| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Make some syntax change to follow coding style.
|
| | |
|
| |
|
|
|
|
|
|
| |
Let `git_path_find_dir` simply take a `git_buf` that contains a
directory or a file, instead of trying to both join a path AND then deal
with prettifying it or its basename. This allows consumers to join
paths themselves (and apply any necessary rules - like fitting within
MAX_PATH).
|
| |
|
|
|
| |
There was no test ensuring that we validate `.git` paths. We do, but
let's add a test to make sure that we never regress this.
|
| |
|
|
|
|
|
|
|
|
|
| |
Introduce `git_path_validate_filesystem` which validates (absolute) on-disk
paths and `git_path_validate_workdir` to perform validations on (absolute)
working directory paths. These functions are useful as there may be system
limitations on on-disk paths, particularly on Windows (for example,
enforcing MAX_PATH).
For working directory paths, these limitations may be per-repository, based
on the `core.longpaths` configuration setting.
|
| |
|
|
|
|
|
| |
If we want to validate more and different types of paths, the name
`git_path_validate` makes that easier and more expressive. We can add,
for example, `git_path_validate_foo` while the current name makes that
less ergonomic.
|
| |
|
|
|
|
|
|
| |
Move the utf8 functions into a proper namespace `git_utf8` instead of
being in the namespaceless `git__` function group. Update them to
have out-params first and use `char *` instead of `uint8_t *` to match
our API treating strings as `char *` (even if they truly contain `uchar`s
inside).
|
| | |
|
| | |
|
| |
|
|
|
| |
The info pointer was allocated with git__malloc, so needs to be free'd with git__free.
This bug can lurk pretty easily since if there's no custom allocator this is fine.
|
| |
|
|
|
|
|
| |
We've accumulated quite some functions which are never used outside of
their respective code unit, but which are lacking the `static` keyword.
Add it to reduce their linkage scope and allow the compiler to optimize
better.
|
| |
|
|
|
|
|
| |
Windows/DOS only supports drive letters that are alpha characters A-Z.
However, you can `subst` any one-character as a drive letter, including
numbers or even emoji. Test that we can identify emoji as drive
letters.
|
| |
|
|
|
| |
Enable core.protectNTFS by default everywhere and in every codepath, not
just on checkout.
|
| |
|
|
|
|
|
|
|
|
|
| |
The function `only_spaces_and_dots` used to detect the end of the
filename on win32. Now we look at spaces and dots _before_ the end of
the string _or_ a `:` character, which would signify a win32 alternate
data stream.
Thus, rename the function `ntfs_end_of_filename` to indicate that it
detects the (virtual) end of a filename, that any further characters
would be elided to the given path.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We just safe-guarded `.git` against NTFS Alternate Data Stream-related
attack vectors, and now it is time to do the same for `.gitmodules`.
Note: In the added regression test, we refrain from verifying all kinds
of variations between short names and NTFS Alternate Data Streams: as
the new code disallows _all_ Alternate Data Streams of `.gitmodules`, it
is enough to test one in order to know that all of them are guarded
against.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A little-known feature of NTFS is that it offers to store metadata in
so-called "Alternate Data Streams" (inspired by Apple's "resource
forks") that are copied together with the file they are associated with.
These Alternate Data Streams can be accessed via `<file name>:<stream
name>:<stream type>`.
Directories, too, have Alternate Data Streams, and they even have a
default stream type `$INDEX_ALLOCATION`. Which means that `abc/` and
`abc::$INDEX_ALLOCATION/` are actually equivalent.
This is of course another attack vector on the Git directory that we
definitely want to prevent.
On Windows, we already do this incidentally, by disallowing colons in
file/directory names.
While it looks as if files'/directories' Alternate Data Streams are not
accessible in the Windows Subsystem for Linux, and neither via
CIFS/SMB-mounted network shares in Linux, it _is_ possible to access
them on SMB-mounted network shares on macOS.
Therefore, let's go the extra mile and prevent this particular attack
_everywhere_. To keep things simple, let's just disallow *any* Alternate
Data Stream of `.git`.
This is libgit2's variant of CVE-2019-1352.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the VirtualStore feature is in effect, it is safe to let random
users write into C:\ProgramData because other users won't see those
files. This seemed to be the case when we introduced support for
C:\ProgramData\Git\config.
However, when that feature is not in effect (which seems to be the case
in newer Windows 10 versions), we'd rather not use those files unless
they come from a trusted source, such as an administrator.
This change imitates the strategy chosen by PowerShell's native OpenSSH
port to Windows regarding host key files: if a system file is owned
neither by an administrator, a system account, or the current user, it
is ignored.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When initializing a repository, we need to check whether its working
directory supports symlinks to correctly set the initial value of the
"core.symlinks" config variable. The code to check the filesystem is
reusable in other parts of our codebase, like for example in our tests
to determine whether certain tests can be expected to succeed or not.
Extract the code into a new function `git_path_supports_symlinks` to
avoid duplicate implementations. Remove a duplicate implementation in
the repo test helper code.
|
| |
|
|
|
| |
`cvar` is an unhelpful name. Refactor its usage to `configmap` for more
clarity.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Windows-based systems treat paths starting with '\' as absolute,
either referring to the current drive's root (e.g. "\foo" might
refer to "C:\foo") or to a network path (e.g. "\\host\foo"). On
the other hand, (most?) systems that are not based on Win32
accept backslashes as valid characters that may be part of the
filename, and thus we cannot treat them to identify absolute
paths.
