<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/setup.c, branch v2.44.4</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.44.4</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.44.4'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2024-04-19T10:38:54Z</updated>
<entry>
<title>Sync with 2.43.4</title>
<updated>2024-04-19T10:38:54Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-04-10T20:10:06Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=e5e6663e69e4fddcf10f69fc4278632482e1889a'/>
<id>urn:sha1:e5e6663e69e4fddcf10f69fc4278632482e1889a</id>
<content type='text'>
* maint-2.43: (40 commits)
  Git 2.43.4
  Git 2.42.2
  Git 2.41.1
  Git 2.40.2
  Git 2.39.4
  fsck: warn about symlink pointing inside a gitdir
  core.hooksPath: add some protection while cloning
  init.templateDir: consider this config setting protected
  clone: prevent hooks from running during a clone
  Add a helper function to compare file contents
  init: refactor the template directory discovery into its own function
  find_hook(): refactor the `STRIP_EXTENSION` logic
  clone: when symbolic links collide with directories, keep the latter
  entry: report more colliding paths
  t5510: verify that D/F confusion cannot lead to an RCE
  submodule: require the submodule path to contain directories only
  clone_submodule: avoid using `access()` on directories
  submodules: submodule paths must not contain symlinks
  clone: prevent clashing git dirs when cloning submodule in parallel
  t7423: add tests for symlinked submodule directories
  ...
</content>
</entry>
<entry>
<title>Sync with 2.42.2</title>
<updated>2024-04-19T10:38:50Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-04-10T20:04:48Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=8e97ec3662a54b07e4c19bb761e95cf87bd54364'/>
<id>urn:sha1:8e97ec3662a54b07e4c19bb761e95cf87bd54364</id>
<content type='text'>
* maint-2.42: (39 commits)
  Git 2.42.2
  Git 2.41.1
  Git 2.40.2
  Git 2.39.4
  fsck: warn about symlink pointing inside a gitdir
  core.hooksPath: add some protection while cloning
  init.templateDir: consider this config setting protected
  clone: prevent hooks from running during a clone
  Add a helper function to compare file contents
  init: refactor the template directory discovery into its own function
  find_hook(): refactor the `STRIP_EXTENSION` logic
  clone: when symbolic links collide with directories, keep the latter
  entry: report more colliding paths
  t5510: verify that D/F confusion cannot lead to an RCE
  submodule: require the submodule path to contain directories only
  clone_submodule: avoid using `access()` on directories
  submodules: submodule paths must not contain symlinks
  clone: prevent clashing git dirs when cloning submodule in parallel
  t7423: add tests for symlinked submodule directories
  has_dir_name(): do not get confused by characters &lt; '/'
  ...
</content>
</entry>
<entry>
<title>Sync with 2.41.1</title>
<updated>2024-04-19T10:38:46Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-04-17T09:39:09Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=be348e9815285636789dccd4aef85b5bab5f8557'/>
<id>urn:sha1:be348e9815285636789dccd4aef85b5bab5f8557</id>
<content type='text'>
* maint-2.41: (38 commits)
  Git 2.41.1
  Git 2.40.2
  Git 2.39.4
  fsck: warn about symlink pointing inside a gitdir
  core.hooksPath: add some protection while cloning
  init.templateDir: consider this config setting protected
  clone: prevent hooks from running during a clone
  Add a helper function to compare file contents
  init: refactor the template directory discovery into its own function
  find_hook(): refactor the `STRIP_EXTENSION` logic
  clone: when symbolic links collide with directories, keep the latter
  entry: report more colliding paths
  t5510: verify that D/F confusion cannot lead to an RCE
  submodule: require the submodule path to contain directories only
  clone_submodule: avoid using `access()` on directories
  submodules: submodule paths must not contain symlinks
  clone: prevent clashing git dirs when cloning submodule in parallel
  t7423: add tests for symlinked submodule directories
  has_dir_name(): do not get confused by characters &lt; '/'
  docs: document security issues around untrusted .git dirs
  ...
</content>
</entry>
<entry>
<title>Sync with 2.40.2</title>
<updated>2024-04-19T10:38:42Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-04-17T09:38:18Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=f5b2af06f55c0f21ae0199be5fe120f2cccd698b'/>
<id>urn:sha1:f5b2af06f55c0f21ae0199be5fe120f2cccd698b</id>
<content type='text'>
* maint-2.40: (39 commits)
  Git 2.40.2
  Git 2.39.4
  fsck: warn about symlink pointing inside a gitdir
  core.hooksPath: add some protection while cloning
  init.templateDir: consider this config setting protected
  clone: prevent hooks from running during a clone
  Add a helper function to compare file contents
  init: refactor the template directory discovery into its own function
  find_hook(): refactor the `STRIP_EXTENSION` logic
  clone: when symbolic links collide with directories, keep the latter
  entry: report more colliding paths
  t5510: verify that D/F confusion cannot lead to an RCE
  submodule: require the submodule path to contain directories only
  clone_submodule: avoid using `access()` on directories
  submodules: submodule paths must not contain symlinks
  clone: prevent clashing git dirs when cloning submodule in parallel
  t7423: add tests for symlinked submodule directories
  has_dir_name(): do not get confused by characters &lt; '/'
  docs: document security issues around untrusted .git dirs
  upload-pack: disable lazy-fetching by default
  ...
</content>
</entry>
<entry>
<title>init.templateDir: consider this config setting protected</title>
<updated>2024-04-19T10:38:24Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-03-29T12:15:32Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=4412a04fe6f7e632269a6668a4f367230ca2c0e0'/>
<id>urn:sha1:4412a04fe6f7e632269a6668a4f367230ca2c0e0</id>
<content type='text'>
The ability to configuring the template directory is a delicate feature:
It allows defining hooks that will be run e.g. during a `git clone`
operation, such as the `post-checkout` hook.

