1. 19 May, 2015 1 commit
    • Junio C Hamano's avatar
      copy.c: make copy_fd() report its status silently · 00b7cbfc
      Junio C Hamano authored
      When copy_fd() function encounters errors, it emits error messages
      itself, which makes it impossible for callers to take responsibility
      for reporting errors, especially when they want to ignore certain
      errors.
      
      Move the error reporting to its callers in preparation.
      
       - copy_file() and copy_file_with_time() by indirection get their
         own calls to error().
      
       - hold_lock_file_for_append(), when told to die on error, used to
         exit(128) relying on the error message from copy_fd(), but now it
         does its own die() instead.  Note that the callers that do not
         pass LOCK_DIE_ON_ERROR need to be adjusted for this change, but
         fortunately there is none ;-)
      
       - filter_buffer_or_fd() has its own error() already, in addition to
         the message from copy_fd(), so this will change the output but
         arguably in a better way.
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      00b7cbfc
  2. 12 Jan, 2015 7 commits
  3. 07 Jan, 2015 5 commits
  4. 29 Dec, 2014 1 commit
    • Jeff King's avatar
      is_hfs_dotgit: loosen over-eager match of \u{..47} · 6aaf956b
      Jeff King authored
      Our is_hfs_dotgit function relies on the hackily-implemented
      next_hfs_char to give us the next character that an HFS+
      filename comparison would look at. It's hacky because it
      doesn't implement the full case-folding table of HFS+; it
      gives us just enough to see if the path matches ".git".
      
      At the end of next_hfs_char, we use tolower() to convert our
      32-bit code point to lowercase. Our tolower() implementation
      only takes an 8-bit char, though; it throws away the upper
      24 bits. This means we can't have any false negatives for
      is_hfs_dotgit. We only care about matching 7-bit ASCII
      characters in ".git", and we will correctly process 'G' or
      'g'.
      
