1. 12 Sep, 2017 1 commit
  2. 30 Jul, 2017 5 commits
  3. 28 Jul, 2017 6 commits
    • Junio C Hamano's avatar
      a4f234bf
    • Jeff King's avatar
      connect: reject paths that look like command line options · aeeb2d49
      Jeff King authored
      If we get a repo path like "-repo.git", we may try to invoke
      "git-upload-pack -repo.git". This is going to fail, since
      upload-pack will interpret it as a set of bogus options. But
      let's reject this before we even run the sub-program, since
      we would not want to allow any mischief with repo names that
      actually are real command-line options.
      
      You can still ask for such a path via git-daemon, but there's no
      security problem there, because git-daemon enters the repo itself
      and then passes "."  on the command line.
      Signed-off-by: default avatarJeff King <peff@peff.net>
      Reviewed-by: default avatarJonathan Nieder <jrnieder@gmail.com>
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      aeeb2d49
    • Jeff King's avatar
      connect: reject dashed arguments for proxy commands · 3be4cf09
      Jeff King authored
      If you have a GIT_PROXY_COMMAND configured, we will run it
      with the host/port on the command-line. If a URL contains a
      mischievous host like "--foo", we don't know how the proxy
      command may handle it. It's likely to break, but it may also
      do something dangerous and unwanted (technically it could
      even do something useful, but that seems unlikely).
      
      We should err on the side of caution and reject this before
      we even run the command.
      
      The hostname check matches the one we do in a similar
      circumstance for ssh. The port check is not present for ssh,
      but there it's not necessary because the syntax is "-p
      <port>", and there's no ambiguity on the parsing side.
      
      It's not clear whether you can actually get a negative port
      to the proxy here or not. Doing:
      
        git fetch git://remote:-1234/repo.git
      
      keeps the "-1234" as part of the hostname, with the default
      port of 9418. But it's a good idea to keep this check close
      to the point of running the command to make it clear that
      there's no way to circumvent it (and at worst it serves as a
      belt-and-suspenders check).
      Signed-off-by: default avatarJeff King <peff@peff.net>
      Reviewed-by: default avatarJonathan Nieder <jrnieder@gmail.com>
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      3be4cf09
    • Jeff King's avatar
      connect: factor out "looks like command line option" check · 2491f77b
      Jeff King authored
      We reject hostnames that start with a dash because they may
      be confused for command-line options. Let's factor out that
      notion into a helper function, as we'll use it in more
      places. And while it's simple now, it's not clear if some
      systems might need more complex logic to handle all cases.
      Signed-off-by: default avatarJeff King <peff@peff.net>
      Reviewed-by: default avatarJonathan Nieder <jrnieder@gmail.com>
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      2491f77b
    • Jeff King's avatar
      t5813: add test for hostname starting with dash · 2d90add5
      Jeff King authored
      Per the explanation in the previous patch, this should be
      (and is) rejected.
      Signed-off-by: default avatarJeff King <peff@peff.net>
      Reviewed-by: default avatarJonathan Nieder <jrnieder@gmail.com>
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      2d90add5
    • Junio C Hamano's avatar
      connect: reject ssh hostname that begins with a dash · 820d7650
      Junio C Hamano authored
      When commands like "git fetch" talk with ssh://$rest_of_URL/, the
      code splits $rest_of_URL into components like host, port, etc., and
      then spawns the underlying "ssh" program by formulating argv[] array
      that has:
      
       - the path to ssh command taken from GIT_SSH_COMMAND, etc.
      
       - dashed options like '-batch' (for Tortoise), '-p <port>' as
         needed.
      
       - ssh_host, which is supposed to be the hostname parsed out of
         $rest_of_URL.
      
       - then the command to be run on the other side, e.g. git
         upload-pack.
      
      If the ssh_host ends up getting '-<anything>', the argv[] that is
      used to spawn the command becomes something like:
      
          { "ssh", "-p", "22", "-<anything>", "command", "to", "run", NULL }
      
      which obviously is bogus, but depending on the actual value of
      "<anything>", will make "ssh" parse and use it as an option.
      
      Prevent this by forbidding ssh_host that begins with a "-".
      
      Noticed-by: Joern Schneeweisz of Recurity Labs
      Reported-by: Brian at GitLab
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      Reviewed-by: default avatarJeff King <peff@peff.net>
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      820d7650
  4. 05 May, 2017 13 commits
  5. 09 Sep, 2016 15 commits
    • Junio C Hamano's avatar
      Prepare for 2.9.4 · 0202c411
      Junio C Hamano authored
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      0202c411
    • Junio C Hamano's avatar
      Merge branch 'hv/doc-commit-reference-style' into maint · 3e8e69a6
      Junio C Hamano authored
      A small doc update.
      
      * hv/doc-commit-reference-style:
        SubmittingPatches: use gitk's "Copy commit summary" format
        SubmittingPatches: document how to reference previous commits
      3e8e69a6
    • Junio C Hamano's avatar
      Merge branch 'sg/reflog-past-root' into maint · b5abd302
      Junio C Hamano authored
      A small test clean-up for a topic introduced in v2.9.1 and later.
      
      * sg/reflog-past-root:
        t1410: remove superfluous 'git reflog' from the 'walk past root' test
      b5abd302
    • Junio C Hamano's avatar
      Merge branch 'rs/mailinfo-lib' into maint · 71165f02
      Junio C Hamano authored
      Small code clean-up.
      
