<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/t, branch v2.41.3</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.41.3</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.41.3'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2024-11-26T21:14:57Z</updated>
<entry>
<title>Sync with 2.40.4</title>
<updated>2024-11-26T21:14:57Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-10-29T23:27:52Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=676cddebf94fab8defe704b2f58c5b59912bb40c'/>
<id>urn:sha1:676cddebf94fab8defe704b2f58c5b59912bb40c</id>
<content type='text'>
* maint-2.40:
  Git 2.40.4
  credential: disallow Carriage Returns in the protocol by default
  credential: sanitize the user prompt
  credential_format(): also encode &lt;host&gt;[:&lt;port&gt;]
  t7300: work around platform-specific behaviour with long paths on MinGW
  compat/regex: fix argument order to calloc(3)
  mingw: drop bogus (and unneeded) declaration of `_pgmptr`
  ci: remove 'Upload failed tests' directories' step from linux32 jobs
</content>
</entry>
<entry>
<title>credential: disallow Carriage Returns in the protocol by default</title>
<updated>2024-11-26T19:24:04Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-11-04T13:48:22Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=b01b9b81d36759cdcd07305e78765199e1bc2060'/>
<id>urn:sha1:b01b9b81d36759cdcd07305e78765199e1bc2060</id>
<content type='text'>
While Git has documented that the credential protocol is line-based,
with newlines as terminators, the exact shape of a newline has not been
documented.

From Git's perspective, which is firmly rooted in the Linux ecosystem,
it is clear that "a newline" means a Line Feed character.

However, even Git's credential protocol respects Windows line endings
(a Carriage Return character followed by a Line Feed character, "CR/LF")
by virtue of using `strbuf_getline()`.

There is a third category of line endings that has been used originally
by MacOS, and that is respected by the default line readers of .NET and
node.js: bare Carriage Returns.

Git cannot handle those, and what is worse: Git's remedy against
CVE-2020-5260 does not catch when credential helpers are used that
interpret bare Carriage Returns as newlines.

Git Credential Manager addressed this as CVE-2024-50338, but other
credential helpers may still be vulnerable. So let's not only disallow
Line Feed characters as part of the values in the credential protocol,
but also disallow Carriage Return characters.

In the unlikely event that a credential helper relies on Carriage
Returns in the protocol, introduce an escape hatch via the
`credential.protectProtocol` config setting.

This addresses CVE-2024-52006.

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>credential: sanitize the user prompt</title>
<updated>2024-11-26T19:24:04Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-10-30T12:26:10Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=7725b8100ffbbff2750ee4d61a0fcc1f53a086e8'/>
<id>urn:sha1:7725b8100ffbbff2750ee4d61a0fcc1f53a086e8</id>
<content type='text'>
When asking the user interactively for credentials, we want to avoid
misleading them e.g. via control sequences that pretend that the URL
targets a trusted host when it does not.

While Git learned, over the course of the preceding commits, to disallow
URLs containing URL-encoded control characters by default, credential
helpers are still allowed to specify values very freely (apart from Line
Feed and NUL characters, anything is allowed), and this would allow,
say, a username containing control characters to be specified that would
then be displayed in the interactive terminal prompt asking the user for
the password, potentially sending those control characters directly to
the terminal. This is undesirable because control characters can be used
to mislead users to divulge secret information to untrusted sites.

To prevent such an attack vector, let's add a `git_prompt()` that forces
the displayed text to be sanitized, i.e. displaying question marks
instead of control characters.

Note: While this commit's diff changes a lot of `user@host` strings to
`user%40host`, which may look suspicious on the surface, there is a good
reason for that: this string specifies a user name, not a
&lt;username&gt;@&lt;hostname&gt; combination! In the context of t5541, the actual
combination looks like this: `user%40@127.0.0.1:5541`. Therefore, these
string replacements document a net improvement introduced by this
commit, as `user@host@127.0.0.1` could have left readers wondering where
the user name ends and where the host name begins.

Hinted-at-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>credential_format(): also encode &lt;host&gt;[:&lt;port&gt;]</title>
<updated>2024-11-26T19:24:00Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-11-07T07:57:52Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=c903985bf7e772e2d08275c1a95c8a55ab011577'/>
<id>urn:sha1:c903985bf7e772e2d08275c1a95c8a55ab011577</id>
<content type='text'>
An upcoming change wants to sanitize the credential password prompt
where a URL is displayed that may potentially come from a `.gitmodules`
file. To this end, the `credential_format()` function is employed.

To sanitize the host name (and optional port) part of the URL, we need a
new mode of the `strbuf_add_percentencode()` function because the
current mode is both too strict and too lenient: too strict because it
encodes `:`, `[` and `]` (which should be left unencoded in
`&lt;host&gt;:&lt;port&gt;` and in IPv6 addresses), and too lenient because it does
not encode invalid host name characters `/`, `_` and `~`.

So let's introduce and use a new mode specifically to encode the host
name and optional port part of a URI, leaving alpha-numerical
characters, periods, colons and brackets alone and encoding all others.

This only leads to a change of behavior for URLs that contain invalid
host names.

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>t7300: work around platform-specific behaviour with long paths on MinGW</title>
<updated>2024-10-30T16:38:35Z</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2024-10-09T13:25:18Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=83b08eb19f05710a92d565124606dcaf68bcc68b'/>
<id>urn:sha1:83b08eb19f05710a92d565124606dcaf68bcc68b</id>
<content type='text'>
Windows by default has a restriction in place to only allow paths up to
260 characters. This restriction can nowadays be lifted by setting a
registry key, but is still active by default.

