| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
| |
Introduce `git_fs_path`, which operates on generic filesystem paths.
`git_path` will be kept for only git-specific path functionality (for
example, checking for `.git` in a path).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libgit2 has two distinct requirements that were previously solved by
`git_buf`. We require:
1. A general purpose string class that provides a number of utility APIs
for manipulating data (eg, concatenating, truncating, etc).
2. A structure that we can use to return strings to callers that they
can take ownership of.
By using a single class (`git_buf`) for both of these purposes, we have
confused the API to the point that refactorings are difficult and
reasoning about correctness is also difficult.
Move the utility class `git_buf` to be called `git_str`: this represents
its general purpose, as an internal string buffer class. The name also
is an homage to Junio Hamano ("gitstr").
The public API remains `git_buf`, and has a much smaller footprint. It
is generally only used as an "out" param with strict requirements that
follow the documentation. (Exceptions exist for some legacy APIs to
avoid breaking callers unnecessarily.)
Utility functions exist to convert a user-specified `git_buf` to a
`git_str` so that we can call internal functions, then converting it
back again.
|
| |
|
|
| |
working directory
|
| |
|
|
|
|
|
|
|
| |
This change:
* Initializes a few variables that were being read before being
initialized.
* Includes https://github.com/madler/zlib/pull/393. As such,
it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
The test case checkout::index::can_disable_pathspec_match has some
shortcomings when it comes to coding style, which didn't fit our own
coding style. Furthermore, it had an unnecessary static local variable.
The test has been refactored to address these issues.
|
| |
|
|
|
|
|
|
| |
The checkout code didn't iterate into a subdir if it didn't match the
pathspec, but since the pathspec might match files in the subdir we
should recurse into it (In contrast to gitignore handling).
Fixes #5089
|
| |
|
|
|
|
|
| |
The checkout::index::can_disable_pathspec_match test attempts to set a
path filter of `test11.txt` and `test12.txt`, but then validates that
`test10.txt` and `test11.txt` were left unmodified. Update the test's
path filter to match the expectation.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A little-known feature of NTFS is that it offers to store metadata in
so-called "Alternate Data Streams" (inspired by Apple's "resource
forks") that are copied together with the file they are associated with.
These Alternate Data Streams can be accessed via `<file name>:<stream
name>:<stream type>`.
Directories, too, have Alternate Data Streams, and they even have a
default stream type `$INDEX_ALLOCATION`. Which means that `abc/` and
`abc::$INDEX_ALLOCATION/` are actually equivalent.
This is of course another attack vector on the Git directory that we
definitely want to prevent.
On Windows, we already do this incidentally, by disallowing colons in
file/directory names.
While it looks as if files'/directories' Alternate Data Streams are not
accessible in the Windows Subsystem for Linux, and neither via
CIFS/SMB-mounted network shares in Linux, it _is_ possible to access
them on SMB-mounted network shares on macOS.
Therefore, let's go the extra mile and prevent this particular attack
_everywhere_. To keep things simple, let's just disallow *any* Alternate
Data Stream of `.git`.
This is libgit2's variant of CVE-2019-1352.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Windows Subsystem for Linux (WSL) is getting increasingly popular,
in particular because it makes it _so_ easy to run Linux software on
Windows' files, via the auto-mounted Windows drives (`C:\` is mapped to
`/mnt/c/`, no need to set that up manually).
Unfortunately, files/directories on the Windows drives can be accessed
via their _short names_, if that feature is enabled (which it is on the
`C:` drive by default).
Which means that we have to safeguard even our Linux users against the
short name attacks.
Further, while the default options of CIFS/SMB-mounts seem to disallow
accessing files on network shares via their short names on Linux/macOS,
it _is_ possible to do so with the right options.
So let's just safe-guard against short name attacks _everywhere_.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When initializing a repository, we need to check whether its working
directory supports symlinks to correctly set the initial value of the
"core.symlinks" config variable. The code to check the filesystem is
reusable in other parts of our codebase, like for example in our tests
to determine whether certain tests can be expected to succeed or not.
