Commit Graph

50780 Commits

Author SHA1 Message Date
Jeff King
41a80924ae skip_prefix: add case-insensitive variant
We have the convenient skip_prefix() helper, but if you want
to do case-insensitive matching, you're stuck doing it by
hand. We could add an extra parameter to the function to
let callers ask for this, but the function is small and
somewhat performance-critical. Let's just re-implement it
for the case-insensitive version.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Johannes Schindelin
dc2d9ba318 is_{hfs,ntfs}_dotgitmodules: add tests
This tests primarily for NTFS issues, but also adds one example of an
HFS+ issue.

Thanks go to Congyi Wu for coming up with the list of examples where
NTFS would possibly equate the filename with `.gitmodules`.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Johannes Schindelin
e7cb0b4455 is_ntfs_dotgit: match other .git files
When we started to catch NTFS short names that clash with .git, we only
looked for GIT~1. This is sufficient because we only ever clone into an
empty directory, so .git is guaranteed to be the first subdirectory or
file in that directory.

However, even with a fresh clone, .gitmodules is *not* necessarily the
first file to be written that would want the NTFS short name GITMOD~1: a
malicious repository can add .gitmodul0000 and friends, which sorts
before `.gitmodules` and is therefore checked out *first*. For that
reason, we have to test not only for ~1 short names, but for others,
too.

It's hard to just adapt the existing checks in is_ntfs_dotgit(): since
Windows 2000 (i.e., in all Windows versions still supported by Git),
NTFS short names are only generated in the <prefix>~<number> form up to
number 4. After that, a *different* prefix is used, calculated from the
long file name using an undocumented, but stable algorithm.

For example, the short name of .gitmodules would be GITMOD~1, but if it
is taken, and all of ~2, ~3 and ~4 are taken, too, the short name
GI7EBA~1 will be used. From there, collisions are handled by
incrementing the number, shortening the prefix as needed (until ~9999999
is reached, in which case NTFS will not allow the file to be created).

We'd also want to handle .gitignore and .gitattributes, which suffer
from a similar problem, using the fall-back short names GI250A~1 and
GI7D29~1, respectively.

To accommodate for that, we could reimplement the hashing algorithm, but
it is just safer and simpler to provide the known prefixes. This
algorithm has been reverse-engineered and described at
https://usn.pw/blog/gen/2015/06/09/filenames/, which is defunct but
still available via https://web.archive.org/.

These can be recomputed by running the following Perl script:

-- snip --
use warnings;
use strict;

sub compute_short_name_hash ($) {
        my $checksum = 0;
        foreach (split('', $_[0])) {
                $checksum = ($checksum * 0x25 + ord($_)) & 0xffff;
        }

        $checksum = ($checksum * 314159269) & 0xffffffff;
        $checksum = 1 + (~$checksum & 0x7fffffff) if ($checksum & 0x80000000);
        $checksum -= (($checksum * 1152921497) >> 60) * 1000000007;

        return scalar reverse sprintf("%x", $checksum & 0xffff);
}

print compute_short_name_hash($ARGV[0]);
-- snap --

E.g., running that with the argument ".gitignore" will
result in "250a" (which then becomes "gi250a" in the code).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
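Added example (not part of the commit above and not Git's own code): a simplified C matcher for the two short-name forms the message describes, the regular `<prefix>~1` to `~4` form and the hash-based fall-back whose prefix shrinks as the number grows. The function name `example_ntfs_alias_of` and the sample names are assumptions; the prefixes are the ones quoted in the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Long names and fall-back prefixes as quoted in the commit message. */
static const struct {
    const char *longname, *hash_prefix;
} protected_files[] = {
    { ".gitmodules",    "gi7eba" },
    { ".gitignore",     "gi250a" },
    { ".gitattributes", "gi7d29" },
};

/* NTFS lookups ignore case, so compare in lower case. */
static int lower(char c) { return tolower((unsigned char)c); }

/* Regular form: six letters after the leading dot, then ~1 .. ~4. */
static int is_regular_short(const char *name, const char *longname)
{
    size_t i;
    for (i = 0; i < 6; i++)
        if (lower(name[i]) != longname[i + 1])
            return 0;
    return name[6] == '~' && name[7] >= '1' && name[7] <= '4' && !name[8];
}

/* Fall-back form: 8 characters, hash prefix cut short as the number grows. */
static int is_fallback_short(const char *name, const char *hash_prefix)
{
    size_t i, tilde = strcspn(name, "~");
    if (strlen(name) != 8 || tilde > 6)
        return 0;
    for (i = 0; i < tilde; i++)
        if (lower(name[i]) != hash_prefix[i])
            return 0;
    /* the number has no leading zero and runs to the end of the name */
    for (i = tilde + 1; i < 8; i++)
        if (!isdigit((unsigned char)name[i]) || (i == tilde + 1 && name[i] == '0'))
            return 0;
    return 1;
}

/* Hypothetical helper: which protected file could `name` alias, or NULL. */
const char *example_ntfs_alias_of(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof(protected_files) / sizeof(protected_files[0]); i++)
        if (is_regular_short(name, protected_files[i].longname) ||
            is_fallback_short(name, protected_files[i].hash_prefix))
            return protected_files[i].longname;
    return NULL;
}

int main(void)
{
    /* Constructed tree-entry names, not taken from a real repository. */
    const char *names[] = { "GITMOD~1", "GITMOD~5", "GI7EBA~1", "gi7eb~12", "README~1" };
    size_t i;
    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        const char *hit = example_ntfs_alias_of(names[i]);
        printf("%-9s %s\n", names[i], hit ? hit : "no protected alias");
    }
    return 0;
}
```

`GITMOD~5` is not flagged because, as the message explains, the regular form stops at ~4 and the fall-back uses a different prefix.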
Jeff King
0fc333ba20 is_hfs_dotgit: match other .git files
Both verify_path() and fsck match ".git", ".GIT", and other
variants specific to HFS+. Let's allow matching other
special files like ".gitmodules", which we'll later use to
enforce extra restrictions via verify_path() and fsck.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Jeff King
11a9f4d807 is_ntfs_dotgit: use a size_t for traversing string
We walk through the "name" string using an int, which can
wrap to a negative value and cause us to read random memory
before our array (e.g., by creating a tree with a name >2GB,
since "int" is still 32 bits even on most 64-bit platforms).
Worse, this is easy to trigger during the fsck_tree() check,
which is supposed to be protecting us from malicious
garbage.

Note one bit of trickiness in the existing code: we
sometimes assign -1 to "len" at the end of the loop, and
then rely on the "len++" in the for-loop's increment to take
it back to 0. This is still legal with a size_t, since
assigning -1 will turn into SIZE_MAX, which then wraps
around to 0 on increment.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Jeff King
0383bbb901 submodule-config: verify submodule names as paths
Submodule "names" come from the untrusted .gitmodules file,
but we blindly append them to $GIT_DIR/modules to create our
on-disk repo paths. This means you can do bad things by
putting "../" into the name (among other things).

Let's sanity-check these names to avoid building a path that
can be exploited. There are two main decisions:

  1. What should the allowed syntax be?

     It's tempting to reuse verify_path(), since submodule
     names typically come from in-repo paths. But there are
     two reasons not to:

       a. It's technically more strict than what we need, as
          we really care only about breaking out of the
          $GIT_DIR/modules/ hierarchy.  E.g., having a
          submodule named "foo/.git" isn't actually
          dangerous, and it's possible that somebody has
          manually given such a funny name.

       b. Since we'll eventually use this checking logic in
          fsck to prevent downstream repositories, it should
          be consistent across platforms. Because
          verify_path() relies on is_dir_sep(), it wouldn't
          block "foo\..\bar" on a non-Windows machine.

  2. Where should we enforce it? These days most of the
     .gitmodules reads go through submodule-config.c, so
     I've put it there in the reading step. That should
     cover all of the C code.

     We also construct the name for "git submodule add"
     inside the git-submodule.sh script. This is probably
     not a big deal for security since the name is coming
     from the user anyway, but it would be polite to remind
     them if the name they pick is invalid (and we need to
     expose the name-checker to the shell anyway for our
     test scripts).

     This patch issues a warning when reading .gitmodules
     and just ignores the related config entry completely.
     This will generally end up producing a sensible error,
     as it works the same as a .gitmodules file which is
     missing a submodule entry (so "submodule update" will
     barf, but "git clone --recurse-submodules" will print
     an error but not abort the clone).

     There is one minor oddity, which is that we print the
     warning once per malformed config key (since that's how
     the config subsystem gives us the entries). So in the
     new test, for example, the user would see three
     warnings. That's OK, since the intent is that this case
     should never come up outside of malicious repositories
     (and then it might even benefit the user to see the
     message multiple times).

Credit for finding this vulnerability and the proof of
concept from which the test script was adapted goes to
Etienne Stalmans.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
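Added example (not part of the commit above and not Git's own code): a C sketch of the name rule the message argues for, rejecting any ".." component while treating both '/' and '\' as separators on every platform, applied before a name is appended to the modules directory. The function names and sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Both separators count everywhere, so "foo\..\bar" is caught on Linux too. */
static int is_sep(char c)
{
    return c == '/' || c == '\\';
}

/* Hypothetical checker: 0 if the name is acceptable, -1 if it is empty
 * or contains a ".." path component. */
int example_check_submodule_name(const char *name)
{
    const char *p = name;

    if (!*name)
        return -1;
    while (*p) {
        /* p sits at the start of a component; find where it ends */
        const char *end = p;
        while (*end && !is_sep(*end))
            end++;
        if (end - p == 2 && p[0] == '.' && p[1] == '.')
            return -1;
        p = *end ? end + 1 : end;
    }
    return 0;
}

/* Build "<git_dir>/modules/<name>" only for names that pass the check;
 * a rejected name gets a warning and is otherwise ignored. */
int example_module_path(char *out, size_t outlen,
                        const char *git_dir, const char *name)
{
    int n;

    if (example_check_submodule_name(name) < 0) {
        fprintf(stderr, "warning: ignoring suspicious submodule name: %s\n", name);
        return -1;
    }
    n = snprintf(out, outlen, "%s/modules/%s", git_dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names, not taken from a real .gitmodules file. */
    const char *names[] = { "lib/foo", "foo/.git", "../outside",
                            "foo\\..\\bar", "a..b" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        if (!example_module_path(path, sizeof(path), ".git", names[i]))
            printf("%-12s -> %s\n", names[i], path);
    return 0;
}
```

"foo/.git" and "a..b" pass, matching point 1a of the message: only a whole ".." component can leave the modules hierarchy.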
Junio C Hamano
468165c1d8 Git 2.17
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-04-02 10:13:35 -07:00
Junio C Hamano
1614dd0fbc l10n for Git 2.17.0 round 1
Merge tag 'l10n-2.17.0-rnd1' of git://github.com/git-l10n/git-po

l10n for Git 2.17.0 round 1

* tag 'l10n-2.17.0-rnd1' of git://github.com/git-l10n/git-po:
  l10n: de.po: translate 132 new messages
  l10n: zh_CN: review for git v2.17.0 l10n round 1
  l10n: zh_CN: for git v2.17.0 l10n round 1
  l10n: ko.po: Update Korean translation
  l10n: fr.po: v2.17.0 no fuzzy
  l10n: sv.po: Update Swedish translation (3376t0f0u)
  l10n: Update Catalan translation
  l10n: fr.po v2.17.0 round 1
  l10n: vi.po(3376t): Updated Vietnamese translation for v2.17
  l10n: bg.po: Updated Bulgarian translation (3376t)
  l10n: es.po: Update Spanish translation 2.17.0
  l10n: git.pot: v2.17.0 round 1 (132 new, 44 removed)
  l10n: es.po: fixes to Spanish translation
2018-04-02 10:12:38 -07:00
Junio C Hamano
5f9441769f Merge branch 'pw/add-p-single'
Hotfix.

* pw/add-p-single:
  add -p: fix 2.17.0-rc* regression due to moved code
2018-04-02 10:10:55 -07:00
Ævar Arnfjörð Bjarmason
fd2fb4aa0c add -p: fix 2.17.0-rc* regression due to moved code
Fix a regression in 88f6ffc1c2 ("add -p: only bind search key if
there's more than one hunk", 2018-02-13) which is present in
2.17.0-rc*, but not 2.16.0.

In Perl, regex variables like $1 always refer to the last regex
match. When the aforementioned change added a new regex match between
the old match and the corresponding code that was expecting $1, the $1
variable would always be undef, since the newly inserted regex match
doesn't have any captures.

As a result the "/" feature to search for a string in a hunk by regex
completely broke, on git.git:

    $ perl -pi -e 's/Git/Tig/g' README.md
    $ ./git --exec-path=$PWD add -p
    [..]
    Stage this hunk [y,n,q,a,d,j,J,g,/,s,e,?]? s
    Split into 4 hunks.
    [...]
    Stage this hunk [y,n,q,a,d,j,J,g,/,s,e,?]? /Many
    Use of uninitialized value $1 in string eq at /home/avar/g/git/git-add--interactive line 1568, <STDIN> line 1.
    search for regex? Many

I.e. the initial "/regex" command wouldn't work, and would always emit
a warning and ask again for a regex. Now it works as intended again.

Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-31 21:54:28 -07:00
Ralf Thielow
8bb6d60dd6 l10n: de.po: translate 132 new messages
Translate 132 new messages that came from the git.pot update in abc8de64d
(l10n: git.pot: v2.17.0 round 1 (132 new, 44 removed)).

Signed-off-by: Ralf Thielow <ralf.thielow@gmail.com>
2018-03-31 13:21:09 +02:00
Junio C Hamano
c2a499e6c3 Merge branch 'jh/partial-clone'
Hotfix.

* jh/partial-clone:
  upload-pack: disable object filtering when disabled by config
  unpack-trees: release oid_array after use in check_updates()
2018-03-29 15:39:59 -07:00
Jonathan Nieder
c7620bd0f3 upload-pack: disable object filtering when disabled by config
When upload-pack gained partial clone support (v2.17.0-rc0~132^2~12,
2017-12-08), it was guarded by the uploadpack.allowFilter config item
to allow server operators to control when they start supporting it.

That config item didn't go far enough, though: it controls whether the
'filter' capability is advertised, but if a (custom) client ignores
the capability advertisement and passes a filter specification anyway,
the server would handle that despite allowFilter being false.

This is particularly significant if a security bug is discovered in
this new experimental partial clone code.  Installations without
uploadpack.allowFilter ought not to be affected since they don't
intend to support partial clone, but they would be swept up into being
vulnerable.

Simplify and limit the attack surface by making uploadpack.allowFilter
disable the feature, not just the advertisement of it.

Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-29 15:39:31 -07:00
Ray Chen
610f8099cd l10n: zh_CN: review for git v2.17.0 l10n round 1
Signed-off-by: Ray Chen <oldsharp@gmail.com>
2018-03-29 22:09:39 +08:00
Jiang Xin
31e5e17b22 l10n: zh_CN: for git v2.17.0 l10n round 1
Translate 132 new messages (3376t0f0u) for git 2.17.0-rc0.

Reviewed-by: 依云 <lilydjwg@gmail.com>
Reviewed-by: Fangyi Zhou <fangyi.zhou@yuriko.moe>
Signed-off-by: Jiang Xin <worldhello.net@gmail.com>
2018-03-29 22:09:39 +08:00
Junio C Hamano
03df495947 Git 2.17-rc2
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-28 11:05:14 -07:00
Junio C Hamano
72d30c71a3 Merge branch 'tg/stash-doc-typofix'
Hotfix.

* tg/stash-doc-typofix:
  git-stash.txt: remove extra square bracket
2018-03-28 11:04:25 -07:00
Junio C Hamano
2081fa73b4 Merge branch 'pc/submodule-helper'
Hotfix.

* pc/submodule-helper:
  submodule deinit: handle non existing pathspecs gracefully
2018-03-28 11:04:25 -07:00
Junio C Hamano
87cc76fa3a Merge branch 'nd/parseopt-completion'
Hotfix for a recently graduated topic that gives help to completion
scripts from the Git subcommands that are being completed.

* nd/parseopt-completion:
  t9902: disable test on the list of merge-strategies under GETTEXT_POISON
  completion: clear cached --options when sourcing the completion script
2018-03-28 11:04:24 -07:00
Changwoo Ryu
1be5ae8a4b l10n: ko.po: Update Korean translation
Signed-off-by: Changwoo Ryu <cwryu@debian.org>
Signed-off-by: Sihyeon Jang <uneedsihyeon@gmail.com>
Signed-off-by: Gwan-gyeong Mun <elongbug@gmail.com>
Reviewed-by: Changwoo Ryu <cwryu@debian.org>
2018-03-28 23:41:20 +09:00
Stefan Beller
9748e39d0c submodule deinit: handle non existing pathspecs gracefully
This fixes a regression introduced in 2e612731b5 (submodule: port
submodule subcommand 'deinit' from shell to C, 2018-01-15), when
handling pathspecs that do not exist gracefully. This restores the
historic behavior of reporting the pathspec as unknown and returning
instead of reporting a bug.

Reported-by: Peter Oberndorfer <kumbayo84@arcor.de>
Signed-off-by: Stefan Beller <sbeller@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-27 22:07:13 -07:00
Thomas Gummerer
0a790f09c6 git-stash.txt: remove extra square bracket
In 1ada5020b3 ("stash: use stash_push for no verb form", 2017-02-28),
when the pathspec argument was introduced in 'git stash', that was also
documented.  However I forgot to remove an extra square bracket after
the '--message' argument, even though the square bracket should have
been after the pathspec argument (where it was also added).

Remove the extra square bracket after the '--message' argument, to show
that the pathspec argument should be used with the 'push' verb.

While the pathspec argument can be used without the push verb, that's a
special case described later in the man page, and removing the first extra
square bracket instead of the second one makes the synopsis easier to
understand.

Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-27 19:09:13 -07:00
René Scharfe
9f242a1336 unpack-trees: release oid_array after use in check_updates()
Signed-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-25 10:51:46 -07:00
Jiang Xin
edc320edc3 Merge branch 'fr_v2.17.0' of git://github.com/jnavila/git
* 'fr_v2.17.0' of git://github.com/jnavila/git:
  l10n: fr.po: v2.17.0 no fuzzy
2018-03-25 21:24:02 +08:00
Jean-Noël Avila
7be97e414b l10n: fr.po: v2.17.0 no fuzzy
Signed-off-by: Jean-Noël Avila <jn.avila@free.fr>
2018-03-23 23:03:37 +01:00
Junio C Hamano
b60e88cc78 t9902: disable test on the list of merge-strategies under GETTEXT_POISON
The code to learn the list of merge strategies from the output of
"git merge -s help" forces C locale, so that it can notice the
message shown to indicate where the list starts in the output.

However, GETTEXT_POISON build corrupts its output even when run in
the C locale, and we cannot expect this test to succeed.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-23 11:27:52 -07:00
Junio C Hamano
90bbd502d5 Sync with Git 2.16.3
2018-03-22 14:36:51 -07:00
Junio C Hamano
d32eb83c1d Git 2.16.3
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-22 14:24:45 -07:00
Junio C Hamano
88595ebceb Merge branch 'ms/non-ascii-ticks' into maint
Doc markup fix.

* ms/non-ascii-ticks:
  Documentation/gitsubmodules.txt: avoid non-ASCII apostrophes
2018-03-22 14:24:26 -07:00
Junio C Hamano
393eee1cad Merge branch 'jk/cached-commit-buffer' into maint
Code clean-up.

* jk/cached-commit-buffer:
  revision: drop --show-all option
  commit: drop uses of get_cached_commit_buffer()
2018-03-22 14:24:25 -07:00
Junio C Hamano
c9bc2c5d4d Merge branch 'sm/mv-dry-run-update' into maint
Code clean-up.

* sm/mv-dry-run-update:
  mv: remove unneeded 'if (!show_only)'
  t7001: add test case for --dry-run
2018-03-22 14:24:25 -07:00
Junio C Hamano
342215be59 Merge branch 'tg/worktree-create-tracking' into maint
Hotfix for a recent topic.

* tg/worktree-create-tracking:
  git-worktree.txt: fix indentation of example and text of 'add' command
  git-worktree.txt: fix missing ")" typo
2018-03-22 14:24:24 -07:00
Junio C Hamano
8bfeb0e42c Merge branch 'gs/test-unset-xdg-cache-home' into maint
Test update.

* gs/test-unset-xdg-cache-home:
  test-lib.sh: unset XDG_CACHE_HOME
2018-03-22 14:24:24 -07:00
Junio C Hamano
e09224812a Merge branch 'sb/status-doc-fix' into maint
Docfix.

* sb/status-doc-fix:
  Documentation/git-status: clarify status table for porcelain mode
2018-03-22 14:24:23 -07:00
Junio C Hamano
9ea8e0ca81 Merge branch 'rd/typofix' into maint
Typofix.

* rd/typofix:
  Correct mispellings of ".gitmodule" to ".gitmodules"
  t/: correct obvious typo "detahced"
2018-03-22 14:24:22 -07:00
Junio C Hamano
5a03f1d75a Merge branch 'bp/fsmonitor' into maint
Doc update for a recently added feature.

* bp/fsmonitor:
  fsmonitor: update documentation to remove reference to invalid config settings
2018-03-22 14:24:21 -07:00
Junio C Hamano
dfc20a5e3c Merge branch 'bc/doc-interpret-trailers-grammofix' into maint
Docfix.

* bc/doc-interpret-trailers-grammofix:
  docs/interpret-trailers: fix agreement error
2018-03-22 14:24:21 -07:00
Junio C Hamano
68559c464a Merge branch 'sg/doc-test-must-fail-args' into maint
Devdoc update.

* sg/doc-test-must-fail-args:
  t: document 'test_must_fail ok=<signal-name>'
2018-03-22 14:24:20 -07:00
Junio C Hamano
67b7dd3d86 Merge branch 'rj/sparse-updates' into maint
Devtool update.

* rj/sparse-updates:
  Makefile: suppress a sparse warning for pack-revindex.c
  config.mak.uname: remove SPARSE_FLAGS setting for cygwin
2018-03-22 14:24:19 -07:00
Junio C Hamano
2e1062d30f Merge branch 'jk/gettext-poison' into maint
Test updates.

* jk/gettext-poison:
  git-sh-i18n: check GETTEXT_POISON before USE_GETTEXT_SCHEME
  t0205: drop redundant test
2018-03-22 14:24:19 -07:00
Junio C Hamano
34f6f0eca2 Merge branch 'nd/ignore-glob-doc-update' into maint
Doc update.

* nd/ignore-glob-doc-update:
  gitignore.txt: elaborate shell glob syntax
2018-03-22 14:24:18 -07:00
Junio C Hamano
fda2326cb7 Merge branch 'rs/cocci-strbuf-addf-to-addstr' into maint
* rs/cocci-strbuf-addf-to-addstr:
  cocci: simplify check for trivial format strings
2018-03-22 14:24:17 -07:00
Junio C Hamano
e55521be8d Merge branch 'jc/worktree-add-short-help' into maint
Error message fix.

* jc/worktree-add-short-help:
  worktree: say that "add" takes an arbitrary commit in short-help
2018-03-22 14:24:17 -07:00
Junio C Hamano
9c34129e6b Merge branch 'tz/doc-show-defaults-to-head' into maint
Doc update.

* tz/doc-show-defaults-to-head:
  doc: mention 'git show' defaults to HEAD
2018-03-22 14:24:17 -07:00
Junio C Hamano
3112c3fa7f Merge branch 'nd/shared-index-fix' into maint
Code clean-up.

* nd/shared-index-fix:
  read-cache: don't write index twice if we can't write shared index
  read-cache.c: move tempfile creation/cleanup out of write_shared_index
  read-cache.c: change type of "temp" in write_shared_index()
2018-03-22 14:24:16 -07:00
Junio C Hamano
bffce882fd Merge branch 'jc/mailinfo-cleanup-fix' into maint
Corner case bugfix.

* jc/mailinfo-cleanup-fix:
  mailinfo: avoid segfault when can't open files
2018-03-22 14:24:16 -07:00
Junio C Hamano
b502aa4f45 Merge branch 'rb/hashmap-h-compilation-fix' into maint
Code clean-up.

* rb/hashmap-h-compilation-fix:
  hashmap.h: remove unused variable
2018-03-22 14:24:15 -07:00
Junio C Hamano
9bcb48912c Merge branch 'rs/describe-unique-abbrev' into maint
Code clean-up.

* rs/describe-unique-abbrev:
  describe: use strbuf_add_unique_abbrev() for adding short hashes
2018-03-22 14:24:14 -07:00
Junio C Hamano
60736db161 Merge branch 'ks/submodule-doc-updates' into maint
Doc updates.

* ks/submodule-doc-updates:
  Doc/git-submodule: improve readability and grammar of a sentence
  Doc/gitsubmodules: make some changes to improve readability and syntax
2018-03-22 14:24:14 -07:00
Junio C Hamano
b1bdf46bb8 Merge branch 'cl/t9001-cleanup' into maint
Test clean-up.

* cl/t9001-cleanup:
  t9001: use existing helper in send-email test
2018-03-22 14:24:13 -07:00