segfault with --reflog of unborn branch
When no branch is given to the "--reflog" option, we resolve
HEAD to get the default branch. However, if HEAD points to
an unborn branch, resolve_ref returns NULL, and we later
segfault trying to access it.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25 10:18:18 -07:00
Junio C Hamano
b8367d1f01 Merge branch 'ah/show-ref-usage-string'
Both "git show-ref -h" and "git show-ref --help" illustrated that the
"--exclude-existing" option makes the command read list of refs
from its standard input.  Change only the "show-ref -h" output to
have a pair of "<>" around the placeholder that designate an input
file, i.e. "git show-ref --exclude-existing < <ref-list>".

* ah/show-ref-usage-string:
  show-ref: place angle brackets around variables in usage string
2015-09-14 14:59:06 -07:00
Junio C Hamano
153ec926b6 Merge branch 'rt/help-strings-fix'
* rt/help-strings-fix:
  tag, update-ref: improve description of option "create-reflog"
  pull: don't mark values for option "rebase" for translation
2015-09-14 14:59:04 -07:00
Junio C Hamano
e0eeba263c Merge branch 'gb/apply-comment-typofix'
* gb/apply-comment-typofix:
  apply: comment grammar fix
2015-09-14 11:44:44 -07:00
Ralf Thielow
98c32bd889 tag, update-ref: improve description of option "create-reflog"
The description of option "create-reflog" is "create_reflog", which
is neither a good description, nor a sensible string to translate.
Change it to a more meaningful message.

Signed-off-by: Ralf Thielow <ralf.thielow@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-11 09:50:02 -07:00
Ralf Thielow
7306b39f5a pull: don't mark values for option "rebase" for translation
"false|true|preserve" are actual values for option "rebase"
of the "git-pull" command and should therefore not be marked
for translation.

Signed-off-by: Ralf Thielow <ralf.thielow@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-11 09:50:00 -07:00
Junio C Hamano
f0bc854623 Sync with 2.5.2 2015-09-09 14:30:35 -07:00
Junio C Hamano
d6a2b05cbb Merge branch 'jc/builtin-am-signoff-regression-fix'
Recent "git am" had regression when adding a Signed-off-by line
with its "-s" option by an unintended tightening of how an existing
trailer block is detected.

* jc/builtin-am-signoff-regression-fix:
  am: match --signoff to the original scripted version
2015-09-08 15:35:05 -07:00
Junio C Hamano
aab845424e am: match --signoff to the original scripted version
Linus noticed that the recently reimplemented "git am -s" defines
the trailer block too rigidly, resulting in an unnecessary blank
line between the existing sign-offs and his new sign-off.  An e-mail
submission sent to Linus in real life ends with mixture of sign-offs
and commentaries, e.g.

	title here

	message here

	Signed-off-by: Original Author <original@auth.or>
	[rv: tweaked frotz and nitfol]
	Signed-off-by: Re Viewer <rv@ew.er>
	Signed-off-by: Other Reviewer <other@rev.ewer>
	---
	patch here

Because the reimplementation reused append_signoff() helper that is
used by other codepaths, which is unaware that people intermix such
comments with their sign-offs in the trailer block, such a message
was judged to end with a non-trailer, resulting in an extra blank
line before adding a new sign-off.

The original scripted version of "git am" used a lot looser
definition, i.e. "if and only if there is no line that begins with
Signed-off-by:, add a blank line before adding a new sign-off".  For
the upcoming release, stop using the append_signoff() in "git am"
and reimplement the looser definition used by the scripted version
to use only in "git am" to fix this regression in "am" while
avoiding new regressions to other users of append_signoff().

In the longer term, we should look into loosening append_signoff()
so that other codepaths that add a new sign-off behave the same way
as "git am -s", but that is a task for post-release.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-06 19:59:40 -07:00
Junio C Hamano
3d3caf0b78 Sync with 2.4.9 2015-09-04 10:43:23 -07:00
Junio C Hamano
ef0e938a1a Sync with 2.3.9 2015-09-04 10:34:19 -07:00
Junio C Hamano
8267cd11d6 Sync with 2.2.3 2015-09-04 10:29:28 -07:00
Jeff King
78f23bdf68 show-branch: use a strbuf for reflog descriptions
When we show "branch@{0}", we format into a fixed-size
buffer using sprintf. This can overflow if you have long
branch names. We can fix it by using a temporary strbuf.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-04 09:48:26 -07:00
Junio C Hamano
311e5ce2cc Merge branch 'dt/commit-preserve-base-index-upon-opportunistic-cache-tree-update' into maint
When re-priming the cache-tree opportunistically while committing
the in-core index as-is, we mistakenly invalidated the in-core
index too aggressively, causing the experimental split-index code
to unnecessarily rewrite the on-disk index file(s).

