Commit Graph

50102 Commits

Author SHA1 Message Date
René Scharfe
cbd23de8bb pack-objects: specify --index-version argument help explicitly
Wrap both placeholders in the argument help string in angular brackets
to signal that users needs replace them with some actual value.  Use the
flag PARSE_OPT_LITERAL_ARGHELP to prevent parseopt from adding another
pair.

Signed-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-08-03 08:36:20 -07:00
René Scharfe
9f6013a88d difftool: remove angular brackets from argument help
Parseopt wraps arguments in a pair of angular brackets by default,
signifying that the user needs to replace it with a value of the
documented type.  Remove the pairs from the option definitions to
duplication and confusion.

Signed-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-08-03 08:36:20 -07:00
René Scharfe
8b5ebbed0e add, update-index: fix --chmod argument help
Don't translate the argument specification for --chmod; "+x" and "-x"
are the literal strings that the commands accept.

Separate alternatives using a pipe character instead of a slash, for
consistency.

Use the flag PARSE_OPT_LITERAL_ARGHELP to prevent parseopt from adding a
pair of angular brackets around the argument help string, as that would
wrongly indicate that users need to replace the literal strings with
some kind of value.

Signed-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-08-03 08:36:20 -07:00
Ævar Arnfjörð Bjarmason
c67318ecb6 push: use PARSE_OPT_LITERAL_ARGHELP instead of unbalanced brackets
The option help text for the force-with-lease option to "git push"
reads like this:

    $ git push -h 2>&1 | grep -e force-with-lease
       --force-with-lease[=<refname>:<expect>]

which comes from having N_("refname>:<expect") as the argument help
text in the source code, with an aparent lack of "<" and ">" at both
ends.

It turns out that parse-options machinery takes the whole string and
encloses it inside a pair of "<>", to make it easier for majority
cases that uses a single token placeholder.

The help string was written in a funnily unbalanced way knowing that
the end result would balance out, by somebody who forgot the
presence of PARSE_OPT_LITERAL_ARGHELP, which is the escape hatch
mechanism designed to help such a case.  We just should use the
official escape hatch instead.

Because ":<expect>" part can be omitted to ask Git to guess, it may
be more correct to spell it as "<refname>[:<expect>]", but that is
not the focus of this topic.

Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Helped-by: René Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-08-03 08:31:28 -07:00
Junio C Hamano
a42a58d7b6 Git 2.16.4
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-05-22 14:18:51 +09:00
Junio C Hamano
023020401d Sync with Git 2.15.2
* maint-2.15:
  Git 2.15.2
  Git 2.14.4
  Git 2.13.7
  verify_path: disallow symlinks in .gitmodules
  update-index: stat updated files earlier
  verify_dotfile: mention case-insensitivity in comment
  verify_path: drop clever fallthrough
  skip_prefix: add case-insensitive variant
  is_{hfs,ntfs}_dotgitmodules: add tests
  is_ntfs_dotgit: match other .git files
  is_hfs_dotgit: match other .git files
  is_ntfs_dotgit: use a size_t for traversing string
  submodule-config: verify submodule names as paths
2018-05-22 14:18:06 +09:00
Junio C Hamano
d33c87517a Git 2.15.2
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-05-22 14:15:59 +09:00
Junio C Hamano
9e0f06d55d Sync with Git 2.14.4
* maint-2.14:
  Git 2.14.4
  Git 2.13.7
  verify_path: disallow symlinks in .gitmodules
  update-index: stat updated files earlier
  verify_dotfile: mention case-insensitivity in comment
  verify_path: drop clever fallthrough
  skip_prefix: add case-insensitive variant
  is_{hfs,ntfs}_dotgitmodules: add tests
  is_ntfs_dotgit: match other .git files
  is_hfs_dotgit: match other .git files
  is_ntfs_dotgit: use a size_t for traversing string
  submodule-config: verify submodule names as paths
2018-05-22 14:15:14 +09:00
Junio C Hamano
4dde7b8799 Git 2.14.4
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-05-22 14:12:02 +09:00
Junio C Hamano
7b01c71b64 Sync with Git 2.13.7
* maint-2.13:
  Git 2.13.7
  verify_path: disallow symlinks in .gitmodules
  update-index: stat updated files earlier
  verify_dotfile: mention case-insensitivity in comment
  verify_path: drop clever fallthrough
  skip_prefix: add case-insensitive variant
  is_{hfs,ntfs}_dotgitmodules: add tests
  is_ntfs_dotgit: match other .git files
  is_hfs_dotgit: match other .git files
  is_ntfs_dotgit: use a size_t for traversing string
  submodule-config: verify submodule names as paths
2018-05-22 14:10:49 +09:00
Junio C Hamano
0114f71344 Git 2.13.7
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-05-22 13:50:36 +09:00
Junio C Hamano
8528c31d98 Merge branch 'jk/submodule-fix-loose' into maint-2.13
* jk/submodule-fix-loose:
  verify_path: disallow symlinks in .gitmodules
  update-index: stat updated files earlier
  verify_dotfile: mention case-insensitivity in comment
  verify_path: drop clever fallthrough
  skip_prefix: add case-insensitive variant
  is_{hfs,ntfs}_dotgitmodules: add tests
  is_ntfs_dotgit: match other .git files
  is_hfs_dotgit: match other .git files
  is_ntfs_dotgit: use a size_t for traversing string
  submodule-config: verify submodule names as paths
2018-05-22 13:48:26 +09:00
Jeff King
10ecfa7649 verify_path: disallow symlinks in .gitmodules
There are a few reasons it's not a good idea to make
.gitmodules a symlink, including:

