Staging
v0.5.1
v0.5.1
| Revision | Author | Date | Message | Commit Date |
|---|---|---|---|---|
| 367f12b | Johannes Schindelin | 04 December 2019, 22:01:50 UTC | Git 2.21.1 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 06 December 2019, 15:31:15 UTC |
| 20c71bc | Johannes Schindelin | 16 September 2019, 11:26:40 UTC | Merge branch 'fix-msys2-quoting-bugs' These patches fix several bugs in quoting arguments when spawning shell scripts on Windows. Note: these bugs are Windows-only, as we have to construct a command line for the process-to-spawn, unlike Linux/macOS, where `execv()` accepts an already-split command line. Furthermore, these fixes were not included in the CVE-2019-1350 part of v2.14.6 because the Windows-specific quoting when spawning shell scripts was contributed from Git for Windows into Git only in the v2.21.x era. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 06 December 2019, 15:31:15 UTC |
| 7d8b676 | Johannes Schindelin | 19 September 2019, 21:43:03 UTC | mingw: sh arguments need quoting in more circumstances Previously, we failed to quote characters such as '*', '(' and the likes. Let's fix this. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 06 December 2019, 15:31:15 UTC |
| 04522ed | Johannes Schindelin | 19 September 2019, 21:38:33 UTC | mingw: fix quoting of empty arguments for `sh` When constructing command-lines to spawn processes, it is an unfortunate but necessary decision to quote arguments differently: MSYS2 has different dequoting rules (inherited from Cygwin) than the rest of Windows. To accommodate that, Git's Windows compatibility layer has two separate quoting helpers, one for MSYS2 (which it uses exclusively when spawning `sh`) and the other for regular Windows executables. The MSYS2 one had an unfortunate bug where a `,` somehow slipped in, instead of the `;`. As a consequence, empty arguments would not be enclosed in a pair of double quotes, but the closing double quote was skipped. Let's fix this. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 06 December 2019, 15:31:14 UTC |
| 49f7a76 | Johannes Schindelin | 19 September 2019, 15:05:45 UTC | mingw: use MSYS2 quoting even when spawning shell scripts At the point where `mingw_spawn_fd()` is called, we already have a full path to the script interpreter in that scenario, and we pass it in as the executable to run, while the `argv` reflect what the script should receive as command-line. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 06 December 2019, 15:31:14 UTC |
| d9061ed | Johannes Schindelin | 04 December 2019, 21:47:25 UTC | t7415: drop v2.20.x-specific work-around This reverts the work-around that was introduced just for the v2.20.x release train in "t7415: adjust test for dubiously-nested submodule gitdirs for v2.20.x"; It is not necessary for v2.21.x. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 06 December 2019, 15:31:14 UTC |
| e2ba3d6 | Johannes Schindelin | 19 September 2019, 15:05:21 UTC | mingw: detect when MSYS2's sh is to be spawned more robustly Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 06 December 2019, 15:31:14 UTC |
| fc346cb | Johannes Schindelin | 04 December 2019, 21:46:37 UTC | Sync with 2.20.2 * maint-2.20: (36 commits) Git 2.20.2 t7415: adjust test for dubiously-nested submodule gitdirs for v2.20.x Git 2.19.3 Git 2.18.2 Git 2.17.3 Git 2.16.6 test-drop-caches: use `has_dos_drive_prefix()` Git 2.15.4 Git 2.14.6 mingw: handle `subst`-ed "DOS drives" mingw: refuse to access paths with trailing spaces or periods mingw: refuse to access paths with illegal characters unpack-trees: let merged_entry() pass through do_add_entry()'s errors quote-stress-test: offer to test quoting arguments for MSYS2 sh t6130/t9350: prepare for stringent Win32 path validation quote-stress-test: allow skipping some trials quote-stress-test: accept arguments to test via the command-line tests: add a helper to stress test argument quoting mingw: fix quoting of arguments Disallow dubiously-nested submodule git directories ... | 06 December 2019, 15:31:12 UTC |
| 4cd1cf3 | Johannes Schindelin | 04 December 2019, 21:33:15 UTC | Git 2.20.2 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 06 December 2019, 15:30:51 UTC |
