<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git, branch v2.3.10</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.3.10</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.3.10'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2015-09-28T22:26:52Z</updated>
<entry>
<title>Git 2.3.10</title>
<updated>2015-09-28T22:26:52Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2015-09-28T22:00:37Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=18b58f707fdb3ad7d3d4931bd40693834c9ec8a0'/>
<id>urn:sha1:18b58f707fdb3ad7d3d4931bd40693834c9ec8a0</id>
<content type='text'>
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'jk/xdiff-memory-limits' into maint-2.3</title>
<updated>2015-09-28T21:59:28Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2015-09-28T21:59:28Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=92cdfd21313c5bf5657d4ac2d3e6ae7af7e9ce94'/>
<id>urn:sha1:92cdfd21313c5bf5657d4ac2d3e6ae7af7e9ce94</id>
<content type='text'>
</content>
</entry>
<entry>
<title>merge-file: enforce MAX_XDIFF_SIZE on incoming files</title>
<updated>2015-09-28T21:58:13Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2015-09-25T21:58:09Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=83c4d380171a2ecd24dd2e04072692ec54a7aaa5'/>
<id>urn:sha1:83c4d380171a2ecd24dd2e04072692ec54a7aaa5</id>
<content type='text'>
The previous commit enforces MAX_XDIFF_SIZE at the
interfaces to xdiff: xdi_diff (which calls xdl_diff) and
ll_xdl_merge (which calls xdl_merge).

But we have another direct call to xdl_merge in
merge-file.c. If it were written today, this probably would
just use the ll_merge machinery. But it predates that code,
and uses slightly different options to xdl_merge (e.g.,
ZEALOUS_ALNUM).

We could try to abstract out an xdi_merge to match the
existing xdi_diff, but even that is difficult. Rather than
simply report error, we try to treat large files as binary,
and that distinction would happen outside of xdi_merge.

The simplest fix is to just replicate the MAX_XDIFF_SIZE
check in merge-file.c.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>xdiff: reject files larger than ~1GB</title>
<updated>2015-09-28T21:57:23Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2015-09-24T23:12:45Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=dcd1742e56ebb944c4ff62346da4548e1e3be675'/>
<id>urn:sha1:dcd1742e56ebb944c4ff62346da4548e1e3be675</id>
<content type='text'>
The xdiff code is not prepared to handle extremely large
files. It uses "int" in many places, which can overflow if
we have a very large number of lines or even bytes in our
input files. This can cause us to produce incorrect diffs,
with no indication that the output is wrong. Or worse, we
may even underallocate a buffer whose size is the result of
an overflowing addition.

We're much better off to tell the user that we cannot diff
or merge such a large file. This patch covers both cases,
but in slightly different ways:

  1. For merging, we notice the large file and cleanly fall
     back to a binary merge (which is effectively "we cannot
     merge this").

  2. For diffing, we make the binary/text distinction much
     earlier, and in many different places. For this case,
     we'll use the xdi_diff as our choke point, and reject
     any diff there before it hits the xdiff code.

     This means in most cases we'll die() immediately after.
     That's not ideal, but in practice we shouldn't
     generally hit this code path unless the user is trying
     to do something tricky. We already consider files
     larger than core.bigfilethreshold to be binary, so this
     code would only kick in when that is circumvented
     (either by bumping that value, or by using a
     .gitattribute to mark a file as diffable).

     In other words, we can avoid being "nice" here, because
     there is already nice code that tries to do the right
     thing. We are adding the suspenders to the nice code's
     belt, so notice when it has been worked around (both to
     protect the user from malicious inputs, and because it
     is better to die() than generate bogus output).

The maximum size was chosen after experimenting with feeding
large files to the xdiff code. It's just under a gigabyte,
which leaves room for two obvious cases:

  - a diff3 merge conflict result on files of maximum size X
    could be 3*X plus the size of the markers, which would
    still be only about 3G, which fits in a 32-bit int.

  - some of the diff code allocates arrays of one int per
    record. Even if each file consists only of blank lines,
    then a file smaller than 1G will have fewer than 1G
    records, and therefore the int array will fit in 4G.

Since the limit is arbitrary anyway, I chose to go under a
gigabyte, to leave a safety margin (e.g., we would not want
to overflow by allocating "(records + 1) * sizeof(int)" or
similar.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>react to errors in xdi_diff</title>
<updated>2015-09-28T21:57:10Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2015-09-24T23:12:23Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=3efb988098858bf6b974b1e673a190f9d2965d1d'/>
<id>urn:sha1:3efb988098858bf6b974b1e673a190f9d2965d1d</id>
<content type='text'>
When we call into xdiff to perform a diff, we generally lose
the return code completely. Typically by ignoring the return
of our xdi_diff wrapper, but sometimes we even propagate
that return value up and then ignore it later.  This can
lead to us silently producing incorrect diffs (e.g., "git
log" might produce no output at all, not even a diff header,
for a content-level diff).

