Mirror of https://git.kernel.org/pub/scm/git/git.git/ https://www.git.shady.money/git/atom?h=v2.23.3 2020-04-19T23:30:27Z 2020-04-19T23:30:27Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T23:30:27Z urn:sha1:f2771efd07b51edae023db95fcca39c72a0397fe This merges up the security fix from v2.17.5. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> 2020-04-19T23:30:19Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T23:30:19Z urn:sha1:c9808fa014aa88cc306705d308d1d9065d567ddc This merges up the security fix from v2.17.5. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> 2020-04-19T23:30:08Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T23:30:08Z urn:sha1:9206d27eb5e76bbb3a4e59e3c53f92eaa0caa97b This merges up the security fix from v2.17.5. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> 2020-04-19T23:28:57Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T23:28:57Z urn:sha1:041bc65923e13313ca1b77681c3b2950b5e0a163 This merges up the security fix from v2.17.5. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> 2020-04-19T23:26:41Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T23:26:41Z urn:sha1:76b54ee9b9944ee70422ac24884f78769cf264f1 This merges up the security fix from v2.17.5. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> 2020-04-19T23:24:14Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T23:24:14Z urn:sha1:ba6f0905fdb9e65c1ac5fbc79c9a4ef0b59b3e68 This merges up the security fix from v2.17.5. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> 2020-04-19T23:10:58Z Jeff King peff@peff.net 2020-04-19T06:34:55Z urn:sha1:df5be6dc3fd18c294ec93a9af0321334e3f92c9c Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> 2020-04-19T23:10:58Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T03:57:22Z urn:sha1:1a3609e402a062ef7b11f197fe96c28cabca132c Git's URL parser interprets https:///example.com/repo.git to have no host and a path of "example.com/repo.git". Curl, on the other hand, internally redirects it to https://example.com/repo.git. As a result, until "credential: parse URL without host as empty host, not unset", tricking a user into fetching from such a URL would cause Git to send credentials for another host to example.com. Teach fsck to block and detect .gitmodules files using such a URL to prevent sharing them with Git versions that are not yet protected. A relative URL in a .gitmodules file could also be used to trigger this. The relative URL resolver used for .gitmodules does not normalize sequences of slashes and can follow ".." components out of the path part and to the host part of a URL, meaning that such a relative URL can be used to traverse from a https://foo.example.com/innocent superproject to a https:///attacker.example.com/exploit submodule. Fortunately, redundant extra slashes in .gitmodules are rare, so we can catch this by detecting one after a leading sequence of "./" and "../" components. Helped-by: Jeff King <peff@peff.net> Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> Reviewed-by: Jeff King <peff@peff.net> 2020-04-19T23:10:58Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T03:54:57Z urn:sha1:e7fab62b736cca3416660636e46f0be8386a5030 Until "credential: refuse to operate when missing host or protocol", Git's credential handling code interpreted URLs with empty scheme to mean "give me credentials matching this host for any protocol". Luckily libcurl does not recognize such URLs (it tries to look for a protocol named "" and fails). Just in case that changes, let's reject them within Git as well. This way, credential_from_url is guaranteed to always produce a "struct credential" with protocol and host set. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> 2020-04-19T23:10:58Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T03:54:13Z urn:sha1:c44088ecc4b0722636e0a305f9608d3047197282 libcurl permits making requests without a URL scheme specified. In this case, it guesses the URL from the hostname, so I can run git ls-remote http::ftp.example.com/path/to/repo and it would make an FTP request. Any user intentionally using such a URL is likely to have made a typo. Unfortunately, credential_from_url is not able to determine the host and protocol in order to determine appropriate credentials to send, and until "credential: refuse to operate when missing host or protocol", this resulted in another host's credentials being leaked to the named host. Teach credential_from_url_gently to consider such a URL to be invalid so that fsck can detect and block gitmodules files with such URLs, allowing server operators to avoid serving them to downstream users running older versions of Git. This also means that when such URLs are passed on the command line, Git will print a clearer error so affected users can switch to the simpler URL that explicitly specifies the host and protocol they intend. One subtlety: .gitmodules files can contain relative URLs, representing a URL relative to the URL they were cloned from. The relative URL resolver used for .gitmodules can follow ".." components out of the path part and past the host part of a URL, meaning that such a relative URL can be used to traverse from a https://foo.example.com/innocent superproject to a https::attacker.example.com/exploit submodule. Fortunately a leading ':' in the first path component after a series of leading './' and '../' components is unlikely to show up in other contexts, so we can catch this by detecting that pattern. Reported-by: Jeff King <peff@peff.net> Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> Reviewed-by: Jeff King <peff@peff.net>