Mirror of https://git.kernel.org/pub/scm/git/git.git/ https://www.git.shady.money/git/atom?h=v2.40.3 2024-05-24T19:29:36Z 2024-05-24T19:29:36Z Junio C Hamano gitster@pobox.com 2024-05-24T19:29:35Z urn:sha1:48440f60a730b93b2a39449a69cb56db5e7114c7 Revert overly aggressive "layered defence" that went into 2.45.1 and friends, which broke "git-lfs", "git-annex", and other use cases, so that we can rebuild necessary counterparts in the open. * jc/fix-2.45.1-and-friends-for-2.39: Revert "fsck: warn about symlink pointing inside a gitdir" Revert "Add a helper function to compare file contents" clone: drop the protections where hooks aren't run tests: verify that `clone -c core.hooksPath=/dev/null` works again Revert "core.hooksPath: add some protection while cloning" init: use the correct path of the templates directory again hook: plug a new memory leak ci: stop installing "gcc-13" for osx-gcc ci: avoid bare "gcc" for osx-gcc job ci: drop mention of BREW_INSTALL_PACKAGES variable send-email: avoid creating more than one Term::ReadLine object send-email: drop FakeTerm hack 2024-05-21T19:33:08Z Johannes Schindelin johannes.schindelin@gmx.de 2024-05-20T20:22:05Z urn:sha1:35dfccb2b430ee67fddb7b1a1f8cd7a1a8fb7cbe Now that during a `git clone`, the hooks' contents are no longer compared to the templates' files', the caller for which the `do_files_match()` function was introduced is gone, and therefore this function can be retired, too. This reverts commit 584de0b4c23 (Add a helper function to compare file contents, 2024-03-30). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2024-04-19T10:38:37Z Johannes Schindelin johannes.schindelin@gmx.de 2024-04-12T07:45:28Z urn:sha1:93a88f42db7ed9a975768df0e5f4516317c50dda * maint-2.39: (38 commits) Git 2.39.4 fsck: warn about symlink pointing inside a gitdir core.hooksPath: add some protection while cloning init.templateDir: consider this config setting protected clone: prevent hooks from running during a clone Add a helper function to compare file contents init: refactor the template directory discovery into its own function find_hook(): refactor the `STRIP_EXTENSION` logic clone: when symbolic links collide with directories, keep the latter entry: report more colliding paths t5510: verify that D/F confusion cannot lead to an RCE submodule: require the submodule path to contain directories only clone_submodule: avoid using `access()` on directories submodules: submodule paths must not contain symlinks clone: prevent clashing git dirs when cloning submodule in parallel t7423: add tests for symlinked submodule directories has_dir_name(): do not get confused by characters < '/' docs: document security issues around untrusted .git dirs upload-pack: disable lazy-fetching by default fetch/clone: detect dubious ownership of local repositories ... 2024-04-19T10:38:19Z Johannes Schindelin johannes.schindelin@gmx.de 2024-03-30T14:59:20Z urn:sha1:584de0b4c235209fa60ca4a733678472263bdce0 In the next commit, Git will learn to disallow hooks during `git clone` operations _except_ when those hooks come from the templates (which are inherently supposed to be trusted). To that end, we add a function to compare the contents of two files. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> 2024-04-17T20:30:10Z Johannes Schindelin johannes.schindelin@gmx.de 2024-03-29T10:45:01Z urn:sha1:df93e407f0618e4a8265ac619dc7f4c7005155bc We will need to call this function from `hook.c` to be able to prevent hooks from running that were written as part of a `clone` but did not originate from the template directory. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> 2024-04-17T20:29:54Z Johannes Schindelin johannes.schindelin@gmx.de 2024-04-10T12:39:37Z urn:sha1:f4aa8c8bb11dae6e769cd930565173808cbb69c8 When cloning from somebody else's repositories, it is possible that, say, the `upload-pack` command is overridden in the repository that is about to be cloned, which would then be run in the user's context who started the clone. To remind the user that this is a potentially unsafe operation, let's extend the ownership checks we have already established for regular gitdir discovery to extend also to local repositories that are about to be cloned. This protection extends also to file:// URLs. The fixes in this commit address CVE-2024-32004. Note: This commit does not touch the `fetch`/`clone` code directly, but instead the function used implicitly by both: `enter_repo()`. This function is also used by `git receive-pack` (i.e. pushes), by `git upload-archive`, by `git daemon` and by `git http-backend`. In setups that want to serve repositories owned by different users than the account running the service, this will require `safe.*` settings to be configured accordingly. Also note: there are tiny time windows where a time-of-check-time-of-use ("TOCTOU") race is possible. The real solution to those would be to work with `fstat()` and `openat()`. However, the latter function is not available on Windows (and would have to be emulated with rather expensive low-level `NtCreateFile()` calls), and the changes would be quite extensive, for my taste too extensive for the little gain given that embargoed releases need to pay extra attention to avoid introducing inadvertent bugs. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> 2023-02-22T22:55:44Z Junio C Hamano gitster@pobox.com 2023-02-22T22:55:44Z urn:sha1:24fb150dcd6b18b6d14ed14a02c6a17c33f0d443 Remove more remaining uses of macros that relies on the_index singleton instance without explicitly spelling it out. * ab/the-index-compatibility: cocci & cache.h: remove "USE_THE_INDEX_COMPATIBILITY_MACROS" cache-tree API: remove redundant update_main_cache_tree() cocci & cache-tree.h: migrate "write_cache_as_tree" to "*_index_*" cocci & cache.h: apply pending "index_cache_pos" rule cocci & cache.h: fully apply "active_nr" part of index-compatibility builtin/rm.c: use narrower "USE_THE_INDEX_VARIABLE" 2023-02-16T01:11:53Z Junio C Hamano gitster@pobox.com 2023-02-16T01:11:53Z urn:sha1:c5f7b2a6fe34bbdd4453be6620e08dbcf1b695fb Type fixes. * rs/size-t-fixes: pack-objects: use strcspn(3) in name_cmp_len() read-cache: use size_t for {base,df}_name_compare() 2023-02-10T19:38:40Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2023-02-10T10:28:39Z urn:sha1:dfd0a89374c6eba332dfa3f5670a29eaf96efa3b Have the last users of "USE_THE_INDEX_COMPATIBILITY_MACROS" use the underlying *_index() variants instead. Now all previous users of "USE_THE_INDEX_COMPATIBILITY_MACROS" have been migrated away from the wrapper macros, and if applicable to use the "USE_THE_INDEX_VARIABLE" added in [1]. Let's leave the "index-compatibility.cocci" in place, even though it won't be doing anything on "master". It will benefit any out-of-tree code that need to use these compatibility macros. We can eventually remove it. 1. bdafeae0b9c (cache.h & test-tool.h: add & use "USE_THE_INDEX_VARIABLE", 2022-11-19) Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2023-02-10T19:37:27Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2023-02-10T10:28:36Z urn:sha1:babed893f52a44771dd9d85329ee3bd64438adfb Apply the rule added in [1] to change "cache_name_pos" to "index_name_pos", which allows us to get rid of another "USE_THE_INDEX_COMPATIBILITY_MACROS" macro. The replacement of "USE_THE_INDEX_COMPATIBILITY_MACROS" here with "USE_THE_INDEX_VARIABLE" is a manual change on top, now that these files only use "&the_index", and don't need any compatibility macros (or functions). 1. 0e6550a2c63 (cocci: add a index-compatibility.pending.cocci, 2022-11-19) Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>