mirror of
https://github.com/git/git
synced 2024-11-05 18:59:29 +00:00
7c3745fc61
Probably inspired by HFS' resource streams, NTFS supports "Alternate Data Streams": by appending `:<stream-name>` to the file name, information in addition to the file contents can be written and read, information that is copied together with the file (unless copied to a non-NTFS location). These Alternate Data Streams are typically used for things like marking an executable as having just been downloaded from the internet (and hence not necessarily being trustworthy). In addition to a stream name, a stream type can be appended, like so: `:<stream-name>:<stream-type>`. Unless specified, the default stream type is `$DATA` for files and `$INDEX_ALLOCATION` for directories. In other words, `.git::$INDEX_ALLOCATION` is a valid way to reference the `.git` directory! In our work in Git v2.2.1 to protect Git on NTFS drives under `core.protectNTFS`, we focused exclusively on NTFS short names, unaware of the fact that NTFS Alternate Data Streams offer a similar attack vector. Let's fix this. Seeing as it is better to be safe than sorry, we simply disallow paths referring to *any* NTFS Alternate Data Stream of `.git`, not just `::$INDEX_ALLOCATION`. This also simplifies the implementation. This closes CVE-2019-1352. Further reading about NTFS Alternate Data Streams: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3 Reported-by: Nicolas Joly <Nicolas.Joly@microsoft.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
63 lines
1.4 KiB
Bash
Executable file
63 lines
1.4 KiB
Bash
Executable file
#!/bin/sh
|
|
|
|
test_description='check that read-tree rejects confusing paths'
|
|
. ./test-lib.sh
|
|
|
|
test_expect_success 'create base tree' '
|
|
echo content >file &&
|
|
git add file &&
|
|
git commit -m base &&
|
|
blob=$(git rev-parse HEAD:file) &&
|
|
tree=$(git rev-parse HEAD^{tree})
|
|
'
|
|
|
|
test_expect_success 'enable core.protectHFS for rejection tests' '
|
|
git config core.protectHFS true
|
|
'
|
|
|
|
test_expect_success 'enable core.protectNTFS for rejection tests' '
|
|
git config core.protectNTFS true
|
|
'
|
|
|
|
while read path pretty; do
|
|
: ${pretty:=$path}
|
|
case "$path" in
|
|
*SPACE)
|
|
path="${path%SPACE} "
|
|
;;
|
|
esac
|
|
test_expect_success "reject $pretty at end of path" '
|
|
printf "100644 blob %s\t%s" "$blob" "$path" >tree &&
|
|
bogus=$(git mktree <tree) &&
|
|
test_must_fail git read-tree $bogus
|
|
'
|
|
|
|
test_expect_success "reject $pretty as subtree" '
|
|
printf "040000 tree %s\t%s" "$tree" "$path" >tree &&
|
|
bogus=$(git mktree <tree) &&
|
|
test_must_fail git read-tree $bogus
|
|
'
|
|
done <<-EOF
|
|
.
|
|
..
|
|
.git
|
|
.GIT
|
|
${u200c}.Git {u200c}.Git
|
|
.gI${u200c}T .gI{u200c}T
|
|
.GiT${u200c} .GiT{u200c}
|
|
git~1
|
|
.git.SPACE .git.{space}
|
|
.\\\\.GIT\\\\foobar backslashes
|
|
.git\\\\foobar backslashes2
|
|
.git...:alternate-stream
|
|
EOF
|
|
|
|
test_expect_success 'utf-8 paths allowed with core.protectHFS off' '
|
|
test_when_finished "git read-tree HEAD" &&
|
|
test_config core.protectHFS false &&
|
|
printf "100644 blob %s\t%s" "$blob" ".gi${u200c}t" >tree &&
|
|
ok=$(git mktree <tree) &&
|
|
git read-tree $ok
|
|
'
|
|
|
|
test_done
|