<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/apply.c, branch v2.32.7</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.32.7</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.32.7'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2023-04-17T19:15:49Z</updated>
<entry>
<title>Sync with 2.31.8</title>
<updated>2023-04-17T19:15:49Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2023-03-11T18:24:34Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=31f7fe5e34612b4b8af3918d0b0cf2ea2545c2c4'/>
<id>urn:sha1:31f7fe5e34612b4b8af3918d0b0cf2ea2545c2c4</id>
<content type='text'>
* maint-2.31: (25 commits)
  Git 2.31.8
  tests: avoid using `test_i18ncmp`
  Git 2.30.9
  gettext: avoid using gettext if the locale dir is not present
  apply --reject: overwrite existing `.rej` symlink if it exists
  http.c: clear the 'finished' member once we are done with it
  clone.c: avoid "exceeds maximum object size" error with GCC v12.x
  range-diff: use ssize_t for parsed "len" in read_patches()
  range-diff: handle unterminated lines in read_patches()
  range-diff: drop useless "offset" variable from read_patches()
  t5604: GETTEXT_POISON fix, conclusion
  t5604: GETTEXT_POISON fix, part 1
  t5619: GETTEXT_POISON fix
  t0003: GETTEXT_POISON fix, conclusion
  t0003: GETTEXT_POISON fix, part 1
  t0033: GETTEXT_POISON fix
  http: support CURLOPT_PROTOCOLS_STR
  http: prefer CURLOPT_SEEKFUNCTION to CURLOPT_IOCTLFUNCTION
  http-push: prefer CURLOPT_UPLOAD to CURLOPT_PUT
  ci: install python on ubuntu
  ci: use the same version of p4 on both Linux and macOS
  ...
</content>
</entry>
<entry>
<title>Sync with 2.30.9</title>
<updated>2023-04-17T19:15:44Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2023-03-11T16:54:13Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=b524e896b64f90086d913eebccaff3cd76f96dee'/>
<id>urn:sha1:b524e896b64f90086d913eebccaff3cd76f96dee</id>
<content type='text'>
* maint-2.30: (23 commits)
  Git 2.30.9
  gettext: avoid using gettext if the locale dir is not present
  apply --reject: overwrite existing `.rej` symlink if it exists
  http.c: clear the 'finished' member once we are done with it
  clone.c: avoid "exceeds maximum object size" error with GCC v12.x
  range-diff: use ssize_t for parsed "len" in read_patches()
  range-diff: handle unterminated lines in read_patches()
  range-diff: drop useless "offset" variable from read_patches()
  t5604: GETTEXT_POISON fix, conclusion
  t5604: GETTEXT_POISON fix, part 1
  t5619: GETTEXT_POISON fix
  t0003: GETTEXT_POISON fix, conclusion
  t0003: GETTEXT_POISON fix, part 1
  t0033: GETTEXT_POISON fix
  http: support CURLOPT_PROTOCOLS_STR
  http: prefer CURLOPT_SEEKFUNCTION to CURLOPT_IOCTLFUNCTION
  http-push: prefer CURLOPT_UPLOAD to CURLOPT_PUT
  ci: install python on ubuntu
  ci: use the same version of p4 on both Linux and macOS
  ci: remove the pipe after "p4 -V" to catch errors
  github-actions: run gcc-8 on ubuntu-20.04 image
  ...
</content>
</entry>
<entry>
<title>apply --reject: overwrite existing `.rej` symlink if it exists</title>
<updated>2023-04-17T19:15:38Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2023-03-09T15:02:54Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=9db05711c98efc14f414d4c87135a34c13586e0b'/>
<id>urn:sha1:9db05711c98efc14f414d4c87135a34c13586e0b</id>
<content type='text'>
The `git apply --reject` is expected to write out `.rej` files in case
one or more hunks fail to apply cleanly. Historically, the command
overwrites any existing `.rej` files. The idea being that
apply/reject/edit cycles are relatively common, and the generated `.rej`
files are not considered precious.