* dt/commit-preserve-base-index-upon-opportunistic-cache-tree-update:
  commit: don't rewrite shared index unnecessarily
2015-09-03 19:18:02 -07:00
Junio C Hamano
ae6ac8483b Merge branch 'jc/calloc-pathspec' into maint
Minor code cleanup.

* jc/calloc-pathspec:
  ps_matched: xcalloc() takes nmemb and then element size
2015-09-03 19:18:00 -07:00
Junio C Hamano
e654e3b574 Merge branch 'jk/rev-list-has-no-notes' into maint
"git rev-list" does not take "--notes" option, but did not complain
when one is given.

* jk/rev-list-has-no-notes:
  rev-list: make it obvious that we do not support notes
2015-09-03 19:17:53 -07:00
Junio C Hamano
03ea02771a Merge branch 'mh/get-remote-group-fix' into maint
An off-by-one error made "git remote" to mishandle a remote with a
single letter nickname.

* mh/get-remote-group-fix:
  get_remote_group(): use skip_prefix()
  get_remote_group(): eliminate superfluous call to strcspn()
  get_remote_group(): rename local variable "space" to "wordlen"
  get_remote_group(): handle remotes with single-character names
2015-09-03 19:17:48 -07:00
Junio C Hamano
7662973ea3 Merge branch 'jk/am-rerere-lock-fix'
Recent "git am" introduced a double-locking failure when used with
the "--3way" option that invokes rerere machinery.

* jk/am-rerere-lock-fix:
  rerere: release lockfile in non-writing functions
2015-09-03 14:14:01 -07:00
Junio C Hamano
81d0e33a22 Merge branch 'dt/commit-preserve-base-index-upon-opportunistic-cache-tree-update'
When re-priming the cache-tree opportunistically while committing
the in-core index as-is, we mistakenly invalidated the in-core
index too aggressively, causing the experimental split-index code
to unnecessarily rewrite the on-disk index file(s).

* dt/commit-preserve-base-index-upon-opportunistic-cache-tree-update:
  commit: don't rewrite shared index unnecessarily
2015-09-01 16:31:29 -07:00
Junio C Hamano
bc1c6009c6 Merge branch 'ah/reflog-typofix-in-error'
Error string fix.

* ah/reflog-typofix-in-error:
  reflog: add missing single quote to error message
2015-09-01 16:31:18 -07:00
Junio C Hamano
0b20a4680b Merge branch 'ah/read-tree-usage-string'
Usage string fix.

* ah/read-tree-usage-string:
  read-tree: replace bracket set with parentheses to clarify usage
2015-09-01 16:31:16 -07:00
Junio C Hamano
8746e30541 Merge branch 'ah/pack-objects-usage-strings'
Usage string fix.

* ah/pack-objects-usage-strings:
  pack-objects: place angle brackets around placeholders in usage strings
2015-09-01 16:31:12 -07:00
Jeff King
9dd330e6ca rerere: release lockfile in non-writing functions
There's a bug in builtin/am.c in which we take a lock on
MERGE_RR recursively. But rather than fix am.c, this patch
fixes the confusing interface from rerere.c that caused the
bug. Read on for the gory details.

The setup_rerere() function both reads the existing MERGE_RR
file, and takes MERGE_RR.lock. In the rerere() and
rerere_forget() functions, we end up in write_rr(), which
will then commit the lock file.

But for functions like rerere_clear() that do not write to
MERGE_RR, we expect the caller to have handled
setup_rerere(). That caller would then need to release the
lockfile, but it can't; the lock struct is local to
rerere.c.

For builtin/rerere.c, this is OK. We run a single rerere
operation and then exit immediately, which has the side
effect of rolling back the lockfile.

But in builtin/am.c, this is actively wrong. If we run "git
am -3 --skip", we call setup-rerere twice without releasing
the lock:

  1. The "--skip" causes us to call am_rerere_clear(), which
     calls setup_rerere(), but never drops the lock.

  2. We then proceed to the next patch.

  3. The "--3way" may cause us to call rerere() to handle
     conflicts in that patch, but we are already holding the
     lock. The lockfile code dies with:

     BUG: prepare_tempfile_object called for active object

We could fix this by having rerere_clear() call
rollback_lock_file(). But it feels a bit odd for it to roll
back a lockfile that it did not itself take. So let's
simplify the interface further, and handle setup_rerere in
the function itself, taking away the question from the
caller over whether they need to do so.

We can give rerere_gc() the same treatment, as well (even
though it doesn't have any callers besides builtin/rerere.c
at this point). Note that these functions don't take flags
from their callers to pass along to setup_rerere; that's OK,
because the flags would not be meaningful for what they are
doing.