      * rs/mailinfo-lib:
        mailinfo: recycle strbuf in check_header()
      71165f02
    • Junio C Hamano's avatar
      Merge branch 'jk/tighten-alloc' into maint · 9bef6422
      Junio C Hamano authored
      Small code and comment clean-up.
      
      * jk/tighten-alloc:
        receive-pack: use FLEX_ALLOC_MEM in queue_command()
        correct FLEXPTR_* example in comment
      9bef6422
    • Junio C Hamano's avatar
      Merge branch 'rs/use-strbuf-add-unique-abbrev' into maint · 5e469ab6
      Junio C Hamano authored
      A small code clean-up.
      
      * rs/use-strbuf-add-unique-abbrev:
        use strbuf_add_unique_abbrev() for adding short hashes
      5e469ab6
    • Junio C Hamano's avatar
      Merge branch 'rs/merge-recursive-string-list-init' into maint · f14883b9
      Junio C Hamano authored
      A small code clean-up.
      
      * rs/merge-recursive-string-list-init:
        merge-recursive: use STRING_LIST_INIT_NODUP
      f14883b9
    • Junio C Hamano's avatar
      Merge branch 'rs/merge-add-strategies-simplification' into maint · 24c88ad8
      Junio C Hamano authored
      A small code clean-up.
      
      * rs/merge-add-strategies-simplification:
        merge: use string_list_split() in add_strategies()
      24c88ad8
    • Junio C Hamano's avatar
      Merge branch 'ls/packet-line-protocol-doc-fix' into maint · a75341c7
      Junio C Hamano authored
      Correct an age-old calco (is that a typo-like word for calc)
      in the documentation.
      
      * ls/packet-line-protocol-doc-fix:
        pack-protocol: fix maximum pkt-line size
      a75341c7
    • Junio C Hamano's avatar
      Merge branch 'bw/mingw-avoid-inheriting-fd-to-lockfile' into maint · c0e8b3b4
      Junio C Hamano authored
      The tempfile (hence its user lockfile) API lets the caller to open
      a file descriptor to a temporary file, write into it and then
      finalize it by first closing the filehandle and then either
      removing or renaming the temporary file.  When the process spawns a
      subprocess after obtaining the file descriptor, and if the
      subprocess has not exited when the attempt to remove or rename is
      made, the last step fails on Windows, because the subprocess has
      the file descriptor still open.  Open tempfile with O_CLOEXEC flag
      to avoid this (on Windows, this is mapped to O_NOINHERIT).
      
      * bw/mingw-avoid-inheriting-fd-to-lockfile:
        mingw: ensure temporary file handles are not inherited by child processes
        t6026-merge-attr: child processes must not inherit index.lock handles
      c0e8b3b4
    • Junio C Hamano's avatar
      Merge branch 'dg/document-git-c-in-git-config-doc' into maint · 15a27298
      Junio C Hamano authored
      The "git -c var[=val] cmd" facility to append a configuration
      variable definition at the end of the search order was described in
      git(1) manual page, but not in git-config(1), which was more likely
      place for people to look for when they ask "can I make a one-shot
      override, and if so how?"
      
      * dg/document-git-c-in-git-config-doc:
        doc: mention `git -c` in git-config(1)
      15a27298
    • Junio C Hamano's avatar
      Merge branch 'js/no-html-bypass-on-windows' into maint · ba22efd8
      Junio C Hamano authored
      On Windows, help.browser configuration variable used to be ignored,
      which has been corrected.
      
      * js/no-html-bypass-on-windows:
        Revert "display HTML in default browser using Windows' shell API"
      ba22efd8
    • Junio C Hamano's avatar
      Merge branch 'jk/difftool-command-not-found' into maint · bde42f08
      Junio C Hamano authored
      "git difftool" by default ignores the error exit from the backend
      commands it spawns, because often they signal that they found
      differences by exiting with a non-zero status code just like "diff"
      does; the exit status codes 126 and above however are special in
      that they are used to signal that the command is not executable,
      does not exist, or killed by a signal.  "git difftool" has been
      taught to notice these exit status codes.
      
      * jk/difftool-command-not-found:
        difftool: always honor fatal error exit codes
      bde42f08
    • Junio C Hamano's avatar
      Merge branch 'sb/checkout-explit-detach-no-advice' into maint · 7c964719
      Junio C Hamano authored
      "git checkout --detach <branch>" used to give the same advice
      message as that is issued when "git checkout <tag>" (or anything
      that is not a branch name) is given, but asking with "--detach" is
      an explicit enough sign that the user knows what is going on.  The
      advice message has been squelched in this case.
      
      * sb/checkout-explit-detach-no-advice:
        checkout: do not mention detach advice for explicit --detach option
      7c964719
    • Junio C Hamano's avatar
      Merge branch 'rs/pull-signed-tag' into maint · 69307312
      Junio C Hamano authored
      When "git merge-recursive" works on history with many criss-cross
      merges in "verbose" mode, the names the command assigns to the
      virtual merge bases could have overwritten each other by unintended
      reuse of the same piece of memory.
      
      * rs/pull-signed-tag:
        commit: use FLEX_ARRAY in struct merge_remote_desc
        merge-recursive: fix verbose output for multiple base trees
        commit: factor out set_merge_remote_desc()
        commit: use xstrdup() in get_merge_parent()
      69307312