But the command does not overwrite existing `.rej` symbolic links, and
instead follows them. This is unsafe because the same patch could
potentially create such a symbolic link and point at arbitrary paths
outside the current worktree, and `git apply` would write the contents
of the `.rej` file into that location.

Therefore, let's make sure that any existing `.rej` file or symbolic
link is removed before writing it.

Reported-by: RyotaK &lt;ryotak.mail@gmail.com&gt;
Helped-by: Taylor Blau &lt;me@ttaylorr.com&gt;
Helped-by: Junio C Hamano &lt;gitster@pobox.com&gt;
Helped-by: Linus Torvalds &lt;torvalds@linuxfoundation.org&gt;
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>Sync with 2.31.7</title>
<updated>2023-02-06T08:25:08Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2023-02-06T08:25:08Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=aeb93d7da2bee3fac5e858b8eb89fa480d8b692e'/>
<id>urn:sha1:aeb93d7da2bee3fac5e858b8eb89fa480d8b692e</id>
<content type='text'>
* maint-2.31:
  Git 2.31.7
  Git 2.30.8
  apply: fix writing behind newly created symbolic links
  dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS
  clone: delay picking a transport until after get_repo_path()
  t5619: demonstrate clone_local() with ambiguous transport
</content>
</entry>
<entry>
<title>Sync with 2.30.8</title>
<updated>2023-02-06T08:24:06Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2023-02-06T08:24:06Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=e14d6b8408a2a283e55ca64d2c77ac929ec77204'/>
<id>urn:sha1:e14d6b8408a2a283e55ca64d2c77ac929ec77204</id>
<content type='text'>
* maint-2.30:
  Git 2.30.8
  apply: fix writing behind newly created symbolic links
  dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS
  clone: delay picking a transport until after get_repo_path()
  t5619: demonstrate clone_local() with ambiguous transport
</content>
</entry>
<entry>
<title>apply: fix writing behind newly created symbolic links</title>
<updated>2023-02-03T22:41:31Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2023-02-02T10:54:34Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=fade728df1221598f42d391cf377e9e84a32053f'/>
<id>urn:sha1:fade728df1221598f42d391cf377e9e84a32053f</id>
<content type='text'>
When writing files git-apply(1) initially makes sure that none of the
files it is about to create are behind a symlink:

```
 $ git init repo
 Initialized empty Git repository in /tmp/repo/.git/
 $ cd repo/
 $ ln -s dir symlink
 $ git apply - &lt;&lt;EOF
 diff --git a/symlink/file b/symlink/file
 new file mode 100644
 index 0000000..e69de29
 EOF
 error: affected file 'symlink/file' is beyond a symbolic link
```

This safety mechanism is crucial to ensure that we don't write outside
of the repository's working directory. It can be fooled though when the
patch that is being applied creates the symbolic link in the first
place, which can lead to writing files in arbitrary locations.

Fix this by checking whether the path we're about to create is
beyond a symlink or not. Tightening these checks like this should be
fine as we already have these precautions in Git as explained
above. Ideally, we should update the check we do up-front before
starting to reflect the computed changes to the working tree so that
we catch this case as well, but as part of embargoed security work,
adding an equivalent check just before we try to write out a file
should serve us well as a reasonable first step.

Digging back into history shows that this vulnerability has existed
since at least Git v2.9.0. As Git v2.8.0 and older don't build on my
system anymore I cannot tell whether older versions are affected, as
well.

Reported-by: Joern Schneeweisz &lt;jschneeweisz@gitlab.com&gt;
Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'jz/apply-3way-first-message-fix'</title>
<updated>2021-05-07T03:47:38Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2021-05-07T03:47:38Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=6d99f31ddafb064795d1d8f9b9bd930296f7069e'/>
<id>urn:sha1:6d99f31ddafb064795d1d8f9b9bd930296f7069e</id>
<content type='text'>
When we swapped the order of --3way fallback, we forgot to adjust
the message we give when the first method fails and the second
method is attempted (which used to be "direct application failed
hence we try 3way", now it is the other way around).

