<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/path.h, branch v2.48.2</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.48.2</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.48.2'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2024-12-10T01:04:55Z</updated>
<entry>
<title>Merge branch 'bc/allow-upload-pack-from-other-people'</title>
<updated>2024-12-10T01:04:55Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2024-12-10T01:04:55Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=35f40385e441d5aa885f5aa813539d5ed9dc2d26'/>
<id>urn:sha1:35f40385e441d5aa885f5aa813539d5ed9dc2d26</id>
<content type='text'>
Loosen overly strict ownership check introduced in the recent past,
to keep the promise "cloning a suspicious repository is a safe
first step to inspect it".

* bc/allow-upload-pack-from-other-people:
  Allow cloning from repositories owned by another user
</content>
</entry>
<entry>
<title>Allow cloning from repositories owned by another user</title>
<updated>2024-11-15T02:05:06Z</updated>
<author>
<name>brian m. carlson</name>
<email>sandals@crustytoothpaste.net</email>
</author>
<published>2024-11-15T00:54:04Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=0ffb5a6bf1b0fd9ce0c0b1fd9ce9fd30b89a2563'/>
<id>urn:sha1:0ffb5a6bf1b0fd9ce0c0b1fd9ce9fd30b89a2563</id>
<content type='text'>
Historically, Git has allowed users to clone from an untrusted
repository, and we have documented that it is safe to do so:

    `upload-pack` tries to avoid any dangerous configuration options or
    hooks from the repository it's serving, making it safe to clone an
    untrusted directory and run commands on the resulting clone.

However, this was broken by f4aa8c8bb1 ("fetch/clone: detect dubious
ownership of local repositories", 2024-04-10) in an attempt to make
things more secure.  That change resulted in a variety of problems when
cloning locally and over SSH, but it did not change the stated security
boundary.  Because the security boundary has not changed, it is safe to
adjust part of the code that patch introduced.

To do that and restore the previous functionality, adjust enter_repo to
take two flags instead of one.

The two bits are

 - ENTER_REPO_STRICT: callers that require exact paths (as opposed
   to allowing known suffixes like ".git", ".git/.git" to be
   omitted) can set this bit.  Corresponds to the "strict" parameter
   that the flags word replaces.

 - ENTER_REPO_ANY_OWNER_OK: callers that are willing to run without
   ownership check can set this bit.

The former is --strict-paths option of "git daemon".  The latter is
set only by upload-pack, which honors the claimed security boundary.

Note that local clones across ownership boundaries require --no-local so
that upload-pack is used.  Document this fact in the manual page and
provide an example.

This patch was based on one written by Junio C Hamano.

Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>path: hide functions using `the_repository` by default</title>
<updated>2024-08-13T17:01:01Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2024-08-13T09:13:40Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=7ac16649eca0ee206fdb203a76fa4330484b3b6a'/>
<id>urn:sha1:7ac16649eca0ee206fdb203a76fa4330484b3b6a</id>
<content type='text'>
The path subsystem provides a bunch of legacy functions that compute
paths relative to the "gitdir" and "commondir" directories of the global
`the_repository` variable. Use of those functions is discouraged, and it
is easy to miss the implicit dependency on `the_repository` that calls
to those functions may cause.

With `USE_THE_REPOSITORY_VARIABLE`, we have recently introduced a tool
that allows us to get rid of such functions over time. With this macro,
we can hide away functions that have such implicit dependency such that
other subsystems that want to be free of `the_repository` will not use
them by accident.

Move all path-related functions that use `the_repository` into a block
that gets only conditionally compiled depending on whether or not the
macro has been defined. This also removes all dependencies on that
variable in "path.c", allowing us to remove the definition of said
preprocessor macro.

Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>path: stop relying on `the_repository` in `worktree_git_path()`</title>
<updated>2024-08-13T17:01:01Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2024-08-13T09:13:37Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=a973f60dc7c178828e351ec4e68886ffecfbcadc'/>
<id>urn:sha1:a973f60dc7c178828e351ec4e68886ffecfbcadc</id>
<content type='text'>
When not provided a worktree, then `worktree_git_path()` will fall back
to returning a path relative to the main repository. In this case, we
implicitly rely on `the_repository` to derive the path. Remove this
dependency by passing a `struct repository` as parameter.

Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>path: stop relying on `the_repository` when reporting garbage</title>
<updated>2024-08-13T17:01:01Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2024-08-13T09:13:31Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=78f2210b3c8605144d62a90b58e888312f64efc8'/>
<id>urn:sha1:78f2210b3c8605144d62a90b58e888312f64efc8</id>
<content type='text'>
We access `the_repository` in `report_linked_checkout_garbage()` both
directly and indirectly via `get_git_dir()`. Remove this dependency by
instead passing a `struct repository` as parameter.

Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>path: expose `do_git_common_path()` as `repo_common_pathv()`</title>
<updated>2024-08-13T17:01:00Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2024-08-13T09:13:23Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=61419a42f641c7b9f7bfc9585e3ec9c393ab0166'/>
<id>urn:sha1:61419a42f641c7b9f7bfc9585e3ec9c393ab0166</id>
<content type='text'>
With the same reasoning as the preceding commit, expose the function
`do_git_common_path()` as `repo_common_pathv()`. While at it, reorder
parameters such that they match the order we have in `repo_git_pathv()`.

Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>path: expose `do_git_path()` as `repo_git_pathv()`</title>
<updated>2024-08-13T17:01:00Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2024-08-13T09:13:20Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=b6c6bfef31e1ffe3804e5a1ba5bfe9e7879eda92'/>
<id>urn:sha1:b6c6bfef31e1ffe3804e5a1ba5bfe9e7879eda92</id>
<content type='text'>
We're about to move functions of the "path" subsystem that do not use a
`struct repository` into "path.h" as static inlined functions. This will
require us to call `do_git_path()`, which is internal to "path.c".

Expose the function as `repo_git_pathv()` to prepare for the change.

Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'jc/worktree-git-path'</title>
<updated>2024-06-24T23:39:15Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2024-06-24T23:39:15Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=107ed551030713e25933dc8e92ad8d67cff28ff6'/>
<id>urn:sha1:107ed551030713e25933dc8e92ad8d67cff28ff6</id>
<content type='text'>
Code cleanup.

* jc/worktree-git-path:
  worktree_git_path(): move the declaration to path.h
</content>
</entry>
<entry>
<title>worktree_git_path(): move the declaration to path.h</title>
<updated>2024-06-08T18:42:37Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2024-06-08T18:39:01Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=bf6a86236e829d08c92356e5c861193ccb516ef7'/>
<id>urn:sha1:bf6a86236e829d08c92356e5c861193ccb516ef7</id>
<content type='text'>
The definition of this function is in path.c but its declaration is
in worktree.h, which is something unexpected.  The function is
explained as "Similar to git_path()"; declaring it next to where
git_path() is declared would make more sense.

Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>path: move `validate_headref()` to its only user</title>
<updated>2024-05-07T05:50:48Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2024-05-07T04:52:51Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=0c6bd2b81d1e18dfa1e143c354c554cca34b3685'/>
<id>urn:sha1:0c6bd2b81d1e18dfa1e143c354c554cca34b3685</id>
<content type='text'>
While `validate_headref()` is only called from `is_git_directory()` in
"setup.c", it is currently implemented in "path.c". Move it over such
that it becomes clear that it is only really used during setup in order
to discover repositories.

Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