Extract the code into a new function `git_path_supports_symlinks` to
avoid duplicate implementations. Remove a duplicate implementation in
the repo test helper code.
|
| |
|
|
|
|
|
|
|
| |
Our file utils functions all have a "futils" prefix, e.g.
`git_futils_touch`. One would thus naturally guess that their
definitions and implementation would live in files "futils.h" and
"futils.c", respectively, but in fact they live in "fileops.h".
Rename the files to match expectations.
|
| |
|
|
|
| |
`cvar` is an unhelpful name. Refactor its usage to `configmap` for more
clarity.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In libgit2 nomenclature, when we need to verb a direct object, we name
a function `git_directobject_verb`. Thus, if we need to init an options
structure named `git_foo_options`, then the name of the function that
does that should be `git_foo_options_init`.
The previous names of `git_foo_init_options` is close - it _sounds_ as
if it's initializing the options of a `foo`, but in fact
`git_foo_options` is its own noun that should be respected.
Deprecate the old names; they'll now call directly to the new ones.
|
| |
|
|
|
|
|
|
|
| |
The function `populate_symlink_workdir` creates a new
"symlink.git" repository with a relative path "../symlink.git".
As the current working directory is the sandbox, the new
repository will be created just outside of the sandbox.
Fix this by using `clar_sandbox_path`.
|
| |
|
|
|
| |
Move to the `git_error` name in the internal API for error-related
functions.
|
| |
|
|
| |
Update internal usage to use the `git_reference` names for constants.
|
| |
|
|
|
| |
Wrap function calls in the `checkout::crlf` tests with `cl_git_pass`,
`cl_assert`, etc. to ensure that they're successful.
|
| |
|
|
|
|
|
| |
After sandboxing the crlf directory, remove the working directory
contents. This allows us to package data within the crlf directory
(for simplicity, this allows us to script the to-odb and to-workdir
crlf filter conversion data in a single location).
|
| |
|
|
|
|
|
| |
Move the crlf_data folders reponsible for holding the state of the
filters going into the working directory to "to_workdir" variations of
the folder name to accommodate future growth into the "to odb" filter
variation. Update the script to create these new folders as appopriate.
|
| |
|
|
| |
Use the new object_type enumeration names within the codebase.
|
| |
|
|
| |
Use the new-style index names throughout our own codebase.
|
| |
|
|
|
|
|
|
|
| |
Test updated symbolic link creation on Windows. Ensure that we emulate
Git for Windows behavior. Ensure that when `core.symlinks=true` is set
in a global configuration that new repositories are created without a
`core.symlinks` setting, and that when `core.symlinks` is unset that
`core.symlinks=false` in set in the repository. Further ensure that
checkout honors the expected `core.symlinks` defaults on Windows.
|
| | |
|
| |
|
|
|
|
| |
Don't try to use `link_size` as an index into a string if `p_readlink`
returned <0. That will - obviously - fail and we'll write out of
bounds.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When testing whether symlinks are correctly checked out, examine the
`core.symlinks` configuration option to determine if symlinks are
supported in a repository, don't simply assume that Windows means that
symbolic links are not supported.
Further, when testing the expected default behavior of `core.symlinks`,
test the filesystem's support to determine if symlinks are supported.
Finally, ensure that `core.symlinks=true` fails on a system where
symlinks are actually not supported. This aligns with the behavior of
Git for Windows.
|
| |
|
|
|
|
|
|
|
|
|
| |
To determine the canonical filename for a given path, we previously
looked at the directory entries on POSIX systems and used
GetFinalPathNameByHandle on Windows. However, GetFinalPathNameByHandle
requires a HANDLE - the results of CreateFile - and you cannot
CreateFile on a symbolic link.