| c154745 | Jonathan Nieder | 05 December 2019, 09:28:28 UTC | submodule: defend against submodule.update = !command in .gitmodules In v2.15.4, we started to reject `submodule.update` settings in `.gitmodules`. Let's raise a BUG if it somehow still made it through from anywhere but the Git config. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Johannes Schindelin <Johannes.Schindelin@gmx.de> | 06 December 2019, 15:30:50 UTC |
| 4cfc47d | Johannes Schindelin | 04 December 2019, 09:06:08 UTC | t7415: adjust test for dubiously-nested submodule gitdirs for v2.20.x In v2.20.x, Git clones submodules recursively by first creating the submodules' gitdirs and _then_ "updating" the submodules. This can lead to the situation where the clone path is taken because the directory (while it exists already) is not a git directory, but then the clone fails because that gitdir is unexpectedly already a directory. This _also_ works around the vulnerability that was fixed in "Disallow dubiously-nested submodule git directories", but it produces a different error message than the one expected by the test case, therefore we adjust the test case accordingly. Note: as the two submodules "race each other", there are actually two possible error messages, therefore we have to teach the test case to expect _two_ possible (and good) outcomes in addition to the one it expected before. Note: this workaround is only necessary for the v2.20.x release train; The behavior changed again in v2.21.x so that the original test case's expectations are met again. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 06 December 2019, 15:30:50 UTC |
| d851d94 | Johannes Schindelin | 04 December 2019, 21:31:10 UTC | Sync with 2.19.3 * maint-2.19: (34 commits) Git 2.19.3 Git 2.18.2 Git 2.17.3 Git 2.16.6 test-drop-caches: use `has_dos_drive_prefix()` Git 2.15.4 Git 2.14.6 mingw: handle `subst`-ed "DOS drives" mingw: refuse to access paths with trailing spaces or periods mingw: refuse to access paths with illegal characters unpack-trees: let merged_entry() pass through do_add_entry()'s errors quote-stress-test: offer to test quoting arguments for MSYS2 sh t6130/t9350: prepare for stringent Win32 path validation quote-stress-test: allow skipping some trials quote-stress-test: accept arguments to test via the command-line tests: add a helper to stress test argument quoting mingw: fix quoting of arguments Disallow dubiously-nested submodule git directories protect_ntfs: turn on NTFS protection by default path: also guard `.gitmodules` against NTFS Alternate Data Streams ... | 06 December 2019, 15:30:49 UTC |
| caccc52 | Johannes Schindelin | 04 December 2019, 21:29:33 UTC | Git 2.19.3 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 06 December 2019, 15:30:40 UTC |
| 7c9fbda | Johannes Schindelin | 04 December 2019, 21:27:04 UTC | Sync with 2.18.2 * maint-2.18: (33 commits) Git 2.18.2 Git 2.17.3 Git 2.16.6 test-drop-caches: use `has_dos_drive_prefix()` Git 2.15.4 Git 2.14.6 mingw: handle `subst`-ed "DOS drives" mingw: refuse to access paths with trailing spaces or periods mingw: refuse to access paths with illegal characters unpack-trees: let merged_entry() pass through do_add_entry()'s errors quote-stress-test: offer to test quoting arguments for MSYS2 sh t6130/t9350: prepare for stringent Win32 path validation quote-stress-test: allow skipping some trials quote-stress-test: accept arguments to test via the command-line tests: add a helper to stress test argument quoting mingw: fix quoting of arguments Disallow dubiously-nested submodule git directories protect_ntfs: turn on NTFS protection by default path: also guard `.gitmodules` against NTFS Alternate Data Streams is_ntfs_dotgit(): speed it up ... | 06 December 2019, 15:30:38 UTC |
| 9877106 | Johannes Schindelin | 04 December 2019, 21:22:52 UTC | Git 2.18.2 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 06 December 2019, 15:29:17 UTC |