  1. It won't be portable to systems without symlinks.

  2. It may behave inconsistently, since Git may look at
     this file in the index or a tree without bothering to
     resolve any symbolic links. We don't do this _yet_, but
     the config infrastructure is there and it's planned for
     the future.

With some clever code, we could make (2) work. And some
people may not care about (1) if they only work on one
platform. But there are a few security reasons to simply
disallow it:

  a. A symlinked .gitmodules file may circumvent any fsck
     checks of the content.

  b. Git may read and write from the on-disk file without
     sanity checking the symlink target. So for example, if
     you link ".gitmodules" to "../oops" and run "git
     submodule add", we'll write to the file "oops" outside
     the repository.

Again, both of those are problems that _could_ be solved
with sufficient code, but given the complications in (1) and
(2), we're better off just outlawing it explicitly.

Note the slightly tricky call to verify_path() in
update-index's update_one(). There we may not have a mode if
we're not updating from the filesystem (e.g., we might just
be removing the file). Passing "0" as the mode there works
fine; since it's not a symlink, we'll just skip the extra
checks.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Jeff King
eb12dd0c76 update-index: stat updated files earlier
In the update_one(), we check verify_path() on the proposed
path before doing anything else. In preparation for having
verify_path() look at the file mode, let's stat the file
earlier, so we can check the mode accurately.

This is made a bit trickier by the fact that this function
only does an lstat in a few code paths (the ones that flow
down through process_path()). So we can speculatively do the
lstat() here and pass the results down, and just use a dummy
mode for cases where we won't actually be updating the index
from the filesystem.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Jeff King
641084b618 verify_dotfile: mention case-insensitivity in comment
We're more restrictive than we need to be in matching ".GIT"
on case-sensitive filesystems; let's make a note that this
is intentional.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Jeff King
e19e5e66d6 verify_path: drop clever fallthrough
We check ".git" and ".." in the same switch statement, and
fall through the cases to share the end-of-component check.
While this saves us a line or two, it makes modifying the
function much harder. Let's just write it out.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Jeff King
41a80924ae skip_prefix: add case-insensitive variant
We have the convenient skip_prefix() helper, but if you want
to do case-insensitive matching, you're stuck doing it by
hand. We could add an extra parameter to the function to
let callers ask for this, but the function is small and
somewhat performance-critical. Let's just re-implement it
for the case-insensitive version.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Johannes Schindelin
dc2d9ba318 is_{hfs,ntfs}_dotgitmodules: add tests
This tests primarily for NTFS issues, but also adds one example of an
HFS+ issue.

Thanks go to Congyi Wu for coming up with the list of examples where
NTFS would possibly equate the filename with `.gitmodules`.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Johannes Schindelin
e7cb0b4455 is_ntfs_dotgit: match other .git files
When we started to catch NTFS short names that clash with .git, we only
looked for GIT~1. This is sufficient because we only ever clone into an
empty directory, so .git is guaranteed to be the first subdirectory or
file in that directory.

However, even with a fresh clone, .gitmodules is *not* necessarily the
first file to be written that would want the NTFS short name GITMOD~1: a
malicious repository can add .gitmodul0000 and friends, which sorts
before `.gitmodules` and is therefore checked out *first*. For that
reason, we have to test not only for ~1 short names, but for others,
too.

