<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/t, branch v2.32.7</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.32.7</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.32.7'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2023-04-17T19:15:49Z</updated>
<entry>
<title>Sync with 2.31.8</title>
<updated>2023-04-17T19:15:49Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2023-03-11T18:24:34Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=31f7fe5e34612b4b8af3918d0b0cf2ea2545c2c4'/>
<id>urn:sha1:31f7fe5e34612b4b8af3918d0b0cf2ea2545c2c4</id>
<content type='text'>
* maint-2.31: (25 commits)
  Git 2.31.8
  tests: avoid using `test_i18ncmp`
  Git 2.30.9
  gettext: avoid using gettext if the locale dir is not present
  apply --reject: overwrite existing `.rej` symlink if it exists
  http.c: clear the 'finished' member once we are done with it
  clone.c: avoid "exceeds maximum object size" error with GCC v12.x
  range-diff: use ssize_t for parsed "len" in read_patches()
  range-diff: handle unterminated lines in read_patches()
  range-diff: drop useless "offset" variable from read_patches()
  t5604: GETTEXT_POISON fix, conclusion
  t5604: GETTEXT_POISON fix, part 1
  t5619: GETTEXT_POISON fix
  t0003: GETTEXT_POISON fix, conclusion
  t0003: GETTEXT_POISON fix, part 1
  t0033: GETTEXT_POISON fix
  http: support CURLOPT_PROTOCOLS_STR
  http: prefer CURLOPT_SEEKFUNCTION to CURLOPT_IOCTLFUNCTION
  http-push: prefer CURLOPT_UPLOAD to CURLOPT_PUT
  ci: install python on ubuntu
  ci: use the same version of p4 on both Linux and macOS
  ...
</content>
</entry>
<entry>
<title>tests: avoid using `test_i18ncmp`</title>
<updated>2023-04-17T19:15:45Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2023-03-11T17:02:04Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=92957d84271d8a54604df0a78c4318485c607ef6'/>
<id>urn:sha1:92957d84271d8a54604df0a78c4318485c607ef6</id>
<content type='text'>
Since `test_i18ncmp` was deprecated in v2.31.*, the instances added in
v2.30.9 needed to be converted to `test_cmp` calls.

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>Sync with 2.30.9</title>
<updated>2023-04-17T19:15:44Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2023-03-11T16:54:13Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=b524e896b64f90086d913eebccaff3cd76f96dee'/>
<id>urn:sha1:b524e896b64f90086d913eebccaff3cd76f96dee</id>
<content type='text'>
* maint-2.30: (23 commits)
  Git 2.30.9
  gettext: avoid using gettext if the locale dir is not present
  apply --reject: overwrite existing `.rej` symlink if it exists
  http.c: clear the 'finished' member once we are done with it
  clone.c: avoid "exceeds maximum object size" error with GCC v12.x
  range-diff: use ssize_t for parsed "len" in read_patches()
  range-diff: handle unterminated lines in read_patches()
  range-diff: drop useless "offset" variable from read_patches()
  t5604: GETTEXT_POISON fix, conclusion
  t5604: GETTEXT_POISON fix, part 1
  t5619: GETTEXT_POISON fix
  t0003: GETTEXT_POISON fix, conclusion
  t0003: GETTEXT_POISON fix, part 1
  t0033: GETTEXT_POISON fix
  http: support CURLOPT_PROTOCOLS_STR
  http: prefer CURLOPT_SEEKFUNCTION to CURLOPT_IOCTLFUNCTION
  http-push: prefer CURLOPT_UPLOAD to CURLOPT_PUT
  ci: install python on ubuntu
  ci: use the same version of p4 on both Linux and macOS
  ci: remove the pipe after "p4 -V" to catch errors
  github-actions: run gcc-8 on ubuntu-20.04 image
  ...
</content>
</entry>
<entry>
<title>Merge branch 'tb/config-copy-or-rename-in-file-injection'</title>
<updated>2023-04-17T19:15:42Z</updated>
<author>
<name>Taylor Blau</name>
<email>me@ttaylorr.com</email>
</author>
<published>2023-04-14T15:46:59Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=528290f8c61222433a8cf02fb7cfffa8438432b4'/>
<id>urn:sha1:528290f8c61222433a8cf02fb7cfffa8438432b4</id>
<content type='text'>
Avoids issues with renaming or deleting sections with long lines, where
configuration values may be interpreted as sections, leading to
configuration injection. Addresses CVE-2023-29007.

