<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/t, branch v2.3.10</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.3.10</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.3.10'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2015-09-25T22:32:28Z</updated>
<entry>
<title>http: limit redirection depth</title>
<updated>2015-09-25T22:32:28Z</updated>
<author>
<name>Blake Burkhart</name>
<email>bburky@bburky.com</email>
</author>
<published>2015-09-22T22:06:20Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=b258116462399b318c86165c61a5c7123043cfd4'/>
<id>urn:sha1:b258116462399b318c86165c61a5c7123043cfd4</id>
<content type='text'>
By default, libcurl will follow circular http redirects
forever. Let's put a cap on this so that somebody who can
trigger an automated fetch of an arbitrary repository (e.g.,
for CI) cannot convince git to loop infinitely.

The value chosen is 20, which is the same default that
Firefox uses.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>http: limit redirection to protocol-whitelist</title>
<updated>2015-09-25T22:30:39Z</updated>
<author>
<name>Blake Burkhart</name>
<email>bburky@bburky.com</email>
</author>
<published>2015-09-22T22:06:04Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=f4113cac0c88b4f36ee6f3abf3218034440a68e3'/>
<id>urn:sha1:f4113cac0c88b4f36ee6f3abf3218034440a68e3</id>
<content type='text'>
Previously, libcurl would follow redirection to any protocol
it was compiled for support with. This is desirable to allow
redirection from HTTP to HTTPS. However, it would even
successfully allow redirection from HTTP to SFTP, a protocol
that git does not otherwise support at all. Furthermore
git's new protocol-whitelisting could be bypassed by
following a redirect within the remote helper, as it was
only enforced at transport selection time.

This patch limits redirects within libcurl to HTTP, HTTPS,
FTP and FTPS. If there is a protocol-whitelist present, this
list is limited to those also allowed by the whitelist. As
redirection happens from within libcurl, it is impossible
for an HTTP redirect to a protocol implemented within
another remote helper.

When the curl version git was compiled with is too old to
support restrictions on protocol redirection, we warn the
user if GIT_ALLOW_PROTOCOL restrictions were requested. This
is a little inaccurate, as even without that variable in the
environment, we would still restrict SFTP, etc, and we do
not warn in that case. But anything else means we would
literally warn every time git accesses an http remote.

This commit includes a test, but it is not as robust as we
would hope. It redirects an http request to ftp, and checks
that curl complained about the protocol, which means that we
are relying on curl's specific error message to know what
happened. Ideally we would redirect to a working ftp server
and confirm that we can clone without protocol restrictions,
and not with them. But we do not have a portable way of
providing an ftp server, nor any other protocol that curl
supports (https is the closest, but we would have to deal
with certificates).

[jk: added test and version warning]

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>submodule: allow only certain protocols for submodule fetches</title>
<updated>2015-09-23T18:35:48Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2015-09-16T17:13:12Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=33cfccbbf35a56e190b79bdec5c85457c952a021'/>
<id>urn:sha1:33cfccbbf35a56e190b79bdec5c85457c952a021</id>
<content type='text'>
Some protocols (like git-remote-ext) can execute arbitrary
code found in the URL. The URLs that submodules use may come
from arbitrary sources (e.g., .gitmodules files in a remote
repository). Let's restrict submodules to fetching from a
known-good subset of protocols.

Note that we apply this restriction to all submodule
commands, whether the URL comes from .gitmodules or not.
This is more restrictive than we need to be; for example, in
the tests we run:

  git submodule add ext::...

which should be trusted, as the URL comes directly from the
command line provided by the user. But doing it this way is
simpler, and makes it much less likely that we would miss a
case. And since such protocols should be an exception
(especially because nobody who clones from them will be able
to update the submodules!), it's not likely to inconvenience
anyone in practice.

Reported-by: Blake Burkhart &lt;bburky@bburky.com&gt;
Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>transport: add a protocol-whitelist environment variable</title>
<updated>2015-09-23T18:35:48Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2015-09-16T17:12:52Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=a5adaced2e13c135d5d9cc65be9eb95aa3bacedf'/>
<id>urn:sha1:a5adaced2e13c135d5d9cc65be9eb95aa3bacedf</id>
<content type='text'>
If we are cloning an untrusted remote repository into a
sandbox, we may also want to fetch remote submodules in
order to get the complete view as intended by the other
side. However, that opens us up to attacks where a malicious
user gets us to clone something they would not otherwise
have access to (this is not necessarily a problem by itself,
but we may then act on the cloned contents in a way that
exposes them to the attacker).

Ideally such a setup would sandbox git entirely away from
high-value items, but this is not always practical or easy
to set up (e.g., OS network controls may block multiple
protocols, and we would want to enable some but not others).

We can help this case by providing a way to restrict
particular protocols. We use a whitelist in the environment.
This is more annoying to set up than a blacklist, but
defaults to safety if the set of protocols git supports
grows). If no whitelist is specified, we continue to default
to allowing all protocols (this is an "unsafe" default, but
since the minority of users will want this sandboxing
effect, it is the only sensible one).

