1. 05 May, 2017 9 commits
    • Junio C Hamano's avatar
      Git 2.7.5 · c8dd1e3b
      Junio C Hamano authored
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      c8dd1e3b
    • Junio C Hamano's avatar
      Merge branch 'maint-2.6' into maint-2.7 · dc58c855
      Junio C Hamano authored
      dc58c855
    • Junio C Hamano's avatar
      Git 2.6.7 · 70fcaef9
      Junio C Hamano authored
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      70fcaef9
    • Junio C Hamano's avatar
      Merge branch 'maint-2.5' into maint-2.6 · ab37a18b
      Junio C Hamano authored
      ab37a18b
    • Junio C Hamano's avatar
      Git 2.5.6 · ac332012
      Junio C Hamano authored
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      ac332012
    • Junio C Hamano's avatar
      Merge branch 'maint-2.4' into maint-2.5 · 531788af
      Junio C Hamano authored
      531788af
    • Junio C Hamano's avatar
      Git 2.4.12 · 4000b402
      Junio C Hamano authored
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      4000b402
    • Junio C Hamano's avatar
      Merge branch 'jk/shell-no-repository-that-begins-with-dash' into maint-2.4 · 5a4ffdf5
      Junio C Hamano authored
      * jk/shell-no-repository-that-begins-with-dash:
        shell: disallow repo names beginning with dash
      5a4ffdf5
    • Jeff King's avatar
      shell: disallow repo names beginning with dash · 3ec80449
      Jeff King authored
      When a remote server uses git-shell, the client side will
      connect to it like:
      
        ssh server "git-upload-pack 'foo.git'"
      
      and we literally exec ("git-upload-pack", "foo.git"). In
      early versions of upload-pack and receive-pack, we took a
      repository argument and nothing else. But over time they
      learned to accept dashed options. If the user passes a
      repository name that starts with a dash, the results are
      confusing at best (we complain of a bogus option instead of
      a non-existent repository) and malicious at worst (the user
      can start an interactive pager via "--help").
      
      We could pass "--" to the sub-process to make sure the
      user's argument is interpreted as a branch name. I.e.:
      
        git-upload-pack -- -foo.git
      
      But adding "--" automatically would make us inconsistent
      with a normal shell (i.e., when git-shell is not in use),
      where "-foo.git" would still be an error. For that case, the
      client would have to specify the "--", but they can't do so
      reliably, as existing versions of git-shell do not allow
      more than a single argument.
      
      The simplest thing is to simply disallow "-" at the start of
      the repo name argument. This hasn't worked either with or
      without git-shell since version 1.0.0, and nobody has
      complained.
      
      Note that this patch just applies to do_generic_cmd(), which
      runs upload-pack, receive-pack, and upload-archive. There
      are two other types of commands that git-shell runs:
      
        - do_cvs_cmd(), but this already restricts the argument to
          be the literal string "server"
      
        - admin-provided commands in the git-shell-commands
          directory. We'll pass along arbitrary arguments there,
          so these commands could have similar problems. But these
          commands might actually understand dashed arguments, so
          we cannot just block them here. It's up to the writer of
          the commands to make sure they are safe. With great
          power comes great responsibility.
      Reported-by: BlueC0re's avatarTimo Schmid <tschmid@ernw.de>
      Signed-off-by: default avatarJeff King <peff@peff.net>
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      3ec80449
  2. 26 May, 2016 2 commits
  3. 21 Mar, 2016 4 commits
  4. 17 Mar, 2016 8 commits
    • Junio C Hamano's avatar
      Git 2.7.4 · 937978e0
      Junio C Hamano authored
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      937978e0
    • Junio C Hamano's avatar
      Sync with Git 2.6.6 · 8e9cc5f3
      Junio C Hamano authored
      * maint-2.6:
        Git 2.6.6
        Git 2.5.5
        Git 2.4.11
      8e9cc5f3
    • Junio C Hamano's avatar
      Git 2.6.6 · e4657964
      Junio C Hamano authored
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      e4657964
    • Junio C Hamano's avatar
      Merge branch 'maint-2.5' into maint-2.6 · ce4d4e76
      Junio C Hamano authored
      * maint-2.5:
        Git 2.5.5
        Git 2.4.11
        list-objects: pass full pathname to callbacks
        list-objects: drop name_path entirely
        list-objects: convert name_path to a strbuf
        show_object_with_name: simplify by using path_name()
        http-push: stop using name_path
        tree-diff: catch integer overflow in combine_diff_path allocation
        add helpers for detecting size_t overflow
      ce4d4e76
    • Junio C Hamano's avatar
      Git 2.5.5 · e568e563
      Junio C Hamano authored
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      e568e563
    • Junio C Hamano's avatar
      Merge branch 'maint-2.4' into maint-2.5 · c638f3e4
      Junio C Hamano authored
      * maint-2.4:
        Git 2.4.11
        list-objects: pass full pathname to callbacks
        list-objects: drop name_path entirely
        list-objects: convert name_path to a strbuf
        show_object_with_name: simplify by using path_name()
        http-push: stop using name_path
        tree-diff: catch integer overflow in combine_diff_path allocation
        add helpers for detecting size_t overflow
      c638f3e4
    • Junio C Hamano's avatar
      Git 2.4.11 · 76542869
      Junio C Hamano authored
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      76542869
    • Junio C Hamano's avatar
      Merge branch 'jk/path-name-safety-2.4' into maint-2.4 · 32c6dca8
      Junio C Hamano authored
      Bugfix patches were backported from the 'master' front to plug heap
      corruption holes, to catch integer overflow in the computation of
      pathname lengths, and to get rid of the name_path API.  Both of
      these would have resulted in writing over an under-allocated buffer
      when formulating pathnames while tree traversal.
      