* tb/config-copy-or-rename-in-file-injection:
  config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
  config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
  config: avoid fixed-sized buffer when renaming/deleting a section
  t1300: demonstrate failure when renaming sections with long lines

Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
</content>
</entry>
<entry>
<title>config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`</title>
<updated>2023-04-17T19:15:40Z</updated>
<author>
<name>Taylor Blau</name>
<email>me@ttaylorr.com</email>
</author>
<published>2023-04-12T23:18:28Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a'/>
<id>urn:sha1:3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a</id>
<content type='text'>
As a defense-in-depth measure to guard against any potentially-unknown
buffer overflows in `copy_or_rename_section_in_file()`, refuse to work
with overly-long lines in a gitconfig.

Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
Signed-off-by: Johannes Schindelin &lt;Johannes.Schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>config: avoid fixed-sized buffer when renaming/deleting a section</title>
<updated>2023-04-17T19:15:40Z</updated>
<author>
<name>Taylor Blau</name>
<email>me@ttaylorr.com</email>
</author>
<published>2023-04-06T18:07:58Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=a5bb10fd5e74101e7c07da93e7c32bbe60f6173a'/>
<id>urn:sha1:a5bb10fd5e74101e7c07da93e7c32bbe60f6173a</id>
<content type='text'>
When renaming (or deleting) a section of configuration, Git uses the
function `git_config_copy_or_rename_section_in_file()` to rewrite the
configuration file after applying the rename or deletion to the given
section.

To do this, Git repeatedly calls `fgets()` to read the existing
configuration data into a fixed size buffer.

When the configuration value under `old_name` exceeds the size of the
buffer, we will call `fgets()` an additional time even if there is no
newline in the configuration file, since our read length is capped at
`sizeof(buf)`.

If the first character of the buffer (after zero or more characters
satisfying `isspace()`) is a '[', Git will incorrectly treat it as
beginning a new section when the original section is being removed. In
other words, a configuration value satisfying this criteria can
incorrectly be considered as a new secftion instead of a variable in the
original section.

Avoid this issue by using a variable-width buffer in the form of a
strbuf rather than a fixed-with region on the stack. A couple of small
points worth noting:

  - Using a strbuf will cause us to allocate arbitrary sizes to match
    the length of each line.  In practice, we don't expect any
    reasonable configuration files to have lines that long, and a
    bandaid will be introduced in a later patch to ensure that this is
    the case.

  - We are using strbuf_getwholeline() here instead of strbuf_getline()
    in order to match `fgets()`'s behavior of leaving the trailing LF
    character on the buffer (as well as a trailing NUL).

    This could be changed later, but using strbuf_getwholeline() changes
    the least about this function's implementation, so it is picked as
    the safest path.

  - It is temping to want to replace the loop to skip over characters
    matching isspace() at the beginning of the buffer with a convenience
    function like `strbuf_ltrim()`. But this is the wrong approach for a
    couple of reasons:

    First, it involves a potentially large and expensive `memmove()`
    which we would like to avoid. Second, and more importantly, we also
    *do* want to preserve those spaces to avoid changing the output of
    other sections.

In all, this patch is a minimal replacement of the fixed-width buffer in
`git_config_copy_or_rename_section_in_file()` to instead use a `struct
strbuf`.