| 14af7ed | Johannes Schindelin | 04 December 2019, 21:21:20 UTC | Sync with 2.17.3 * maint-2.17: (32 commits) Git 2.17.3 Git 2.16.6 test-drop-caches: use `has_dos_drive_prefix()` Git 2.15.4 Git 2.14.6 mingw: handle `subst`-ed "DOS drives" mingw: refuse to access paths with trailing spaces or periods mingw: refuse to access paths with illegal characters unpack-trees: let merged_entry() pass through do_add_entry()'s errors quote-stress-test: offer to test quoting arguments for MSYS2 sh t6130/t9350: prepare for stringent Win32 path validation quote-stress-test: allow skipping some trials quote-stress-test: accept arguments to test via the command-line tests: add a helper to stress test argument quoting mingw: fix quoting of arguments Disallow dubiously-nested submodule git directories protect_ntfs: turn on NTFS protection by default path: also guard `.gitmodules` against NTFS Alternate Data Streams is_ntfs_dotgit(): speed it up mingw: disallow backslash characters in tree objects' file names ... | 06 December 2019, 15:29:15 UTC |
| a5ab8d0 | Johannes Schindelin | 04 December 2019, 21:13:04 UTC | Git 2.17.3 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 06 December 2019, 15:27:38 UTC |
| bb92255 | Jonathan Nieder | 05 December 2019, 09:30:43 UTC | fsck: reject submodule.update = !command in .gitmodules This allows hosting providers to detect whether they are being used to attack users using malicious 'update = !command' settings in .gitmodules. Since ac1fbbda2013 (submodule: do not copy unknown update mode from .gitmodules, 2013-12-02), in normal cases such settings have been treated as 'update = none', so forbidding them should not produce any collateral damage to legitimate uses. A quick search does not reveal any repositories making use of this construct, either. Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com> Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 06 December 2019, 15:27:38 UTC |
| bdfef04 | Johannes Schindelin | 04 December 2019, 20:52:10 UTC | Sync with 2.16.6 * maint-2.16: (31 commits) Git 2.16.6 test-drop-caches: use `has_dos_drive_prefix()` Git 2.15.4 Git 2.14.6 mingw: handle `subst`-ed "DOS drives" mingw: refuse to access paths with trailing spaces or periods mingw: refuse to access paths with illegal characters unpack-trees: let merged_entry() pass through do_add_entry()'s errors quote-stress-test: offer to test quoting arguments for MSYS2 sh t6130/t9350: prepare for stringent Win32 path validation quote-stress-test: allow skipping some trials quote-stress-test: accept arguments to test via the command-line tests: add a helper to stress test argument quoting mingw: fix quoting of arguments Disallow dubiously-nested submodule git directories protect_ntfs: turn on NTFS protection by default path: also guard `.gitmodules` against NTFS Alternate Data Streams is_ntfs_dotgit(): speed it up mingw: disallow backslash characters in tree objects' file names path: safeguard `.git` against NTFS Alternate Streams Accesses ... | 06 December 2019, 15:27:36 UTC |
| eb288bc | Johannes Schindelin | 04 December 2019, 20:45:07 UTC | Git 2.16.6 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 06 December 2019, 15:27:20 UTC |
| 6844049 | Johannes Schindelin | 04 December 2019, 20:40:01 UTC | test-drop-caches: use `has_dos_drive_prefix()` This is a companion patch to 'mingw: handle `subst`-ed "DOS drives"': use the DOS drive prefix handling that is already provided by `compat/mingw.c` (and which just learned to handle non-alphabetical "drive letters"). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 06 December 2019, 15:27:20 UTC |
| 9ac92fe | Johannes Schindelin | 04 December 2019, 20:38:25 UTC | Sync with 2.15.4 * maint-2.15: (29 commits) Git 2.15.4 Git 2.14.6 mingw: handle `subst`-ed "DOS drives" mingw: refuse to access paths with trailing spaces or periods mingw: refuse to access paths with illegal characters unpack-trees: let merged_entry() pass through do_add_entry()'s errors quote-stress-test: offer to test quoting arguments for MSYS2 sh t6130/t9350: prepare for stringent Win32 path validation quote-stress-test: allow skipping some trials quote-stress-test: accept arguments to test via the command-line tests: add a helper to stress test argument quoting mingw: fix quoting of arguments Disallow dubiously-nested submodule git directories protect_ntfs: turn on NTFS protection by default path: also guard `.gitmodules` against NTFS Alternate Data Streams is_ntfs_dotgit(): speed it up mingw: disallow backslash characters in tree objects' file names path: safeguard `.git` against NTFS Alternate Streams Accesses clone --recurse-submodules: prevent name squatting on Windows is_ntfs_dotgit(): only verify the leading segment ... | 06 December 2019, 15:27:18 UTC |
