    verify_path: disallow symlinks in .gitmodules · 10ecfa76
    Jeff King authored
    There are a few reasons it's not a good idea to make
    .gitmodules a symlink, including:

      1. It won't be portable to systems without symlinks.

      2. It may behave inconsistently, since Git may look at
         this file in the index or a tree without bothering to
         resolve any symbolic links. We don't do this _yet_, but
         the config infrastructure is there and it's planned for
         the future.

    With some clever code, we could make (2) work. And some
    people may not care about (1) if they only work on one
    platform. But there are a few security reasons to simply
    disallow it:

      a. A symlinked .gitmodules file may circumvent any fsck
         checks of the content.

      b. Git may read and write from the on-disk file without
         sanity checking the symlink target. So for example, if
         you link ".gitmodules" to "../oops" and run "git
         submodule add", we'll write to the file "oops" outside
         the repository.

    Again, both of those are problems that _could_ be solved
    with sufficient code, but given the complications in (1) and
    (2), we're better off just outlawing it explicitly.

    Note the slightly tricky call to verify_path() in
    update-index's update_one(). There we may not have a mode if
    we're not updating from the filesystem (e.g., we might just
    be removing the file). Passing "0" as the mode there works
    fine; since it's not a symlink, we'll just skip the extra
    Signed-off-by: Jeff King <peff@peff.net>
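
The rule described in the commit message above, as an added example that is not Git's own code and not part of the original page: a small auditor that reads a tree listing in the `<mode> <type> <oid>\t<path>` layout printed by `git ls-tree -r` and rejects any entry named `.gitmodules` whose mode is a symlink. The names `entry_ok`, `audit_listing` and `SAMPLE` are hypothetical, the listing is constructed, and the name match is exact (no quoting or case folding is handled).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODE_FMT 0170000u /* file-type bits of an entry mode */
#define MODE_LNK 0120000u /* symbolic link */

/* Return 1 if the entry is acceptable, 0 if it is a symlinked .gitmodules.
 * Only the final path component carries the entry's mode. A mode of 0
 * ("no mode known", e.g. the entry is being removed) is not a symlink,
 * so it passes, matching the update_one() remark in the message. */
static int entry_ok(const char *path, unsigned mode)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    if (strcmp(base, ".gitmodules") != 0)
        return 1;
    return (mode & MODE_FMT) != MODE_LNK;
}

/* Scan "<mode> <type> <oid>\t<path>\n" lines and return the number of
 * rejected entries. Lines without a tab or with a path of 256 bytes or
 * more are skipped (a limit of this example). */
static int audit_listing(const char *listing)
{
    int rejected = 0;
    for (const char *line = listing; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *tab = memchr(line, '\t', len);
        char path[256];
        if (tab && len - (size_t)(tab + 1 - line) < sizeof(path)) {
            size_t plen = len - (size_t)(tab + 1 - line);
            unsigned mode = (unsigned)strtoul(line, NULL, 8); /* octal */
            memcpy(path, tab + 1, plen);
            path[plen] = '\0';
            if (!entry_ok(path, mode)) {
                printf("rejected: %s (mode %06o)\n", path, mode);
                rejected++;
            }
        }
        line = eol ? eol + 1 : line + len;
    }
    return rejected;
}

/* Constructed listing; the object ids are placeholders. */
static const char SAMPLE[] =
    "100644 blob 1111111\tREADME\n"
    "120000 blob 2222222\t.gitmodules\n"
    "100644 blob 3333333\tdocs/.gitmodules\n"
    "120000 blob 4444444\tlink-to-readme\n";

int main(void) { return audit_listing(SAMPLE) == 1 ? 0 : 1; }
```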
apply.c 129 KB