git-commit-vandalism/compat
Johannes Schindelin 817ddd64c2 mingw: refuse to access paths with illegal characters
Certain characters are not admissible in file names on Windows, even if
Cygwin/MSYS2 (and therefore, Git for Windows' Bash) pretend that they
are, e.g. `:`, `<`, `>`, etc

Let's disallow those characters explicitly in Windows builds of Git.

Note: just like trailing spaces or periods, it _is_ possible on Windows
to create commits adding files with such illegal characters, as long as
the operation leaves the worktree untouched. To allow for that, we
continue to guard `is_valid_win32_path()` behind the config setting
`core.protectNTFS`, so that users _can_ continue to do that, as long as
they turn the protections off via that config setting.

Among other problems, this prevents Git from trying to write to an "NTFS
Alternate Data Stream" (which refers to metadata stored alongside a
file, under a special name: "<filename>:<stream-name>"). This fix
therefore also prevents an attack vector that was exploited in
demonstrations of a number of recently-fixed security bugs.

Further reading on illegal characters in Win32 filenames:
https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-12-05 15:37:06 +01:00
..
nedmalloc compat: move strdup(3) replacement to its own file 2016-09-07 10:41:45 -07:00
poll poll.c: always set revents, even if to zero 2017-09-29 18:33:22 +09:00
regex Spelling fixes 2017-06-27 10:35:49 -07:00
vcbuild MSVC: use shipped headers instead of fallback definitions 2016-03-30 11:16:20 -07:00
win32 win32: plug memory leak on realloc() failure in syslog() 2017-08-10 13:57:52 -07:00
apple-common-crypto.h imap-send: use HMAC() function provided by OpenSSL 2016-04-08 11:45:47 -07:00
basename.c compat/basename.c: provide a dirname() compatibility function 2016-01-12 10:40:54 -08:00
bswap.h bswap: convert get_be16, get_be32 and put_be32 to inline functions 2017-07-17 14:54:15 -07:00
cygwin.c cygwin: allow pushing to UNC paths 2017-07-05 14:01:03 -07:00
cygwin.h cygwin: allow pushing to UNC paths 2017-07-05 14:01:03 -07:00
fopen.c git_fopen: fix a sparse 'not declared' warning 2017-05-26 12:33:55 +09:00
gmtime.c
hstrerror.c compat/hstrerror: convert sprintf to snprintf 2015-09-25 10:18:18 -07:00
inet_ntop.c compat/inet_ntop: fix off-by-one in inet_ntop4 2015-09-25 10:18:18 -07:00
inet_pton.c
memmem.c
mingw.c mingw: refuse to access paths with illegal characters 2019-12-05 15:37:06 +01:00
mingw.h mingw: refuse to access paths with illegal characters 2019-12-05 15:37:06 +01:00
mkdir.c
mkdtemp.c
mmap.c
msvc.c
msvc.h
obstack.c
obstack.h
pread.c
precompose_utf8.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
precompose_utf8.h probe_utf8_pathname_composition: use internal strbuf 2015-10-05 11:06:49 -07:00
qsort_s.c compat: add qsort_s() 2017-01-23 11:02:34 -08:00
qsort.c use st_add and st_mult for allocation size computation 2016-02-22 14:51:09 -08:00
setenv.c use st_add and st_mult for allocation size computation 2016-02-22 14:51:09 -08:00
sha1-chunked.c sha1: allow limiting the size of the data passed to SHA1_Update() 2015-11-05 10:35:11 -08:00
sha1-chunked.h sha1: allow limiting the size of the data passed to SHA1_Update() 2015-11-05 10:35:11 -08:00
snprintf.c MSVC: vsnprintf in Visual Studio 2015 doesn't need SNPRINTF_SIZE_CORR any more 2016-03-30 11:13:01 -07:00
stat.c compat: convert modes to use portable file type values 2014-12-04 11:58:36 -08:00
strcasestr.c
strdup.c compat: move strdup(3) replacement to its own file 2016-09-07 10:41:45 -07:00
strlcpy.c
strtoimax.c
strtoumax.c
terminal.c strbuf: introduce strbuf_getline_{lf,nul}() 2016-01-15 10:12:51 -08:00
terminal.h
unsetenv.c
win32.h
win32mmap.c mmap(win32): avoid expensive fstat() call 2016-04-22 15:01:16 -07:00
winansi.c winansi: avoid buffer overrun 2017-05-08 12:18:19 +09:00