git-commit-vandalism/builtin
Johannes Schindelin a8dee3ca61 Disallow dubiously-nested submodule git directories
Currently it is technically possible to let a submodule's git
directory point right into the git dir of a sibling submodule.

Example: the git directories of two submodules with the names `hippo`
and `hippo/hooks` would be `.git/modules/hippo/` and
`.git/modules/hippo/hooks/`, respectively, but the latter is already
intended to house the former's hooks.

In most cases, this is just confusing, but there is also a (quite
contrived) attack vector where Git can be fooled into mistaking remote
content for file contents it wrote itself during a recursive clone.

Let's plug this bug.

To do so, we introduce the new function `validate_submodule_git_dir()`
which simply verifies that no git dir exists for any leading directories
of the submodule name (if there are any).

Note: this patch specifically continues to allow sibling modules names
of the form `core/lib`, `core/doc`, etc, as long as `core` is not a
submodule name.

This fixes CVE-2019-1387.

Reported-by: Nicolas Joly <Nicolas.Joly@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-12-05 15:36:51 +01:00
..
add.c Merge branch 'rj/add-chmod-error-message' into maint 2017-09-10 17:03:00 +09:00
am.c Merge branch 'pw/am-signoff' into maint 2017-09-10 17:02:51 +09:00
annotate.c
apply.c Convert read_mmblob to take struct object_id. 2016-09-07 12:59:42 -07:00
archive.c archive: read local configuration 2016-11-22 13:55:20 -08:00
bisect--helper.c
blame.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
branch.c Merge branch 'jk/ref-filter-colors-fix' into maint 2017-10-18 14:20:43 +09:00
bundle.c bundle: use prefix_filename with bundle path 2017-03-21 11:18:41 -07:00
cat-file.c Merge branch 'jk/diff-blob' into maint 2017-10-18 14:19:01 +09:00
check-attr.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
check-ignore.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
check-mailmap.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
check-ref-format.c use xmallocz to avoid size arithmetic 2016-02-22 14:51:09 -08:00
checkout-index.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
checkout.c Merge branch 'ls/filter-process-delayed' into jt/subprocess-handshake 2017-07-26 12:56:19 -07:00
clean.c Revert "color: check color.ui in git_default_config()" 2017-10-17 15:09:52 +09:00
clone.c clone --recurse-submodules: prevent name squatting on Windows 2019-12-04 13:20:05 +01:00
column.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
commit-tree.c commit-tree: do not complete line in -F input 2017-09-10 16:29:53 +09:00
commit.c Merge branch 'ks/commit-abort-on-empty-message-fix' into maint 2017-08-23 14:33:44 -07:00
config.c Merge branch 'ab/free-and-null' 2017-06-24 14:28:41 -07:00
count-objects.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
credential.c credential: handle invalid arguments earlier 2017-05-30 14:45:03 +09:00
describe.c Merge branch 'jk/describe-omit-some-refs' into maint 2017-10-18 14:19:01 +09:00
diff-files.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
diff-index.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
diff-tree.c Merge branch 'jc/diff-tree-stale-comment' into maint 2017-06-24 15:29:31 -07:00
diff.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
difftool.c hashmap.h: compare function has access to a data field 2017-06-30 12:49:28 -07:00
fast-export.c Merge branch 'jt/fast-export-copy-modify-fix' into maint 2017-10-23 14:14:51 +09:00
fetch-pack.c Rename sha1_array to oid_array 2017-03-31 08:33:56 -07:00
fetch.c Merge branch 'sb/pull-rebase-submodule' 2017-07-13 16:14:54 -07:00
fmt-merge-msg.c Merge branch 'dc/fmt-merge-msg-microcleanup' into maint 2017-08-23 14:33:52 -07:00
for-each-ref.c provide --color option for all ref-filter users 2017-10-04 11:35:29 +09:00
fsck.c Merge branch 'rs/fsck-obj-leakfix' into maint 2017-09-10 17:02:53 +09:00
gc.c Merge branch 'aw/gc-lockfile-fscanf-fix' into maint 2017-10-18 14:18:59 +09:00
get-tar-commit-id.c get-tar-commit-id: check write_in_full() return against 0 2017-09-14 15:16:21 +09:00
grep.c Revert "color: check color.ui in git_default_config()" 2017-10-17 15:09:52 +09:00
hash-object.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
help.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
index-pack.c Merge branch 'jt/unify-object-info' 2017-07-05 13:32:57 -07:00
init-db.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
interpret-trailers.c Merge branch 'jk/parseopt-string-list' into jk/string-list-static-init 2016-06-13 10:37:48 -07:00
