<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/attr.h, branch v2.33.6</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.33.6</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.33.6'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2022-12-13T12:09:40Z</updated>
<entry>
<title>Sync with Git 2.31.6</title>
<updated>2022-12-13T12:09:40Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2022-12-13T12:09:40Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=8a755eddf5bf256613bc584f32cd44401a25897c'/>
<id>urn:sha1:8a755eddf5bf256613bc584f32cd44401a25897c</id>
<content type='text'>
</content>
</entry>
<entry>
<title>attr: ignore overly large gitattributes files</title>
<updated>2022-12-05T06:50:03Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2022-12-01T14:45:53Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=3c50032ff5289cc45659f21949c8d09e52164579'/>
<id>urn:sha1:3c50032ff5289cc45659f21949c8d09e52164579</id>
<content type='text'>
Similar as with the preceding commit, start ignoring gitattributes files
that are overly large to protect us against out-of-bounds reads and
writes caused by integer overflows. Unfortunately, we cannot just define
"overly large" in terms of any preexisting limits in the codebase.

Instead, we choose a very conservative limit of 100MB. This is plenty of
room for specifying gitattributes, and incidentally it is also the limit
for blob sizes for GitHub. While we don't want GitHub to dictate limits
here, it is still sensible to use this fact for an informed decision
given that it is hosting a huge set of repositories. Furthermore, over
at GitLab we scanned a subset of repositories for their root-level
attribute files. We found that 80% of them have a gitattributes file
smaller than 100kB, 99.99% have one smaller than 1MB, and only a single
repository had one that was almost 3MB in size. So enforcing a limit of
100MB seems to give us ample of headroom.

With this limit in place we can be reasonably sure that there is no easy
way to exploit the gitattributes file via integer overflows anymore.
Furthermore, it protects us against resource exhaustion caused by
allocating the in-memory data structures required to represent the
parsed attributes.

Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>attr: ignore attribute lines exceeding 2048 bytes</title>
<updated>2022-12-05T06:33:07Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2022-12-01T14:45:48Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=dfa6b32b5e599d97448337ed4fc18dd50c90758f'/>
<id>urn:sha1:dfa6b32b5e599d97448337ed4fc18dd50c90758f</id>
<content type='text'>
There are two different code paths to read gitattributes: once via a
file, and once via the index. These two paths used to behave differently
because when reading attributes from a file, we used fgets(3P) with a
buffer size of 2kB. Consequentially, we silently truncate line lengths
when lines are longer than that and will then parse the remainder of the
line as a new pattern. It goes without saying that this is entirely
unexpected, but it's even worse that the behaviour depends on how the
gitattributes are parsed.

While this is simply wrong, the silent truncation saves us with the
recently discovered vulnerabilities that can cause out-of-bound writes
or reads with unreasonably long lines due to integer overflows. As the
common path is to read gitattributes via the worktree file instead of
via the index, we can assume that any gitattributes file that had lines
longer than that is already broken anyway. So instead of lifting the
limit here, we can double down on it to fix the vulnerabilities.

Introduce an explicit line length limit of 2kB that is shared across all
paths that read attributes and ignore any line that hits this limit
while printing a warning.

Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>*: remove 'const' qualifier for struct index_state</title>
<updated>2021-04-14T20:46:00Z</updated>
<author>
<name>Derrick Stolee</name>
<email>dstolee@microsoft.com</email>
</author>
<published>2021-04-01T01:49:39Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=847a9e5d4f876646e128c89f0818b1a8ce792509'/>
<id>urn:sha1:847a9e5d4f876646e128c89f0818b1a8ce792509</id>
<content type='text'>
Several methods specify that they take a 'struct index_state' pointer
with the 'const' qualifier because they intend to only query the data,
not change it. However, we will be introducing a step very low in the
method stack that might modify a sparse-index to become a full index in
the case that our queries venture inside a sparse-directory entry.

This change only removes the 'const' qualifiers that are necessary for
the following change which will actually modify the implementation of
index_name_stage_pos().

Signed-off-by: Derrick Stolee &lt;dstolee@microsoft.com&gt;
Reviewed-by: Elijah Newren &lt;newren@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>attr: move doc to attr.h</title>
<updated>2019-11-18T06:21:28Z</updated>
<author>
<name>Heba Waly</name>
<email>heba.waly@gmail.com</email>
</author>
<published>2019-11-17T21:04:47Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=3a1b3415d9330cbe3d3cce125b971dff96d0aa4c'/>
<id>urn:sha1:3a1b3415d9330cbe3d3cce125b971dff96d0aa4c</id>
<content type='text'>
Move the documentation from Documentation/technical/api-gitattributes.txt
to attr.h as it's easier for the developers to find the usage
information beside the code instead of looking for it in another doc file.

