diff options
| author | Carlos Martín Nieto <cmn@dwim.me> | 2018-04-30 13:47:15 +0200 |
|---|---|---|
| committer | Carlos Martín Nieto <cmn@dwim.me> | 2018-05-09 20:29:49 +0200 |
| commit | 6b15ceac0ad19ab671995e9926b492e93703ed0f (patch) | |
| tree | 708f3da8efcf0d81902cbd277aa91bc7c0e4eb76 /src/submodule.h | |
| parent | 7553763aca0068fd331f2ba07fbe960605f04bb6 (diff) | |
| download | libgit2-6b15ceac0ad19ab671995e9926b492e93703ed0f.tar.gz | |
submodule: ignore submodules which include path traversal in their name
If the we decide that the "name" of the submodule (i.e. its path inside
`.git/modules/`) is trying to escape that directory or otherwise trick us, we
ignore the configuration for that submodule.
This leaves us with a half-configured submodule when looking it up by path, but
it's the same result as if the configuration really were missing.
The name check is potentially more strict than it needs to be, but it lets us
re-use the check we're doing for the checkout. The function that encapsulates
this logic is ready to be exported but we don't want to do that in a security
release so it remains internal for now.
Diffstat (limited to 'src/submodule.h')
| -rw-r--r-- | src/submodule.h | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/src/submodule.h b/src/submodule.h index 72867a322..e188dbb3c 100644 --- a/src/submodule.h +++ b/src/submodule.h @@ -148,4 +148,17 @@ extern int git_submodule_parse_update( extern int git_submodule__map( git_repository *repo, git_strmap *map); + +/** + * Check whether a submodule's name is valid. + * + * Check the path against the path validity rules, either the filesystem + * defaults (like checkout does) or whichever you want to compare against. + * + * @param repo the repository which contains the submodule + * @param name the name to check + * @param flags the `GIT_PATH` flags to use for the check (0 to use filesystem defaults) + */ +extern int git_submodule_name_is_valid(const git_repository *repo, const char *name, int flags); + #endif |