| 7cdafca | Johannes Schindelin | 04 December 2019, 20:33:29 UTC | Git 2.15.4 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 06 December 2019, 15:26:58 UTC |
| e904deb | Jonathan Nieder | 05 December 2019, 09:28:28 UTC | submodule: reject submodule.update = !command in .gitmodules Since ac1fbbda2013 (submodule: do not copy unknown update mode from .gitmodules, 2013-12-02), Git has been careful to avoid copying [submodule "foo"] update = !run an arbitrary scary command from .gitmodules to a repository's local config, copying in the setting 'update = none' instead. The gitmodules(5) manpage documents the intention: The !command form is intentionally ignored here for security reasons Unfortunately, starting with v2.20.0-rc0 (which integrated ee69b2a9 (submodule--helper: introduce new update-module-mode helper, 2018-08-13, first released in v2.20.0-rc0)), there are scenarios where we *don't* ignore it: if the config store contains no submodule.foo.update setting, the submodule-config API falls back to reading .gitmodules and the repository-supplied !command gets run after all. This was part of a general change over time in submodule support to read more directly from .gitmodules, since unlike .git/config it allows a project to change values between branches and over time (while still allowing .git/config to override things). But it was never intended to apply to this kind of dangerous configuration. The behavior change was not advertised in ee69b2a9's commit message and was missed in review. Let's take the opportunity to make the protection more robust, even in Git versions that are technically not affected: instead of quietly converting 'update = !command' to 'update = none', noisily treat it as an error. Allowing the setting but treating it as meaning something else was just confusing; users are better served by seeing the error sooner. Forbidding the construct makes the semantics simpler and means we can check for it in fsck (in a separate patch). As a result, the submodule-config API cannot read this value from .gitmodules under any circumstance, and we can declare with confidence For security reasons, the '!command' form is not accepted here. Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com> Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Johannes Schindelin <Johannes.Schindelin@gmx.de> | 06 December 2019, 15:26:58 UTC |
| d3ac8c3 | Johannes Schindelin | 04 December 2019, 20:26:31 UTC | Sync with 2.14.6 * maint-2.14: (28 commits) Git 2.14.6 mingw: handle `subst`-ed "DOS drives" mingw: refuse to access paths with trailing spaces or periods mingw: refuse to access paths with illegal characters unpack-trees: let merged_entry() pass through do_add_entry()'s errors quote-stress-test: offer to test quoting arguments for MSYS2 sh t6130/t9350: prepare for stringent Win32 path validation quote-stress-test: allow skipping some trials quote-stress-test: accept arguments to test via the command-line tests: add a helper to stress test argument quoting mingw: fix quoting of arguments Disallow dubiously-nested submodule git directories protect_ntfs: turn on NTFS protection by default path: also guard `.gitmodules` against NTFS Alternate Data Streams is_ntfs_dotgit(): speed it up mingw: disallow backslash characters in tree objects' file names path: safeguard `.git` against NTFS Alternate Streams Accesses clone --recurse-submodules: prevent name squatting on Windows is_ntfs_dotgit(): only verify the leading segment test-path-utils: offer to run a protectNTFS/protectHFS benchmark ... | 06 December 2019, 15:26:55 UTC |
| 66d2a61 | Johannes Schindelin | 04 December 2019, 18:58:46 UTC | Git 2.14.6 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 06 December 2019, 15:26:15 UTC |
| 2ddcccf | Johannes Schindelin | 16 September 2019, 11:26:40 UTC | Merge branch 'win32-accommodate-funny-drive-names' While the only permitted drive letters for physical drives on Windows are letters of the US-English alphabet, this restriction does not apply to virtual drives assigned via `subst <letter>: <path>`. To prevent targeted attacks against systems where "funny" drive letters such as `1` or `!` are assigned, let's handle them as regular drive letters on Windows. This fixes CVE-2019-1351. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:37:09 UTC |