Change the logic to only paths starting with '\' as absolute on
the Win32 platform. Add tests to avoid regressions and document
behaviour.
|
| |
|
|
|
| |
Move to the `git_error` name in the internal API for error-related
functions.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ARM treats its `char` type as `unsigned type` by default; as a result,
testing a `char` value as being `< 0` is always false. This is a
warning on ARM, which is promoted to an error given our use of
`-Werror`.
Per ISO 9899:199, section "6.2.5 Types":
> The three types char, signed char, and unsigned char are collectively
> called the character types. The implementation shall define char to
> have the same range, representation, and behavior as either signed
> char or unsigned char.
>
...
> Irrespective of the choice made, char is a separate type from the other
> two and is not compatible with either.
|
| |\
| |
| | |
pack: rename `git_packfile_stream_free`
|
| | | |
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Right now, there's quite a lot of different function calls to determine
whether a path component matches a specific name after normalization
from the filesystem. We have a function for each of {gitattributes,
gitmodules, gitignore} multiplicated with {generic, NTFS, HFS} checks.
In the long time, this is unmaintainable in case there are e.g. new
filesystems with specific semantics, blowing up the number of functions
we need to implement.
Replace all functions with a simple `git_path_is_gitfile` function,
which accepts an enum pointing out the filename that is to be checked
against as well as the filesystem normalizations to check for. This
greatly simplifies implementation at the expense of the caller having to
invoke a somewhat longer function call.
|
| |
|
|
|
| |
We still compare case-insensitively to protect more thoroughly as we don't know
what specifics we'll see on the system and it's the behaviour from git.
|
| |
|
|
|
|
|
|
| |
Any part of the library which asks the question can pass in the mode to have it
checked against `.gitmodules` being a symlink.
This is particularly relevant for adding entries to the index from the worktree
and for checking out files.
|
| |
|
|
|
| |
We may take in names from the middle of a string so we want the caller to let us
know how long the path component is that we should be checking.
|
| |
|
|
|
| |
These will be used by the checkout code to detect them for the particular
filesystem they're on.
|
| | |
|
| |
|
|
|
|
|
|
| |
Given a path component it knows what to pass to the filesystem-specific
functions so we're protected even from trees which try to use the 8.3 naming
rules to get around us matching on the filename exactly.
The logic and test strings come from the equivalent git change.
|
| |
|
|
|
| |
It checks against the 8.3 shortname variants, including the one which includes
the checksum as part of its name.
|
| |
|
|
| |
This lets us check for other kinds of reserved files.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Next to including several files, our "common.h" header also declares
various macros which are then used throughout the project. As such, we
have to make sure to always include this file first in all
implementation files. Otherwise, we might encounter problems or even
silent behavioural differences due to macros or defines not being
defined as they should be. So in fact, our header and implementation
files should make sure to always include "common.h" first.
This commit does so by establishing a common include pattern. Header
files inside of "src" will now always include "common.h" as its first
other file, separated by a newline from all the other includes to make
it stand out as special. There are two cases for the implementation
files. If they do have a matching header file, they will always include
this one first, leading to "common.h" being transitively included as
first file. If they do not have a matching header file, they instead
include "common.h" as first file themselves.
This fixes the outlined problems and will become our standard practice
for header and source files inside of the "src/" from now on.
|
| | |
|
| |
|
|
|
|
|
| |
Short-circuit the call to `git_path_resolve_relative` in case
`git_buf_joinpath` returns an error. While this does not fix any
immediate errors, the resulting code is easier to read and handles
potential new error conditions raised by `git_buf_joinpath`.
|
| |
|
|
|
|
|
|
| |
In the `_check_dir_contents` function, we first allocate memory for
joining the directory and subdirectory together and afterwards use
`git_buf_joinpath`. While this function in fact should not fail as
memory is already allocated, err on the safe side and check for returned
errors.
|
| |
|
|
|
|
|
|
|
|
| |
When calling `git_path_dirname_r` on a Win32 prefix, e.g. a drive
or network share prefix, we always want to return the trailing
'/'. This does not work currently when passing in a path like
'C:', where the '/' would not be appended correctly.
Fix this by appending a '/' if we try to normalize a Win32 prefix
and there is no trailing '/'.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Getting the dirname of a filesystem root should return the filesystem
root itself. E.g. the dirname of "/" is always "/". On Windows, we
emulate this behavior and as such, we should return e.g. "C:/" if
calling dirname on "C:/". But we currently fail to do so and instead
return ".", as we do not check if we actually have a Windows prefix
before stripping off the last directory component.
Fix this by calling out to `win32_prefix_length` immediately after
stripping trailing slashes, returning early if we have a prefix.
|
| |
|
|
|
|
| |
Extract code which determines if a path is at a Windows system's root.
This incluses drive prefixes (e.g. "C:\") as well as network computer
names (e.g. "//computername/").
|
| |
|
|
|
|
|
|
| |
Error messages should be sentence fragments, and therefore:
1. Should not begin with a capital letter,
2. Should not conclude with punctuation, and
3. Should not end a sentence and begin a new one
|
| | |
|
| |
|
|
|
|
| |
On Windows we can find locked files even when reading a reference or the
packed-refs file. Bubble up the error in this case as well to allow
callers on Windows to retry more intelligently.
|
| | |
|
| | |
|
| | |
|
| | |
|