As such, it is of utmost importance that Git would not allow that config
setting to be changed during a `git clone` by mistake, allowing an
attacker a chance for a Remote Code Execution, allowing attackers to run
arbitrary code on unsuspecting users' machines.

As a defense-in-depth measure, to prevent minor vulnerabilities in the
`git clone` code from ballooning into higher-serverity attack vectors,
let's make this a protected setting just like `safe.directory` and
friends, i.e. ignore any `init.templateDir` entries from any local
config.

Note: This does not change the behavior of any recursive clone (modulo
bugs), as the local repository config is not even supposed to be written
while cloning the superproject, except in one scenario: If a config
template is configured that sets the template directory. This might be
done because `git clone --recurse-submodules --template=&lt;directory&gt;`
does not pass that template directory on to the submodules'
initialization.

Another scenario where this commit changes behavior is where
repositories are _not_ cloned recursively, and then some (intentional,
benign) automation configures the template directory to be used before
initializing the submodules.

So the caveat is that this could theoretically break existing processes.

In both scenarios, there is a way out, though: configuring the template
directory via the environment variable `GIT_TEMPLATE_DIR`.

This change in behavior is a trade-off between security and
backwards-compatibility that is struck in favor of security.

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>init: refactor the template directory discovery into its own function</title>
<updated>2024-04-17T20:30:10Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-03-29T10:45:01Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=df93e407f0618e4a8265ac619dc7f4c7005155bc'/>
<id>urn:sha1:df93e407f0618e4a8265ac619dc7f4c7005155bc</id>
<content type='text'>
We will need to call this function from `hook.c` to be able to prevent
hooks from running that were written as part of a `clone` but did not
originate from the template directory.

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>fetch/clone: detect dubious ownership of local repositories</title>
<updated>2024-04-17T20:29:54Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-04-10T12:39:37Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=f4aa8c8bb11dae6e769cd930565173808cbb69c8'/>
<id>urn:sha1:f4aa8c8bb11dae6e769cd930565173808cbb69c8</id>
<content type='text'>
When cloning from somebody else's repositories, it is possible that,
say, the `upload-pack` command is overridden in the repository that is
about to be cloned, which would then be run in the user's context who
started the clone.