It's hard to just adapt the existing checks in is_ntfs_dotgit(): since
Windows 2000 (i.e., in all Windows versions still supported by Git),
NTFS short names are only generated in the <prefix>~<number> form up to
number 4. After that, a *different* prefix is used, calculated from the
long file name using an undocumented, but stable algorithm.

For example, the short name of .gitmodules would be GITMOD~1, but if it
is taken, and all of ~2, ~3 and ~4 are taken, too, the short name
GI7EBA~1 will be used. From there, collisions are handled by
incrementing the number, shortening the prefix as needed (until ~9999999
is reached, in which case NTFS will not allow the file to be created).

We'd also want to handle .gitignore and .gitattributes, which suffer
from a similar problem, using the fall-back short names GI250A~1 and
GI7D29~1, respectively.

To accommodate for that, we could reimplement the hashing algorithm, but
it is just safer and simpler to provide the known prefixes. This
algorithm has been reverse-engineered and described at
https://usn.pw/blog/gen/2015/06/09/filenames/, which is defunct but
still available via https://web.archive.org/.

These can be recomputed by running the following Perl script:

-- snip --
use warnings;
use strict;

sub compute_short_name_hash ($) {
        my $checksum = 0;
        foreach (split('', $_[0])) {
                $checksum = ($checksum * 0x25 + ord($_)) & 0xffff;
        }

        $checksum = ($checksum * 314159269) & 0xffffffff;
        $checksum = 1 + (~$checksum & 0x7fffffff) if ($checksum & 0x80000000);
        $checksum -= (($checksum * 1152921497) >> 60) * 1000000007;

        return scalar reverse sprintf("%x", $checksum & 0xffff);
}

print compute_short_name_hash($ARGV[0]);
-- snap --

E.g., running that with the argument ".gitignore" will
result in "250a" (which then becomes "gi250a" in the code).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Jeff King
0fc333ba20 is_hfs_dotgit: match other .git files
Both verify_path() and fsck match ".git", ".GIT", and other
variants specific to HFS+. Let's allow matching other
special files like ".gitmodules", which we'll later use to
enforce extra restrictions via verify_path() and fsck.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Jeff King
11a9f4d807 is_ntfs_dotgit: use a size_t for traversing string
We walk through the "name" string using an int, which can
wrap to a negative value and cause us to read random memory
before our array (e.g., by creating a tree with a name >2GB,
since "int" is still 32 bits even on most 64-bit platforms).
Worse, this is easy to trigger during the fsck_tree() check,
which is supposed to be protecting us from malicious
garbage.

Note one bit of trickiness in the existing code: we
sometimes assign -1 to "len" at the end of the loop, and
then rely on the "len++" in the for-loop's increment to take
it back to 0. This is still legal with a size_t, since
assigning -1 will turn into SIZE_MAX, which then wraps
around to 0 on increment.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Jeff King
0383bbb901 submodule-config: verify submodule names as paths
Submodule "names" come from the untrusted .gitmodules file,
but we blindly append them to $GIT_DIR/modules to create our
on-disk repo paths. This means you can do bad things by
putting "../" into the name (among other things).

Let's sanity-check these names to avoid building a path that
can be exploited. There are two main decisions:

  1. What should the allowed syntax be?

     It's tempting to reuse verify_path(), since submodule
     names typically come from in-repo paths. But there are
     two reasons not to:

       a. It's technically more strict than what we need, as
          we really care only about breaking out of the
          $GIT_DIR/modules/ hierarchy.  E.g., having a
          submodule named "foo/.git" isn't actually
          dangerous, and it's possible that somebody has
          manually given such a funny name.

       b. Since we'll eventually use this checking logic in
          fsck to prevent downstream repositories, it should
          be consistent across platforms. Because
          verify_path() relies on is_dir_sep(), it wouldn't
          block "foo\..\bar" on a non-Windows machine.

  2. Where should we enforce it? These days most of the
     .gitmodules reads go through submodule-config.c, so
     I've put it there in the reading step. That should
     cover all of the C code.

     We also construct the name for "git submodule add"
     inside the git-submodule.sh script. This is probably
     not a big deal for security since the name is coming
     from the user anyway, but it would be polite to remind
     them if the name they pick is invalid (and we need to
     expose the name-checker to the shell anyway for our
     test scripts).

