git-commit-vandalism/builtin
Johannes Schindelin 0060fd1511 clone --recurse-submodules: prevent name squatting on Windows
In addition to preventing `.git` from being tracked by Git, on Windows
we also have to prevent `git~1` from being tracked, as the default NTFS
short name (also known as the "8.3 filename") for the file name `.git`
is `git~1`, otherwise it would be possible for malicious repositories to
write directly into the `.git/` directory, e.g. a `post-checkout` hook
that would then be executed _during_ a recursive clone.

When we implemented appropriate protections in 2b4c6efc82 (read-cache:
optionally disallow NTFS .git variants, 2014-12-16), we had analyzed
carefully that the `.git` directory or file would be guaranteed to be
the first directory entry to be written. Otherwise it would be possible
e.g. for a file named `..git` to be assigned the short name `git~1` and
subsequently, the short name generated for `.git` would be `git~2`. Or
`git~3`. Or even `~9999999` (for a detailed explanation of the lengths
we have to go to protect `.gitmodules`, see the commit message of
e7cb0b4455 (is_ntfs_dotgit: match other .git files, 2018-05-11)).

However, by exploiting two issues (that will be addressed in a related
patch series close by), it is currently possible to clone a submodule
into a non-empty directory:

- On Windows, file names cannot end in a space or a period (for
  historical reasons: the period separating the base name from the file
  extension was not actually written to disk, and the base name/file
  extension was space-padded to the full 8/3 characters, respectively).
  Helpfully, when creating a directory under the name, say, `sub.`, that
  trailing period is trimmed automatically and the actual name on disk
  is `sub`.

  This means that while Git thinks that the submodule names `sub` and
  `sub.` are different, they both access `.git/modules/sub/`.

- While the backslash character is a valid file name character on Linux,
  it is not so on Windows. As Git tries to be cross-platform, it
  therefore allows backslash characters in the file names stored in tree
  objects.

  Which means that it is totally possible that a submodule `c` sits next
  to a file `c\..git`, and on Windows, during recursive clone a file
  called `..git` will be written into `c/`, of course _before_ the
  submodule is cloned.

Note that the actual exploit is not quite as simple as having a
submodule `c` next to a file `c\..git`, as we have to make sure that the
directory `.git/modules/b` already exists when the submodule is checked
out, otherwise a different code path is taken in `module_clone()` that
does _not_ allow a non-empty submodule directory to exist already.

Even if we will address both issues nearby (the next commit will
disallow backslash characters in tree entries' file names on Windows,
and another patch will disallow creating directories/files with trailing
spaces or periods), it is a wise idea to defend in depth against this
sort of attack vector: when submodules are cloned recursively, we now
_require_ the directory to be empty, addressing CVE-2019-1349.

Note: the code path we patch is shared with the code path of `git
submodule update --init`, which must not expect, in general, that the
directory is empty. Hence we have to introduce the new option
`--force-init` and hand it all the way down from `git submodule` to the
actual `git submodule--helper` process that performs the initial clone.