To remind the user that this is a potentially unsafe operation, let's
extend the ownership checks we have already established for regular
gitdir discovery to extend also to local repositories that are about to
be cloned.

This protection extends also to file:// URLs.

The fixes in this commit address CVE-2024-32004.

Note: This commit does not touch the `fetch`/`clone` code directly, but
instead the function used implicitly by both: `enter_repo()`. This
function is also used by `git receive-pack` (i.e. pushes), by `git
upload-archive`, by `git daemon` and by `git http-backend`. In setups
that want to serve repositories owned by different users than the
account running the service, this will require `safe.*` settings to be
configured accordingly.

Also note: there are tiny time windows where a time-of-check-time-of-use
("TOCTOU") race is possible. The real solution to those would be to work
with `fstat()` and `openat()`. However, the latter function is not
available on Windows (and would have to be emulated with rather
expensive low-level `NtCreateFile()` calls), and the changes would be
quite extensive, for my taste too extensive for the little gain given
that embargoed releases need to pay extra attention to avoid introducing
inadvertent bugs.

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>Merge branch 'en/header-cleanup' into maint-2.43</title>
<updated>2024-02-09T00:22:10Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2024-02-09T00:22:10Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=0f7a10a3aad344a28f0f30b32a979925a9629533'/>
<id>urn:sha1:0f7a10a3aad344a28f0f30b32a979925a9629533</id>
<content type='text'>
Remove unused header "#include".

* en/header-cleanup:
  treewide: remove unnecessary includes in source files
  treewide: add direct includes currently only pulled in transitively
  trace2/tr2_tls.h: remove unnecessary include
  submodule-config.h: remove unnecessary include
  pkt-line.h: remove unnecessary include
  line-log.h: remove unnecessary include
  http.h: remove unnecessary include
  fsmonitor--daemon.h: remove unnecessary includes
  blame.h: remove unnecessary includes
  archive.h: remove unnecessary include
  treewide: remove unnecessary includes in source files
  treewide: remove unnecessary includes from header files
</content>
</entry>
<entry>
<title>Merge branch 'kl/allow-working-in-dot-git-in-non-bare-repository'</title>
<updated>2024-01-30T21:34:12Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2024-01-30T21:34:12Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=a8bf3c0cac802487f308f5986620723ee3c27969'/>
<id>urn:sha1:a8bf3c0cac802487f308f5986620723ee3c27969</id>
<content type='text'>
The "disable repository discovery of a bare repository" check,
triggered by setting safe.bareRepository configuration variable to
'explicit', has been loosened to exclude the ".git/" directory inside
a non-bare repository from the check.  So you can do "cd .git &amp;&amp;
git cmd" to run a Git command that works on a bare repository without
explicitly specifying $GIT_DIR now.

* kl/allow-working-in-dot-git-in-non-bare-repository:
  setup: allow cwd=.git w/ bareRepository=explicit
</content>
</entry>
<entry>
<title>Merge branch 'ps/worktree-refdb-initialization'</title>
<updated>2024-01-26T16:54:46Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2024-01-26T16:54:46Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=dc8ce995a2ad203ffb5ef335682b64da955e645a'/>
<id>urn:sha1:dc8ce995a2ad203ffb5ef335682b64da955e645a</id>
<content type='text'>
Instead of manually creating refs/ hierarchy on disk upon a
creation of a secondary worktree, which is only usable via the
files backend, use the refs API to populate it.

* ps/worktree-refdb-initialization:
  builtin/worktree: create refdb via ref backend
  worktree: expose interface to look up worktree by name
  builtin/worktree: move setup of commondir file earlier
  refs/files: skip creation of "refs/{heads,tags}" for worktrees
  setup: move creation of "refs/" into the files backend
  refs: prepare `refs_init_db()` for initializing worktree refs
</content>
</entry>
</feed>
