<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/path.c, branch v2.44.4</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.44.4</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.44.4'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2024-04-19T10:38:54Z</updated>
<entry>
<title>Sync with 2.43.4</title>
<updated>2024-04-19T10:38:54Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-04-10T20:10:06Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=e5e6663e69e4fddcf10f69fc4278632482e1889a'/>
<id>urn:sha1:e5e6663e69e4fddcf10f69fc4278632482e1889a</id>
<content type='text'>
* maint-2.43: (40 commits)
  Git 2.43.4
  Git 2.42.2
  Git 2.41.1
  Git 2.40.2
  Git 2.39.4
  fsck: warn about symlink pointing inside a gitdir
  core.hooksPath: add some protection while cloning
  init.templateDir: consider this config setting protected
  clone: prevent hooks from running during a clone
  Add a helper function to compare file contents
  init: refactor the template directory discovery into its own function
  find_hook(): refactor the `STRIP_EXTENSION` logic
  clone: when symbolic links collide with directories, keep the latter
  entry: report more colliding paths
  t5510: verify that D/F confusion cannot lead to an RCE
  submodule: require the submodule path to contain directories only
  clone_submodule: avoid using `access()` on directories
  submodules: submodule paths must not contain symlinks
  clone: prevent clashing git dirs when cloning submodule in parallel
  t7423: add tests for symlinked submodule directories
  ...
</content>
</entry>
<entry>
<title>Sync with 2.41.1</title>
<updated>2024-04-19T10:38:46Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-04-17T09:39:09Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=be348e9815285636789dccd4aef85b5bab5f8557'/>
<id>urn:sha1:be348e9815285636789dccd4aef85b5bab5f8557</id>
<content type='text'>
* maint-2.41: (38 commits)
  Git 2.41.1
  Git 2.40.2
  Git 2.39.4
  fsck: warn about symlink pointing inside a gitdir
  core.hooksPath: add some protection while cloning
  init.templateDir: consider this config setting protected
  clone: prevent hooks from running during a clone
  Add a helper function to compare file contents
  init: refactor the template directory discovery into its own function
  find_hook(): refactor the `STRIP_EXTENSION` logic
  clone: when symbolic links collide with directories, keep the latter
  entry: report more colliding paths
  t5510: verify that D/F confusion cannot lead to an RCE
  submodule: require the submodule path to contain directories only
  clone_submodule: avoid using `access()` on directories
  submodules: submodule paths must not contain symlinks
  clone: prevent clashing git dirs when cloning submodule in parallel
  t7423: add tests for symlinked submodule directories
  has_dir_name(): do not get confused by characters &lt; '/'
  docs: document security issues around untrusted .git dirs
  ...
</content>
</entry>
<entry>
<title>Sync with 2.40.2</title>
<updated>2024-04-19T10:38:42Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-04-17T09:38:18Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=f5b2af06f55c0f21ae0199be5fe120f2cccd698b'/>
<id>urn:sha1:f5b2af06f55c0f21ae0199be5fe120f2cccd698b</id>
<content type='text'>
* maint-2.40: (39 commits)
  Git 2.40.2
  Git 2.39.4
  fsck: warn about symlink pointing inside a gitdir
  core.hooksPath: add some protection while cloning
  init.templateDir: consider this config setting protected
  clone: prevent hooks from running during a clone
  Add a helper function to compare file contents
  init: refactor the template directory discovery into its own function
  find_hook(): refactor the `STRIP_EXTENSION` logic
  clone: when symbolic links collide with directories, keep the latter
  entry: report more colliding paths
  t5510: verify that D/F confusion cannot lead to an RCE
  submodule: require the submodule path to contain directories only
  clone_submodule: avoid using `access()` on directories
  submodules: submodule paths must not contain symlinks
  clone: prevent clashing git dirs when cloning submodule in parallel
  t7423: add tests for symlinked submodule directories
  has_dir_name(): do not get confused by characters &lt; '/'
  docs: document security issues around untrusted .git dirs
  upload-pack: disable lazy-fetching by default
  ...
</content>
</entry>
<entry>
<title>fetch/clone: detect dubious ownership of local repositories</title>
<updated>2024-04-17T20:29:54Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-04-10T12:39:37Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=f4aa8c8bb11dae6e769cd930565173808cbb69c8'/>
<id>urn:sha1:f4aa8c8bb11dae6e769cd930565173808cbb69c8</id>
<content type='text'>
When cloning from somebody else's repositories, it is possible that,
say, the `upload-pack` command is overridden in the repository that is
about to be cloned, which would then be run in the user's context who
started the clone.

To remind the user that this is a potentially unsafe operation, let's
extend the ownership checks we have already established for regular
gitdir discovery to extend also to local repositories that are about to
be cloned.

This protection extends also to file:// URLs.

The fixes in this commit address CVE-2024-32004.

Note: This commit does not touch the `fetch`/`clone` code directly, but
instead the function used implicitly by both: `enter_repo()`. This
function is also used by `git receive-pack` (i.e. pushes), by `git
upload-archive`, by `git daemon` and by `git http-backend`. In setups
that want to serve repositories owned by different users than the
account running the service, this will require `safe.*` settings to be
configured accordingly.

