Commit graph

41866 commits

Author SHA1 Message Date
Junio C Hamano
5e0649dc65 Git 2.7.6
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-30 14:45:13 -07:00
Junio C Hamano
a4f234bf9b Merge branch 'jk/ssh-funny-url' into maint-2.7 2017-07-28 16:11:54 -07:00
Jeff King
aeeb2d4968 connect: reject paths that look like command line options
If we get a repo path like "-repo.git", we may try to invoke
"git-upload-pack -repo.git". This is going to fail, since
upload-pack will interpret it as a set of bogus options. But
let's reject this before we even run the sub-program, since
we would not want to allow any mischief with repo names that
actually are real command-line options.

You can still ask for such a path via git-daemon, but there's no
security problem there, because git-daemon enters the repo itself
and then passes "."  on the command line.

Signed-off-by: Jeff King <peff@peff.net>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28 15:54:55 -07:00
Jeff King
3be4cf09cd connect: reject dashed arguments for proxy commands
If you have a GIT_PROXY_COMMAND configured, we will run it
with the host/port on the command-line. If a URL contains a
mischievous host like "--foo", we don't know how the proxy
command may handle it. It's likely to break, but it may also
do something dangerous and unwanted (technically it could
even do something useful, but that seems unlikely).

We should err on the side of caution and reject this before
we even run the command.

The hostname check matches the one we do in a similar
circumstance for ssh. The port check is not present for ssh,
but there it's not necessary because the syntax is "-p
<port>", and there's no ambiguity on the parsing side.

It's not clear whether you can actually get a negative port
to the proxy here or not. Doing:

  git fetch git://remote:-1234/repo.git

keeps the "-1234" as part of the hostname, with the default
port of 9418. But it's a good idea to keep this check close
to the point of running the command to make it clear that
there's no way to circumvent it (and at worst it serves as a
belt-and-suspenders check).

Signed-off-by: Jeff King <peff@peff.net>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28 15:52:18 -07:00
Jeff King
2491f77b90 connect: factor out "looks like command line option" check
We reject hostnames that start with a dash because they may
be confused for command-line options. Let's factor out that
notion into a helper function, as we'll use it in more
places. And while it's simple now, it's not clear if some
systems might need more complex logic to handle all cases.

Signed-off-by: Jeff King <peff@peff.net>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28 15:51:56 -07:00
Jeff King
2d90add5ad t5813: add test for hostname starting with dash
Per the explanation in the previous patch, this should be
(and is) rejected.

Signed-off-by: Jeff King <peff@peff.net>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28 15:51:29 -07:00
Junio C Hamano
820d7650cc connect: reject ssh hostname that begins with a dash
When commands like "git fetch" talk with ssh://$rest_of_URL/, the
code splits $rest_of_URL into components like host, port, etc., and
then spawns the underlying "ssh" program by formulating argv[] array
that has:

 - the path to ssh command taken from GIT_SSH_COMMAND, etc.

 - dashed options like '-batch' (for Tortoise), '-p <port>' as
   needed.

 - ssh_host, which is supposed to be the hostname parsed out of
   $rest_of_URL.

 - then the command to be run on the other side, e.g. git
   upload-pack.

If the ssh_host ends up getting '-<anything>', the argv[] that is
used to spawn the command becomes something like:

    { "ssh", "-p", "22", "-<anything>", "command", "to", "run", NULL }

which obviously is bogus, but depending on the actual value of
"<anything>", will make "ssh" parse and use it as an option.

Prevent this by forbidding ssh_host that begins with a "-".

Noticed-by: Joern Schneeweisz of Recurity Labs
Reported-by: Brian at GitLab
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Reviewed-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-28 15:51:14 -07:00
Junio C Hamano
c8dd1e3bb1 Git 2.7.5
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05 13:03:40 +09:00
Junio C Hamano
dc58c8554a Merge branch 'maint-2.6' into maint-2.7 2017-05-05 12:59:16 +09:00
Junio C Hamano
70fcaef90b Git 2.6.7
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05 12:56:19 +09:00
Junio C Hamano
ab37a18b60 Merge branch 'maint-2.5' into maint-2.6 2017-05-05 12:52:26 +09:00
Junio C Hamano
ac33201285 Git 2.5.6
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05 12:50:38 +09:00
Junio C Hamano
531788af95 Merge branch 'maint-2.4' into maint-2.5 2017-05-05 12:46:53 +09:00
Junio C Hamano
4000b40209 Git 2.4.12
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05 12:43:16 +09:00
Junio C Hamano
5a4ffdf587 Merge branch 'jk/shell-no-repository-that-begins-with-dash' into maint-2.4
* jk/shell-no-repository-that-begins-with-dash:
  shell: disallow repo names beginning with dash
2017-05-05 12:17:55 +09:00
Jeff King
3ec804490a shell: disallow repo names beginning with dash
When a remote server uses git-shell, the client side will
connect to it like:

