<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/path.c, branch v2.17.2</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.17.2</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.17.2'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2018-05-22T05:15:14Z</updated>
<entry>
<title>Sync with Git 2.14.4</title>
<updated>2018-05-22T05:15:14Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2018-05-22T05:15:14Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=9e0f06d55df5855178ff41342937943604f6e97c'/>
<id>urn:sha1:9e0f06d55df5855178ff41342937943604f6e97c</id>
<content type='text'>
* maint-2.14:
  Git 2.14.4
  Git 2.13.7
  verify_path: disallow symlinks in .gitmodules
  update-index: stat updated files earlier
  verify_dotfile: mention case-insensitivity in comment
  verify_path: drop clever fallthrough
  skip_prefix: add case-insensitive variant
  is_{hfs,ntfs}_dotgitmodules: add tests
  is_ntfs_dotgit: match other .git files
  is_hfs_dotgit: match other .git files
  is_ntfs_dotgit: use a size_t for traversing string
  submodule-config: verify submodule names as paths
</content>
</entry>
<entry>
<title>Sync with Git 2.13.7</title>
<updated>2018-05-22T05:10:49Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2018-05-22T05:10:49Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=7b01c71b64d25202d80b73cbd46104ebfddbdab3'/>
<id>urn:sha1:7b01c71b64d25202d80b73cbd46104ebfddbdab3</id>
<content type='text'>
* maint-2.13:
  Git 2.13.7
  verify_path: disallow symlinks in .gitmodules
  update-index: stat updated files earlier
  verify_dotfile: mention case-insensitivity in comment
  verify_path: drop clever fallthrough
  skip_prefix: add case-insensitive variant
  is_{hfs,ntfs}_dotgitmodules: add tests
  is_ntfs_dotgit: match other .git files
  is_hfs_dotgit: match other .git files
  is_ntfs_dotgit: use a size_t for traversing string
  submodule-config: verify submodule names as paths
</content>
</entry>
<entry>
<title>is_ntfs_dotgit: match other .git files</title>
<updated>2018-05-22T03:50:11Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2018-05-11T14:03:54Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=e7cb0b4455c85b53aeba40f88ffddcf6d4002498'/>
<id>urn:sha1:e7cb0b4455c85b53aeba40f88ffddcf6d4002498</id>
<content type='text'>
When we started to catch NTFS short names that clash with .git, we only
looked for GIT~1. This is sufficient because we only ever clone into an
empty directory, so .git is guaranteed to be the first subdirectory or
file in that directory.

However, even with a fresh clone, .gitmodules is *not* necessarily the
first file to be written that would want the NTFS short name GITMOD~1: a
malicious repository can add .gitmodul0000 and friends, which sorts
before `.gitmodules` and is therefore checked out *first*. For that
reason, we have to test not only for ~1 short names, but for others,
too.

It's hard to just adapt the existing checks in is_ntfs_dotgit(): since
Windows 2000 (i.e., in all Windows versions still supported by Git),
NTFS short names are only generated in the &lt;prefix&gt;~&lt;number&gt; form up to
number 4. After that, a *different* prefix is used, calculated from the
long file name using an undocumented, but stable algorithm.

For example, the short name of .gitmodules would be GITMOD~1, but if it
is taken, and all of ~2, ~3 and ~4 are taken, too, the short name
GI7EBA~1 will be used. From there, collisions are handled by
incrementing the number, shortening the prefix as needed (until ~9999999
is reached, in which case NTFS will not allow the file to be created).

We'd also want to handle .gitignore and .gitattributes, which suffer
from a similar problem, using the fall-back short names GI250A~1 and
GI7D29~1, respectively.

To accommodate for that, we could reimplement the hashing algorithm, but
it is just safer and simpler to provide the known prefixes. This
algorithm has been reverse-engineered and described at
https://usn.pw/blog/gen/2015/06/09/filenames/, which is defunct but
still available via https://web.archive.org/.