In practice this does not happen very often, because the
typical reason for xdiff to report failure is that it
malloc() failed (it uses straight malloc, and not our
xmalloc wrapper).  But it could also happen when xdiff
triggers one our callbacks, which returns an error (e.g.,
outf() in builtin/rerere.c tries to report a write failure
in this way). And the next patch also plans to add more
failure modes.

Let's notice an error return from xdiff and react
appropriately. In most of the diff.c code, we can simply
die(), which matches the surrounding code (e.g., that is
what we do if we fail to load a file for diffing in the
first place). This is not that elegant, but we are probably
better off dying to let the user know there was a problem,
rather than simply generating bogus output.

We could also just die() directly in xdi_diff, but the
callers typically have a bit more context, and can provide a
better message (and if we do later decide to pass errors up,
we're one step closer to doing so).

There is one interesting case, which is in diff_grep(). Here
if we cannot generate the diff, there is nothing to match,
and we silently return "no hits". This is actually what the
existing code does already, but we make it a little more
explicit.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'jk/transfer-limit-redirection' into maint-2.3</title>
<updated>2015-09-28T21:46:05Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2015-09-28T21:46:05Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=f2df3104ce45bc1ee6d7c16f3a02f1d157c65e07'/>
<id>urn:sha1:f2df3104ce45bc1ee6d7c16f3a02f1d157c65e07</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Merge branch 'jk/transfer-limit-protocol' into maint-2.3</title>
<updated>2015-09-28T21:33:27Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2015-09-28T21:33:27Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=df37727a65c87cf9bba35befca1255031649553f'/>
<id>urn:sha1:df37727a65c87cf9bba35befca1255031649553f</id>
<content type='text'>
</content>
</entry>
<entry>
<title>http: limit redirection depth</title>
<updated>2015-09-25T22:32:28Z</updated>
<author>
<name>Blake Burkhart</name>
<email>bburky@bburky.com</email>
</author>
<published>2015-09-22T22:06:20Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=b258116462399b318c86165c61a5c7123043cfd4'/>
<id>urn:sha1:b258116462399b318c86165c61a5c7123043cfd4</id>
<content type='text'>
By default, libcurl will follow circular http redirects
forever. Let's put a cap on this so that somebody who can
trigger an automated fetch of an arbitrary repository (e.g.,
for CI) cannot convince git to loop infinitely.

The value chosen is 20, which is the same default that
Firefox uses.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>http: limit redirection to protocol-whitelist</title>
<updated>2015-09-25T22:30:39Z</updated>
<author>
<name>Blake Burkhart</name>
<email>bburky@bburky.com</email>
</author>
<published>2015-09-22T22:06:04Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=f4113cac0c88b4f36ee6f3abf3218034440a68e3'/>
<id>urn:sha1:f4113cac0c88b4f36ee6f3abf3218034440a68e3</id>
<content type='text'>
Previously, libcurl would follow redirection to any protocol
it was compiled for support with. This is desirable to allow
redirection from HTTP to HTTPS. However, it would even
successfully allow redirection from HTTP to SFTP, a protocol
that git does not otherwise support at all. Furthermore
git's new protocol-whitelisting could be bypassed by
following a redirect within the remote helper, as it was
only enforced at transport selection time.

This patch limits redirects within libcurl to HTTP, HTTPS,
FTP and FTPS. If there is a protocol-whitelist present, this
list is limited to those also allowed by the whitelist. As
redirection happens from within libcurl, it is impossible
for an HTTP redirect to a protocol implemented within
another remote helper.

When the curl version git was compiled with is too old to
support restrictions on protocol redirection, we warn the
user if GIT_ALLOW_PROTOCOL restrictions were requested. This
is a little inaccurate, as even without that variable in the
environment, we would still restrict SFTP, etc, and we do
not warn in that case. But anything else means we would
literally warn every time git accesses an http remote.

This commit includes a test, but it is not as robust as we
would hope. It redirects an http request to ftp, and checks
that curl complained about the protocol, which means that we
are relying on curl's specific error message to know what
happened. Ideally we would redirect to a working ftp server
and confirm that we can clone without protocol restrictions,
and not with them. But we do not have a portable way of
providing an ftp server, nor any other protocol that curl
supports (https is the closest, but we would have to deal
with certificates).

[jk: added test and version warning]

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>transport: refactor protocol whitelist code</title>
<updated>2015-09-25T22:28:36Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2015-09-22T22:03:49Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=5088d3b38775f8ac12d7f77636775b16059b67ef'/>
<id>urn:sha1:5088d3b38775f8ac12d7f77636775b16059b67ef</id>
<content type='text'>
The current callers only want to die when their transport is
prohibited. But future callers want to query the mechanism
without dying.

Let's break out a few query functions, and also save the
results in a static list so we don't have to re-parse for
each query.

Based-on-a-patch-by: Blake Burkhart &lt;bburky@bburky.com&gt;
Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