Both of those functions need to hold the lock because even
though they do not write to MERGE_RR, they are still writing
and should be protected from a simultaneous "rerere" run.
But rerere_remaining(), "rerere diff", and "rerere status"
are all read-only operations. They want to setup_rerere(),
but do not care about taking the lock in the first place.
Since our update of MERGE_RR is the usual atomic rename done
by commit_lock_file, they can just do a lockless read. For
that, we teach setup_rerere a READONLY flag to avoid the
lock.

As a bonus, this pushes builtin/rerere.c's setup_rerere call
closer to the functions that use it. Which means that "git
rerere totally-bogus-command" will no longer silently
exit(0) in a repository without rerere enabled.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-01 15:52:54 -07:00
Junio C Hamano
e95c3fb54f Merge branch 'sg/describe-contains'
"git describe" without argument defaulted to describe the HEAD
commit, but "git describe --contains" didn't.  Arguably, in a
repository used for active development, such defaulting would not
be very useful as the tip of branch is typically not tagged, but it
is better to be consistent.

* sg/describe-contains:
  describe --contains: default to HEAD when no commit-ish is given
2015-08-31 15:39:10 -07:00
Junio C Hamano
b21089db6a Merge branch 'db/push-sign-if-asked'
The client side codepaths in "git push" have been cleaned up
and the user can request to perform an optional "signed push",
i.e. sign only when the other end accepts signed push.

* db/push-sign-if-asked:
  push: add a config option push.gpgSign for default signed pushes
  push: support signing pushes iff the server supports it
  builtin/send-pack.c: use parse_options API
  config.c: rename git_config_maybe_bool_text and export it as git_parse_maybe_bool
  transport: remove git_transport_options.push_cert
  gitremote-helpers.txt: document pushcert option
  Documentation/git-send-pack.txt: document --signed
  Documentation/git-send-pack.txt: wrap long synopsis line
  Documentation/git-push.txt: document when --signed may fail
2015-08-31 15:39:08 -07:00
Junio C Hamano
5b6211aee1 Merge branch 'jk/notes-merge-config'
"git notes merge" can be told with "--strategy=<how>" option how to
automatically handle conflicts; this can now be configured by
setting notes.mergeStrategy configuration variable.

* jk/notes-merge-config:
  notes: teach git-notes about notes.<name>.mergeStrategy option
  notes: add notes.mergeStrategy option to select default strategy
  notes: add tests for --commit/--abort/--strategy exclusivity
  notes: extract parse_notes_merge_strategy to notes-utils
  notes: extract enum notes_merge_strategy to notes-utils.h
  notes: document cat_sort_uniq rewriteMode
2015-08-31 15:39:05 -07:00
Junio C Hamano
d75bb73bcf Merge branch 'jc/am-state-fix'
Recent reimplementation of "git am" changed the format of state
files kept in $GIT_DIR/rebase-apply/ without meaning to do so,
primarily because write_file() API was cumbersome to use and it was
easy to mistakenly make text files with incomplete lines.  Update
write_file() interface to make it harder to misuse.

* jc/am-state-fix:
  write_file(): drop caller-supplied LF from calls to create a one-liner file
  write_file_v(): do not leave incomplete line at the end
  write_file(): drop "fatal" parameter
  builtin/am: make sure state files are text
  builtin/am: introduce write_state_*() helper functions
2015-08-31 15:39:03 -07:00
Junio C Hamano
2ba6183b0b Merge branch 'jc/log-p-cc'
"git log --cc" did not show any patch, even though most of the time
the user meant "git log --cc -p -m" to see patch output for commits
with a single parent, and combined diff for merge commits.  The
command is taught to DWIM "--cc" (without "--raw" and other forms
of output specification) to "--cc -p -m".

* jc/log-p-cc:
  builtin/log.c: minor reformat
  log: show merge commit when --cc is given
  log: when --cc is given, default to -p unless told otherwise
  log: rename "tweak" helpers
2015-08-31 15:38:59 -07:00
Junio C Hamano
0bb71fb36d Merge branch 'jk/rev-list-has-no-notes'
"git rev-list" does not take "--notes" option, but did not complain
when one is given.

* jk/rev-list-has-no-notes:
  rev-list: make it obvious that we do not support notes
2015-08-31 15:38:55 -07:00
Junio C Hamano
5a4f07b322 Merge branch 'hv/submodule-config'
The gitmodules API accessed from the C code learned to cache stuff
lazily.

* hv/submodule-config:
  submodule: allow erroneous values for the fetchRecurseSubmodules option
  submodule: use new config API for worktree configurations
  submodule: extract functions for config set and lookup
  submodule: implement a config API for lookup of .gitmodules values
2015-08-31 15:38:52 -07:00
Junio C Hamano
fc9dfda1be Merge branch 'sg/config-name-only'
"git config --list" output was hard to parse when values consist of
multiple lines.  "--name-only" option is added to help this.

