<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/submodule-config.c, branch v2.44.4</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.44.4</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.44.4'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2024-01-26T16:54:47Z</updated>
<entry>
<title>Merge branch 'vd/fsck-submodule-url-test'</title>
<updated>2024-01-26T16:54:47Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2024-01-26T16:54:47Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=76bd1294d8ed21d2d7e8d35220a0e820969c5ee8'/>
<id>urn:sha1:76bd1294d8ed21d2d7e8d35220a0e820969c5ee8</id>
<content type='text'>
Tighten URL checks fsck makes in a URL recorded for submodules.

* vd/fsck-submodule-url-test:
  submodule-config.c: strengthen URL fsck check
  t7450: test submodule urls
  test-submodule: remove command line handling for check-name
  submodule-config.h: move check_submodule_url
</content>
</entry>
<entry>
<title>submodule-config.c: strengthen URL fsck check</title>
<updated>2024-01-19T18:15:41Z</updated>
<author>
<name>Victoria Dye</name>
<email>vdye@github.com</email>
</author>
<published>2024-01-18T01:55:18Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=8430b438f628f2f0df08622a550e750158167f28'/>
<id>urn:sha1:8430b438f628f2f0df08622a550e750158167f28</id>
<content type='text'>
Update the validation of "curl URL" submodule URLs (i.e. those that specify
an "http[s]" or "ftp[s]" protocol) in 'check_submodule_url()' to catch more
invalid URLs. The existing validation using 'credential_from_url_gently()'
parses certain URLs incorrectly, leading to invalid submodule URLs passing
'git fsck' checks. Conversely, 'url_normalize()' - used to validate remote
URLs in 'remote_get()' - correctly identifies the invalid URLs missed by
'credential_from_url_gently()'.

To catch more invalid cases, replace 'credential_from_url_gently()' with
'url_normalize()' followed by a 'url_decode()' and a check for newlines
(mirroring 'check_url_component()' in the 'credential_from_url_gently()'
validation).

Signed-off-by: Victoria Dye &lt;vdye@github.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>submodule-config.h: move check_submodule_url</title>
<updated>2024-01-18T18:12:48Z</updated>
<author>
<name>Victoria Dye</name>
<email>vdye@github.com</email>
</author>
<published>2024-01-18T01:55:15Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=13320ff610b4083341175c4f8e636a1bc52145f5'/>
<id>urn:sha1:13320ff610b4083341175c4f8e636a1bc52145f5</id>
<content type='text'>
Move 'check_submodule_url' out of 'fsck.c' and into 'submodule-config.h' as
a public method, similar to 'check_submodule_name'. With the function now
accessible outside of 'fsck', it can be used in a later commit to extend
'test-tool submodule' to check the validity of submodule URLs as it does
with names in the 'check-name' subcommand.

Other than its location, no changes are made to 'check_submodule_url' in
this patch.

Signed-off-by: Victoria Dye &lt;vdye@github.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>submodule: handle NULL value when parsing submodule.*.branch</title>
<updated>2023-12-08T23:24:47Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2023-12-07T07:11:29Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=34b1a0d320e3a1531997d6681bacffbe9da7a046'/>
<id>urn:sha1:34b1a0d320e3a1531997d6681bacffbe9da7a046</id>
<content type='text'>
We record the submodule branch config value as a string, so config that
uses an implicit bool like:

  [submodule "foo"]
  branch

will cause us to segfault. Note that unlike most other config-parsing
bugs of this class, this can be triggered by parsing a bogus .gitmodules
file (which we might do after cloning a malicious repository).

I don't think the security implications are important, though. It's
always a strict NULL dereference, not an out-of-bounds read or write. So
we should reliably kill the process. That may be annoying, but the
impact is limited to the attacker preventing the victim from
successfully using "git clone --recurse-submodules", etc, on the
malicious repo.