A note on the tests: ideally these would all be in a single
test file, but the git-daemon and httpd test infrastructure
is an all-or-nothing proposition rather than a test-by-test
prerequisite. By putting them all together, we would be
unable to test the file-local code on machines without
apache.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'mm/usage-log-l-can-take-regex' into maint-2.3</title>
<updated>2015-05-11T21:34:01Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2015-05-11T21:34:01Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=811ce1b47c5486fa3348617d062e2eb4593962a1'/>
<id>urn:sha1:811ce1b47c5486fa3348617d062e2eb4593962a1</id>
<content type='text'>
Documentation fix.

* mm/usage-log-l-can-take-regex:
  log -L: improve error message on malformed argument
  Documentation: change -L:&lt;regex&gt; to -L:&lt;funcname&gt;
</content>
</entry>
<entry>
<title>Merge branch 'jc/diff-no-index-d-f' into maint-2.3</title>
<updated>2015-05-11T21:34:00Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2015-05-11T21:34:00Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=cd0120857b8112258cef72c0f5adb7f8e8df7c1c'/>
<id>urn:sha1:cd0120857b8112258cef72c0f5adb7f8e8df7c1c</id>
<content type='text'>
The usual "git diff" when seeing a file turning into a directory
showed a patchset to remove the file and create all files in the
directory, but "git diff --no-index" simply refused to work.  Also,
when asked to compare a file and a directory, imitate POSIX "diff"
and compare the file with the file with the same name in the
directory, instead of refusing to run.

* jc/diff-no-index-d-f:
  diff-no-index: align D/F handling with that of normal Git
  diff-no-index: DWIM "diff D F" into "diff D/F F"
</content>
</entry>
<entry>
<title>Merge branch 'tb/connect-ipv6-parse-fix' into maint</title>
<updated>2015-04-27T19:23:54Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2015-04-27T19:23:53Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=ad34ad614da30387c82a54c7087705050b4de441'/>
<id>urn:sha1:ad34ad614da30387c82a54c7087705050b4de441</id>
<content type='text'>
An earlier update to the parser that disects a URL broke an
address, followed by a colon, followed by an empty string (instead
of the port number), e.g. ssh://example.com:/path/to/repo.

* tb/connect-ipv6-parse-fix:
  connect.c: ignore extra colon after hostname
</content>
</entry>
<entry>
<title>Merge branch 'jk/test-annoyances' into maint</title>
<updated>2015-04-21T19:12:24Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2015-04-21T19:12:24Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=d3115a35fc29e7a55131a677878e67725d4cc165'/>
<id>urn:sha1:d3115a35fc29e7a55131a677878e67725d4cc165</id>
<content type='text'>
Test fixes.

* jk/test-annoyances:
  t5551: make EXPENSIVE test cheaper
  t5541: move run_with_cmdline_limit to test-lib.sh
  t: pass GIT_TRACE through Apache
  t: redirect stderr GIT_TRACE to descriptor 4
  t: translate SIGINT to an exit
</content>
</entry>
<entry>
<title>log -L: improve error message on malformed argument</title>
<updated>2015-04-20T18:06:10Z</updated>
<author>
<name>Matthieu Moy</name>
<email>Matthieu.Moy@imag.fr</email>
</author>
<published>2015-04-20T12:09:07Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=0269f968b7effea8a4f61f1fb0ac7e9386a9d90c'/>
<id>urn:sha1:0269f968b7effea8a4f61f1fb0ac7e9386a9d90c</id>
<content type='text'>
The old message did not mention the :regex:file form.

To avoid overly long lines, split the message into two lines (in case
item-&gt;string is long, it will be the only part truncated in a narrow
terminal).

Signed-off-by: Matthieu Moy &lt;Matthieu.Moy@imag.fr&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>connect.c: ignore extra colon after hostname</title>
<updated>2015-04-09T04:00:53Z</updated>
<author>
<name>Torsten Bögershausen</name>
<email>tboegi@web.de</email>
</author>
<published>2015-04-07T20:03:25Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=6b6c5f7a2f66751a93afce54277a1f30ab0dc521'/>
<id>urn:sha1:6b6c5f7a2f66751a93afce54277a1f30ab0dc521</id>
<content type='text'>
Ignore an extra ':' at the end of the hostname in URL's like
"ssh://example.com:/path/to/repo"

The colon is meant to separate a port number from the hostname.
If the port is empty, the colon should be ignored, see RFC 3986.

It had been working for URLs with ssh:// scheme, but was unintentionally
broken in 86ceb3, "allow ssh://user@[2001:db8::1]/repo.git"

Reported-by: Reid Woodbury Jr. &lt;reidw@rawsound.com&gt;
Signed-off-by: Torsten Bögershausen &lt;tboegi@web.de&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