     This patch issues a warning when reading .gitmodules
     and just ignores the related config entry completely.
     This will generally end up producing a sensible error,
     as it works the same as a .gitmodules file which is
     missing a submodule entry (so "submodule update" will
     barf, but "git clone --recurse-submodules" will print
     an error but not abort the clone.

     There is one minor oddity, which is that we print the
     warning once per malformed config key (since that's how
     the config subsystem gives us the entries). So in the
     new test, for example, the user would see three
     warnings. That's OK, since the intent is that this case
     should never come up outside of malicious repositories
     (and then it might even benefit the user to see the
     message multiple times).

Credit for finding this vulnerability and the proof of
concept from which the test script was adapted goes to
Etienne Stalmans.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Junio C Hamano
d32eb83c1d Git 2.16.3
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-22 14:24:45 -07:00
Junio C Hamano
88595ebceb Merge branch 'ms/non-ascii-ticks' into maint
Doc markup fix.

* ms/non-ascii-ticks:
  Documentation/gitsubmodules.txt: avoid non-ASCII apostrophes
2018-03-22 14:24:26 -07:00
Junio C Hamano
393eee1cad Merge branch 'jk/cached-commit-buffer' into maint
Code clean-up.

* jk/cached-commit-buffer:
  revision: drop --show-all option
  commit: drop uses of get_cached_commit_buffer()
2018-03-22 14:24:25 -07:00
Junio C Hamano
c9bc2c5d4d Merge branch 'sm/mv-dry-run-update' into maint
Code clean-up.

* sm/mv-dry-run-update:
  mv: remove unneeded 'if (!show_only)'
  t7001: add test case for --dry-run
2018-03-22 14:24:25 -07:00
Junio C Hamano
342215be59 Merge branch 'tg/worktree-create-tracking' into maint
Hotfix for a recent topic.

* tg/worktree-create-tracking:
  git-worktree.txt: fix indentation of example and text of 'add' command
  git-worktree.txt: fix missing ")" typo
2018-03-22 14:24:24 -07:00
Junio C Hamano
8bfeb0e42c Merge branch 'gs/test-unset-xdg-cache-home' into maint
Test update.

* gs/test-unset-xdg-cache-home:
  test-lib.sh: unset XDG_CACHE_HOME
2018-03-22 14:24:24 -07:00
Junio C Hamano
e09224812a Merge branch 'sb/status-doc-fix' into maint
Docfix.

* sb/status-doc-fix:
  Documentation/git-status: clarify status table for porcelain mode
2018-03-22 14:24:23 -07:00
Junio C Hamano
9ea8e0ca81 Merge branch 'rd/typofix' into maint
Typofix.

* rd/typofix:
  Correct mispellings of ".gitmodule" to ".gitmodules"
  t/: correct obvious typo "detahced"
2018-03-22 14:24:22 -07:00
Junio C Hamano
5a03f1d75a Merge branch 'bp/fsmonitor' into maint
Doc update for a recently added feature.

* bp/fsmonitor:
  fsmonitor: update documentation to remove reference to invalid config settings
2018-03-22 14:24:21 -07:00
Junio C Hamano
dfc20a5e3c Merge branch 'bc/doc-interpret-trailers-grammofix' into maint
Docfix.

* bc/doc-interpret-trailers-grammofix:
  docs/interpret-trailers: fix agreement error
2018-03-22 14:24:21 -07:00
Junio C Hamano
68559c464a Merge branch 'sg/doc-test-must-fail-args' into maint
Devdoc update.

* sg/doc-test-must-fail-args:
  t: document 'test_must_fail ok=<signal-name>'
2018-03-22 14:24:20 -07:00
Junio C Hamano
67b7dd3d86 Merge branch 'rj/sparse-updates' into maint
Devtool update.

* rj/sparse-updates:
  Makefile: suppress a sparse warning for pack-revindex.c
  config.mak.uname: remove SPARSE_FLAGS setting for cygwin
2018-03-22 14:24:19 -07:00
Junio C Hamano
2e1062d30f Merge branch 'jk/gettext-poison' into maint
Test updates.

* jk/gettext-poison:
  git-sh-i18n: check GETTEXT_POISON before USE_GETTEXT_SCHEME
  t0205: drop redundant test
2018-03-22 14:24:19 -07:00
Junio C Hamano
34f6f0eca2 Merge branch 'nd/ignore-glob-doc-update' into maint
Doc update.

