Commit Graph

49356 Commits

Author SHA1 Message Date
Jeff King
10ecfa7649 verify_path: disallow symlinks in .gitmodules
There are a few reasons it's not a good idea to make
.gitmodules a symlink, including:

  1. It won't be portable to systems without symlinks.

  2. It may behave inconsistently, since Git may look at
     this file in the index or a tree without bothering to
     resolve any symbolic links. We don't do this _yet_, but
     the config infrastructure is there and it's planned for
     the future.

With some clever code, we could make (2) work. And some
people may not care about (1) if they only work on one
platform. But there are a few security reasons to simply
disallow it:

  a. A symlinked .gitmodules file may circumvent any fsck
     checks of the content.

  b. Git may read and write from the on-disk file without
     sanity checking the symlink target. So for example, if
     you link ".gitmodules" to "../oops" and run "git
     submodule add", we'll write to the file "oops" outside
     the repository.

Again, both of those are problems that _could_ be solved
with sufficient code, but given the complications in (1) and
(2), we're better off just outlawing it explicitly.

Note the slightly tricky call to verify_path() in
update-index's update_one(). There we may not have a mode if
we're not updating from the filesystem (e.g., we might just
be removing the file). Passing "0" as the mode there works
fine; since it's not a symlink, we'll just skip the extra
checks.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Jeff King
eb12dd0c76 update-index: stat updated files earlier
In update_one(), we check verify_path() on the proposed
path before doing anything else. In preparation for having
verify_path() look at the file mode, let's stat the file
earlier, so we can check the mode accurately.

This is made a bit trickier by the fact that this function
only does an lstat in a few code paths (the ones that flow
down through process_path()). So we can speculatively do the
lstat() here and pass the results down, and just use a dummy
mode for cases where we won't actually be updating the index
from the filesystem.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Jeff King
641084b618 verify_dotfile: mention case-insensitivity in comment
We're more restrictive than we need to be in matching ".GIT"
on case-sensitive filesystems; let's make a note that this
is intentional.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Jeff King
e19e5e66d6 verify_path: drop clever fallthrough
We check ".git" and ".." in the same switch statement, and
fall through the cases to share the end-of-component check.
While this saves us a line or two, it makes modifying the
function much harder. Let's just write it out.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Jeff King
41a80924ae skip_prefix: add case-insensitive variant
We have the convenient skip_prefix() helper, but if you want
to do case-insensitive matching, you're stuck doing it by
hand. We could add an extra parameter to the function to
let callers ask for this, but the function is small and
somewhat performance-critical. Let's just re-implement it
for the case-insensitive version.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Johannes Schindelin
dc2d9ba318 is_{hfs,ntfs}_dotgitmodules: add tests
This tests primarily for NTFS issues, but also adds one example of an
HFS+ issue.

Thanks go to Congyi Wu for coming up with the list of examples where
NTFS would possibly equate the filename with `.gitmodules`.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Johannes Schindelin
e7cb0b4455 is_ntfs_dotgit: match other .git files
When we started to catch NTFS short names that clash with .git, we only
looked for GIT~1. This is sufficient because we only ever clone into an
empty directory, so .git is guaranteed to be the first subdirectory or
file in that directory.

However, even with a fresh clone, .gitmodules is *not* necessarily the
first file to be written that would want the NTFS short name GITMOD~1: a
malicious repository can add .gitmodul0000 and friends, which sorts
before `.gitmodules` and is therefore checked out *first*. For that
reason, we have to test not only for ~1 short names, but for others,
too.

It's hard to just adapt the existing checks in is_ntfs_dotgit(): since
Windows 2000 (i.e., in all Windows versions still supported by Git),
NTFS short names are only generated in the <prefix>~<number> form up to
number 4. After that, a *different* prefix is used, calculated from the
long file name using an undocumented, but stable algorithm.

For example, the short name of .gitmodules would be GITMOD~1, but if it
is taken, and all of ~2, ~3 and ~4 are taken, too, the short name
GI7EBA~1 will be used. From there, collisions are handled by
incrementing the number, shortening the prefix as needed (until ~9999999
is reached, in which case NTFS will not allow the file to be created).

We'd also want to handle .gitignore and .gitattributes, which suffer
from a similar problem, using the fall-back short names GI250A~1 and
GI7D29~1, respectively.

To accommodate that, we could reimplement the hashing algorithm, but
it is just safer and simpler to provide the known prefixes. This
algorithm has been reverse-engineered and described at
https://usn.pw/blog/gen/2015/06/09/filenames/, which is defunct but
still available via https://web.archive.org/.

These can be recomputed by running the following Perl script:

-- snip --
use warnings;
use strict;

sub compute_short_name_hash ($) {
        my $checksum = 0;
        foreach (split('', $_[0])) {
                $checksum = ($checksum * 0x25 + ord($_)) & 0xffff;
        }

        $checksum = ($checksum * 314159269) & 0xffffffff;
        $checksum = 1 + (~$checksum & 0x7fffffff) if ($checksum & 0x80000000);
        $checksum -= (($checksum * 1152921497) >> 60) * 1000000007;

        return scalar reverse sprintf("%x", $checksum & 0xffff);
}

print compute_short_name_hash($ARGV[0]);
-- snap --

E.g., running that with the argument ".gitignore" will
result in "250a" (which then becomes "gi250a" in the code).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
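As an added example (my code, not git's is_ntfs_dotgitmodules() and not the Perl above): a Python port of that hash, a matcher for the three name forms the commit describes (long name, GITMOD~1..~4, and the GI7EBA~n fall-back with its shrinking prefix), and an fsck-style pass over a constructed tree listing. The function names, the sample listing and the trailing-dot/space stripping are assumptions of this example.

```python
import re


def ntfs_short_name_hash(name: str) -> str:
    """Python port of the Perl script in the commit message: the
    reverse-engineered hash behind NTFS 8.3 fall-back short names."""
    checksum = 0
    for ch in name:
        checksum = (checksum * 0x25 + ord(ch)) & 0xFFFF
    checksum = (checksum * 314159269) & 0xFFFFFFFF
    if checksum & 0x80000000:
        checksum = 1 + (~checksum & 0x7FFFFFFF)
    checksum -= ((checksum * 1152921497) >> 60) * 1000000007
    # Perl's: scalar reverse sprintf("%x", $checksum & 0xffff)
    return format(checksum & 0xFFFF, "x")[::-1]


def ntfs_fallback_prefix(dotfile: str) -> str:
    """'.gitmodules' -> 'gi7eba': two leading letters of the long name plus the hash."""
    return (dotfile.lstrip(".")[:2] + ntfs_short_name_hash(dotfile)).lower()


def is_ntfs_dot_str(entry: str, dotfile: str) -> bool:
    """True if NTFS could resolve tree entry `entry` to `dotfile`.

    The three forms come from the commit message:
      1. the long name itself, compared case-insensitively;
      2. the regular short name <first six letters>~<1..4>, e.g. GITMOD~1;
      3. the fall-back short name <gi><hash>~<n>, with the prefix
         shortened so the whole name stays 8 characters (GI7EBA~1,
         GI7EB~10, GI7E~100, ...).
    """
    # Assumption beyond the commit text: Win32 ignores trailing dots and
    # spaces when opening a file, so ".gitmodules." reaches the same file.
    name = entry.rstrip(". ").lower()
    base = dotfile.lstrip(".").lower()

    if name == dotfile.lower():
        return True

    m = re.fullmatch(r"([^~]{1,6})~([1-9][0-9]*)", name)
    if not m:
        return False
    prefix, number = m.group(1), m.group(2)

    # Form 2: only ~1 to ~4 are ever generated with the plain prefix.
    if prefix == base[:6] and number in ("1", "2", "3", "4"):
        return True

    # Form 3: fall-back prefix, possibly truncated, total length 8.
    fallback = ntfs_fallback_prefix(dotfile)
    return len(prefix) + 1 + len(number) == 8 and fallback.startswith(prefix)


def flag_ntfs_aliases(tree_entries, dotfile=".gitmodules"):
    """fsck-style pass: every entry that NTFS could map onto `dotfile`."""
    return [e for e in tree_entries if is_ntfs_dot_str(e, dotfile)]


# Constructed sample tree listing (not taken from any real repository).
SAMPLE_TREE = [".gitmodules", "README.md", "GITMOD~1", ".gitmodul0000",
               "gi7eba~1", "GI7EBA~10", "src"]

if __name__ == "__main__":
    print(flag_ntfs_aliases(SAMPLE_TREE))
```

Note that ".gitmodul0000" is not flagged: it is not an alias of .gitmodules, it only occupies GITMOD~1 first, which is why the matcher has to accept the later short-name forms.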
Jeff King
0fc333ba20 is_hfs_dotgit: match other .git files
Both verify_path() and fsck match ".git", ".GIT", and other
variants specific to HFS+. Let's allow matching other
special files like ".gitmodules", which we'll later use to
enforce extra restrictions via verify_path() and fsck.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Jeff King
11a9f4d807 is_ntfs_dotgit: use a size_t for traversing string
We walk through the "name" string using an int, which can
wrap to a negative value and cause us to read random memory
before our array (e.g., by creating a tree with a name >2GB,
since "int" is still 32 bits even on most 64-bit platforms).
Worse, this is easy to trigger during the fsck_tree() check,
which is supposed to be protecting us from malicious
garbage.

Note one bit of trickiness in the existing code: we
sometimes assign -1 to "len" at the end of the loop, and
then rely on the "len++" in the for-loop's increment to take
it back to 0. This is still legal with a size_t, since
assigning -1 will turn into SIZE_MAX, which then wraps
around to 0 on increment.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
Jeff King
0383bbb901 submodule-config: verify submodule names as paths
Submodule "names" come from the untrusted .gitmodules file,
but we blindly append them to $GIT_DIR/modules to create our
on-disk repo paths. This means you can do bad things by
putting "../" into the name (among other things).

Let's sanity-check these names to avoid building a path that
can be exploited. There are two main decisions:

  1. What should the allowed syntax be?

     It's tempting to reuse verify_path(), since submodule
     names typically come from in-repo paths. But there are
     two reasons not to:

       a. It's technically more strict than what we need, as
          we really care only about breaking out of the
          $GIT_DIR/modules/ hierarchy.  E.g., having a
          submodule named "foo/.git" isn't actually
          dangerous, and it's possible that somebody has
          manually given such a funny name.

       b. Since we'll eventually use this checking logic in
          fsck to prevent downstream repositories, it should
          be consistent across platforms. Because
          verify_path() relies on is_dir_sep(), it wouldn't
          block "foo\..\bar" on a non-Windows machine.

  2. Where should we enforce it? These days most of the
     .gitmodules reads go through submodule-config.c, so
     I've put it there in the reading step. That should
     cover all of the C code.

     We also construct the name for "git submodule add"
     inside the git-submodule.sh script. This is probably
     not a big deal for security since the name is coming
     from the user anyway, but it would be polite to remind
     them if the name they pick is invalid (and we need to
     expose the name-checker to the shell anyway for our
     test scripts).

     This patch issues a warning when reading .gitmodules
     and just ignores the related config entry completely.
     This will generally end up producing a sensible error,
     as it works the same as a .gitmodules file which is
     missing a submodule entry (so "submodule update" will
     barf, but "git clone --recurse-submodules" will print
     an error but not abort the clone).

     There is one minor oddity, which is that we print the
     warning once per malformed config key (since that's how
     the config subsystem gives us the entries). So in the
     new test, for example, the user would see three
     warnings. That's OK, since the intent is that this case
     should never come up outside of malicious repositories
     (and then it might even benefit the user to see the
     message multiple times).

Credit for finding this vulnerability and the proof of
concept from which the test script was adapted goes to
Etienne Stalmans.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
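As an added example (my code, not git's check_submodule_name()): the name rule from decision (1) above in Python, treating both '/' and '\' as separators on every platform, next to a helper that shows what blindly appending an untrusted name to $GIT_DIR/modules does on a POSIX path. The function names, the sample names and the "/repo/.git" path are assumptions of this example.

```python
import posixpath
import re


def check_submodule_name(name: str) -> bool:
    """Accept a submodule name unless it is empty or has a '..' component.

    Both '/' and '\\' count as separators regardless of platform, so the
    rule gives the same answer in fsck on Linux as it would on Windows.
    "foo/.git" is deliberately allowed: it cannot leave $GIT_DIR/modules/.
    """
    if not name:
        return False
    return all(component != ".." for component in re.split(r"[/\\]", name))


def modules_dir_for(git_dir: str, name: str) -> str:
    """What the pre-fix code effectively did: append the untrusted name."""
    return posixpath.normpath(posixpath.join(git_dir, "modules", name))


def stays_inside(git_dir: str, name: str) -> bool:
    """Does the resulting on-disk repo path stay under $GIT_DIR/modules/?"""
    root = posixpath.join(posixpath.normpath(git_dir), "modules")
    path = modules_dir_for(git_dir, name)
    return path == root or path.startswith(root + "/")


# Constructed sample names, as they might appear in a .gitmodules file.
SAMPLE_NAMES = ["lib/foo", "foo/.git", "../../hooks", "foo\\..\\bar", ""]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), check_submodule_name(n), stays_inside("/repo/.git", n))
```

The backslash case is the one from point (b): a POSIX path check sees no traversal in "foo\..\bar", while the platform-independent name rule still rejects it.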
Junio C Hamano
3013dff866 Prepare for 2.15.2
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-12-06 09:10:35 -08:00
Junio C Hamano
03d4bc1edf Merge branch 'jc/merge-base-fork-point-doc' into maint
Clarify and enhance documentation for "merge-base --fork-point", as
it was clear what it computed but not why/what for.

* jc/merge-base-fork-point-doc:
  merge-base --fork-point doc: clarify the example and failure modes
2017-12-06 09:09:05 -08:00
Junio C Hamano
ce7320901f Merge branch 'tz/redirect-fix' into maint
A few scripts (both in production and tests) incorrectly redirected
their error output.  These have been corrected.

* tz/redirect-fix:
  rebase: fix stderr redirect in apply_autostash()
  t/lib-gpg: fix gpgconf stderr redirect to /dev/null
2017-12-06 09:09:04 -08:00
Junio C Hamano
0cfcb1695f Merge branch 'tz/notes-error-to-stderr' into maint
"git notes" sent its error message to its standard output stream,
which was corrected.

* tz/notes-error-to-stderr:
  notes: send "Automatic notes merge failed" messages to stderr
2017-12-06 09:09:04 -08:00
Junio C Hamano
2ace172f95 Merge branch 'sb/test-cherry-pick-submodule-getting-in-a-way' into maint
The three-way merge performed by "git cherry-pick" was confused
when a new submodule was added in the meantime, which has been
fixed (or "papered over").

* sb/test-cherry-pick-submodule-getting-in-a-way:
  merge-recursive: handle addition of submodule on our side of history
  t/3512: demonstrate unrelated submodule/file conflict as cherry-pick failure
2017-12-06 09:09:03 -08:00
Junio C Hamano
0175b6e2b9 Merge branch 'pw/sequencer-recover-from-unlockable-index' into maint
The sequencer machinery (used by "git cherry-pick A..B", and "git
rebase -i", among other things) would have lost a commit if stopped
due to an unlockable index file, which has been fixed.

* pw/sequencer-recover-from-unlockable-index:
  sequencer: reschedule pick if index can't be locked
2017-12-06 09:09:03 -08:00
Junio C Hamano
43240cb731 Merge branch 'rs/apply-inaccurate-eof-with-incomplete-line' into maint
"git apply --inaccurate-eof" when used with "--ignore-space-change"
triggered an internal sanity check, which has been fixed.

* rs/apply-inaccurate-eof-with-incomplete-line:
  apply: update line lengths for --inaccurate-eof
2017-12-06 09:09:03 -08:00
Junio C Hamano
2db93a80d3 Merge branch 'tz/complete-branch-copy' into maint
Command line completion (in contrib/) has been taught about the
"--copy" option of "git branch".

* tz/complete-branch-copy:
  completion: add '--copy' option to 'git branch'
2017-12-06 09:09:02 -08:00
Junio C Hamano
3cc60ecdda Merge branch 'ew/rebase-mboxrd' into maint
When "git rebase" prepared a mailbox of changes and fed it to "git
am" to replay them, it was confused when a stray "From " happened
to be in the log message of one of the replayed changes.  This has
been corrected.

* ew/rebase-mboxrd:
  rebase: use mboxrd format to avoid split errors
2017-12-06 09:09:01 -08:00
Junio C Hamano
74d6c9de9b Merge branch 'sd/branch-copy' into maint
Code clean-up.

* sd/branch-copy:
  config: avoid "write_in_full(fd, buf, len) != len" pattern
2017-12-06 09:09:01 -08:00
Junio C Hamano
0114a7ad06 Merge branch 'sw/pull-ipv46-passthru' into maint
Contrary to the documentation, "git pull -4/-6 other-args" did not
ask the underlying "git fetch" to go over IPv4/IPv6, which has been
corrected.

* sw/pull-ipv46-passthru:
  pull: pass -4/-6 option to 'git fetch'
2017-12-06 09:09:00 -08:00
Junio C Hamano
3cdea38707 Merge branch 'bc/submitting-patches-in-asciidoc' into maint
The SubmittingPatches document has been converted to produce an
HTML version via AsciiDoc/Asciidoctor.

* bc/submitting-patches-in-asciidoc:
  Documentation: convert SubmittingPatches to AsciiDoc
  Documentation: enable compat-mode for Asciidoctor
2017-12-06 09:08:59 -08:00
Junio C Hamano
02abc6be8e Merge branch 'mh/avoid-rewriting-packed-refs' into maint
Recent update to the refs infrastructure implementation started
rewriting packed-refs file more often than before; this has been
optimized again for most trivial cases.

* mh/avoid-rewriting-packed-refs:
  files-backend: don't rewrite the `packed-refs` file unnecessarily
  t1409: check that `packed-refs` is not rewritten unnecessarily
2017-12-06 09:08:50 -08:00
Junio C Hamano
9b185bef0c Git 2.15.1
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-28 13:39:14 +09:00
Junio C Hamano
b201e96f94 Merge branch 'rs/config-write-section-fix' into maint
There was a recent semantic mismerge in the codepath to write out a
section of a configuration section, which has been corrected.

* rs/config-write-section-fix:
  config: flip return value of write_section()
2017-11-28 13:38:33 +09:00
Junio C Hamano
7bc77766e1 A bit more fixes for 2.15.1
We've been waiting long enough, a few more would not hurt ;-)

Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-27 10:58:31 +09:00
Junio C Hamano
80a0e0fdd6 Merge branch 'ma/reduce-heads-leakfix' into maint
Leak fixes.

* ma/reduce-heads-leakfix:
  reduce_heads: fix memory leaks
  builtin/merge-base: free commit lists
2017-11-27 10:57:02 +09:00
Junio C Hamano
03e8004f06 Merge branch 'ma/bisect-leakfix' into maint
Leak fixes.

* ma/bisect-leakfix:
  bisect: fix memory leak when returning best element
  bisect: fix off-by-one error in `best_bisection_sorted()`
  bisect: fix memory leak in `find_bisection()`
  bisect: change calling-convention of `find_bisection()`
2017-11-27 10:57:02 +09:00
Junio C Hamano
df481b99ef Merge branch 'rs/apply-fuzzy-match-fix' into maint
A fix for an ancient bug in "git apply --ignore-space-change" codepath.

* rs/apply-fuzzy-match-fix:
  apply: avoid out-of-bounds access in fuzzy_matchlines()
2017-11-27 10:57:02 +09:00
Junio C Hamano
b51df7d306 Merge branch 'ad/submitting-patches-title-decoration' into maint
Doc update around use of "format-patch --subject-prefix" etc.

* ad/submitting-patches-title-decoration:
  doc/SubmittingPatches: correct subject guidance
2017-11-27 10:57:01 +09:00
Junio C Hamano
95bf6151dc Merge branch 'rs/imap-send-next-arg-fix' into maint
Error checking in "git imap-send" for empty response has been
improved.

* rs/imap-send-next-arg-fix:
  imap-send: handle missing response codes gracefully
  imap-send: handle NULL return of next_arg()
2017-11-27 10:57:00 +09:00
Todd Zullinger
7d22aec681 RelNotes: minor typo fixes in 2.15.1 draft
Signed-off-by: Todd Zullinger <tmz@pobox.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-26 12:49:23 +09:00
Junio C Hamano
95a731ce92 Almost ready for 2.15.1
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-21 14:07:08 +09:00
Junio C Hamano
1c89be1db2 Merge branch 'rs/sequencer-rewrite-file-cleanup' into maint
Code cleanup.

* rs/sequencer-rewrite-file-cleanup:
  sequencer.c: check return value of close() in rewrite_file()
  sequencer: use O_TRUNC to truncate files
  sequencer: factor out rewrite_file()
2017-11-21 14:05:33 +09:00
Junio C Hamano
01e0c53c73 Merge branch 'cb/t4201-robustify' into maint
A test update.

* cb/t4201-robustify:
  t4201: make use of abbreviation in the test more robust
2017-11-21 14:05:33 +09:00
Junio C Hamano
b2a276830f Merge branch 'tz/fsf-address-update' into maint
Replace the mailing address of FSF with a URL, as FSF prefers.

* tz/fsf-address-update:
  Replace Free Software Foundation address in license notices
  Replace Free Software Foundation address in license notices
2017-11-21 14:05:32 +09:00
Junio C Hamano
8ff22f5a88 Merge branch 'ad/rebase-i-serie-typofix' into maint
Typofix.

* ad/rebase-i-serie-typofix:
  rebase -i: fix comment typo
2017-11-21 14:05:32 +09:00
Junio C Hamano
5a80d1dd9c Merge branch 'jk/info-alternates-fix' into maint
We used to add an empty alternate object database to the system
that does not help anything; it has been corrected.

* jk/info-alternates-fix:
  link_alt_odb_entries: make empty input a noop
2017-11-21 14:05:31 +09:00
Junio C Hamano
8e3e51a3a7 Merge branch 'ab/pcre-v2' into maint
Building with NO_LIBPCRE1_JIT did not disable it, which has been fixed.

* ab/pcre-v2:
  grep: fix NO_LIBPCRE1_JIT to fully disable JIT
2017-11-21 14:05:30 +09:00
Junio C Hamano
b77b96e29b Merge branch 'sr/wrapper-quote-filenames' into maint
Some error messages did not quote filenames shown in them, which have
been fixed.

* sr/wrapper-quote-filenames:
  wrapper.c: consistently quote filenames in error messages
2017-11-21 14:05:29 +09:00
Junio C Hamano
6baa11dc2a Merge branch 'bw/rebase-i-ignored-submodule-fix' into maint
"git rebase -i" recently started misbehaving when a submodule that
is configured with 'submodule.<name>.ignore' is dirty; this has
been corrected.

* bw/rebase-i-ignored-submodule-fix:
  wt-status: actually ignore submodules when requested
2017-11-21 14:05:29 +09:00
Shuyu Wei
ffb4568afe pull: pass -4/-6 option to 'git fetch'
The -4/-6 option should be passed through to 'git fetch' to be
consistent with the man page.

Signed-off-by: Wei Shuyu <wsy@dogben.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-21 09:53:48 +09:00
René Scharfe
782c030ea2 config: flip return value of write_section()
d9bd4cbb9c (config: flip return value of store_write_*()) made
write_section() follow the convention of write(2) to return -1 on error
and the number of written bytes on success.  3b48045c6c (Merge branch
'sd/branch-copy') changed it back to returning 0 on error and 1 on
success, but left its callers still checking for negative values.

Let write_section() follow the convention of write(2) again to meet the
expectations of its callers.

Reported-by: Jeff King <peff@peff.net>
Signed-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-18 20:38:40 +09:00
Eric Wong
ae3b2b04bb rebase: use mboxrd format to avoid split errors
The mboxrd format allows the use of embedded "From " lines in
commit messages without being misinterpreted by mailsplit.

Reported-by: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Eric Wong <e@80x24.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-18 12:30:16 +09:00
René Scharfe
4855de1233 apply: update line lengths for --inaccurate-eof
Some diff implementations don't report missing newlines at the end of
files.  Applying such a patch can cause a newline character to be
added inadvertently.  The option --inaccurate-eof of git apply can be
used to remove trailing newlines if needed.

apply_one_fragment() cuts it off from the buffers for preimage and
postimage.  Before it does, it builds an array with the lengths of each
line for both.  Make sure to update the length of the last line in
these line info structures as well to keep them consistent with their
respective buffer.

Without this fix the added test fails; git apply dies and reports:

   fatal: BUG: caller miscounted postlen: asked 1, orig = 1, used = 2

That sanity check is only called if whitespace changes are ignored.

Reported-by: Mahmoud Al-Qudsi <mqudsi@neosmart.net>
Signed-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-17 10:42:08 +09:00
Todd Zullinger
41ca0f773e completion: add '--copy' option to 'git branch'
In 52d59cc645 (branch: add a --copy (-c) option to go with --move (-m),
2017-06-18), `git branch` learned a `--copy` option.  Include it when
providing command completions.

Signed-off-by: Todd Zullinger <tmz@pobox.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-17 10:32:19 +09:00
Phillip Wood
bd58886775 sequencer: reschedule pick if index can't be locked
If the index cannot be locked in do_recursive_merge(), issue an
error message and go on to the error recovery codepath, instead of
dying.  When the commit cannot be picked, it needs to be rescheduled
when performing an interactive rebase, but just dying there won't
allow that to happen, and when the user runs 'git rebase --continue'
rather than 'git rebase --abort', the commit gets silently dropped.

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
2017-11-16 14:19:12 +09:00
Phillip Wood
c5e3bc6ec4 config: avoid "write_in_full(fd, buf, len) != len" pattern
As explained in commit 06f46f237 (avoid "write_in_full(fd, buf, len)
!= len" pattern, 2017-09-13) the return value of write_in_full() is
either -1 or the requested number of bytes. As such comparing the
return value to an unsigned value such as strbuf.len will fail to
catch errors. Change the code to use the preferred '< 0' check.

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-16 10:36:16 +09:00
Elijah Newren
c641ca6707 merge-recursive: handle addition of submodule on our side of history
The code for a newly added path assumed that the path was a normal file,
and thus checked for there being a directory still being in the way of
the file.  Note that since unpack_trees() does path-in-the-way checks
already, the only way for there to be a directory in the way at this
point in the code, is if there is some kind of D/F conflict in the merge.

For a submodule addition on HEAD's side of history, the submodule would
have already been present.  This means that we do expect there to be a
directory present but should not consider it to be "in the way"; instead,
it's the expected submodule.  So, when there's a submodule addition from
HEAD's side, don't bother checking the working copy for a directory in
the way.

Signed-off-by: Elijah Newren <newren@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-15 12:42:34 +09:00
Junio C Hamano
5a1f5c3060 Start preparation for 2.15.1
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-15 12:05:22 +09:00