      * jk/path-name-safety-2.4:
        list-objects: pass full pathname to callbacks
        list-objects: drop name_path entirely
        list-objects: convert name_path to a strbuf
        show_object_with_name: simplify by using path_name()
        http-push: stop using name_path
        tree-diff: catch integer overflow in combine_diff_path allocation
        add helpers for detecting size_t overflow
      32c6dca8
  5. 16 Mar, 2016 11 commits
    • Junio C Hamano's avatar
      Merge branch 'jk/path-name-safety-2.7' into maint · d79db924
      Junio C Hamano authored
      * jk/path-name-safety-2.7:
        list-objects: pass full pathname to callbacks
        list-objects: drop name_path entirely
        list-objects: convert name_path to a strbuf
        show_object_with_name: simplify by using path_name()
        http-push: stop using name_path
        tree-diff: catch integer overflow in combine_diff_path allocation
        add helpers for detecting size_t overflow
      d79db924
    • Junio C Hamano's avatar
      Merge branch 'jk/path-name-safety-2.6' into jk/path-name-safety-2.7 · 55c45a73
      Junio C Hamano authored
      * jk/path-name-safety-2.6:
        list-objects: pass full pathname to callbacks
        list-objects: drop name_path entirely
        list-objects: convert name_path to a strbuf
        show_object_with_name: simplify by using path_name()
        http-push: stop using name_path
        tree-diff: catch integer overflow in combine_diff_path allocation
        add helpers for detecting size_t overflow
      55c45a73
    • Junio C Hamano's avatar
      Merge branch 'jk/path-name-safety-2.5' into jk/path-name-safety-2.6 · 717e3551
      Junio C Hamano authored
      * jk/path-name-safety-2.5:
        list-objects: pass full pathname to callbacks
        list-objects: drop name_path entirely
        list-objects: convert name_path to a strbuf
        show_object_with_name: simplify by using path_name()
        http-push: stop using name_path
        tree-diff: catch integer overflow in combine_diff_path allocation
        add helpers for detecting size_t overflow
      717e3551
    • Junio C Hamano's avatar
      Merge branch 'jk/path-name-safety-2.4' into jk/path-name-safety-2.5 · 253ce7a1
      Junio C Hamano authored
      * jk/path-name-safety-2.4:
        list-objects: pass full pathname to callbacks
        list-objects: drop name_path entirely
        list-objects: convert name_path to a strbuf
        show_object_with_name: simplify by using path_name()
        http-push: stop using name_path
        tree-diff: catch integer overflow in combine_diff_path allocation
        add helpers for detecting size_t overflow
      253ce7a1
    • Jeff King's avatar
      list-objects: pass full pathname to callbacks · 2824e184
      Jeff King authored
      When we find a blob at "a/b/c", we currently pass this to
      our show_object_fn callbacks as two components: "a/b/" and
      "c". Callbacks which want the full value then call
      path_name(), which concatenates the two. But this is an
      inefficient interface; the path is a strbuf, and we could
      simply append "c" to it temporarily, then roll back the
      length, without creating a new copy.
      
      So we could improve this by teaching the callsites of
      path_name() this trick (and there are only 3). But we can
      also notice that no callback actually cares about the
      broken-down representation, and simply pass each callback
      the full path "a/b/c" as a string. The callback code becomes
      even simpler, then, as we do not have to worry about freeing
      an allocated buffer, nor rolling back our modification to
      the strbuf.
      
      This is theoretically less efficient, as some callbacks
      would not bother to format the final path component. But in
      practice this is not measurable. Since we use the same
      strbuf over and over, our work to grow it is amortized, and
      we really only pay to memcpy a few bytes.
      Signed-off-by: default avatarJeff King <peff@peff.net>
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      2824e184
    • Jeff King's avatar
      list-objects: drop name_path entirely · dc06dc88
      Jeff King authored
      In the previous commit, we left name_path as a thin wrapper
      around a strbuf. This patch drops it entirely. As a result,
      every show_object_fn callback needs to be adjusted. However,
      none of their code needs to be changed at all, because the
      only use was to pass it to path_name(), which now handles
      the bare strbuf.
      Signed-off-by: default avatarJeff King <peff@peff.net>
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      dc06dc88
    • Jeff King's avatar
      list-objects: convert name_path to a strbuf · f3badaed
      Jeff King authored
      The "struct name_path" data is examined in only two places:
      we generate it in process_tree(), and we convert it to a
      single string in path_name(). Everyone else just passes it
      through to those functions.
      