  ssh server "git-upload-pack 'foo.git'"

and we literally exec ("git-upload-pack", "foo.git"). In
early versions of upload-pack and receive-pack, we took a
repository argument and nothing else. But over time they
learned to accept dashed options. If the user passes a
repository name that starts with a dash, the results are
confusing at best (we complain of a bogus option instead of
a non-existent repository) and malicious at worst (the user
can start an interactive pager via "--help").

We could pass "--" to the sub-process to make sure the
user's argument is interpreted as a branch name. I.e.:

  git-upload-pack -- -foo.git

But adding "--" automatically would make us inconsistent
with a normal shell (i.e., when git-shell is not in use),
where "-foo.git" would still be an error. For that case, the
client would have to specify the "--", but they can't do so
reliably, as existing versions of git-shell do not allow
more than a single argument.

The simplest thing is to simply disallow "-" at the start of
the repo name argument. This hasn't worked either with or
without git-shell since version 1.0.0, and nobody has
complained.

Note that this patch just applies to do_generic_cmd(), which
runs upload-pack, receive-pack, and upload-archive. There
are two other types of commands that git-shell runs:

  - do_cvs_cmd(), but this already restricts the argument to
    be the literal string "server"

  - admin-provided commands in the git-shell-commands
    directory. We'll pass along arbitrary arguments there,
    so these commands could have similar problems. But these
    commands might actually understand dashed arguments, so
    we cannot just block them here. It's up to the writer of
    the commands to make sure they are safe. With great
    power comes great responsibility.

Reported-by: Timo Schmid <tschmid@ernw.de>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-05-05 12:07:27 +09:00
Junio C Hamano
50b4a7807f Merge branch 'jk/war-on-sprintf' into maint-2.7
* jk/war-on-sprintf:
  archive-tar: convert snprintf to xsnprintf
2016-05-26 10:45:37 -07:00
Jeff King
9e6c1e91a3 archive-tar: convert snprintf to xsnprintf
Commit f2f0267 (archive-tar: use xsnprintf for trivial
formatting, 2015-09-24) converted cases of "sprintf" to
"xsnprintf", but accidentally left one as just "snprintf".
This meant that we could silently truncate the resulting
buffer instead of flagging an error.

In practice, this is impossible to achieve, as we are
formatting a ustar checksum, which can be at most 7
characters. But the point of xsnprintf is to document and
check for "should be impossible" conditions; this site was
just accidentally mis-converted during f2f0267.

Noticed-by: Paul Green <Paul.Green@stratus.com>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-05-26 10:44:26 -07:00
Junio C Hamano
a0feb1b187 Merge branch 'mm/doc-hooks-linkgit-fix' into maint
* mm/doc-hooks-linkgit-fix:
  Documentation: fix broken linkgit to git-config
2016-03-21 13:32:18 -07:00
Matthieu Moy
ad52148a7d Documentation: fix broken linkgit to git-config
Signed-off-by: Matthieu Moy <Matthieu.Moy@imag.fr>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-03-21 13:31:57 -07:00
Junio C Hamano
2ab5c88642 Merge branch 'es/st-add4-gcc-4.2-workaround' into maint
* es/st-add4-gcc-4.2-workaround:
  git-compat-util: st_add4: work around gcc 4.2.x compiler crash
2016-03-21 09:19:27 -07:00
Eric Sunshine
d616fbf256 git-compat-util: st_add4: work around gcc 4.2.x compiler crash
Although changes by 5b442c4 (tree-diff: catch integer overflow in
combine_diff_path allocation, 2016-02-19) are perfectly valid, they
unfortunately trigger an internal compiler error in gcc 4.2.x:

    combine-diff.c: In function 'diff_tree_combined':
    combine-diff.c:1391: internal compiler error: Segmentation fault: 11

Experimentation reveals that changing st_add4()'s argument evaluation
order is sufficient to sidestep this problem.