Also documentation/technical/api-gitattributes.txt is removed because the
information it has is now redundant and it'll be hard to keep it up to
date and synchronized with the documentation in the header file.

Signed-off-by: Heba Waly &lt;heba.waly@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Make git_check_attr() a void function</title>
<updated>2018-09-12T22:15:34Z</updated>
<author>
<name>Torsten Bögershausen</name>
<email>tboegi@web.de</email>
</author>
<published>2018-09-12T19:32:02Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=d64324cb60e4d0e1f5fdc1d3319c79ddbf5d0eb2'/>
<id>urn:sha1:d64324cb60e4d0e1f5fdc1d3319c79ddbf5d0eb2</id>
<content type='text'>
git_check_attr() returns always 0.
Remove all the error handling code of the callers, which is never executed.
Change git_check_attr() to be a void function.

Signed-off-by: Torsten Bögershausen &lt;tboegi@web.de&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'en/incl-forward-decl'</title>
<updated>2018-08-20T19:41:32Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2018-08-20T19:41:32Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=5ade03446430f1190fdf1eca8b8fde5f63367110'/>
<id>urn:sha1:5ade03446430f1190fdf1eca8b8fde5f63367110</id>
<content type='text'>
Code hygiene improvement for the header files.

* en/incl-forward-decl:
  Remove forward declaration of an enum
  compat/precompose_utf8.h: use more common include guard style
  urlmatch.h: fix include guard
  Move definition of enum branch_track from cache.h to branch.h
  alloc: make allocate_alloc_state and clear_alloc_state more consistent
  Add missing includes and forward declarations
</content>
</entry>
<entry>
<title>Add missing includes and forward declarations</title>
<updated>2018-08-15T18:52:09Z</updated>
<author>
<name>Elijah Newren</name>
<email>newren@gmail.com</email>
</author>
<published>2018-08-15T17:54:05Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=ef3ca95475ce467ae883cc8175ed40e6f7d27800'/>
<id>urn:sha1:ef3ca95475ce467ae883cc8175ed40e6f7d27800</id>
<content type='text'>
I looped over the toplevel header files, creating a temporary two-line C
program for each consisting of
  #include "git-compat-util.h"
  #include $HEADER
This patch is the result of manually fixing errors in compiling those
tiny programs.

Signed-off-by: Elijah Newren &lt;newren@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>attr: remove index from git_attr_set_direction()</title>
<updated>2018-08-13T21:14:43Z</updated>
<author>
<name>Nguyễn Thái Ngọc Duy</name>
<email>pclouds@gmail.com</email>
</author>
<published>2018-08-13T16:14:33Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=c4500e251f89cbbc49fe90b832348ea9d4899946'/>
<id>urn:sha1:c4500e251f89cbbc49fe90b832348ea9d4899946</id>
<content type='text'>
Since attr checking API now take the index, there's no need to set an
index in advance with this call. Most call sites are straightforward
because they either pass the_index or NULL (which defaults back to
the_index previously). There's only one suspicious call site in
unpack-trees.c where it sets a different index.

This code in unpack-trees is about to check out entries from the
new/temporary index after merging is done in it. The attributes will
be used by entry.c code to do crlf conversion if needed. entry.c now
respects struct checkout's istate field, and this field is correctly
set in unpack-trees.c, there should be no regression from this change.

Signed-off-by: Nguyễn Thái Ngọc Duy &lt;pclouds@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>attr: remove an implicit dependency on the_index</title>
<updated>2018-08-13T21:14:42Z</updated>
<author>
<name>Nguyễn Thái Ngọc Duy</name>
<email>pclouds@gmail.com</email>
</author>
<published>2018-08-13T16:14:20Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=7a400a2c0270f2085b70690e4ddbfd8d141e69ca'/>
<id>urn:sha1:7a400a2c0270f2085b70690e4ddbfd8d141e69ca</id>
<content type='text'>
Make the attr API take an index_state instead of assuming the_index in
attr code. All call sites are converted blindly to keep the patch
simple and retain current behavior. Individual call sites may receive
further updates to use the right index instead of the_index.

There is one ugly temporary workaround added in attr.c that needs some
more explanation.

Commit c24f3abace (apply: file commited with CRLF should roundtrip
diff and apply - 2017-08-19) forces one convert_to_git() call to NOT
read the index at all. But what do you know, we read it anyway by
falling back to the_index. When "istate" from convert_to_git is now
propagated down to read_attr_from_array() we will hit segfault
somewhere inside read_blob_data_from_index.

The right way of dealing with this is to kill "use_index" variable and
only follow "istate" but at this stage we are not ready for that:
while most git_attr_set_direction() calls just passes the_index to be
assigned to use_index, unpack-trees passes a different one which is
used by entry.c code, which has no way to know what index to use if we
delete use_index. So this has to be done later.

Signed-off-by: Nguyễn Thái Ngọc Duy &lt;pclouds@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