      However, we _can_ have false positives. Because we throw
      away the upper bits, code point \u{0147} (for example) will
      look like 'G' and get downcased to 'g'. It's not known
      whether a sequence of code points whose truncation ends up
      as ".git" is meaningful in any language, but it does not
      hurt to be more accurate here. We can just pass out the full
      32-bit code point, and compare it manually to the upper and
      lowercase characters we care about.
      Signed-off-by: default avatarJeff King <[email protected]>
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      6aaf956b
  5. 22 Dec, 2014 13 commits
  6. 17 Dec, 2014 13 commits
    • Junio C Hamano's avatar
      Git 2.2.1 · 9b7cbb31
      Junio C Hamano authored
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      9b7cbb31
    • Junio C Hamano's avatar
      Sync with v2.1.4 · 77933f44
      Junio C Hamano authored
      * maint-2.1:
        Git 2.1.4
        Git 2.0.5
        Git 1.9.5
        Git 1.8.5.6
        fsck: complain about NTFS ".git" aliases in trees
        read-cache: optionally disallow NTFS .git variants
        path: add is_ntfs_dotgit() helper
        fsck: complain about HFS+ ".git" aliases in trees
        read-cache: optionally disallow HFS+ .git variants
        utf8: add is_hfs_dotgit() helper
        fsck: notice .git case-insensitively
        t1450: refactor ".", "..", and ".git" fsck tests
        verify_dotfile(): reject .git case-insensitively
        read-tree: add tests for confusing paths like ".." and ".git"
        unpack-trees: propagate errors adding entries to the index
      77933f44
    • Junio C Hamano's avatar
      Git 2.1.4 · 8e36a6d5
      Junio C Hamano authored
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      8e36a6d5
    • Junio C Hamano's avatar
      Sync with v2.0.5 · 58f1d950
      Junio C Hamano authored
      * maint-2.0:
        Git 2.0.5
        Git 1.9.5
        Git 1.8.5.6
        fsck: complain about NTFS ".git" aliases in trees
        read-cache: optionally disallow NTFS .git variants
        path: add is_ntfs_dotgit() helper
        fsck: complain about HFS+ ".git" aliases in trees
        read-cache: optionally disallow HFS+ .git variants
        utf8: add is_hfs_dotgit() helper
        fsck: notice .git case-insensitively
        t1450: refactor ".", "..", and ".git" fsck tests
        verify_dotfile(): reject .git case-insensitively
        read-tree: add tests for confusing paths like ".." and ".git"
        unpack-trees: propagate errors adding entries to the index
      58f1d950
    • Junio C Hamano's avatar
      Git 2.0.5 · 9a8c2b67
      Junio C Hamano authored
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      9a8c2b67
    • Junio C Hamano's avatar
      Sync with v1.9.5 · 5e519fb8
      Junio C Hamano authored
      * maint-1.9:
        Git 1.9.5
        Git 1.8.5.6
        fsck: complain about NTFS ".git" aliases in trees
        read-cache: optionally disallow NTFS .git variants
        path: add is_ntfs_dotgit() helper
        fsck: complain about HFS+ ".git" aliases in trees
        read-cache: optionally disallow HFS+ .git variants
        utf8: add is_hfs_dotgit() helper
        fsck: notice .git case-insensitively
        t1450: refactor ".", "..", and ".git" fsck tests
        verify_dotfile(): reject .git case-insensitively
        read-tree: add tests for confusing paths like ".." and ".git"
        unpack-trees: propagate errors adding entries to the index
      5e519fb8
    • Junio C Hamano's avatar
      Git 1.9.5 · 83332636
      Junio C Hamano authored
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      83332636
    • Junio C Hamano's avatar
      Sync with v1.8.5.6 · 6898b797
      Junio C Hamano authored
      * maint-1.8.5:
        Git 1.8.5.6
        fsck: complain about NTFS ".git" aliases in trees
        read-cache: optionally disallow NTFS .git variants
        path: add is_ntfs_dotgit() helper
        fsck: complain about HFS+ ".git" aliases in trees
        read-cache: optionally disallow HFS+ .git variants
        utf8: add is_hfs_dotgit() helper
        fsck: notice .git case-insensitively
        t1450: refactor ".", "..", and ".git" fsck tests
        verify_dotfile(): reject .git case-insensitively
        read-tree: add tests for confusing paths like ".." and ".git"
        unpack-trees: propagate errors adding entries to the index
      6898b797
    • Junio C Hamano's avatar
      Git 1.8.5.6 · 5c8213a7
      Junio C Hamano authored
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      5c8213a7
    • Junio C Hamano's avatar
      Merge branch 'dotgit-case-maint-1.8.5' into maint-1.8.5 · 2aa91008
      Junio C Hamano authored
      * dotgit-case-maint-1.8.5:
        fsck: complain about NTFS ".git" aliases in trees
        read-cache: optionally disallow NTFS .git variants
        path: add is_ntfs_dotgit() helper
        fsck: complain about HFS+ ".git" aliases in trees
        read-cache: optionally disallow HFS+ .git variants
        utf8: add is_hfs_dotgit() helper
        fsck: notice .git case-insensitively
        t1450: refactor ".", "..", and ".git" fsck tests
        verify_dotfile(): reject .git case-insensitively
        read-tree: add tests for confusing paths like ".." and ".git"
        unpack-trees: propagate errors adding entries to the index
      2aa91008
    • Johannes Schindelin's avatar
      fsck: complain about NTFS ".git" aliases in trees · d08c13b9
      Johannes Schindelin authored
      Now that the index can block pathnames that can be mistaken
      to mean ".git" on NTFS and FAT32, it would be helpful for
      fsck to notice such problematic paths. This lets servers
      which use receive.fsckObjects block them before the damage
      spreads.
      
      Note that the fsck check is always on, even for systems
      without core.protectNTFS set. This is technically more
      restrictive than we need to be, as a set of users on ext4
      could happily use these odd filenames without caring about
      NTFS.
      