* nd/ignore-glob-doc-update:
  gitignore.txt: elaborate shell glob syntax
2018-03-22 14:24:18 -07:00
Junio C Hamano
fda2326cb7 Merge branch 'rs/cocci-strbuf-addf-to-addstr' into maint
* rs/cocci-strbuf-addf-to-addstr:
  cocci: simplify check for trivial format strings
2018-03-22 14:24:17 -07:00
Junio C Hamano
e55521be8d Merge branch 'jc/worktree-add-short-help' into maint
Error message fix.

* jc/worktree-add-short-help:
  worktree: say that "add" takes an arbitrary commit in short-help
2018-03-22 14:24:17 -07:00
Junio C Hamano
9c34129e6b Merge branch 'tz/doc-show-defaults-to-head' into maint
Doc update.

* tz/doc-show-defaults-to-head:
  doc: mention 'git show' defaults to HEAD
2018-03-22 14:24:17 -07:00
Junio C Hamano
3112c3fa7f Merge branch 'nd/shared-index-fix' into maint
Code clean-up.

* nd/shared-index-fix:
  read-cache: don't write index twice if we can't write shared index
  read-cache.c: move tempfile creation/cleanup out of write_shared_index
  read-cache.c: change type of "temp" in write_shared_index()
2018-03-22 14:24:16 -07:00
Junio C Hamano
bffce882fd Merge branch 'jc/mailinfo-cleanup-fix' into maint
Corner case bugfix.

* jc/mailinfo-cleanup-fix:
  mailinfo: avoid segfault when can't open files
2018-03-22 14:24:16 -07:00
Junio C Hamano
b502aa4f45 Merge branch 'rb/hashmap-h-compilation-fix' into maint
Code clean-up.

* rb/hashmap-h-compilation-fix:
  hashmap.h: remove unused variable
2018-03-22 14:24:15 -07:00
Junio C Hamano
9bcb48912c Merge branch 'rs/describe-unique-abbrev' into maint
Code clean-up.

* rs/describe-unique-abbrev:
  describe: use strbuf_add_unique_abbrev() for adding short hashes
2018-03-22 14:24:14 -07:00
Junio C Hamano
60736db161 Merge branch 'ks/submodule-doc-updates' into maint
Doc updates.

* ks/submodule-doc-updates:
  Doc/git-submodule: improve readability and grammar of a sentence
  Doc/gitsubmodules: make some changes to improve readability and syntax
2018-03-22 14:24:14 -07:00
Junio C Hamano
b1bdf46bb8 Merge branch 'cl/t9001-cleanup' into maint
Test clean-up.

* cl/t9001-cleanup:
  t9001: use existing helper in send-email test
2018-03-22 14:24:13 -07:00
Junio C Hamano
6ef449ea77 Merge branch 'bw/oidmap-autoinit' into maint
Code clean-up.

* bw/oidmap-autoinit:
  oidmap: ensure map is initialized
2018-03-22 14:24:12 -07:00
Junio C Hamano
dab684ff43 Merge branch 'sg/test-i18ngrep' into maint
Test fixes.

* sg/test-i18ngrep:
  t: make 'test_i18ngrep' more informative on failure
  t: validate 'test_i18ngrep's parameters
  t: move 'test_i18ncmp' and 'test_i18ngrep' to 'test-lib-functions.sh'
  t5536: let 'test_i18ngrep' read the file without redirection
  t5510: consolidate 'grep' and 'test_i18ngrep' patterns
  t4001: don't run 'git status' upstream of a pipe
  t6022: don't run 'git merge' upstream of a pipe
  t5812: add 'test_i18ngrep's missing filename parameter
  t5541: add 'test_i18ngrep's missing filename parameter
2018-03-22 14:24:12 -07:00
Junio C Hamano
d78b7eb2d5 Merge branch 'jt/fsck-code-cleanup' into maint
Plug recently introduced leaks in fsck.

* jt/fsck-code-cleanup:
  fsck: fix leak when traversing trees
2018-03-22 14:24:12 -07:00
Junio C Hamano
34b9ec8dd9 Merge branch 'ew/svn-branch-segfault-fix' into maint
Workaround for segfault with more recent versions of SVN.

* ew/svn-branch-segfault-fix:
  git-svn: control destruction order to avoid segfault
2018-03-22 14:24:11 -07:00
Junio C Hamano
091853a1aa Merge branch 'nd/list-merge-strategy' into maint
Completion of "git merge -s<strategy>" (in contrib/) did not work
well in non-C locale.

* nd/list-merge-strategy:
  completion: fix completing merge strategies on non-C locales
2018-03-22 14:24:11 -07:00