Although st_add3() does not trigger the compiler bug, for style
consistency, change its argument evaluation order to match.

Signed-off-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-03-21 09:18:07 -07:00
Junio C Hamano
937978e0f3 Git 2.7.4
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-03-17 11:32:13 -07:00
Junio C Hamano
8e9cc5f3e2 Sync with Git 2.6.6
* maint-2.6:
  Git 2.6.6
  Git 2.5.5
  Git 2.4.11
2016-03-17 11:28:52 -07:00
Junio C Hamano
e46579643d Git 2.6.6
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-03-17 11:26:41 -07:00
Junio C Hamano
ce4d4e763c Merge branch 'maint-2.5' into maint-2.6
* maint-2.5:
  Git 2.5.5
  Git 2.4.11
  list-objects: pass full pathname to callbacks
  list-objects: drop name_path entirely
  list-objects: convert name_path to a strbuf
  show_object_with_name: simplify by using path_name()
  http-push: stop using name_path
  tree-diff: catch integer overflow in combine_diff_path allocation
  add helpers for detecting size_t overflow
2016-03-17 11:26:18 -07:00
Junio C Hamano
e568e563ad Git 2.5.5
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-03-17 11:24:59 -07:00
Junio C Hamano
c638f3e4d5 Merge branch 'maint-2.4' into maint-2.5
* maint-2.4:
  Git 2.4.11
  list-objects: pass full pathname to callbacks
  list-objects: drop name_path entirely
  list-objects: convert name_path to a strbuf
  show_object_with_name: simplify by using path_name()
  http-push: stop using name_path
  tree-diff: catch integer overflow in combine_diff_path allocation
  add helpers for detecting size_t overflow
2016-03-17 11:24:14 -07:00
Junio C Hamano
765428699a Git 2.4.11
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-03-17 11:23:05 -07:00
Junio C Hamano
32c6dca8c4 Merge branch 'jk/path-name-safety-2.4' into maint-2.4
Bugfix patches were backported from the 'master' front to plug heap
corruption holes, to catch integer overflow in the computation of
pathname lengths, and to get rid of the name_path API.  Both of
these would have resulted in writing over an under-allocated buffer
when formulating pathnames while tree traversal.

* jk/path-name-safety-2.4:
  list-objects: pass full pathname to callbacks
  list-objects: drop name_path entirely
  list-objects: convert name_path to a strbuf
  show_object_with_name: simplify by using path_name()
  http-push: stop using name_path
  tree-diff: catch integer overflow in combine_diff_path allocation
  add helpers for detecting size_t overflow
2016-03-17 11:22:24 -07:00
Junio C Hamano
d79db92483 Merge branch 'jk/path-name-safety-2.7' into maint
* jk/path-name-safety-2.7:
  list-objects: pass full pathname to callbacks
  list-objects: drop name_path entirely
  list-objects: convert name_path to a strbuf
  show_object_with_name: simplify by using path_name()
  http-push: stop using name_path
  tree-diff: catch integer overflow in combine_diff_path allocation
  add helpers for detecting size_t overflow
2016-03-16 13:15:04 -07:00
Junio C Hamano
55c45a7325 Merge branch 'jk/path-name-safety-2.6' into jk/path-name-safety-2.7
* jk/path-name-safety-2.6:
  list-objects: pass full pathname to callbacks
  list-objects: drop name_path entirely
  list-objects: convert name_path to a strbuf
  show_object_with_name: simplify by using path_name()
  http-push: stop using name_path
  tree-diff: catch integer overflow in combine_diff_path allocation
  add helpers for detecting size_t overflow
2016-03-16 10:42:32 -07:00
Junio C Hamano
717e3551b9 Merge branch 'jk/path-name-safety-2.5' into jk/path-name-safety-2.6
* jk/path-name-safety-2.5:
  list-objects: pass full pathname to callbacks
  list-objects: drop name_path entirely
  list-objects: convert name_path to a strbuf
  show_object_with_name: simplify by using path_name()
  http-push: stop using name_path
  tree-diff: catch integer overflow in combine_diff_path allocation
  add helpers for detecting size_t overflow
2016-03-16 10:42:02 -07:00
Junio C Hamano
253ce7a15c Merge branch 'jk/path-name-safety-2.4' into jk/path-name-safety-2.5
* jk/path-name-safety-2.4:
  list-objects: pass full pathname to callbacks
  list-objects: drop name_path entirely
  list-objects: convert name_path to a strbuf
  show_object_with_name: simplify by using path_name()
  http-push: stop using name_path
  tree-diff: catch integer overflow in combine_diff_path allocation
  add helpers for detecting size_t overflow
2016-03-16 10:41:43 -07:00
Jeff King
2824e1841b list-objects: pass full pathname to callbacks
When we find a blob at "a/b/c", we currently pass this to
our show_object_fn callbacks as two components: "a/b/" and
"c". Callbacks which want the full value then call
path_name(), which concatenates the two. But this is an
inefficient interface; the path is a strbuf, and we could
simply append "c" to it temporarily, then roll back the
length, without creating a new copy.