These can be recomputed by running the following Perl script:

-- snip --
use warnings;
use strict;

sub compute_short_name_hash ($) {
        my $checksum = 0;
        foreach (split('', $_[0])) {
                $checksum = ($checksum * 0x25 + ord($_)) &amp; 0xffff;
        }

        $checksum = ($checksum * 314159269) &amp; 0xffffffff;
        $checksum = 1 + (~$checksum &amp; 0x7fffffff) if ($checksum &amp; 0x80000000);
        $checksum -= (($checksum * 1152921497) &gt;&gt; 60) * 1000000007;

        return scalar reverse sprintf("%x", $checksum &amp; 0xffff);
}

print compute_short_name_hash($ARGV[0]);
-- snap --

E.g., running that with the argument ".gitignore" will
result in "250a" (which then becomes "gi250a" in the code).

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
Signed-off-by: Jeff King &lt;peff@peff.net&gt;
</content>
</entry>
<entry>
<title>is_ntfs_dotgit: use a size_t for traversing string</title>
<updated>2018-05-22T03:50:11Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2018-05-13T16:09:42Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=11a9f4d807a0d71dc6eff51bb87baf4ca2cccf1d'/>
<id>urn:sha1:11a9f4d807a0d71dc6eff51bb87baf4ca2cccf1d</id>
<content type='text'>
We walk through the "name" string using an int, which can
wrap to a negative value and cause us to read random memory
before our array (e.g., by creating a tree with a name &gt;2GB,
since "int" is still 32 bits even on most 64-bit platforms).
Worse, this is easy to trigger during the fsck_tree() check,
which is supposed to be protecting us from malicious
garbage.

Note one bit of trickiness in the existing code: we
sometimes assign -1 to "len" at the end of the loop, and
then rely on the "len++" in the for-loop's increment to take
it back to 0. This is still legal with a size_t, since
assigning -1 will turn into SIZE_MAX, which then wraps
around to 0 on increment.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
</content>
</entry>
<entry>
<title>Merge branch 'ao/path-use-xmalloc'</title>
<updated>2017-10-28T01:18:40Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2017-10-28T01:18:39Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=fd052e4f9abc2cf9ea54ea33e2b563c0e120a795'/>
<id>urn:sha1:fd052e4f9abc2cf9ea54ea33e2b563c0e120a795</id>
<content type='text'>
A possible oom error is now caught as a fatal error, instead of
continuing and dereferencing NULL.

* ao/path-use-xmalloc:
  path.c: use xmalloc() in add_to_trie()
</content>
</entry>
<entry>
<title>path.c: use xmalloc() in add_to_trie()</title>
<updated>2017-10-25T07:16:22Z</updated>
<author>
<name>Andrey Okoshkin</name>
<email>a.okoshkin@samsung.com</email>
</author>
<published>2017-10-24T15:15:05Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=55d7d15847e84d531f712f9fd6a7117283b208a3'/>
<id>urn:sha1:55d7d15847e84d531f712f9fd6a7117283b208a3</id>
<content type='text'>
Add usage of xmalloc() instead of malloc() in add_to_trie() as xmalloc wraps
and checks memory allocation result.

Signed-off-by: Andrey Okoshkin &lt;a.okoshkin@samsung.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'jk/validate-headref-fix' into maint</title>
<updated>2017-10-18T05:19:12Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2017-10-18T05:19:12Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=41052b11bc5a128c6a4266ea60c712a088cb2166'/>
<id>urn:sha1:41052b11bc5a128c6a4266ea60c712a088cb2166</id>
<content type='text'>
Code clean-up.

* jk/validate-headref-fix:
  validate_headref: use get_oid_hex for detached HEADs
  validate_headref: use skip_prefix for symref parsing
  validate_headref: NUL-terminate HEAD buffer
</content>
</entry>
<entry>
<title>Merge branch 'tg/memfixes'</title>
<updated>2017-10-07T07:27:54Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2017-10-07T07:27:54Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=98c03a0de83f5b5a98ac25d5639f647559c0e619'/>
<id>urn:sha1:98c03a0de83f5b5a98ac25d5639f647559c0e619</id>
<content type='text'>
Fixes for a handful memory access issues identified by valgrind.

