Mirror of https://git.kernel.org/pub/scm/git/git.git/ https://git.shady.money/git/atom?h=v2.40.2 2024-04-19T10:38:37Z 2024-04-19T10:38:37Z Johannes Schindelin johannes.schindelin@gmx.de 2024-04-12T07:45:28Z urn:sha1:93a88f42db7ed9a975768df0e5f4516317c50dda * maint-2.39: (38 commits) Git 2.39.4 fsck: warn about symlink pointing inside a gitdir core.hooksPath: add some protection while cloning init.templateDir: consider this config setting protected clone: prevent hooks from running during a clone Add a helper function to compare file contents init: refactor the template directory discovery into its own function find_hook(): refactor the `STRIP_EXTENSION` logic clone: when symbolic links collide with directories, keep the latter entry: report more colliding paths t5510: verify that D/F confusion cannot lead to an RCE submodule: require the submodule path to contain directories only clone_submodule: avoid using `access()` on directories submodules: submodule paths must not contain symlinks clone: prevent clashing git dirs when cloning submodule in parallel t7423: add tests for symlinked submodule directories has_dir_name(): do not get confused by characters < '/' docs: document security issues around untrusted .git dirs upload-pack: disable lazy-fetching by default fetch/clone: detect dubious ownership of local repositories ... 2024-04-19T10:38:19Z Johannes Schindelin johannes.schindelin@gmx.de 2024-03-30T14:59:20Z urn:sha1:584de0b4c235209fa60ca4a733678472263bdce0 In the next commit, Git will learn to disallow hooks during `git clone` operations _except_ when those hooks come from the templates (which are inherently supposed to be trusted). To that end, we add a function to compare the contents of two files. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> 2024-04-17T20:30:10Z Johannes Schindelin johannes.schindelin@gmx.de 2024-03-29T10:45:01Z urn:sha1:df93e407f0618e4a8265ac619dc7f4c7005155bc We will need to call this function from `hook.c` to be able to prevent hooks from running that were written as part of a `clone` but did not originate from the template directory. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> 2024-04-17T20:29:54Z Johannes Schindelin johannes.schindelin@gmx.de 2024-04-10T12:39:37Z urn:sha1:f4aa8c8bb11dae6e769cd930565173808cbb69c8 When cloning from somebody else's repositories, it is possible that, say, the `upload-pack` command is overridden in the repository that is about to be cloned, which would then be run in the user's context who started the clone. To remind the user that this is a potentially unsafe operation, let's extend the ownership checks we have already established for regular gitdir discovery to extend also to local repositories that are about to be cloned. This protection extends also to file:// URLs. The fixes in this commit address CVE-2024-32004. Note: This commit does not touch the `fetch`/`clone` code directly, but instead the function used implicitly by both: `enter_repo()`. This function is also used by `git receive-pack` (i.e. pushes), by `git upload-archive`, by `git daemon` and by `git http-backend`. In setups that want to serve repositories owned by different users than the account running the service, this will require `safe.*` settings to be configured accordingly. Also note: there are tiny time windows where a time-of-check-time-of-use ("TOCTOU") race is possible. The real solution to those would be to work with `fstat()` and `openat()`. However, the latter function is not available on Windows (and would have to be emulated with rather expensive low-level `NtCreateFile()` calls), and the changes would be quite extensive, for my taste too extensive for the little gain given that embargoed releases need to pay extra attention to avoid introducing inadvertent bugs. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> 2023-02-22T22:55:44Z Junio C Hamano gitster@pobox.com 2023-02-22T22:55:44Z urn:sha1:24fb150dcd6b18b6d14ed14a02c6a17c33f0d443 Remove more remaining uses of macros that relies on the_index singleton instance without explicitly spelling it out. * ab/the-index-compatibility: cocci & cache.h: remove "USE_THE_INDEX_COMPATIBILITY_MACROS" cache-tree API: remove redundant update_main_cache_tree() cocci & cache-tree.h: migrate "write_cache_as_tree" to "*_index_*" cocci & cache.h: apply pending "index_cache_pos" rule cocci & cache.h: fully apply "active_nr" part of index-compatibility builtin/rm.c: use narrower "USE_THE_INDEX_VARIABLE" 2023-02-16T01:11:53Z Junio C Hamano gitster@pobox.com 2023-02-16T01:11:53Z urn:sha1:c5f7b2a6fe34bbdd4453be6620e08dbcf1b695fb Type fixes. * rs/size-t-fixes: pack-objects: use strcspn(3) in name_cmp_len() read-cache: use size_t for {base,df}_name_compare() 2023-02-10T19:38:40Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2023-02-10T10:28:39Z urn:sha1:dfd0a89374c6eba332dfa3f5670a29eaf96efa3b Have the last users of "USE_THE_INDEX_COMPATIBILITY_MACROS" use the underlying *_index() variants instead. Now all previous users of "USE_THE_INDEX_COMPATIBILITY_MACROS" have been migrated away from the wrapper macros, and if applicable to use the "USE_THE_INDEX_VARIABLE" added in [1]. Let's leave the "index-compatibility.cocci" in place, even though it won't be doing anything on "master". It will benefit any out-of-tree code that need to use these compatibility macros. We can eventually remove it. 1. bdafeae0b9c (cache.h & test-tool.h: add & use "USE_THE_INDEX_VARIABLE", 2022-11-19) Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2023-02-10T19:37:27Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2023-02-10T10:28:36Z urn:sha1:babed893f52a44771dd9d85329ee3bd64438adfb Apply the rule added in [1] to change "cache_name_pos" to "index_name_pos", which allows us to get rid of another "USE_THE_INDEX_COMPATIBILITY_MACROS" macro. The replacement of "USE_THE_INDEX_COMPATIBILITY_MACROS" here with "USE_THE_INDEX_VARIABLE" is a manual change on top, now that these files only use "&the_index", and don't need any compatibility macros (or functions). 1. 0e6550a2c63 (cocci: add a index-compatibility.pending.cocci, 2022-11-19) Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2023-02-10T19:31:18Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2023-02-10T10:28:35Z urn:sha1:cec13b9514868cf38b41330bbc3ea91a7961dd00 Apply the "active_nr" part of "index-compatibility.pending.cocci", which was left out in [1] due to an in-flight conflict. As of [2] the topic we conflicted with has been merged to "master", so we can fully apply this rule. 1. dc594180d9e (cocci & cache.h: apply variable section of "pending" index-compatibility, 2022-11-19) 2. 9ea1378d046 (Merge branch 'ab/various-leak-fixes', 2022-12-14) Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2023-02-06T22:31:03Z René Scharfe l.s.r@web.de 2023-02-05T10:36:28Z urn:sha1:1b4a38d741a4f256c76ae5bffd3c8a52e05927b2 Support names of any length in base_name_compare() and df_name_compare() by using size_t for their length parameters. They pass the length on to memcmp(3), which also takes it as a size_t. Signed-off-by: René Scharfe <l.s.r@web.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>