The "branch" entry is the only one with this problem; other strings like
"path" and "url" already check for NULL.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'cw/compat-util-header-cleanup'</title>
<updated>2023-07-17T18:30:42Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2023-07-17T18:30:42Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=ce481ac8b31c9061eeecd1ba0d7174b621f96632'/>
<id>urn:sha1:ce481ac8b31c9061eeecd1ba0d7174b621f96632</id>
<content type='text'>
Further shuffling of declarations across header files to streamline
file dependencies.

* cw/compat-util-header-cleanup:
  git-compat-util: move alloc macros to git-compat-util.h
  treewide: remove unnecessary includes for wrapper.h
  kwset: move translation table from ctype
  sane-ctype.h: create header for sane-ctype macros
  git-compat-util: move wrapper.c funcs to its header
  git-compat-util: move strbuf.c funcs to its header
</content>
</entry>
<entry>
<title>Merge branch 'gc/config-context'</title>
<updated>2023-07-06T18:54:48Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2023-07-06T18:54:48Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=b3d1c85d4833aef546f11e4d37516a1ececaefc3'/>
<id>urn:sha1:b3d1c85d4833aef546f11e4d37516a1ececaefc3</id>
<content type='text'>
Reduce reliance on a global state in the config reading API.

* gc/config-context:
  config: pass source to config_parser_event_fn_t
  config: add kvi.path, use it to evaluate includes
  config.c: remove config_reader from configsets
  config: pass kvi to die_bad_number()
  trace2: plumb config kvi
  config.c: pass ctx with CLI config
  config: pass ctx with config files
  config.c: pass ctx in configsets
  config: add ctx arg to config_fn_t
  urlmatch.h: use config_fn_t type
  config: inline git_color_default_config
</content>
</entry>
<entry>
<title>git-compat-util: move alloc macros to git-compat-util.h</title>
<updated>2023-07-05T18:42:31Z</updated>
<author>
<name>Calvin Wan</name>
<email>calvinwan@google.com</email>
</author>
<published>2023-07-05T17:09:24Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=91c080dff511b7a81f91d1cc79589b49e16a2b7a'/>
<id>urn:sha1:91c080dff511b7a81f91d1cc79589b49e16a2b7a</id>
<content type='text'>
alloc_nr, ALLOC_GROW, and ALLOC_GROW_BY are commonly used macros for
dynamic array allocation. Moving these macros to git-compat-util.h with
the other alloc macros focuses alloc.[ch] to allocation for Git objects
and additionally allows us to remove inclusions to alloc.h from files
that solely used the above macros.

Signed-off-by: Calvin Wan &lt;calvinwan@google.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>config: pass kvi to die_bad_number()</title>
<updated>2023-06-28T21:06:40Z</updated>
<author>
<name>Glen Choo</name>
<email>chooglen@google.com</email>
</author>
<published>2023-06-28T19:26:27Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=8868b1ebfb8274a3ef90e1ba69ed45be94f6c3fb'/>
<id>urn:sha1:8868b1ebfb8274a3ef90e1ba69ed45be94f6c3fb</id>
<content type='text'>
Plumb "struct key_value_info" through all code paths that end in
die_bad_number(), which lets us remove the helper functions that read
analogous values from "struct config_reader". As a result, nothing reads
config_reader.config_kvi any more, so remove that too.

In config.c, this requires changing the signature of
git_configset_get_value() to 'return' "kvi" in an out parameter so that
git_configset_get_&lt;type&gt;() can pass it to git_config_&lt;type&gt;(). Only
numeric types will use "kvi", so for non-numeric types (e.g.
git_configset_get_string()), pass NULL to indicate that the out
parameter isn't needed.

Outside of config.c, config callbacks now need to pass "ctx-&gt;kvi" to any
of the git_config_&lt;type&gt;() functions that parse a config string into a
number type. Included is a .cocci patch to make that refactor.

The only exceptional case is builtin/config.c, where git_config_&lt;type&gt;()
is called outside of a config callback (namely, on user-provided input),
so config source information has never been available. In this case,
die_bad_number() defaults to a generic, but perfectly descriptive
message. Let's provide a safe, non-NULL for "kvi" anyway, but make sure
not to change the message.