| 65d30a1 | Johannes Schindelin | 16 September 2019, 11:26:40 UTC | Merge branch 'win32-filenames-cannot-have-trailing-spaces-or-periods' On Windows, filenames cannot have trailing spaces or periods, when opening such paths, they are stripped automatically. Read: you can open the file `README` via the file name `README . . .`. This ambiguity can be used in combination with other security bugs to cause e.g. remote code execution during recursive clones. This patch series fixes that. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:37:09 UTC |
| 5532ebd | Johannes Schindelin | 16 September 2019, 11:26:40 UTC | Merge branch 'fix-mingw-quoting-bug' This patch fixes a vulnerability in the Windows-specific code where a submodule names ending in a backslash were quoted incorrectly, and that bug could be abused to insert command-line parameters e.g. to `ssh` in a recursive clone. Note: this bug is Windows-only, as we have to construct a command line for the process-to-spawn, unlike Linux/macOS, where `execv()` accepts an already-split command line. While at it, other quoting issues are fixed as well. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:37:08 UTC |
| 76a681c | Johannes Schindelin | 02 October 2019, 11:08:45 UTC | Merge branch 'dubiously-nested-submodules' Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names. This topic branch fixes that. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:37:08 UTC |
| dd53ea7 | Johannes Schindelin | 16 September 2019, 11:26:40 UTC | Merge branch 'turn-on-protectntfs-by-default' This patch series makes it safe to use Git on Windows drives, even if running on a mounted network share or within the Windows Subsystem for Linux (WSL). This topic branch addresses CVE-2019-1353. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:37:08 UTC |
| 7f3551d | Johannes Schindelin | 16 September 2019, 11:26:40 UTC | Merge branch 'disallow-dotgit-via-ntfs-alternate-data-streams' This patch series plugs an attack vector we had overlooked in our December 2014 work on `core.protectNTFS`. Essentially, the path `.git::$INDEX_ALLOCATION/config` is interpreted as `.git/config` when NTFS Alternate Data Streams are available (which they are on Windows, and at least on network shares that are SMB-mounted on macOS). Needless to say: we don't want that. In fact, we want to stay on the very safe side and not even special-case the `$INDEX_ALLOCATION` stream type: let's just prevent Git from touching _any_ explicitly specified Alternate Data Stream of `.git`. In essence, we'll prevent Git from tracking, or writing to, any path with a segment of the form `.git:<anything>`. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:37:07 UTC |
| f82a97e | Johannes Schindelin | 05 September 2019, 22:09:10 UTC | mingw: handle `subst`-ed "DOS drives" Over a decade ago, in 25fe217b86c (Windows: Treat Windows style path names., 2008-03-05), Git was taught to handle absolute Windows paths, i.e. paths that start with a drive letter and a colon. Unbeknownst to us, while drive letters of physical drives are limited to letters of the English alphabet, there is a way to assign virtual drive letters to arbitrary directories, via the `subst` command, which is _not_ limited to English letters. It is therefore possible to have absolute Windows paths of the form `1:\what\the\hex.txt`. Even "better": pretty much arbitrary Unicode letters can also be used, e.g. `ä:\tschibät.sch`. While it can be sensibly argued that users who set up such funny drive letters really seek adverse consequences, the Windows Operating System is known to be a platform where many users are at the mercy of administrators who have their very own idea of what constitutes a reasonable setup. Therefore, let's just make sure that such funny paths are still considered absolute paths by Git, on Windows. In addition to Unicode characters, pretty much any character is a valid drive letter, as far as `subst` is concerned, even `:` and `"` or even a space character. While it is probably the opposite of smart to use them, let's safeguard `is_dos_drive_prefix()` against all of them. Note: `[::1]:repo` is a valid URL, but not a valid path on Windows. As `[` is now considered a valid drive letter, we need to be very careful to avoid misinterpreting such a string as valid local path in `url_is_local_not_ssh()`. To do that, we use the just-introduced function `is_valid_path()` (which will label the string as invalid file name because of the colon characters). This fixes CVE-2019-1351. Reported-by: Nicolas Joly <Nicolas.Joly@microsoft.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:37:07 UTC |