So we could improve this by teaching the callsites of
path_name() this trick (and there are only 3). But we can
also notice that no callback actually cares about the
broken-down representation, and simply pass each callback
the full path "a/b/c" as a string. The callback code becomes
even simpler, then, as we do not have to worry about freeing
an allocated buffer, nor rolling back our modification to
the strbuf.

This is theoretically less efficient, as some callbacks
would not bother to format the final path component. But in
practice this is not measurable. Since we use the same
strbuf over and over, our work to grow it is amortized, and
we really only pay to memcpy a few bytes.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-03-16 10:41:04 -07:00
Jeff King
dc06dc8800 list-objects: drop name_path entirely
In the previous commit, we left name_path as a thin wrapper
around a strbuf. This patch drops it entirely. As a result,
every show_object_fn callback needs to be adjusted. However,
none of their code needs to be changed at all, because the
only use was to pass it to path_name(), which now handles
the bare strbuf.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-03-16 10:41:03 -07:00
Jeff King
f3badaed51 list-objects: convert name_path to a strbuf
The "struct name_path" data is examined in only two places:
we generate it in process_tree(), and we convert it to a
single string in path_name(). Everyone else just passes it
through to those functions.

We can further note that process_tree() already keeps a
single strbuf with the leading tree path, for use with
tree_entry_interesting().

Instead of building a separate name_path linked list, let's
just use the one we already build in "base". This reduces
the amount of code (especially tricky code in path_name()
which did not check for integer overflows caused by deep
or large pathnames).

It is also more efficient in some instances.  Any time we
were using tree_entry_interesting, we were building up the
strbuf anyway, so this is an immediate and obvious win
there. In cases where we were not, we trade off storing
"pathname/" in a strbuf on the heap for each level of the
path, instead of two pointers and an int on the stack (with
one pointer into the tree object). On a 64-bit system, the
latter is 20 bytes; so if path components are less than that
on average, this has lower peak memory usage.  In practice
it probably doesn't matter either way; we are already
holding in memory all of the tree objects leading up to each
pathname, and for normal-depth pathnames, we are only
talking about hundreds of bytes.

This patch leaves "struct name_path" as a thin wrapper
around the strbuf, to avoid disrupting callbacks. We should
fix them, but leaving it out makes this diff easier to view.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-03-16 10:41:03 -07:00
Jeff King
8eee9f9277 show_object_with_name: simplify by using path_name()
When "git rev-list" shows an object with its associated path
name, it does so by walking the name_path linked list and
printing each component (stopping at any embedded NULs or
newlines).

We'd like to eventually get rid of name_path entirely in
favor of a single buffer, and dropping this custom printing
code is part of that. As a first step, let's use path_name()
to format the list into a single buffer, and print that.
This is strictly less efficient than the original, but it's
a temporary step in the refactoring; our end game will be to
get the fully formatted name in the first place.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-03-16 10:41:03 -07:00
Jeff King
935de81289 add helpers for detecting size_t overflow
Performing computations on size_t variables that we feed to
xmalloc and friends can be dangerous, as an integer overflow
can cause us to allocate a much smaller chunk than we
realized.

We already have unsigned_add_overflows(), but let's add
unsigned_mult_overflows() to that. Furthermore, rather than
have each site manually check and die on overflow, we can
provide some helpers that will:

  - promote the arguments to size_t, so that we know we are
    doing our computation in the same size of integer that
    will ultimately be fed to xmalloc

  - check and die on overflow

  - return the result so that computations can be done in
    the parameter list of xmalloc.