Signed-off-by: Glen Choo &lt;chooglen@google.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>config: pass ctx with config files</title>
<updated>2023-06-28T21:06:39Z</updated>
<author>
<name>Glen Choo</name>
<email>chooglen@google.com</email>
</author>
<published>2023-06-28T19:26:24Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=809d868061c5e55e9b3bd59a4118628318eb46e9'/>
<id>urn:sha1:809d868061c5e55e9b3bd59a4118628318eb46e9</id>
<content type='text'>
Pass config_context to config_callbacks when parsing config files. To
provide the .kvi member, refactor out the configset logic that caches
"struct config_source" and "enum config_scope" as a "struct
key_value_info". Make the "enum config_scope" available to the config
file machinery by plumbing an additional arg through
git_config_from_file_with_options().

We do not exercise ctx yet because the remaining current_config_*()
callers may be used with config_with_options(), which may read config
from parameters, but parameters don't pass ctx yet.

Signed-off-by: Glen Choo &lt;chooglen@google.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>config: add ctx arg to config_fn_t</title>
<updated>2023-06-28T21:06:39Z</updated>
<author>
<name>Glen Choo</name>
<email>chooglen@google.com</email>
</author>
<published>2023-06-28T19:26:22Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=a4e7e317f8f27f861321e6eb08b9c8c0f3ab570c'/>
<id>urn:sha1:a4e7e317f8f27f861321e6eb08b9c8c0f3ab570c</id>
<content type='text'>
Add a new "const struct config_context *ctx" arg to config_fn_t to hold
additional information about the config iteration operation.
config_context has a "struct key_value_info kvi" member that holds
metadata about the config source being read (e.g. what kind of config
source it is, the filename, etc). In this series, we're only interested
in .kvi, so we could have just used "struct key_value_info" as an arg,
but config_context makes it possible to add/adjust members in the future
without changing the config_fn_t signature. We could also consider other
ways of organizing the args (e.g. moving the config name and value into
config_context or key_value_info), but in my experiments, the
incremental benefit doesn't justify the added complexity (e.g. a
config_fn_t will sometimes invoke another config_fn_t but with a
different config value).

In subsequent commits, the .kvi member will replace the global "struct
config_reader" in config.c, making config iteration a global-free
operation. It requires much more work for the machinery to provide
meaningful values of .kvi, so for now, merely change the signature and
call sites, pass NULL as a placeholder value, and don't rely on the arg
in any meaningful way.

Most of the changes are performed by
contrib/coccinelle/config_fn_ctx.pending.cocci, which, for every
config_fn_t:

- Modifies the signature to accept "const struct config_context *ctx"
- Passes "ctx" to any inner config_fn_t, if needed
- Adds UNUSED attributes to "ctx", if needed

Most config_fn_t instances are easily identified by seeing if they are
called by the various config functions. Most of the remaining ones are
manually named in the .cocci patch. Manual cleanups are still needed,
but the majority of it is trivial; it's either adjusting config_fn_t
that the .cocci patch didn't catch, or adding forward declarations of
"struct config_context ctx" to make the signatures make sense.

The non-trivial changes are in cases where we are invoking a config_fn_t
outside of config machinery, and we now need to decide what value of
"ctx" to pass. These cases are:

- trace2/tr2_cfg.c:tr2_cfg_set_fl()

  This is indirectly called by git_config_set() so that the trace2
  machinery can notice the new config values and update its settings
  using the tr2 config parsing function, i.e. tr2_cfg_cb().

- builtin/checkout.c:checkout_main()

  This calls git_xmerge_config() as a shorthand for parsing a CLI arg.
  This might be worth refactoring away in the future, since
  git_xmerge_config() can call git_default_config(), which can do much
  more than just parsing.

Handle them by creating a KVI_INIT macro that initializes "struct
key_value_info" to a reasonable default, and use that to construct the
"ctx" arg.

Signed-off-by: Glen Choo &lt;chooglen@google.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
