<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git, branch v2.20.2</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.20.2</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.20.2'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2019-12-06T15:30:51Z</updated>
<entry>
<title>Git 2.20.2</title>
<updated>2019-12-06T15:30:51Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2019-12-04T21:33:15Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=4cd1cf31efed9b16db5035c377bfa222f5272458'/>
<id>urn:sha1:4cd1cf31efed9b16db5035c377bfa222f5272458</id>
<content type='text'>
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>submodule: defend against submodule.update = !command in .gitmodules</title>
<updated>2019-12-06T15:30:50Z</updated>
<author>
<name>Jonathan Nieder</name>
<email>jrnieder@gmail.com</email>
</author>
<published>2019-12-05T09:28:28Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=c1547450748fcbac21675f2681506d2d80351a19'/>
<id>urn:sha1:c1547450748fcbac21675f2681506d2d80351a19</id>
<content type='text'>
In v2.15.4, we started to reject `submodule.update` settings in
`.gitmodules`. Let's raise a BUG if it somehow still made it through
from anywhere but the Git config.

Signed-off-by: Jonathan Nieder &lt;jrnieder@gmail.com&gt;
Signed-off-by: Johannes Schindelin &lt;Johannes.Schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>t7415: adjust test for dubiously-nested submodule gitdirs for v2.20.x</title>
<updated>2019-12-06T15:30:50Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2019-12-04T09:06:08Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=4cfc47de25be7be1cddb47dcfddab3f1f80e5c41'/>
<id>urn:sha1:4cfc47de25be7be1cddb47dcfddab3f1f80e5c41</id>
<content type='text'>
In v2.20.x, Git clones submodules recursively by first creating the
submodules' gitdirs and _then_ "updating" the submodules. This can lead
to the situation where the clone path is taken because the directory
(while it exists already) is not a git directory, but then the clone
fails because that gitdir is unexpectedly already a directory.

This _also_ works around the vulnerability that was fixed in "Disallow
dubiously-nested submodule git directories", but it produces a different
error message than the one expected by the test case, therefore we
adjust the test case accordingly.

Note: as the two submodules "race each other", there are actually two
possible error messages, therefore we have to teach the test case to
expect _two_ possible (and good) outcomes in addition to the one it
expected before.

Note: this workaround is only necessary for the v2.20.x release train;
The behavior changed again in v2.21.x so that the original test case's
expectations are met again.

