<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/url.c, branch v2.22.2</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.22.2</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.22.2'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2019-06-04T21:48:25Z</updated>
<entry>
<title>url: do not allow %00 to represent NUL in URLs</title>
<updated>2019-06-04T21:48:25Z</updated>
<author>
<name>Matthew DeVore</name>
<email>matvore@google.com</email>
</author>
<published>2019-06-04T17:57:05Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=d37dc239a427a367427f9c4fdf12a148ad811968'/>
<id>urn:sha1:d37dc239a427a367427f9c4fdf12a148ad811968</id>
<content type='text'>
There is no reason to allow %00 to terminate a string, so do not allow it.
Otherwise, we end up returning arbitrary content in the string (that which is
after the %00) which is effectively hidden from callers and can escape sanity
checks and validation, and possibly be used in tandem with a security
vulnerability to introduce a payload.

Helped-by: brian m. carlson &lt;sandals@crustytoothpaste.net&gt;
Signed-off-by: Matthew DeVore &lt;matvore@google.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>url: do not read past end of buffer</title>
<updated>2019-06-04T21:48:06Z</updated>
<author>
<name>Matthew DeVore</name>
<email>matvore@google.com</email>
</author>
<published>2019-06-04T17:57:04Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=3f6b8a6177f3197ddad82a6da2ff9b4704664f5d'/>
<id>urn:sha1:3f6b8a6177f3197ddad82a6da2ff9b4704664f5d</id>
<content type='text'>
url_decode_internal could have been tricked into reading past the length
of the **query buffer if there are fewer than 2 characters after a % (in
a null-terminated string, % would have to be the last character).
Prevent this from happening by checking len before decoding the %
sequence.

Helped-by: René Scharfe &lt;l.s.r@web.de&gt;
Signed-off-by: Matthew DeVore &lt;matvore@google.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>style: the opening '{' of a function is in a separate line</title>
<updated>2018-12-10T06:41:09Z</updated>
<author>
<name>Nguyễn Thái Ngọc Duy</name>
<email>pclouds@gmail.com</email>
</author>
<published>2018-12-09T10:25:21Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=3b3357626edc841a51d8885ddf6986bab5b6f778'/>
<id>urn:sha1:3b3357626edc841a51d8885ddf6986bab5b6f778</id>
<content type='text'>
Signed-off-by: Nguyễn Thái Ngọc Duy &lt;pclouds@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>introduce hex2chr() for converting two hexadecimal digits to a character</title>
<updated>2016-09-07T17:42:46Z</updated>
<author>
<name>René Scharfe</name>
<email>l.s.r@web.de</email>
</author>
<published>2016-09-03T15:59:20Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=d23309733a5b2a9e1adc304ee50c5a5ed7a087c2'/>
<id>urn:sha1:d23309733a5b2a9e1adc304ee50c5a5ed7a087c2</id>
<content type='text'>
Add and use a helper function that decodes the char value of two
hexadecimal digits.  It returns a negative number on error, avoids
running over the end of the given string and doesn't shift negative
values.

Signed-off-by: Rene Scharfe &lt;l.s.r@web.de&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>use strbuf_complete to conditionally append slash</title>
<updated>2015-10-05T18:08:06Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2015-09-24T21:08:35Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=00b6c178c3ab475098f7a0bc63b2df2da508020c'/>
<id>urn:sha1:00b6c178c3ab475098f7a0bc63b2df2da508020c</id>
<content type='text'>
When working with paths in strbufs, we frequently want to
ensure that a directory contains a trailing slash before
appending to it. We can shorten this code (and make the
intent more obvious) by calling strbuf_complete.

Most of these cases are trivially identical conversions, but
there are two things to note:

  - in a few cases we did not check that the strbuf is
    non-empty (which would lead to an out-of-bounds memory
    access). These were generally not triggerable in
    practice, either from earlier assertions, or typically
    because we would have just fed the strbuf to opendir(),
    which would choke on an empty path.

  - in a few cases we indexed the buffer with "original_len"
    or similar, rather than the current sb-&gt;len, and it is
    not immediately obvious from the diff that they are the
    same. In all of these cases, I manually verified that
    the strbuf does not change between the assignment and
    the strbuf_complete call.

This does not convert cases which look like:

  if (sb-&gt;len &amp;&amp; !is_dir_sep(sb-&gt;buf[sb-&gt;len - 1]))
	  strbuf_addch(sb, '/');

as those are obviously semantically different. Some of these
cases arguably should be doing that, but that is out of
scope for this change, which aims purely for cleanup with no
behavior change (and at least it will make such sites easier
to find and examine in the future, as we can grep for
strbuf_complete).

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>use strbuf_addch for adding single characters</title>
<updated>2014-07-10T21:06:46Z</updated>
<author>
<name>René Scharfe</name>
<email>l.s.r@web.de</email>
</author>
<published>2014-07-10T08:54:24Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=294b2680cd89234618e329e090b68dc69cc41a37'/>
<id>urn:sha1:294b2680cd89234618e329e090b68dc69cc41a37</id>
<content type='text'>
Signed-off-by: Rene Scharfe &lt;l.s.r@web.de&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'jk/http-auth'</title>
<updated>2011-10-18T04:37:15Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2011-10-18T04:37:15Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=963838402a94e7fcbd1a73019f80aff708972af8'/>
<id>urn:sha1:963838402a94e7fcbd1a73019f80aff708972af8</id>
<content type='text'>
* jk/http-auth:
  http_init: accept separate URL parameter
  http: use hostname in credential description
  http: retry authentication failures for all http requests
  remote-curl: don't retry auth failures with dumb protocol
  improve httpd auth tests
  url: decode buffers that are not NUL-terminated
</content>
</entry>
<entry>
<title>Merge branch 'jc/is-url-simplify'</title>
<updated>2011-10-14T02:03:21Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2011-10-14T02:03:21Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=8b482c0ccca22857709e7f483f0079d7be7327f6'/>
<id>urn:sha1:8b482c0ccca22857709e7f483f0079d7be7327f6</id>
<content type='text'>
* jc/is-url-simplify:
  url.c: simplify is_url()
</content>
</entry>
<entry>
<title>url.c: simplify is_url()</title>
<updated>2011-10-03T17:56:42Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2011-10-03T17:56:42Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=b33a1b9fe794df53b449ffdbba0b39ef9e1772bf'/>
<id>urn:sha1:b33a1b9fe794df53b449ffdbba0b39ef9e1772bf</id>
<content type='text'>
The function was implemented in an overly complicated way.
Rewrite it to check from left to right in a single pass.

Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>url: decode buffers that are not NUL-terminated</title>
<updated>2011-07-20T18:38:34Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2011-07-18T07:48:51Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=66c8448543432308e8fce5e3e04076e875410f67'/>
<id>urn:sha1:66c8448543432308e8fce5e3e04076e875410f67</id>
<content type='text'>
The url_decode function needs only minor tweaks to handle
arbitrary buffers. Let's do those tweaks, which cleans up an
unreadable mess of temporary strings in http.c.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