To support finding the canonical path of a symbolic link, simply use the
existing POSIX code to look at the directory entries.
|
| |\
| |
| | |
Assorted Coverity fixes
|
| | |
| |
| | |
Reported by Coverity, CID 1393678-1393697.
|
| |/
|
|
|
|
|
|
|
| |
C++ style comment ("//") are not specified by the ISO C90 standard and
thus do not conform to it. While libgit2 aims to conform to C90, we did
not enforce it until now, which is why quite a lot of these
non-conforming comments have snuck into our codebase. Do a tree-wide
conversion of all C++ style comments to the supported C style comments
to allow us enforcing strict C90 compliance in a later commit.
|
| |
|
|
|
| |
If the index is dirty, allow `GIT_CHECKOUT_FORCE` to obliterate unsaved
changes. This is in keeping with its name and description.
|
| |
|
|
|
|
|
| |
Now that the index has a "dirty" state, where it has changes that have
not yet been committed or rolled back, our tests need to be adapted to
actually commit or rollback the changes instead of assuming that the
index can be operated on in its indeterminate state.
|
| |
|
|
|
|
| |
Add tests that ensure that we re-read the on-disk image by default
during checkout, but when the `GIT_CHECKOUT_NO_REFRESH` option is
specified, we do _not_ re-read the index.
|
| | |
|
| |
|
|
|
|
| |
When dealing with `core.proectNTFS` and `core.protectHFS` we do check
against `.gitmodules` but we still have a failing test as the non-filesystem
codepath does not check for it.
|
| |
|
|
|
| |
We want to reject these as they cause compatibility issues and can lead to git
writing to files outside of the repository.
|
| |
|
|
|
| |
This adds the 'T' status character to git_diff_status_char() for diff
entries that change type.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that when examining the working directory for checkout that the
mode is correctly simplified. Git only pays attention to whether a file
is executable or not. When examining a working directory, we should
coalesce modes in the working directory to either `0755` (indicating
that a file is executable) or `0644` (indicating that it is not).
Test this by giving the file an exotic mode, and ensuring that when
checkout out a branch that changes the file's contents, that we do not
have a checkout conflict.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add two tests for filemode.
The first ensures that `core.filemode=true` is honored: if we have
changed the filemode such that a file that _was_ executable (mode 0755)
is now executable (mode 0644) and we go to check out a branch that has
otherwise changed the contents of the file, then we should raise a
checkout conflict for that file.
The second ensures that `core.filemode=false` is honored: in the same
situation, we set a file that was executable to be non-executable, and
check out the branch that changes the contents of the file. However,
since `core.filemode` is false, we do not detect the filemode change.
We run these tests on both operating systems that obey `core.filemode`
(eg, POSIX) and those that have no conception of filemode (eg, Win32).
This ensures that `core.filemode` is always honored, as it is a cache of
the underlying filesystem's settings. This ensures that we do not
make assumptions based on the operating system, and honor the
configuration setting even if it were misconfigured.
|
| |
|
|
|
|
|
| |
When both the index _and_ the working directory has changed
permissions on a file permissions on a file - but only the permissions,
such that the contents of the file are identical - ensure that
`git_checkout` updates the permissions to match the checkout target.
|
| |
|
|
|
|
|
| |
When the working directory has changed permissions on a file - but only
the permissions, such that the contents of the file are identical -
ensure that `git_checkout` updates the permissions to match the checkout
target.
|
| |
|
|
|
|
|
|
|
| |
Some function bodies of tests which are not applicable to the Win32
platform are completely #ifdef'd out instead of calling `cl_skip()`.
This leaves us with no indication that these tests are not being
executed at all and may thus cause decreased scrutiny when investigating
skipped tests. Improve the situation by calling `cl_skip()` instead of
just doing nothing.
|
| |
|
|
|
|
|
|
| |
While we verify that we have no mode changes after calling
`git_checkout_tree`, we do not verify that the `p_chmod` calls actually
resulted in a changed entry. While we should assume that this works due
to separate tests for the status list, we should test for the change
being listed to avoid programming errors in the test.
|
| |
|
|
|
|
| |
There are multiple locations where we have the same code to check
whether the count of status list entries of a repository matches an
expected number. Extract that into a common function.
|
| |
|
|
|
| |
Test that we can successfully force checkout a target when the file
contents are identical, but the mode has changed.
|
| |
|
|
|
|
|
|
|
|
| |
If the `GIT_CHECKOUT_FORCE` flag is given to any of the `git_checkout`
invocations, we remove files which were previously staged. But while
doing so, we unfortunately also remove unstaged files in a directory
which contains at least one staged file, resulting in potential data
loss.
This commit adds two tests to verify behavior.
|
| | |
|
