1. 16 Dec, 2019 2 commits
  2. 10 Dec, 2019 3 commits
  3. 06 Dec, 2019 32 commits
    • Git 2.24.1 · 53a06cf3
      Johannes Schindelin authored
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      53a06cf3
    • Sync with 2.23.1 · 67af91c4
      Johannes Schindelin authored
      * maint-2.23: (44 commits)
        Git 2.23.1
        Git 2.22.2
        Git 2.21.1
        mingw: sh arguments need quoting in more circumstances
        mingw: fix quoting of empty arguments for `sh`
        mingw: use MSYS2 quoting even when spawning shell scripts
        mingw: detect when MSYS2's sh is to be spawned more robustly
        t7415: drop v2.20.x-specific work-around
        Git 2.20.2
        t7415: adjust test for dubiously-nested submodule gitdirs for v2.20.x
        Git 2.19.3
        Git 2.18.2
        Git 2.17.3
        Git 2.16.6
        test-drop-caches: use `has_dos_drive_prefix()`
        Git 2.15.4
        Git 2.14.6
        mingw: handle `subst`-ed "DOS drives"
        mingw: refuse to access paths with trailing spaces or periods
        mingw: refuse to access paths with illegal characters
        ...
      67af91c4
    • Git 2.23.1 · a7312d1a
      Johannes Schindelin authored
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      a7312d1a
    • Sync with 2.22.2 · 7fd9fd94
      Johannes Schindelin authored
      * maint-2.22: (43 commits)
        Git 2.22.2
        Git 2.21.1
        mingw: sh arguments need quoting in more circumstances
        mingw: fix quoting of empty arguments for `sh`
        mingw: use MSYS2 quoting even when spawning shell scripts
        mingw: detect when MSYS2's sh is to be spawned more robustly
        t7415: drop v2.20.x-specific work-around
        Git 2.20.2
        t7415: adjust test for dubiously-nested submodule gitdirs for v2.20.x
        Git 2.19.3
        Git 2.18.2
        Git 2.17.3
        Git 2.16.6
        test-drop-caches: use `has_dos_drive_prefix()`
        Git 2.15.4
        Git 2.14.6
        mingw: handle `subst`-ed "DOS drives"
        mingw: refuse to access paths with trailing spaces or periods
        mingw: refuse to access paths with illegal characters
        unpack-trees: let merged_entry() pass through do_add_entry()'s errors
        ...
      7fd9fd94
    • Git 2.22.2 · d9589d40
      Johannes Schindelin authored
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      d9589d40
    • Sync with 2.21.1 · 5421ddd8
      Johannes Schindelin authored
      * maint-2.21: (42 commits)
        Git 2.21.1
        mingw: sh arguments need quoting in more circumstances
        mingw: fix quoting of empty arguments for `sh`
        mingw: use MSYS2 quoting even when spawning shell scripts
        mingw: detect when MSYS2's sh is to be spawned more robustly
        t7415: drop v2.20.x-specific work-around
        Git 2.20.2
        t7415: adjust test for dubiously-nested submodule gitdirs for v2.20.x
        Git 2.19.3
        Git 2.18.2
        Git 2.17.3
        Git 2.16.6
        test-drop-caches: use `has_dos_drive_prefix()`
        Git 2.15.4
        Git 2.14.6
        mingw: handle `subst`-ed "DOS drives"
        mingw: refuse to access paths with trailing spaces or periods
        mingw: refuse to access paths with illegal characters
        unpack-trees: let merged_entry() pass through do_add_entry()'s errors
        quote-stress-test: offer to test quoting arguments for MSYS2 sh
        ...
      5421ddd8
    • Git 2.21.1 · 367f12b7
      Johannes Schindelin authored
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      367f12b7
    • Merge branch 'fix-msys2-quoting-bugs' · 20c71bcf
      Johannes Schindelin authored
      These patches fix several bugs in quoting arguments when spawning shell
      scripts on Windows.
      
      Note: these bugs are Windows-only, as we have to construct a command
      line for the process-to-spawn, unlike Linux/macOS, where `execv()`
      accepts an already-split command line.
      
      Furthermore, these fixes were not included in the CVE-2019-1350 part of
      v2.14.6 because the Windows-specific quoting when spawning shell scripts
      was contributed from Git for Windows into Git only in the v2.21.x era.
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      20c71bcf
    • mingw: sh arguments need quoting in more circumstances · 7d8b6769
      Johannes Schindelin authored
      Previously, we failed to quote characters such as '*', '(' and the
      likes. Let's fix this.
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      7d8b6769
    • t7415: drop v2.20.x-specific work-around · d9061ed9
      Johannes Schindelin authored
      This reverts the work-around that was introduced just for the v2.20.x
      release train in "t7415: adjust test for dubiously-nested submodule
      gitdirs for v2.20.x"; it is not necessary for v2.21.x.
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      d9061ed9
    • mingw: fix quoting of empty arguments for `sh` · 04522edb
      Johannes Schindelin authored
      When constructing command-lines to spawn processes, it is an unfortunate
      but necessary decision to quote arguments differently: MSYS2 has
      different dequoting rules (inherited from Cygwin) than the rest of
      Windows.
      
      To accommodate that, Git's Windows compatibility layer has two separate
      quoting helpers, one for MSYS2 (which it uses exclusively when spawning
      `sh`) and the other for regular Windows executables.
      
      The MSYS2 one had an unfortunate bug where a `,` somehow slipped in,
      instead of the `;`. As a consequence, empty arguments would not be
      enclosed in a pair of double quotes, but the closing double quote was
      skipped.
      
      Let's fix this.
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      04522edb
    • mingw: use MSYS2 quoting even when spawning shell scripts · 49f7a76d
      Johannes Schindelin authored
      At the point where `mingw_spawn_fd()` is called, we already have a full
      path to the script interpreter in that scenario, and we pass it in as
      the executable to run, while the `argv` reflect what the script should
      receive as command-line.
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      49f7a76d
    • Sync with 2.20.2 · fc346cb2
      Johannes Schindelin authored
      * maint-2.20: (36 commits)
        Git 2.20.2
        t7415: adjust test for dubiously-nested submodule gitdirs for v2.20.x
        Git 2.19.3
        Git 2.18.2
        Git 2.17.3
        Git 2.16.6
        test-drop-caches: use `has_dos_drive_prefix()`
        Git 2.15.4
        Git 2.14.6
        mingw: handle `subst`-ed "DOS drives"
        mingw: refuse to access paths with trailing spaces or periods
        mingw: refuse to access paths with illegal characters
        unpack-trees: let merged_entry() pass through do_add_entry()'s errors
        quote-stress-test: offer to test quoting arguments for MSYS2 sh
        t6130/t9350: prepare for stringent Win32 path validation
        quote-stress-test: allow skipping some trials
        quote-stress-test: accept arguments to test via the command-line
        tests: add a helper to stress test argument quoting
        mingw: fix quoting of arguments
        Disallow dubiously-nested submodule git directories
        ...
      fc346cb2
    • Git 2.20.2 · 4cd1cf31
      Johannes Schindelin authored
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      4cd1cf31
    • submodule: defend against submodule.update = !command in .gitmodules · c1547450
      Jonathan Nieder authored
      In v2.15.4, we started to reject `submodule.update` settings in
      `.gitmodules`. Let's raise a BUG if it somehow still made it through
      from anywhere but the Git config.
      Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
      Signed-off-by: Johannes Schindelin <Johannes.Schindelin@gmx.de>
      c1547450
    • t7415: adjust test for dubiously-nested submodule gitdirs for v2.20.x · 4cfc47de
      Johannes Schindelin authored
      In v2.20.x, Git clones submodules recursively by first creating the
      submodules' gitdirs and _then_ "updating" the submodules. This can lead
      to the situation where the clone path is taken because the directory
      (while it exists already) is not a git directory, but then the clone
      fails because that gitdir is unexpectedly already a directory.
      
      This _also_ works around the vulnerability that was fixed in "Disallow
      dubiously-nested submodule git directories", but it produces a different
      error message than the one expected by the test case, therefore we
      adjust the test case accordingly.
      
      Note: as the two submodules "race each other", there are actually two
      possible error messages, therefore we have to teach the test case to
      expect _two_ possible (and good) outcomes in addition to the one it
      expected before.
      
      Note: this workaround is only necessary for the v2.20.x release train;
      the behavior changed again in v2.21.x so that the original test case's
      expectations are met again.
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      4cfc47de
    • Sync with 2.19.3 · d851d941
      Johannes Schindelin authored
      * maint-2.19: (34 commits)
        Git 2.19.3
        Git 2.18.2
        Git 2.17.3
        Git 2.16.6
        test-drop-caches: use `has_dos_drive_prefix()`
        Git 2.15.4
        Git 2.14.6
        mingw: handle `subst`-ed "DOS drives"
        mingw: refuse to access paths with trailing spaces or periods
        mingw: refuse to access paths with illegal characters
        unpack-trees: let merged_entry() pass through do_add_entry()'s errors
        quote-stress-test: offer to test quoting arguments for MSYS2 sh
        t6130/t9350: prepare for stringent Win32 path validation
        quote-stress-test: allow skipping some trials
        quote-stress-test: accept arguments to test via the command-line
        tests: add a helper to stress test argument quoting
        mingw: fix quoting of arguments
        Disallow dubiously-nested submodule git directories
        protect_ntfs: turn on NTFS protection by default
        path: also guard `.gitmodules` against NTFS Alternate Data Streams
        ...
      d851d941
    • Git 2.19.3 · caccc527
      Johannes Schindelin authored
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      caccc527
    • Sync with 2.18.2 · 7c9fbda6
      Johannes Schindelin authored
      * maint-2.18: (33 commits)
        Git 2.18.2
        Git 2.17.3
        Git 2.16.6
        test-drop-caches: use `has_dos_drive_prefix()`
        Git 2.15.4
        Git 2.14.6
        mingw: handle `subst`-ed "DOS drives"
        mingw: refuse to access paths with trailing spaces or periods
        mingw: refuse to access paths with illegal characters
        unpack-trees: let merged_entry() pass through do_add_entry()'s errors
        quote-stress-test: offer to test quoting arguments for MSYS2 sh
        t6130/t9350: prepare for stringent Win32 path validation
        quote-stress-test: allow skipping some trials
        quote-stress-test: accept arguments to test via the command-line
        tests: add a helper to stress test argument quoting
        mingw: fix quoting of arguments
        Disallow dubiously-nested submodule git directories
        protect_ntfs: turn on NTFS protection by default
        path: also guard `.gitmodules` against NTFS Alternate Data Streams
        is_ntfs_dotgit(): speed it up
        ...
      7c9fbda6
    • Git 2.18.2 · 9877106b
      Johannes Schindelin authored
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      9877106b
    • Sync with 2.17.3 · 14af7ed5
      Johannes Schindelin authored
      * maint-2.17: (32 commits)
        Git 2.17.3
        Git 2.16.6
        test-drop-caches: use `has_dos_drive_prefix()`
        Git 2.15.4
        Git 2.14.6
        mingw: handle `subst`-ed "DOS drives"
        mingw: refuse to access paths with trailing spaces or periods
        mingw: refuse to access paths with illegal characters
        unpack-trees: let merged_entry() pass through do_add_entry()'s errors
        quote-stress-test: offer to test quoting arguments for MSYS2 sh
        t6130/t9350: prepare for stringent Win32 path validation
        quote-stress-test: allow skipping some trials
        quote-stress-test: accept arguments to test via the command-line
        tests: add a helper to stress test argument quoting
        mingw: fix quoting of arguments
        Disallow dubiously-nested submodule git directories
        protect_ntfs: turn on NTFS protection by default
        path: also guard `.gitmodules` against NTFS Alternate Data Streams
        is_ntfs_dotgit(): speed it up
        mingw: disallow backslash characters in tree objects' file names
        ...
      14af7ed5
    • Git 2.17.3 · a5ab8d03
      Johannes Schindelin authored
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      a5ab8d03
    • fsck: reject submodule.update = !command in .gitmodules · bb92255e
      Jonathan Nieder authored
      This allows hosting providers to detect whether they are being used
      to attack users using malicious 'update = !command' settings in
      .gitmodules.
      
      Since ac1fbbda (submodule: do not copy unknown update mode from
      .gitmodules, 2013-12-02), in normal cases such settings have been
      treated as 'update = none', so forbidding them should not produce any
      collateral damage to legitimate uses.  A quick search does not reveal
      any repositories making use of this construct, either.
      Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
      Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      bb92255e
    • Sync with 2.16.6 · bdfef049
      Johannes Schindelin authored
      * maint-2.16: (31 commits)
        Git 2.16.6
        test-drop-caches: use `has_dos_drive_prefix()`
        Git 2.15.4
        Git 2.14.6
        mingw: handle `subst`-ed "DOS drives"
        mingw: refuse to access paths with trailing spaces or periods
        mingw: refuse to access paths with illegal characters
        unpack-trees: let merged_entry() pass through do_add_entry()'s errors
        quote-stress-test: offer to test quoting arguments for MSYS2 sh
        t6130/t9350: prepare for stringent Win32 path validation
        quote-stress-test: allow skipping some trials
        quote-stress-test: accept arguments to test via the command-line
        tests: add a helper to stress test argument quoting
        mingw: fix quoting of arguments
        Disallow dubiously-nested submodule git directories
        protect_ntfs: turn on NTFS protection by default
        path: also guard `.gitmodules` against NTFS Alternate Data Streams
        is_ntfs_dotgit(): speed it up
        mingw: disallow backslash characters in tree objects' file names
        path: safeguard `.git` against NTFS Alternate Streams Accesses
        ...
      bdfef049
    • Git 2.16.6 · eb288bc4
      Johannes Schindelin authored
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      eb288bc4
    • test-drop-caches: use `has_dos_drive_prefix()` · 68440496
      Johannes Schindelin authored
      This is a companion patch to 'mingw: handle `subst`-ed "DOS drives"':
      use the DOS drive prefix handling that is already provided by
      `compat/mingw.c` (and which just learned to handle non-alphabetical
      "drive letters").
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      68440496
    • Sync with 2.15.4 · 9ac92fed
      Johannes Schindelin authored
      * maint-2.15: (29 commits)
        Git 2.15.4
        Git 2.14.6
        mingw: handle `subst`-ed "DOS drives"
        mingw: refuse to access paths with trailing spaces or periods
        mingw: refuse to access paths with illegal characters
        unpack-trees: let merged_entry() pass through do_add_entry()'s errors
        quote-stress-test: offer to test quoting arguments for MSYS2 sh
        t6130/t9350: prepare for stringent Win32 path validation
        quote-stress-test: allow skipping some trials
        quote-stress-test: accept arguments to test via the command-line
        tests: add a helper to stress test argument quoting
        mingw: fix quoting of arguments
        Disallow dubiously-nested submodule git directories
        protect_ntfs: turn on NTFS protection by default
        path: also guard `.gitmodules` against NTFS Alternate Data Streams
        is_ntfs_dotgit(): speed it up
        mingw: disallow backslash characters in tree objects' file names
        path: safeguard `.git` against NTFS Alternate Streams Accesses
        clone --recurse-submodules: prevent name squatting on Windows
        is_ntfs_dotgit(): only verify the leading segment
        ...
      9ac92fed
    • Git 2.15.4 · 7cdafcaa
      Johannes Schindelin authored
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      7cdafcaa
    • submodule: reject submodule.update = !command in .gitmodules · e904deb8
      Jonathan Nieder authored
      Since ac1fbbda (submodule: do not copy unknown update mode from
      .gitmodules, 2013-12-02), Git has been careful to avoid copying
      
      	[submodule "foo"]
      		update = !run an arbitrary scary command
      
      from .gitmodules to a repository's local config, copying in the
      setting 'update = none' instead.  The gitmodules(5) manpage documents
      the intention:
      
      	The !command form is intentionally ignored here for security
      	reasons
      
      Unfortunately, starting with v2.20.0-rc0 (which integrated ee69b2a9
      (submodule--helper: introduce new update-module-mode helper,
      2018-08-13, first released in v2.20.0-rc0)), there are scenarios where
      we *don't* ignore it: if the config store contains no
      submodule.foo.update setting, the submodule-config API falls back to
      reading .gitmodules and the repository-supplied !command gets run
      after all.
      
      This was part of a general change over time in submodule support to
      read more directly from .gitmodules, since unlike .git/config it
      allows a project to change values between branches and over time
      (while still allowing .git/config to override things).  But it was
      never intended to apply to this kind of dangerous configuration.
      
      The behavior change was not advertised in ee69b2a9's commit message
      and was missed in review.
      
      Let's take the opportunity to make the protection more robust, even in
      Git versions that are technically not affected: instead of quietly
      converting 'update = !command' to 'update = none', noisily treat it as
      an error.  Allowing the setting but treating it as meaning something
      else was just confusing; users are better served by seeing the error
      sooner.  Forbidding the construct makes the semantics simpler and
      means we can check for it in fsck (in a separate patch).
      
      As a result, the submodule-config API cannot read this value from
      .gitmodules under any circumstance, and we can declare with confidence
      
      	For security reasons, the '!command' form is not accepted
      	here.
      Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
      Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
      Signed-off-by: Johannes Schindelin <Johannes.Schindelin@gmx.de>
      e904deb8
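The rejection described in this commit, and the hosting-side detection motivated in "fsck: reject submodule.update = !command in .gitmodules" above, sketched as an added example (not Git's own code, which implements the check in C): a scanner that flags `update = !command` in `.gitmodules` text. The function names are hypothetical, the sample input is constructed, and the parser covers only a simplified subset of Git's config syntax (quoted and legacy dotted section headers, case-insensitive keys, quoted values, comments, backslash line continuation).

```python
import re

# [submodule "name"] or legacy [submodule.name]; section names are
# case-insensitive, a quoted subsection (the submodule name) is not.
_HEADER = re.compile(r'\s*\[([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]')
_KEY = re.compile(r'\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=(.*))?$')
_ESCAPES = {"n": "\n", "t": "\t", "b": "\b"}


def _unquote(raw):
    """Decode a value: drop quotes, apply escapes, cut unquoted comments."""
    out, in_quotes, i = [], False, 0
    raw = raw.lstrip()
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            out.append(_ESCAPES.get(raw[i + 1], raw[i + 1]))
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in "#;" and not in_quotes:
            break
        else:
            out.append(ch)
        i += 1
    return "".join(out).rstrip()  # trailing blanks are irrelevant to the check


def find_command_updates(gitmodules_text):
    """Return [(submodule_name, value)] for each submodule.<name>.update = !..."""
    findings, section, name = [], None, None
    # Simplification: join every backslash-newline before splitting into lines.
    for line in gitmodules_text.replace("\\\n", "").splitlines():
        m = _HEADER.match(line)
        if m:
            section, name = m.group(1).lower(), m.group(2)
            if name is None and "." in section:   # legacy [submodule.foo] form
                section, name = section.split(".", 1)
            elif name is not None:
                name = re.sub(r"\\(.)", r"\1", name)
            line = line[m.end():]                 # a key may follow the header
        m = _KEY.match(line)
        if not m or section != "submodule" or name is None:
            continue
        if m.group(1).lower() != "update" or m.group(2) is None:
            continue
        value = _unquote(m.group(2))
        if value.startswith("!"):                 # the '!command' form
            findings.append((name, value))
    return findings


# Constructed sample: one harmless update mode and two '!command' settings.
SAMPLE = '''\
[submodule "docs"]
    path = docs
    url = https://example.com/docs.git
    update = rebase
[submodule "vendor/lib"]
    path = vendor/lib
    url = https://example.com/lib.git
    Update = "!run an arbitrary scary command"  ; quoted value, mixed-case key
[submodule "tools"] update = !echo hi # key on the header line
'''

if __name__ == "__main__":
    for submodule, value in find_command_updates(SAMPLE):
        print(f"submodule {submodule!r}: forbidden update setting {value!r}")
```
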
    • Sync with 2.14.6 · d3ac8c3f
      Johannes Schindelin authored
      * maint-2.14: (28 commits)
        Git 2.14.6
        mingw: handle `subst`-ed "DOS drives"
        mingw: refuse to access paths with trailing spaces or periods
        mingw: refuse to access paths with illegal characters
        unpack-trees: let merged_entry() pass through do_add_entry()'s errors
        quote-stress-test: offer to test quoting arguments for MSYS2 sh
        t6130/t9350: prepare for stringent Win32 path validation
        quote-stress-test: allow skipping some trials
        quote-stress-test: accept arguments to test via the command-line
        tests: add a helper to stress test argument quoting
        mingw: fix quoting of arguments
        Disallow dubiously-nested submodule git directories
        protect_ntfs: turn on NTFS protection by default
        path: also guard `.gitmodules` against NTFS Alternate Data Streams
        is_ntfs_dotgit(): speed it up
        mingw: disallow backslash characters in tree objects' file names
        path: safeguard `.git` against NTFS Alternate Streams Accesses
        clone --recurse-submodules: prevent name squatting on Windows
        is_ntfs_dotgit(): only verify the leading segment
        test-path-utils: offer to run a protectNTFS/protectHFS benchmark
        ...
      d3ac8c3f
    • Git 2.14.6 · 66d2a615
      Johannes Schindelin authored
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      66d2a615
  4. 05 Dec, 2019 3 commits