log.c Merge branch 'jk/reflog-walk' into maint 2017-08-23 14:33:44 -07:00
ls-files.c ls-files: don't try to prune an empty index 2017-07-17 14:55:21 -07:00
ls-remote.c wildmatch: remove unused wildopts parameter 2017-06-23 18:27:07 -07:00
ls-tree.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
mailinfo.c prefix_filename: return newly allocated string 2017-03-21 11:18:41 -07:00
mailsplit.c mailinfo & mailsplit: check for EOF while parsing 2017-05-08 12:18:19 +09:00
merge-base.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
merge-file.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
merge-index.c Convert GIT_SHA1_HEXSZ used for allocation to GIT_MAX_HEXSZ 2017-03-26 22:08:21 -07:00
merge-ours.c
merge-recursive.c i18n: merge-recursive: mark verbose message for translation 2016-09-15 13:17:32 -07:00
merge-tree.c Convert lookup_blob to struct object_id 2017-05-08 15:12:57 +09:00
merge.c Merge branch 'rs/merge-microcleanup' into maint 2017-09-10 17:03:02 +09:00
mktag.c usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
mktree.c mktree: plug memory leaks reported by Coverity 2017-05-08 12:18:19 +09:00
mv.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
name-rev.c Merge branch 'mg/timestamp-t-fix' into maint 2017-10-18 14:19:09 +09:00
notes.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
pack-objects.c Merge branch 'rj/no-sign-compare' into maint 2017-10-23 14:20:18 +09:00
pack-redundant.c pack-redundant: plug memory leak 2017-05-08 12:18:19 +09:00
pack-refs.c refs: delete pack_refs() in favor of refs_pack_refs() 2017-04-14 03:53:25 -07:00
patch-id.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
prune-packed.c sha1_file: guard against invalid loose subdirectory numbers 2017-06-24 11:09:52 -07:00
prune.c Merge branch 'rs/sha1-name-readdir-optim' 2017-07-05 13:32:56 -07:00
pull.c Merge branch 'sb/pull-rebase-submodule' 2017-07-13 16:14:54 -07:00
push.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
read-tree.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
rebase--helper.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
receive-pack.c avoid "write_in_full(fd, buf, len) != len" pattern 2017-09-14 15:17:59 +09:00
reflog.c Merge branch 'ab/wildmatch' 2017-07-10 13:42:51 -07:00
remote-ext.c remote-{ext,fd}: print usage message on invalid arguments 2017-05-30 14:45:04 +09:00
remote-fd.c remote-{ext,fd}: print usage message on invalid arguments 2017-05-30 14:45:04 +09:00
remote.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
repack.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
replace.c Merge branch 'ab/wildmatch' 2017-07-10 13:42:51 -07:00
rerere.c avoid "write_in_full(fd, buf, len) != len" pattern 2017-09-14 15:17:59 +09:00
reset.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
rev-list.c Merge branch 'jk/rev-list-empty-input' into maint 2017-09-10 17:02:48 +09:00
rev-parse.c Merge branch 'mh/packed-ref-store-prep' into maint 2017-10-18 14:18:58 +09:00
revert.c cherry-pick/revert: reject --rerere-autoupdate when continuing 2017-08-02 15:16:09 -07:00
rm.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
send-pack.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
shortlog.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
show-branch.c Revert "color: check color.ui in git_default_config()" 2017-10-17 15:09:52 +09:00
show-ref.c show-ref: remove a stale comment 2017-01-23 18:51:56 -08:00
stripspace.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
submodule--helper.c Disallow dubiously-nested submodule git directories 2019-12-05 15:36:51 +01:00
symbolic-ref.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
tag.c tag: respect color.ui config 2017-10-17 15:10:13 +09:00
unpack-file.c avoid "write_in_full(fd, buf, len) != len" pattern 2017-09-14 15:17:59 +09:00
unpack-objects.c Merge branch 'ab/free-and-null' 2017-06-24 14:28:41 -07:00
update-index.c Sync with Git 2.13.7 2018-05-22 14:10:49 +09:00
update-ref.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
update-server-info.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
upload-archive.c upload-archive: handle "-h" option early 2017-05-30 14:45:04 +09:00
var.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
verify-commit.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
verify-pack.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
verify-tag.c ref-filter: abstract ref format into its own struct 2017-07-13 12:42:50 -07:00
worktree.c Merge branch 'ab/free-and-null' 2017-06-24 14:28:41 -07:00
write-tree.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00