Mirror of https://git.kernel.org/pub/scm/git/git.git/ https://git.shady.money/git/atom?h=v2.50.0 2025-02-07T17:59:21Z 2025-02-07T17:59:21Z Patrick Steinhardt ps@pks.im 2025-02-07T11:03:29Z urn:sha1:f9467895d884908d5588fc920997b2e53dfb3302 The `submodule_to_gitdir()` function implicitly uses `the_repository` to resolve submodule paths. Refactor the function to instead accept a repo as parameter to remove the dependency on global state. Signed-off-by: Patrick Steinhardt <ps@pks.im> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2024-09-27T15:25:34Z Patrick Steinhardt ps@pks.im 2024-09-26T11:46:08Z urn:sha1:2e492f2047748cf70350d503214ef89f1110ee82 We're not freeing the submodule update strategy command. Provide a helper function that does this for us and call it in `update_data_release()`. Signed-off-by: Patrick Steinhardt <ps@pks.im> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2024-04-19T10:38:37Z Johannes Schindelin johannes.schindelin@gmx.de 2024-04-12T07:45:28Z urn:sha1:93a88f42db7ed9a975768df0e5f4516317c50dda * maint-2.39: (38 commits) Git 2.39.4 fsck: warn about symlink pointing inside a gitdir core.hooksPath: add some protection while cloning init.templateDir: consider this config setting protected clone: prevent hooks from running during a clone Add a helper function to compare file contents init: refactor the template directory discovery into its own function find_hook(): refactor the `STRIP_EXTENSION` logic clone: when symbolic links collide with directories, keep the latter entry: report more colliding paths t5510: verify that D/F confusion cannot lead to an RCE submodule: require the submodule path to contain directories only clone_submodule: avoid using `access()` on directories submodules: submodule paths must not contain symlinks clone: prevent clashing git dirs when cloning submodule in parallel t7423: add tests for symlinked submodule directories has_dir_name(): do not get confused by characters < '/' docs: document security issues around untrusted .git dirs upload-pack: disable lazy-fetching by default fetch/clone: detect dubious ownership of local repositories ... 2024-04-17T20:30:04Z Johannes Schindelin johannes.schindelin@gmx.de 2024-03-26T13:37:25Z urn:sha1:e8d0608944486019ea0e1ed2ed29776811a565c2 Submodules are stored in subdirectories of their superproject. When these subdirectories have been replaced with symlinks by a malicious actor, all kinds of mayhem can be caused. This _should_ not be possible, but many CVEs in the past showed that _when_ possible, it allows attackers to slip in code that gets executed during, say, a `git clone --recursive` operation. Let's add some defense-in-depth to disallow submodule paths to have anything except directories in them. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> 2022-12-26T01:21:44Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2022-12-20T12:39:56Z urn:sha1:4002ec3dcf0f89db46fbdf56549218c573a9c0f2 The "--super-prefix" option to "git" was initially added in [1] for use with "ls-files"[2], and shortly thereafter "submodule--helper"[3] and "grep"[4]. It wasn't until [5] that "read-tree" made use of it. At the time [5] made sense, but since then we've made "ls-files" recurse in-process in [6], "grep" in [7], and finally "submodule--helper" in the preceding commits. Let's also remove it from "read-tree", which allows us to remove the option to "git" itself. We can do this because the only remaining user of it is the submodule API, which will now invoke "read-tree" with its new "--super-prefix" option. It will only do so when the "submodule_move_head()" function is called. That "submodule_move_head()" function was then only invoked by "read-tree" itself, but now rather than setting an environment variable to pass "--super-prefix" between cmd_read_tree() we: - Set a new "super_prefix" in "struct unpack_trees_options". The "super_prefixed()" function in "unpack-trees.c" added in [5] will now use this, rather than get_super_prefix() looking up the environment variable we set earlier in the same process. - Add the same field to the "struct checkout", which is only needed to ferry the "super_prefix" in the "struct unpack_trees_options" all the way down to the "entry.c" callers of "submodule_move_head()". Those calls which used the super prefix all originated in "cmd_read_tree()". The only other caller is the "unlink_entry()" caller in "builtin/checkout.c", which now passes a "NULL". 1. 74866d75793 (git: make super-prefix option, 2016-10-07) 2. e77aa336f11 (ls-files: optionally recurse into submodules, 2016-10-07) 3. 89c86265576 (submodule helper: support super prefix, 2016-12-08) 4. 0281e487fd9 (grep: optionally recurse into submodules, 2016-12-16) 5. 3d415425c7b (unpack-trees: support super-prefix option, 2017-01-17) 6. 