In t7300 we have one test that exercises the behaviour of git-clean(1)
with such long paths. Interestingly enough, this test fails on my system
that uses Windows 10 with mingw-w64 installed via MSYS2: instead of
observing ENAMETOOLONG, we observe ENOENT. This behaviour is consistent
across multiple different environments I have tried.

I cannot say why exactly we observe a different error here, but I would
not be surprised if this was either dependent on the Windows version,
the version of MinGW, the current working directory of Git or any kind
of combination of these.

Work around the issue by handling both errors.

[Backported from 106834e34a2 (t7300: work around platform-specific
behaviour with long paths on MinGW, 2024-10-09).]

Signed-off-by: Patrick Steinhardt &lt;ps@pks.im&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>Merge branch 'fixes/2.45.1/2.40' into fixes/2.45.1/2.41</title>
<updated>2024-05-24T23:57:02Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2024-05-24T23:57:01Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=4f215d214f15b1dbecd9816aea740b0df37b3fa5'/>
<id>urn:sha1:4f215d214f15b1dbecd9816aea740b0df37b3fa5</id>
<content type='text'>
* fixes/2.45.1/2.40:
  Revert "fsck: warn about symlink pointing inside a gitdir"
  Revert "Add a helper function to compare file contents"
  clone: drop the protections where hooks aren't run
  tests: verify that `clone -c core.hooksPath=/dev/null` works again
  Revert "core.hooksPath: add some protection while cloning"
  init: use the correct path of the templates directory again
  hook: plug a new memory leak
  ci: stop installing "gcc-13" for osx-gcc
  ci: avoid bare "gcc" for osx-gcc job
  ci: drop mention of BREW_INSTALL_PACKAGES variable
  send-email: avoid creating more than one Term::ReadLine object
  send-email: drop FakeTerm hack
</content>
</entry>
<entry>
<title>Merge branch 'jc/fix-2.45.1-and-friends-for-2.39' into fixes/2.45.1/2.40</title>
<updated>2024-05-24T19:29:36Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2024-05-24T19:29:35Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=48440f60a730b93b2a39449a69cb56db5e7114c7'/>
<id>urn:sha1:48440f60a730b93b2a39449a69cb56db5e7114c7</id>
<content type='text'>
Revert overly aggressive "layered defence" that went into 2.45.1
and friends, which broke "git-lfs", "git-annex", and other use
cases, so that we can rebuild necessary counterparts in the open.

* jc/fix-2.45.1-and-friends-for-2.39:
  Revert "fsck: warn about symlink pointing inside a gitdir"
  Revert "Add a helper function to compare file contents"
  clone: drop the protections where hooks aren't run
  tests: verify that `clone -c core.hooksPath=/dev/null` works again
  Revert "core.hooksPath: add some protection while cloning"
  init: use the correct path of the templates directory again
  hook: plug a new memory leak
  ci: stop installing "gcc-13" for osx-gcc
  ci: avoid bare "gcc" for osx-gcc job
  ci: drop mention of BREW_INSTALL_PACKAGES variable
  send-email: avoid creating more than one Term::ReadLine object
  send-email: drop FakeTerm hack
</content>
</entry>
<entry>
<title>Revert "fsck: warn about symlink pointing inside a gitdir"</title>
<updated>2024-05-23T04:55:31Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2024-05-23T04:55:31Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=1991703bdbb7839e3b43e0e0238f8efd76c8fe8d'/>
<id>urn:sha1:1991703bdbb7839e3b43e0e0238f8efd76c8fe8d</id>
<content type='text'>
This reverts commit a33fea08 (fsck: warn about symlink pointing
inside a gitdir, 2024-04-10), which warns against symbolic links
commonly created by git-annex.
</content>
</entry>
<entry>
<title>Revert "Add a helper function to compare file contents"</title>
<updated>2024-05-21T19:33:08Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-05-20T20:22:05Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=35dfccb2b430ee67fddb7b1a1f8cd7a1a8fb7cbe'/>
<id>urn:sha1:35dfccb2b430ee67fddb7b1a1f8cd7a1a8fb7cbe</id>
<content type='text'>
Now that during a `git clone`, the hooks' contents are no longer
compared to the templates' files', the caller for which the
`do_files_match()` function was introduced is gone, and therefore this
function can be retired, too.

This reverts commit 584de0b4c23 (Add a helper function to compare file
contents, 2024-03-30).

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>clone: drop the protections where hooks aren't run</title>
<updated>2024-05-21T19:33:08Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-05-20T20:22:04Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=873a466ea3f233d4fb11f894a311de06939a2a3e'/>
<id>urn:sha1:873a466ea3f233d4fb11f894a311de06939a2a3e</id>
<content type='text'>
As part of the security bug-fix releases v2.39.4, ..., v2.45.1, I
introduced logic to safeguard `git clone` from running hooks that were
installed _during_ the clone operation.

The rationale was that Git's CVE-2024-32002, CVE-2021-21300,
CVE-2019-1354, CVE-2019-1353, CVE-2019-1352, and CVE-2019-1349 should
have been low-severity vulnerabilities but were elevated to
critical/high severity by the attack vector that allows a weakness where
files inside `.git/` can be inadvertently written during a `git clone`
to escalate to a Remote Code Execution attack by virtue of installing a
malicious `post-checkout` hook that Git will then run at the end of the
operation without giving the user a chance to see what code is executed.

Unfortunately, Git LFS uses a similar strategy to install its own
`post-checkout` hook during a `git clone`; In fact, Git LFS is
installing four separate hooks while running the `smudge` filter.

While this pattern is probably in want of being improved by introducing
better support in Git for Git LFS and other tools wishing to register
hooks to be run at various stages of Git's commands, let's undo the
clone protections to unbreak Git LFS-enabled clones.

This reverts commit 8db1e8743c0 (clone: prevent hooks from running
during a clone, 2024-03-28).

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