These functions are a lot uglier to use than normal
arithmetic operators (you have to do "st_add(foo, bar)"
instead of "foo + bar"). To at least limit the damage, we
also provide multi-valued versions. So rather than:

  st_add(st_add(a, b), st_add(c, d));

you can write:

  st_add4(a, b, c, d);

This isn't nearly as elegant as a varargs function, but it's
a lot harder to get it wrong. You don't have to remember to
add a sentinel value at the end, and the compiler will
complain if you get the number of arguments wrong. This
patch adds only the numbered variants required to convert
the current code base; we can easily add more later if
needed.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-03-16 10:41:02 -07:00
Jeff King
c6bd2a1dec http-push: stop using name_path
The graph traversal code here passes along a name_path to
build up the pathname at which we find each blob. But we
never actually do anything with the resulting names, making
it a waste of code and memory.

This usage came in aa1dbc9 (Update http-push functionality,
2006-03-07), and originally the result was passed to
"add_object" (which stored it, but didn't really use it,
either). But we stopped using that function in 1f1e895 (Add
"named object array" concept, 2006-06-19) in favor of
storing just the objects themselves.

Moreover, the generation of the name in process_tree() is
buggy. It sticks "name" onto the end of the name_path linked
list, and then passes it down again as it recurses (instead
of "entry.path"). So it's a good thing this was unused, as
the resulting path for "a/b/c/d" would end up as "a/a/a/a".

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-03-16 10:41:02 -07:00
Jeff King
d770187872 tree-diff: catch integer overflow in combine_diff_path allocation
A combine_diff_path struct has two "flex" members allocated
alongside the struct: a string to hold the pathname, and an
array of parent pointers. We use an "int" to compute this,
meaning we may easily overflow it if the pathname is
extremely long.

We can fix this by using size_t, and checking for overflow
with the st_add helper.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-03-16 10:41:02 -07:00
Junio C Hamano
594730e980 Git 2.7.3
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-03-10 11:14:08 -08:00
Junio C Hamano
2e1e569d0e Merge branch 'ma/update-hooks-sample-typofix' into maint
* ma/update-hooks-sample-typofix:
  templates/hooks: fix minor typo in the sample update-hook
2016-03-10 11:13:50 -08:00
Junio C Hamano
3e6e43e130 Merge branch 'dt/initial-ref-xn-commit-doc' into maint
* dt/initial-ref-xn-commit-doc:
  refs: document transaction semantics
2016-03-10 11:13:49 -08:00
Junio C Hamano
4da402695d Merge branch 'ps/plug-xdl-merge-leak' into maint
* ps/plug-xdl-merge-leak:
  xdiff/xmerge: fix memory leak in xdl_merge
2016-03-10 11:13:49 -08:00
Junio C Hamano
08e21c9b5f Merge branch 'ak/git-strip-extension-from-dashed-command' into maint
Code simplification.

* ak/git-strip-extension-from-dashed-command:
  git.c: simplify stripping extension of a file in handle_builtin()
2016-03-10 11:13:48 -08:00
Junio C Hamano
c6f399c96f Merge branch 'ak/extract-argv0-last-dir-sep' into maint
Code simplification.

* ak/extract-argv0-last-dir-sep:
  exec_cmd.c: use find_last_dir_sep() for code simplification
2016-03-10 11:13:47 -08:00
Junio C Hamano
80047fa084 Merge branch 'jk/pack-idx-corruption-safety' into maint
The code to read the pack data using the offsets stored in the pack
idx file has been made more carefully check the validity of the
data in the idx.

* jk/pack-idx-corruption-safety:
  sha1_file.c: mark strings for translation
  use_pack: handle signed off_t overflow
  nth_packed_object_offset: bounds-check extended offset
  t5313: test bounds-checks of corrupted/malicious pack/idx files
2016-03-10 11:13:46 -08:00
Junio C Hamano
0e58b47d15 Merge branch 'js/config-set-in-non-repository' into maint
"git config section.var value" to set a value in per-repository
configuration file failed when it was run outside any repository,
but didn't say the reason correctly.

* js/config-set-in-non-repository:
  git config: report when trying to modify a non-existing repo config
2016-03-10 11:13:45 -08:00
Junio C Hamano
1191d606bb Merge branch 'sb/submodule-module-list-fix' into maint
A helper function "git submodule" uses since v2.7.0 to list the
modules that match the pathspec argument given to its subcommands
(e.g. "submodule add <repo> <path>") has been fixed.

* sb/submodule-module-list-fix:
  submodule helper list: respect correct path prefix
2016-03-10 11:13:45 -08:00