      However, on balance, it's helpful for all servers to block
      these (because the paths can be used for mischief, and
      servers which bother to fsck would want to stop the spread
      whether they are on NTFS themselves or not), and hardly
      anybody will be affected (because the blocked names are
      variants of .git or git~1, meaning mischief is almost
      certainly what the tree author had in mind).
      
      Ideally these would be controlled by a separate
      "fsck.protectNTFS" flag. However, it would be much nicer to
      be able to enable/disable _any_ fsck flag individually, and
      any scheme we choose should match such a system. Given the
      likelihood of anybody using such a path in practice, it is
      not unreasonable to wait until such a system materializes.
      Signed-off-by: Johannes Schindelin's avatarJohannes Schindelin <[email protected]>
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      d08c13b9
    • Johannes Schindelin's avatar
      read-cache: optionally disallow NTFS .git variants · 2b4c6efc
      Johannes Schindelin authored
      The point of disallowing ".git" in the index is that we
      would never want to accidentally overwrite files in the
      repository directory. But this means we need to respect the
      filesystem's idea of when two paths are equal. The prior
      commit added a helper to make such a comparison for NTFS
      and FAT32; let's use it in verify_path().
      
      We make this check optional for two reasons:
      
        1. It restricts the set of allowable filenames, which is
           unnecessary for people who are not on NTFS nor FAT32.
           In practice this probably doesn't matter, though, as
           the restricted names are rather obscure and almost
           certainly would never come up in practice.
      
        2. It has a minor performance penalty for every path we
           insert into the index.
      
      This patch ties the check to the core.protectNTFS config
      option. Though this is expected to be most useful on Windows,
      we allow it to be set everywhere, as NTFS may be mounted on
      other platforms. The variable does default to on for Windows,
      though.
      Signed-off-by: Johannes Schindelin's avatarJohannes Schindelin <[email protected]>
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      2b4c6efc
    • Johannes Schindelin's avatar
      path: add is_ntfs_dotgit() helper · 1d1d69bc
      Johannes Schindelin authored
      We do not allow paths with a ".git" component to be added to
      the index, as that would mean repository contents could
      overwrite our repository files. However, asking "is this
      path the same as .git" is not as simple as strcmp() on some
      filesystems.
      
      On NTFS (and FAT32), there exist so-called "short names" for
      backwards-compatibility: 8.3 compliant names that refer to the same files
      as their long names. As ".git" is not an 8.3 compliant name, a short name
      is generated automatically, typically "git~1".
      
      Depending on the Windows version, any combination of trailing spaces and
      periods are ignored, too, so that both "git~1." and ".git." still refer
      to the Git directory. The reason is that 8.3 stores file names shorter
      than 8 characters with trailing spaces. So literally, it does not matter
      for the short name whether it is padded with spaces or whether it is
      shorter than 8 characters, it is considered to be the exact same.
      
      The period is the separator between file name and file extension, and
      again, an empty extension consists just of spaces in 8.3 format. So
      technically, we would need only take care of the equivalent of this
      regex:
              (\.git {0,4}|git~1 {0,3})\. {0,3}
      
      However, there are indications that at least some Windows versions might
      be more lenient and accept arbitrary combinations of trailing spaces and
      periods and strip them out. So we're playing it real safe here. Besides,
      there can be little doubt about the intention behind using file names
      matching even the more lenient pattern specified above, therefore we
      should be fine with disallowing such patterns.
      
      Extra care is taken to catch names such as '.\\.git\\booh' because the
      backslash is marked as a directory separator only on Windows, and we want
      to use this new helper function also in fsck on other platforms.
      
      A big thank you goes to Ed Thomson and an unnamed Microsoft engineer for
      the detailed analysis performed to come up with the corresponding fixes
      for libgit2.
      
      This commit adds a function to detect whether a given file name can refer
      to the Git directory by mistake.
      Signed-off-by: Johannes Schindelin's avatarJohannes Schindelin <[email protected]>
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      1d1d69bc