git/contrib, branch v2.41.2

Merge branch 'sg/retire-unused-cocci'

2023-05-15T20:59:06Z

Retire a rather expensive-to-run Coccinelle check patch. * sg/retire-unused-cocci: cocci: remove 'unused.cocci'

Merge branch 'js/subtree-fully-spelt-quiet-and-debug-options'

2023-05-15T20:59:06Z

"git subtree" (in contrib/) update. * js/subtree-fully-spelt-quiet-and-debug-options: subtree: support long global flags

Merge branch 'mh/credential-password-expiry-wincred'

2023-05-11T19:16:16Z

Teach the recently invented "password expiry time" trait to the wincred credential helper. * mh/credential-password-expiry-wincred: credential/wincred: store password_expiry_utc

Merge branch 'mh/use-wincred-from-system'

2023-05-11T19:16:15Z

Code clean-up. * mh/use-wincred-from-system: credential/wincred: include wincred.h

Merge branch 'tb/credential-long-lines'

2023-05-10T17:23:27Z

The implementation of credential helpers used fgets() over fixed size buffers to read protocol messages, causing the remainder of the folded long line to trigger unexpected behaviour, which has been corrected. * tb/credential-long-lines: contrib/credential: embiggen fixed-size buffer in wincred contrib/credential: avoid fixed-size buffer in libsecret contrib/credential: .gitignore libsecret build artifacts contrib/credential: remove 'gnome-keyring' credential helper contrib/credential: avoid fixed-size buffer in osxkeychain t/lib-credential.sh: ensure credential helpers handle long headers credential.c: store "wwwauth[]" values in `credential_read()`

subtree: support long global flags

2023-05-08T14:58:27Z

The documentation at e75d1da38a claimed support, but it was never present Signed-off-by: Josh Soref Signed-off-by: Junio C Hamano

Merge branch 'ek/completion-use-read-r-to-read-literally'

2023-05-02T17:13:34Z

The completion script used to use bare "read" without the "-r" option to read the contents of various state files, which risked getting confused with backslashes in them. This has been corrected. * ek/completion-use-read-r-to-read-literally: completion: suppress unwanted unescaping of `read`

contrib/credential: embiggen fixed-size buffer in wincred

2023-05-01T16:27:02Z

As in previous commits, harden the wincred credential helper against the aforementioned protocol injection attack. Unlike the approached used for osxkeychain and libsecret, where a fixed-size buffer was replaced with `getline()`, we must take a different approach here. There is no `getline()` equivalent in Windows, and the function is not available to us with ordinary compiler settings. Instead, allocate a larger (still fixed-size) buffer in which to process each line. The value of 100 KiB is chosen to match the maximum-length header that curl will allow, CURL_MAX_HTTP_HEADER. To ensure that we are reading complete lines at a time, and that we aren't susceptible to a similar injection attack (albeit with more padding), ensure that each read terminates at a newline (i.e., that no line is more than 100 KiB long). Note that it isn't sufficient to turn the old loop into something like: while (len && strchr("\r\n", buf[len - 1])) { buf[--len] = 0; ends_in_newline = 1; } because if an attacker sends something like: [aaaaa.....]\r host=example.com\r\n the credential helper would fill its buffer after reading up through the first '\r', call fgets() again, and then see "host=example.com\r\n" on its line. Note that the original code was written in a way that would trim an arbitrary number of "\r" and "\n" from the end of the string. We should get only a single "\n" (since the point of `fgets()` is to return the buffer to us when it sees one), and likewise would not expect to see more than one associated "\r". The new code trims a single "\r\n", which matches the original intent. [1]: https://curl.se/libcurl/c/CURLOPT_HEADERFUNCTION.html Tested-by: Matthew John Cheetham Helped-by: Matthew John Cheetham Co-authored-by: Jeff King Signed-off-by: Jeff King Signed-off-by: Taylor Blau Signed-off-by: Junio C Hamano

contrib/credential: avoid fixed-size buffer in libsecret

2023-05-01T16:27:02Z

The libsecret credential helper reads the newline-delimited protocol stream one line at a time by repeatedly calling fgets() into a fixed-size buffer, and is thus affected by the vulnerability described in the previous commit. To mitigate this attack, avoid using a fixed-size buffer, and instead rely on getline() to allocate a buffer as large as necessary to fit the entire content of the line, preventing any protocol injection. In most parts of Git we don't assume that every platform has getline(). But libsecret is primarily used on Linux, where we do already assume it (using a knob in config.mak.uname). POSIX also added getline() in 2008, so we'd expect other recent Unix-like operating systems to have it (e.g., FreeBSD also does). Note that the buffer was already allocated on the heap in this case, but we'll swap `g_free()` for `free()`, since it will now be allocated by the system `getline()`, rather than glib's `g_malloc()`. Tested-by: Jeff King Co-authored-by: Jeff King Signed-off-by: Jeff King Signed-off-by: Taylor Blau Signed-off-by: Junio C Hamano

contrib/credential: .gitignore libsecret build artifacts

2023-05-01T16:27:02Z

The libsecret credential helper does not mark its build artifact as ignored, so running "make" results in a dirty working tree. Mark the "git-credential-libsecret" binary as ignored to avoid the above. Co-authored-by: Jeff King Signed-off-by: Jeff King Signed-off-by: Taylor Blau Signed-off-by: Junio C Hamano