* tg/memfixes:
  sub-process: use child_process.args instead of child_process.argv
  http-push: fix construction of hex value from path
  path.c: fix uninitialized memory access
</content>
</entry>
<entry>
<title>Merge branch 'rs/cleanup-strbuf-users'</title>
<updated>2017-10-05T04:48:19Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2017-10-05T04:48:19Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=e46ebc27547e3d09385a76ade7ab11dc794f7595'/>
<id>urn:sha1:e46ebc27547e3d09385a76ade7ab11dc794f7595</id>
<content type='text'>
Code clean-up.

* rs/cleanup-strbuf-users:
  graph: use strbuf_addchars() to add spaces
  use strbuf_addstr() for adding strings to strbufs
  path: use strbuf_add_real_path()
</content>
</entry>
<entry>
<title>path.c: fix uninitialized memory access</title>
<updated>2017-10-04T04:47:16Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2017-10-03T23:30:40Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=8262715b8eb157497ec1ee1cfcef778d526b2336'/>
<id>urn:sha1:8262715b8eb157497ec1ee1cfcef778d526b2336</id>
<content type='text'>
In cleanup_path we're passing in a char array, run a memcmp on it, and
run through it without ever checking if something is in the array in the
first place.  This can lead us to access uninitialized memory, for
example in t5541-http-push-smart.sh test 7, when run under valgrind:

==4423== Conditional jump or move depends on uninitialised value(s)
==4423==    at 0x242FA9: cleanup_path (path.c:35)
==4423==    by 0x242FA9: mkpath (path.c:456)
==4423==    by 0x256CC7: refname_match (refs.c:364)
==4423==    by 0x26C181: count_refspec_match (remote.c:1015)
==4423==    by 0x26C181: match_explicit_lhs (remote.c:1126)
==4423==    by 0x26C181: check_push_refs (remote.c:1409)
==4423==    by 0x2ABB4D: transport_push (transport.c:870)
==4423==    by 0x186703: push_with_options (push.c:332)
==4423==    by 0x18746D: do_push (push.c:409)
==4423==    by 0x18746D: cmd_push (push.c:566)
==4423==    by 0x1183E0: run_builtin (git.c:352)
==4423==    by 0x11973E: handle_builtin (git.c:539)
==4423==    by 0x11973E: run_argv (git.c:593)
==4423==    by 0x11973E: main (git.c:698)
==4423==  Uninitialised value was created by a heap allocation
==4423==    at 0x4C2CD8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4423==    by 0x4C2F195: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4423==    by 0x2C196B: xrealloc (wrapper.c:137)
==4423==    by 0x29A30B: strbuf_grow (strbuf.c:66)
==4423==    by 0x29A30B: strbuf_vaddf (strbuf.c:277)
==4423==    by 0x242F9F: mkpath (path.c:454)
==4423==    by 0x256CC7: refname_match (refs.c:364)
==4423==    by 0x26C181: count_refspec_match (remote.c:1015)
==4423==    by 0x26C181: match_explicit_lhs (remote.c:1126)
==4423==    by 0x26C181: check_push_refs (remote.c:1409)
==4423==    by 0x2ABB4D: transport_push (transport.c:870)
==4423==    by 0x186703: push_with_options (push.c:332)
==4423==    by 0x18746D: do_push (push.c:409)
==4423==    by 0x18746D: cmd_push (push.c:566)
==4423==    by 0x1183E0: run_builtin (git.c:352)
==4423==    by 0x11973E: handle_builtin (git.c:539)
==4423==    by 0x11973E: run_argv (git.c:593)
==4423==    by 0x11973E: main (git.c:698)
==4423==

Avoid this by using skip_prefix(), which knows not to go beyond the
end of the string.

Reported-by: Thomas Gummerer &lt;t.gummerer@gmail.com&gt;
Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Reviewed-by: Jonathan Nieder &lt;jrnieder@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