Reported-by: Nicolas Joly <Nicolas.Joly@microsoft.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-12-04 13:20:05 +01:00
..
add.c Merge branch 'rj/add-chmod-error-message' into maint 2017-09-10 17:03:00 +09:00
am.c Merge branch 'pw/am-signoff' into maint 2017-09-10 17:02:51 +09:00
annotate.c
apply.c Convert read_mmblob to take struct object_id. 2016-09-07 12:59:42 -07:00
archive.c archive: read local configuration 2016-11-22 13:55:20 -08:00
bisect--helper.c
blame.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
branch.c Merge branch 'jk/ref-filter-colors-fix' into maint 2017-10-18 14:20:43 +09:00
bundle.c bundle: use prefix_filename with bundle path 2017-03-21 11:18:41 -07:00
cat-file.c Merge branch 'jk/diff-blob' into maint 2017-10-18 14:19:01 +09:00
check-attr.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
check-ignore.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
check-mailmap.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
check-ref-format.c
checkout-index.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
checkout.c Merge branch 'ls/filter-process-delayed' into jt/subprocess-handshake 2017-07-26 12:56:19 -07:00
clean.c Revert "color: check color.ui in git_default_config()" 2017-10-17 15:09:52 +09:00
clone.c clone --recurse-submodules: prevent name squatting on Windows 2019-12-04 13:20:05 +01:00
column.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
commit-tree.c commit-tree: do not complete line in -F input 2017-09-10 16:29:53 +09:00
commit.c Merge branch 'ks/commit-abort-on-empty-message-fix' into maint 2017-08-23 14:33:44 -07:00
config.c Merge branch 'ab/free-and-null' 2017-06-24 14:28:41 -07:00
count-objects.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
credential.c credential: handle invalid arguments earlier 2017-05-30 14:45:03 +09:00
describe.c Merge branch 'jk/describe-omit-some-refs' into maint 2017-10-18 14:19:01 +09:00
diff-files.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
diff-index.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
diff-tree.c Merge branch 'jc/diff-tree-stale-comment' into maint 2017-06-24 15:29:31 -07:00
diff.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
difftool.c hashmap.h: compare function has access to a data field 2017-06-30 12:49:28 -07:00
fast-export.c Merge branch 'jt/fast-export-copy-modify-fix' into maint 2017-10-23 14:14:51 +09:00
fetch-pack.c Rename sha1_array to oid_array 2017-03-31 08:33:56 -07:00
fetch.c Merge branch 'sb/pull-rebase-submodule' 2017-07-13 16:14:54 -07:00
fmt-merge-msg.c Merge branch 'dc/fmt-merge-msg-microcleanup' into maint 2017-08-23 14:33:52 -07:00
for-each-ref.c provide --color option for all ref-filter users 2017-10-04 11:35:29 +09:00
fsck.c Merge branch 'rs/fsck-obj-leakfix' into maint 2017-09-10 17:02:53 +09:00
gc.c Merge branch 'aw/gc-lockfile-fscanf-fix' into maint 2017-10-18 14:18:59 +09:00
get-tar-commit-id.c get-tar-commit-id: check write_in_full() return against 0 2017-09-14 15:16:21 +09:00
grep.c Revert "color: check color.ui in git_default_config()" 2017-10-17 15:09:52 +09:00
hash-object.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
help.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
index-pack.c Merge branch 'jt/unify-object-info' 2017-07-05 13:32:57 -07:00
init-db.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
interpret-trailers.c Merge branch 'jk/parseopt-string-list' into jk/string-list-static-init 2016-06-13 10:37:48 -07:00
log.c Merge branch 'jk/reflog-walk' into maint 2017-08-23 14:33:44 -07:00
ls-files.c ls-files: don't try to prune an empty index 2017-07-17 14:55:21 -07:00
ls-remote.c wildmatch: remove unused wildopts parameter 2017-06-23 18:27:07 -07:00
ls-tree.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
mailinfo.c prefix_filename: return newly allocated string 2017-03-21 11:18:41 -07:00
mailsplit.c mailinfo & mailsplit: check for EOF while parsing 2017-05-08 12:18:19 +09:00
merge-base.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
merge-file.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
merge-index.c Convert GIT_SHA1_HEXSZ used for allocation to GIT_MAX_HEXSZ 2017-03-26 22:08:21 -07:00
merge-ours.c
merge-recursive.c i18n: merge-recursive: mark verbose message for translation 2016-09-15 13:17:32 -07:00
merge-tree.c Convert lookup_blob to struct object_id 2017-05-08 15:12:57 +09:00
merge.c Merge branch 'rs/merge-microcleanup' into maint 2017-09-10 17:03:02 +09:00
mktag.c
mktree.c mktree: plug memory leaks reported by Coverity 2017-05-08 12:18:19 +09:00
mv.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
name-rev.c Merge branch 'mg/timestamp-t-fix' into maint 2017-10-18 14:19:09 +09:00
notes.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
pack-objects.c Merge branch 'rj/no-sign-compare' into maint 2017-10-23 14:20:18 +09:00
pack-redundant.c pack-redundant: plug memory leak 2017-05-08 12:18:19 +09:00
pack-refs.c refs: delete pack_refs() in favor of refs_pack_refs() 2017-04-14 03:53:25 -07:00
patch-id.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
prune-packed.c sha1_file: guard against invalid loose subdirectory numbers 2017-06-24 11:09:52 -07:00
prune.c Merge branch 'rs/sha1-name-readdir-optim' 2017-07-05 13:32:56 -07:00
pull.c Merge branch 'sb/pull-rebase-submodule' 2017-07-13 16:14:54 -07:00
push.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
read-tree.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
rebase--helper.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
receive-pack.c avoid "write_in_full(fd, buf, len) != len" pattern 2017-09-14 15:17:59 +09:00
reflog.c Merge branch 'ab/wildmatch' 2017-07-10 13:42:51 -07:00
remote-ext.c remote-{ext,fd}: print usage message on invalid arguments 2017-05-30 14:45:04 +09:00
remote-fd.c remote-{ext,fd}: print usage message on invalid arguments 2017-05-30 14:45:04 +09:00
remote.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
repack.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
replace.c Merge branch 'ab/wildmatch' 2017-07-10 13:42:51 -07:00
rerere.c avoid "write_in_full(fd, buf, len) != len" pattern 2017-09-14 15:17:59 +09:00
reset.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
rev-list.c Merge branch 'jk/rev-list-empty-input' into maint 2017-09-10 17:02:48 +09:00
rev-parse.c Merge branch 'mh/packed-ref-store-prep' into maint 2017-10-18 14:18:58 +09:00
revert.c cherry-pick/revert: reject --rerere-autoupdate when continuing 2017-08-02 15:16:09 -07:00
rm.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
send-pack.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
shortlog.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
show-branch.c Revert "color: check color.ui in git_default_config()" 2017-10-17 15:09:52 +09:00
show-ref.c show-ref: remove a stale comment 2017-01-23 18:51:56 -08:00
stripspace.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
submodule--helper.c clone --recurse-submodules: prevent name squatting on Windows 2019-12-04 13:20:05 +01:00
symbolic-ref.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
tag.c tag: respect color.ui config 2017-10-17 15:10:13 +09:00
unpack-file.c avoid "write_in_full(fd, buf, len) != len" pattern 2017-09-14 15:17:59 +09:00
unpack-objects.c Merge branch 'ab/free-and-null' 2017-06-24 14:28:41 -07:00
update-index.c Sync with Git 2.13.7 2018-05-22 14:10:49 +09:00
update-ref.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
update-server-info.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
upload-archive.c upload-archive: handle "-h" option early 2017-05-30 14:45:04 +09:00
var.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
verify-commit.c Merge branch 'bw/config-h' 2017-06-24 14:28:41 -07:00
verify-pack.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00
verify-tag.c ref-filter: abstract ref format into its own struct 2017-07-13 12:42:50 -07:00
worktree.c Merge branch 'ab/free-and-null' 2017-06-24 14:28:41 -07:00
write-tree.c config: don't include config.h by default 2017-06-15 12:56:22 -07:00