      We can further note that process_tree() already keeps a
      single strbuf with the leading tree path, for use with
      tree_entry_interesting().
      
      Instead of building a separate name_path linked list, let's
      just use the one we already build in "base". This reduces
      the amount of code (especially tricky code in path_name()
      which did not check for integer overflows caused by deep
      or large pathnames).
      
      It is also more efficient in some instances.  Any time we
      were using tree_entry_interesting, we were building up the
      strbuf anyway, so this is an immediate and obvious win
      there. In cases where we were not, we trade off storing
      "pathname/" in a strbuf on the heap for each level of the
      path, instead of two pointers and an int on the stack (with
      one pointer into the tree object). On a 64-bit system, the
      latter is 20 bytes; so if path components are less than that
      on average, this has lower peak memory usage.  In practice
      it probably doesn't matter either way; we are already
      holding in memory all of the tree objects leading up to each
      pathname, and for normal-depth pathnames, we are only
      talking about hundreds of bytes.
      
      This patch leaves "struct name_path" as a thin wrapper
      around the strbuf, to avoid disrupting callbacks. We should
      fix them, but leaving it out makes this diff easier to view.
      Signed-off-by: default avatarJeff King <peff@peff.net>
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      f3badaed
    • Jeff King's avatar
      show_object_with_name: simplify by using path_name() · 8eee9f92
      Jeff King authored
      When "git rev-list" shows an object with its associated path
      name, it does so by walking the name_path linked list and
      printing each component (stopping at any embedded NULs or
      newlines).
      
      We'd like to eventually get rid of name_path entirely in
      favor of a single buffer, and dropping this custom printing
      code is part of that. As a first step, let's use path_name()
      to format the list into a single buffer, and print that.
      This is strictly less efficient than the original, but it's
      a temporary step in the refactoring; our end game will be to
      get the fully formatted name in the first place.
      Signed-off-by: default avatarJeff King <peff@peff.net>
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      8eee9f92
    • Jeff King's avatar
      add helpers for detecting size_t overflow · 935de812
      Jeff King authored
      Performing computations on size_t variables that we feed to
      xmalloc and friends can be dangerous, as an integer overflow
      can cause us to allocate a much smaller chunk than we
      realized.
      
      We already have unsigned_add_overflows(), but let's add
      unsigned_mult_overflows() to that. Furthermore, rather than
      have each site manually check and die on overflow, we can
      provide some helpers that will:
      
        - promote the arguments to size_t, so that we know we are
          doing our computation in the same size of integer that
          will ultimately be fed to xmalloc
      
        - check and die on overflow
      
        - return the result so that computations can be done in
          the parameter list of xmalloc.
      
      These functions are a lot uglier to use than normal
      arithmetic operators (you have to do "st_add(foo, bar)"
      instead of "foo + bar"). To at least limit the damage, we
      also provide multi-valued versions. So rather than:
      
        st_add(st_add(a, b), st_add(c, d));
      
      you can write:
      
        st_add4(a, b, c, d);
      
      This isn't nearly as elegant as a varargs function, but it's
      a lot harder to get it wrong. You don't have to remember to
      add a sentinel value at the end, and the compiler will
      complain if you get the number of arguments wrong. This
      patch adds only the numbered variants required to convert
      the current code base; we can easily add more later if
      needed.
      Signed-off-by: default avatarJeff King <peff@peff.net>
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      935de812
    • Jeff King's avatar
      http-push: stop using name_path · c6bd2a1d
      Jeff King authored
      The graph traversal code here passes along a name_path to
      build up the pathname at which we find each blob. But we
      never actually do anything with the resulting names, making
      it a waste of code and memory.
      
      This usage came in aa1dbc98 (Update http-push functionality,
      2006-03-07), and originally the result was passed to
      "add_object" (which stored it, but didn't really use it,
      either). But we stopped using that function in 1f1e895f (Add
      "named object array" concept, 2006-06-19) in favor of
      storing just the objects themselves.
      
      Moreover, the generation of the name in process_tree() is
      buggy. It sticks "name" onto the end of the name_path linked
      list, and then passes it down again as it recurses (instead
      of "entry.path"). So it's a good thing this was unused, as
      the resulting path for "a/b/c/d" would end up as "a/a/a/a".
      Signed-off-by: default avatarJeff King <peff@peff.net>
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      c6bd2a1d
    • Jeff King's avatar
      tree-diff: catch integer overflow in combine_diff_path allocation · d7701878
      Jeff King authored
      A combine_diff_path struct has two "flex" members allocated
      alongside the struct: a string to hold the pathname, and an
      array of parent pointers. We use an "int" to compute this,
      meaning we may easily overflow it if the pathname is
      extremely long.
      
      We can fix this by using size_t, and checking for overflow
      with the st_add helper.
      Signed-off-by: default avatarJeff King <peff@peff.net>
      Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
      d7701878
  6. 10 Mar, 2016 6 commits