Reported-by: André Baptista &lt;andre@ethiack.com&gt;
Reported-by: Vítor Pinho &lt;vitor@ethiack.com&gt;
Helped-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Co-authored-by: Johannes Schindelin &lt;Johannes.Schindelin@gmx.de&gt;
Signed-off-by: Johannes Schindelin &lt;Johannes.Schindelin@gmx.de&gt;
Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
</content>
</entry>
<entry>
<title>t1300: demonstrate failure when renaming sections with long lines</title>
<updated>2023-04-17T19:15:39Z</updated>
<author>
<name>Taylor Blau</name>
<email>me@ttaylorr.com</email>
</author>
<published>2023-04-06T15:42:03Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=29198213c9163c1d552ee2bdbf78d2b09ccc98b8'/>
<id>urn:sha1:29198213c9163c1d552ee2bdbf78d2b09ccc98b8</id>
<content type='text'>
When renaming a configuration section which has an entry whose length
exceeds the size of our buffer in config.c's implementation of
`git_config_copy_or_rename_section_in_file()`, Git will incorrectly
form a new configuration section with part of the data in the section
being removed.

In this instance, our first configuration file looks something like:

    [b]
      c = d &lt;spaces&gt; [a] e = f
    [a]
      g = h

Here, we have two configuration values, "b.c", and "a.g". The value "[a]
e = f" belongs to the configuration value "b.c", and does not form its
own section.

However, when renaming the section 'a' to 'xyz', Git will write back
"[xyz]\ne = f", but "[xyz]" is still attached to the value of "b.c",
which is why "e = f" on its own line becomes a new entry called "b.e".

A slightly different example embeds the section being renamed within
another section.

Demonstrate this failure in a test in t1300, which we will fix in the
following commit.

Co-authored-by: Johannes Schindelin &lt;Johannes.Schindelin@gmx.de&gt;
Helped-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Johannes Schindelin &lt;Johannes.Schindelin@gmx.de&gt;
Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
</content>
</entry>
<entry>
<title>apply --reject: overwrite existing `.rej` symlink if it exists</title>
<updated>2023-04-17T19:15:38Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2023-03-09T15:02:54Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=9db05711c98efc14f414d4c87135a34c13586e0b'/>
<id>urn:sha1:9db05711c98efc14f414d4c87135a34c13586e0b</id>
<content type='text'>
The `git apply --reject` is expected to write out `.rej` files in case
one or more hunks fail to apply cleanly. Historically, the command
overwrites any existing `.rej` files. The idea being that
apply/reject/edit cycles are relatively common, and the generated `.rej`
files are not considered precious.

But the command does not overwrite existing `.rej` symbolic links, and
instead follows them. This is unsafe because the same patch could
potentially create such a symbolic link and point at arbitrary paths
outside the current worktree, and `git apply` would write the contents
of the `.rej` file into that location.

Therefore, let's make sure that any existing `.rej` file or symbolic
link is removed before writing it.

Reported-by: RyotaK &lt;ryotak.mail@gmail.com&gt;
Helped-by: Taylor Blau &lt;me@ttaylorr.com&gt;
Helped-by: Junio C Hamano &lt;gitster@pobox.com&gt;
Helped-by: Linus Torvalds &lt;torvalds@linuxfoundation.org&gt;
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>t5604: GETTEXT_POISON fix, conclusion</title>
<updated>2023-03-12T19:31:56Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2023-03-09T21:54:32Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=0c8d22abaf155d97a0efd04bae9fcdad1de7956e'/>
<id>urn:sha1:0c8d22abaf155d97a0efd04bae9fcdad1de7956e</id>
<content type='text'>
In fade728df122 (apply: fix writing behind newly created symbolic links,
2023-02-02), we backported a patch onto v2.30.* that was originally
based on a much newer version. The v2.30.* release train still has the
GETTEXT_POISON CI job, though, and hence needs `test_i18n*` in its
tests.

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>t5604: GETTEXT_POISON fix, part 1</title>
<updated>2023-03-12T19:31:56Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2023-03-09T21:55:40Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=7c811ed5e55553769f0077ddf026ef17061bd8bd'/>
<id>urn:sha1:7c811ed5e55553769f0077ddf026ef17061bd8bd</id>
<content type='text'>
In bffc762f87ae (dir-iterator: prevent top-level symlinks without
FOLLOW_SYMLINKS, 2023-01-24), we backported a patch onto v2.30.* that
was originally based on a much newer version. The v2.30.* release train
still has the GETTEXT_POISON CI job, though, and hence needs
`test_i18n*` in its tests.

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
</feed>