* sg/config-name-only:
  get_urlmatch: avoid useless strbuf write
  format_config: simplify buffer handling
  format_config: don't init strbuf
  config: restructure format_config() for better control flow
  completion: list variable names reliably with 'git config --name-only'
  config: add '--name-only' option to list only variable names
2015-08-31 15:38:50 -07:00
Alex Henrie
cc75addd23 show-ref: place angle brackets around variables in usage string
Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-08-31 09:33:53 -07:00
David Turner
475a34451f commit: don't rewrite shared index unnecessarily
Remove a cache invalidation which would cause the shared index to be
rewritten on as-is commits.

When the cache-tree has changed, we need to update it.  But we don't
necessarily need to update the shared index.  So setting
active_cache_changed to SOMETHING_CHANGED is unnecessary.  Instead, we
let update_main_cache_tree just update the CACHE_TREE_CHANGED bit.

In order to test this, make test-dump-split-index not segfault on
missing replace_bitmap/delete_bitmap.  This new codepath is not called
now that the test passes, but is necessary to avoid a segfault when the
new test is run with the old builtin/commit.c code.

Signed-off-by: David Turner <dturner@twopensource.com>
Acked-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-08-31 08:41:07 -07:00
Alex Henrie
9476c2c39e read-tree: replace bracket set with parentheses to clarify usage
-u and -i can only be given if -m, --reset, or --prefix is given.
Without parentheses, it looks like -u and -i can be used no matter
what, and the second pair of brackets is confusing.

Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-08-28 12:01:37 -07:00
Alex Henrie
b8c1d27577 pack-objects: place angle brackets around placeholders in usage strings
Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-08-28 11:59:10 -07:00
Alex Henrie
99885bc0ef reflog: add missing single quote to error message
The error message can be seen by running
`git config gc.reflogexpire foo` and then `git reflog expire`.

Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-08-28 09:42:13 -07:00
Junio C Hamano
88bd19be2f Merge branch 'jc/calloc-pathspec'
* jc/calloc-pathspec:
  ps_matched: xcalloc() takes nmemb and then element size
2015-08-26 15:45:34 -07:00
Junio C Hamano
74702c3825 Merge branch 'pt/am-builtin'
Rewrite "am" in "C".

* pt/am-builtin:
  i18n: am: fix typo in description of -b option
2015-08-26 15:45:33 -07:00
Junio C Hamano
b7d2a15b9f Merge branch 'pt/am-builtin-abort-fix'
"git am" that was recently reimplemented in C had a performance
regression in "git am --abort" that goes back to the version before
an attempted (and failed) patch application.

* pt/am-builtin-abort-fix:
  am --skip/--abort: merge HEAD/ORIG_HEAD tree into index
2015-08-26 15:45:32 -07:00
Jiang Xin
1fb5a0ea96 i18n: am: fix typo in description of -b option
Signed-off-by: Jiang Xin <worldhello.net@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-08-26 12:51:43 -07:00
Junio C Hamano
52f6893d35 Merge branch 'jk/guess-repo-name-regression-fix' into maint
"git clone $URL" in recent releases of Git contains a regression in
the code that invents a new repository name incorrectly based on
the $URL.  This has been corrected.

* jk/guess-repo-name-regression-fix:
  clone: use computed length in guess_dir_name
  clone: add tests for output directory
2015-08-25 16:09:17 -07:00
Junio C Hamano
db86e61cbb Merge branch 'mh/tempfile'
The "lockfile" API has been rebuilt on top of a new "tempfile" API.

* mh/tempfile:
  credential-cache--daemon: use tempfile module
  credential-cache--daemon: delete socket from main()
  gc: use tempfile module to handle gc.pid file
  lock_repo_for_gc(): compute the path to "gc.pid" only once
  diff: use tempfile module
  setup_temporary_shallow(): use tempfile module
  write_shared_index(): use tempfile module
  register_tempfile(): new function to handle an existing temporary file
  tempfile: add several functions for creating temporary files
  prepare_tempfile_object(): new function, extracted from create_tempfile()
  tempfile: a new module for handling temporary files
  commit_lock_file(): use get_locked_file_path()
  lockfile: add accessor get_lock_file_path()
  lockfile: add accessors get_lock_file_fd() and get_lock_file_fp()
  create_bundle(): duplicate file descriptor to avoid closing it twice
  lockfile: move documentation to lockfile.h and lockfile.c
2015-08-25 14:57:09 -07:00
Junio C Hamano
424f89f098 Merge branch 'pt/am-builtin-options'
After "git am --opt1" stops, running "git am --opt2" pays attention
to "--opt2" only for the patch that caused the original invocation
to stop.

* pt/am-builtin-options:
  am: let --signoff override --no-signoff
  am: let command-line options override saved options
  test_terminal: redirect child process' stdin to a pty
2015-08-25 14:57:08 -07:00