Also note: there are tiny time windows where a time-of-check-time-of-use
("TOCTOU") race is possible. The real solution to those would be to work
with `fstat()` and `openat()`. However, the latter function is not
available on Windows (and would have to be emulated with rather
expensive low-level `NtCreateFile()` calls), and the changes would be
quite extensive, for my taste too extensive for the little gain given
that embargoed releases need to pay extra attention to avoid introducing
inadvertent bugs.

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>refs: convert MERGE_AUTOSTASH to become a normal pseudo-ref</title>
<updated>2024-01-19T19:10:41Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2024-01-19T10:40:19Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=3f921c75913a4ba7b73cb0d8ec05a2cf24d1f4d4'/>
<id>urn:sha1:3f921c75913a4ba7b73cb0d8ec05a2cf24d1f4d4</id>
<content type='text'>
Similar to the preceding conversion of the AUTO_MERGE pseudo-ref, let's
convert the MERGE_AUTOSTASH ref to become a normal pseudo-ref as well.

Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>refs: convert AUTO_MERGE to become a normal pseudo-ref</title>
<updated>2024-01-19T19:10:41Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2024-01-19T10:40:09Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=fd7c6ffa9e118cdf18a3752ec456070ed0a22e3b'/>
<id>urn:sha1:fd7c6ffa9e118cdf18a3752ec456070ed0a22e3b</id>
<content type='text'>
In 70c70de616 (refs: complete list of special refs, 2023-12-14) we have
inrtoduced a new `is_special_ref()` function that classifies some refs
as being special. The rule is that special refs are exclusively read and
written via the filesystem directly, whereas normal refs exclucsively go
via the refs API.

The intent of that commit was to record the status quo so that we know
to route reads of such special refs consistently. Eventually, the list
should be reduced to its bare minimum of refs which really are special,
namely FETCH_HEAD and MERGE_HEAD.

Follow up on this promise and convert the AUTO_MERGE ref to become a
normal pseudo-ref by using the refs API to both read and write it
instead of accessing the filesystem directly.

Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'cw/compat-util-header-cleanup'</title>
<updated>2023-07-17T18:30:42Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2023-07-17T18:30:42Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=ce481ac8b31c9061eeecd1ba0d7174b621f96632'/>
<id>urn:sha1:ce481ac8b31c9061eeecd1ba0d7174b621f96632</id>
<content type='text'>
Further shuffling of declarations across header files to streamline
file dependencies.

* cw/compat-util-header-cleanup:
  git-compat-util: move alloc macros to git-compat-util.h
  treewide: remove unnecessary includes for wrapper.h
  kwset: move translation table from ctype
  sane-ctype.h: create header for sane-ctype macros
  git-compat-util: move wrapper.c funcs to its header
  git-compat-util: move strbuf.c funcs to its header
</content>
</entry>
<entry>
<title>Merge branch 'cw/strbuf-cleanup'</title>
<updated>2023-07-06T18:54:46Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2023-07-06T18:54:46Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=67e7305e64fea8d15879e9dc3831fc8e31cfe619'/>
<id>urn:sha1:67e7305e64fea8d15879e9dc3831fc8e31cfe619</id>
<content type='text'>
Move functions that are not about pure string manipulation out of
strbuf.[ch]

* cw/strbuf-cleanup:
  strbuf: remove global variable
  path: move related function to path
  object-name: move related functions to object-name
  credential-store: move related functions to credential-store file
  abspath: move related functions to abspath
  strbuf: clarify dependency
  strbuf: clarify API boundary
</content>
</entry>
<entry>
<title>treewide: remove unnecessary includes for wrapper.h</title>
<updated>2023-07-05T18:41:59Z</updated>
<author>
<name>Calvin Wan</name>
<email>calvinwan@google.com</email>
</author>
<published>2023-07-05T17:09:23Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=da9502ff4dc495471a1a080dc297cd6e4628c10c'/>
<id>urn:sha1:da9502ff4dc495471a1a080dc297cd6e4628c10c</id>
<content type='text'>
Signed-off-by: Calvin Wan &lt;calvinwan@google.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>object-store-ll.h: split this header out of object-store.h</title>
<updated>2023-06-21T20:39:54Z</updated>
<author>
<name>Elijah Newren</name>
<email>newren@gmail.com</email>
</author>
<published>2023-05-16T06:34:06Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=a034e9106ff1a4cb6fcb6f2ea3a1a47b4d2ba173'/>
<id>urn:sha1:a034e9106ff1a4cb6fcb6f2ea3a1a47b4d2ba173</id>
<content type='text'>
The vast majority of files including object-store.h did not need dir.h
nor khash.h.  Split the header into two files, and let most just depend
upon object-store-ll.h, while letting the two callers that need it
depend on the full object-store.h.

After this patch:
    $ git grep -h include..object-store | sort | uniq -c
          2 #include "object-store.h"
        129 #include "object-store-ll.h"

Diff best viewed with `--color-moved`.

Signed-off-by: Elijah Newren &lt;newren@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