* jz/apply-3way-first-message-fix:
  apply: adjust messages to account for --3way changes
</content>
</entry>
<entry>
<title>apply: adjust messages to account for --3way changes</title>
<updated>2021-04-29T03:27:45Z</updated>
<author>
<name>Jerry Zhang</name>
<email>jerry@skydio.com</email>
</author>
<published>2021-04-29T02:35:03Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=526705fd3d14a38646a12235ee385dcc0ffc7321'/>
<id>urn:sha1:526705fd3d14a38646a12235ee385dcc0ffc7321</id>
<content type='text'>
"git apply" specifically calls out when it is falling back to 3way
merge application.  Since the order changed to preferring 3way and
falling back to direct application, continue that behavior by
printing whenever 3way fails and git has to fall back.

Signed-off-by: Jerry Zhang &lt;jerry@skydio.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>git-apply: allow simultaneous --cached and --3way options</title>
<updated>2021-04-08T05:20:33Z</updated>
<author>
<name>Jerry Zhang</name>
<email>jerry@skydio.com</email>
</author>
<published>2021-04-08T02:13:44Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=c0c2a37ac2b9338c3a93340cbcbab69690da4df0'/>
<id>urn:sha1:c0c2a37ac2b9338c3a93340cbcbab69690da4df0</id>
<content type='text'>
"git apply" does not allow "--cached" and "--3way" to be used
together, since "--3way" writes conflict markers into the working
tree.

Allow "git apply" to accept "--cached" and "--3way" at the same
time.  When a single file auto-resolves cleanly, the result is
placed in the index at stage #0 and the command exits with 0 status.

For a file that has a conflict which cannot be cleanly
auto-resolved, the original contents from common ancestor (stage
conflict at the content level, and the command exists with non-zero
status, because there is no place (like the working tree) to leave a
half-resolved merge for the user to resolve.

The user can use `git diff` to view the contents of the conflict, or
`git checkout -m -- .` to regenerate the conflict markers in the
working directory.

Don't attempt rerere in this case since it depends on conflict
markers written to file for its database storage and lookup. There
would be two main changes required to get rerere working:

1. Allow the rerere api to accept in memory object rather than
   files, which would allow us to pass in the conflict markers
   contained in the result from ll_merge().

2. Rerere can't write to the working directory, so it would have to
   apply the result to cache stage #0 directly. A flag would be
   needed to control this.

Signed-off-by: Jerry Zhang &lt;jerry@skydio.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>git-apply: try threeway first when "--3way" is used</title>
<updated>2021-04-07T00:11:41Z</updated>
<author>
<name>Jerry Zhang</name>
<email>jerry@skydio.com</email>
</author>
<published>2021-04-06T23:25:32Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=923cd87ac8550a8e277bfeb19198a11b6a8ed854'/>
<id>urn:sha1:923cd87ac8550a8e277bfeb19198a11b6a8ed854</id>
<content type='text'>
The apply_fragments() method of "git apply"
can silently apply patches incorrectly if
a file has repeating contents. In these
cases a three-way merge is capable of applying
it correctly in more situations, and will
show a conflict rather than applying it
incorrectly. However, because the patches
apply "successfully" using apply_fragments(),
git will never fall back to the merge, even
if the "--3way" flag is used, and the user has
no way to ensure correctness by forcing the
three-way merge method.

Change the behavior so that when "--3way" is used,
git will always try the three-way merge first and
will only fall back to apply_fragments() in cases
where blobs are not available or some other error
(but not in the case of a merge conflict).

Since user-facing results will be different,
this has backwards compatibility implications
for users depending on the old behavior. In
addition, the three-way merge will be slower
than direct patch application.

Signed-off-by: Jerry Zhang &lt;jerry@skydio.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