188dce131fa (ls-files: use repository object, 2017-06-22) 7. f9ee2fcdfa0 (grep: recurse in-process using 'struct repository', 2017-08-02) Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-12-26T01:21:43Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2022-12-20T12:39:50Z urn:sha1:f0a5e5ad57ae729d9971bdb6bdaa82c1d85bd062 Start passing the "super_prefix" along as a parameter to get_submodule_displaypath() and absorb_git_dir_into_superproject(), rather than get the value directly as a global. This is in preparation for subsequent commits, where we'll gradually phase out get_super_prefix() for an alternative way of getting the "super_prefix". Most of the users of this get a get_super_prefix() value, either directly or by indirection. The exceptions are: - builtin/rm.c: Doesn't declare SUPPORT_SUPER_PREFIX, so we'd have died if this was provided, so it's safe to pass "NULL". - deinit_submodule(): The "deinit_submodule()" function has never been able to use the "git -super-prefix". It will call "absorb_git_dir_into_superproject()", but it will only do so from the top-level project. If "absorbgitdirs" recurses will use the "path" passed to "absorb_git_dir_into_superproject()" in "deinit_submodule()" as its starting "--super-prefix". So we can safely remove the get_super_prefix() call here, and pass NULL instead. Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-11-08T19:55:30Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2022-11-08T14:10:37Z urn:sha1:82ff87789bdd972c9746ec184ae9464e58c8d29b Remove the "----recursive" option to "git submodule--helper absorbgitdirs" (yes, with 4 dashes, not 2). This option and all the "else" when "flags & ABSORB_GITDIR_RECURSE_SUBMODULES" is false has never been used since it was added in f6f85861400 (submodule: add absorb-git-dir function, 2016-12-12), which we'd have had to do as "----recursive", a "--recursive" would have errored out. It would be nice to follow-up with an optbug() assertion to parse-options.c for such funnily named options, I manually validated that this was the only long option whose name started with "-", but let's skip adding such an assertion for now. Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Taylor Blau <me@ttaylorr.com> 2022-09-02T16:16:24Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2022-08-31T23:18:05Z urn:sha1:b9dd63ffe2842fe676f54d4d5f8f06bc04c6dd8b Change the submodule_strategy_to_string() function added in 3604242f080 (submodule: port init from shell to C, 2016-04-15) to really return a "const char *". In the "SM_UPDATE_COMMAND" case it would return a strbuf_detach(). Furthermore, this function would return NULL on SM_UPDATE_UNSPECIFIED, so it wasn't safe to xstrdup() its return value in the general case, or to use it in a sprintf() format as the code removed in the preceding commit did. But its callers would never call it with either SM_UPDATE_UNSPECIFIED or SM_UPDATE_COMMAND. Let's have its behavior reflect how its only user expects it to behave, and BUG() out on the rest. By doing this we can also stop needlessly xstrdup()-ing and free()-ing the memory for the config we're setting. We can instead always use constant strings. We can also use the *_tmp() variant of git_config_get_string(). Let's also rename this submodule_strategy_to_string() function to submodule_update_type_to_string(). Now that it's only tasked with returning a string version of the "enum submodule_update_type type". Before it would look at the "command" field in "struct submodule_update_strategy". Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Reviewed-by: Glen Choo <chooglen@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-06-10T22:04:13Z Junio C Hamano gitster@pobox.com 2022-06-10T22:04:13Z urn:sha1:c21fa3bb549a7769f9d508f0a5f95c654539e1f7 Rename .env_array member to .env in the child_process structure. * ab/env-array: run-command API users: use "env" not "env_array" in comments & names run-command API: rename "env_array" to "env" 2022-06-02T21:31:27Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2022-06-02T09:09:51Z urn:sha1:b3193252c4278e9039fbb896a35f84abc1fb5aac Follow-up on a preceding commit which changed all references to the "env_array" when referring to the "struct child_process" member. These changes are all unnecessary for the compiler, but help the code's human readers. All the comments that referred to "env_array" have now been updated, as well as function names and variables that had "env_array" in their name, they now refer to "env". In addition the "out" name for the submodule.h prototype was inconsistent with the function definition's use of "env_array" in submodule.c. Both of them use "env" now. Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>