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>Sync with 2.19.3</title>
<updated>2019-12-06T15:30:49Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2019-12-04T21:31:10Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=d851d94151734db8234b0a3dba7783bce36dd00b'/>
<id>urn:sha1:d851d94151734db8234b0a3dba7783bce36dd00b</id>
<content type='text'>
* maint-2.19: (34 commits)
  Git 2.19.3
  Git 2.18.2
  Git 2.17.3
  Git 2.16.6
  test-drop-caches: use `has_dos_drive_prefix()`
  Git 2.15.4
  Git 2.14.6
  mingw: handle `subst`-ed "DOS drives"
  mingw: refuse to access paths with trailing spaces or periods
  mingw: refuse to access paths with illegal characters
  unpack-trees: let merged_entry() pass through do_add_entry()'s errors
  quote-stress-test: offer to test quoting arguments for MSYS2 sh
  t6130/t9350: prepare for stringent Win32 path validation
  quote-stress-test: allow skipping some trials
  quote-stress-test: accept arguments to test via the command-line
  tests: add a helper to stress test argument quoting
  mingw: fix quoting of arguments
  Disallow dubiously-nested submodule git directories
  protect_ntfs: turn on NTFS protection by default
  path: also guard `.gitmodules` against NTFS Alternate Data Streams
  ...
</content>
</entry>
<entry>
<title>Git 2.19.3</title>
<updated>2019-12-06T15:30:40Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2019-12-04T21:29:33Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=caccc527ca7f4b3e6f4bb6775cbff94b27741482'/>
<id>urn:sha1:caccc527ca7f4b3e6f4bb6775cbff94b27741482</id>
<content type='text'>
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>Sync with 2.18.2</title>
<updated>2019-12-06T15:30:38Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2019-12-04T21:27:04Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=7c9fbda6e2e0ac4a491863253aeedeafb3cb9dab'/>
<id>urn:sha1:7c9fbda6e2e0ac4a491863253aeedeafb3cb9dab</id>
<content type='text'>
* maint-2.18: (33 commits)
  Git 2.18.2
  Git 2.17.3
  Git 2.16.6
  test-drop-caches: use `has_dos_drive_prefix()`
  Git 2.15.4
  Git 2.14.6
  mingw: handle `subst`-ed "DOS drives"
  mingw: refuse to access paths with trailing spaces or periods
  mingw: refuse to access paths with illegal characters
  unpack-trees: let merged_entry() pass through do_add_entry()'s errors
  quote-stress-test: offer to test quoting arguments for MSYS2 sh
  t6130/t9350: prepare for stringent Win32 path validation
  quote-stress-test: allow skipping some trials
  quote-stress-test: accept arguments to test via the command-line
  tests: add a helper to stress test argument quoting
  mingw: fix quoting of arguments
  Disallow dubiously-nested submodule git directories
  protect_ntfs: turn on NTFS protection by default
  path: also guard `.gitmodules` against NTFS Alternate Data Streams
  is_ntfs_dotgit(): speed it up
  ...
</content>
</entry>
<entry>
<title>Git 2.18.2</title>
<updated>2019-12-06T15:29:17Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2019-12-04T21:22:52Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=9877106b01cbd346b862cc8cd2c52e496dd40ed5'/>
<id>urn:sha1:9877106b01cbd346b862cc8cd2c52e496dd40ed5</id>
<content type='text'>
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>Sync with 2.17.3</title>
<updated>2019-12-06T15:29:15Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2019-12-04T21:21:20Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=14af7ed5a9c9c0ff2ea347bf54ed2af4b0e10cc2'/>
<id>urn:sha1:14af7ed5a9c9c0ff2ea347bf54ed2af4b0e10cc2</id>
<content type='text'>
* maint-2.17: (32 commits)
  Git 2.17.3
  Git 2.16.6
  test-drop-caches: use `has_dos_drive_prefix()`
  Git 2.15.4
  Git 2.14.6
  mingw: handle `subst`-ed "DOS drives"
  mingw: refuse to access paths with trailing spaces or periods
  mingw: refuse to access paths with illegal characters
  unpack-trees: let merged_entry() pass through do_add_entry()'s errors
  quote-stress-test: offer to test quoting arguments for MSYS2 sh
  t6130/t9350: prepare for stringent Win32 path validation
  quote-stress-test: allow skipping some trials
  quote-stress-test: accept arguments to test via the command-line
  tests: add a helper to stress test argument quoting
  mingw: fix quoting of arguments
  Disallow dubiously-nested submodule git directories
  protect_ntfs: turn on NTFS protection by default
  path: also guard `.gitmodules` against NTFS Alternate Data Streams
  is_ntfs_dotgit(): speed it up
  mingw: disallow backslash characters in tree objects' file names
  ...
</content>
</entry>
<entry>
<title>Git 2.17.3</title>
<updated>2019-12-06T15:27:38Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2019-12-04T21:13:04Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=a5ab8d03173458b76b8452efd90a7173f490c132'/>
<id>urn:sha1:a5ab8d03173458b76b8452efd90a7173f490c132</id>
<content type='text'>
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>fsck: reject submodule.update = !command in .gitmodules</title>
<updated>2019-12-06T15:27:38Z</updated>
<author>
<name>Jonathan Nieder</name>
<email>jrnieder@gmail.com</email>
</author>
<published>2019-12-05T09:30:43Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=bb92255ebe6bccd76227e023d6d0bc997e318ad0'/>
<id>urn:sha1:bb92255ebe6bccd76227e023d6d0bc997e318ad0</id>
<content type='text'>
This allows hosting providers to detect whether they are being used
to attack users using malicious 'update = !command' settings in
.gitmodules.

Since ac1fbbda2013 (submodule: do not copy unknown update mode from
.gitmodules, 2013-12-02), in normal cases such settings have been
treated as 'update = none', so forbidding them should not produce any
collateral damage to legitimate uses.  A quick search does not reveal
any repositories making use of this construct, either.

Reported-by: Joern Schneeweisz &lt;jschneeweisz@gitlab.com&gt;
Signed-off-by: Jonathan Nieder &lt;jrnieder@gmail.com&gt;
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
</feed>