| 379e51d | Johannes Schindelin | 19 September 2019, 22:12:37 UTC | quote-stress-test: offer to test quoting arguments for MSYS2 sh It is unfortunate that we need to quote arguments differently on Windows, depending whether we build a command-line for MSYS2's `sh` or for other Windows executables. We already have a test helper to verify the latter, with this patch we can also verify the former. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:37:06 UTC |
| 7530a62 | Johannes Schindelin | 19 September 2019, 21:46:31 UTC | quote-stress-test: allow skipping some trials When the, say, 93rd trial run fails, it is a good idea to have a way to skip the first 92 trials and dig directly into the 93rd in a debugger. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:37:06 UTC |
| 817ddd6 | Johannes Schindelin | 05 September 2019, 11:44:21 UTC | mingw: refuse to access paths with illegal characters Certain characters are not admissible in file names on Windows, even if Cygwin/MSYS2 (and therefore, Git for Windows' Bash) pretend that they are, e.g. `:`, `<`, `>`, etc Let's disallow those characters explicitly in Windows builds of Git. Note: just like trailing spaces or periods, it _is_ possible on Windows to create commits adding files with such illegal characters, as long as the operation leaves the worktree untouched. To allow for that, we continue to guard `is_valid_win32_path()` behind the config setting `core.protectNTFS`, so that users _can_ continue to do that, as long as they turn the protections off via that config setting. Among other problems, this prevents Git from trying to write to an "NTFS Alternate Data Stream" (which refers to metadata stored alongside a file, under a special name: "<filename>:<stream-name>"). This fix therefore also prevents an attack vector that was exploited in demonstrations of a number of recently-fixed security bugs. Further reading on illegal characters in Win32 filenames: https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:37:06 UTC |
| d2c84da | Johannes Schindelin | 05 September 2019, 11:27:53 UTC | mingw: refuse to access paths with trailing spaces or periods When creating a directory on Windows whose path ends in a space or a period (or chains thereof), the Win32 API "helpfully" trims those. For example, `mkdir("abc ");` will return success, but actually create a directory called `abc` instead. This stems back to the DOS days, when all file names had exactly 8 characters plus exactly 3 characters for the file extension, and the only way to have shorter names was by padding with spaces. Sadly, this "helpful" behavior is a bit inconsistent: after a successful `mkdir("abc ");`, a `mkdir("abc /def")` will actually _fail_ (because the directory `abc ` does not actually exist). Even if it would work, we now have a serious problem because a Git repository could contain directories `abc` and `abc `, and on Windows, they would be "merged" unintentionally. As these paths are illegal on Windows, anyway, let's disallow any accesses to such paths on that Operating System. For practical reasons, this behavior is still guarded by the config setting `core.protectNTFS`: it is possible (and at least two regression tests make use of it) to create commits without involving the worktree. In such a scenario, it is of course possible -- even on Windows -- to create such file names. Among other consequences, this patch disallows submodules' paths to end in spaces on Windows (which would formerly have confused Git enough to try to write into incorrect paths, anyway). While this patch does not fix a vulnerability on its own, it prevents an attack vector that was exploited in demonstrations of a number of recently-fixed security bugs. The regression test added to `t/t7417-submodule-path-url.sh` reflects that attack vector. Note that we have to adjust the test case "prevent git~1 squatting on Windows" in `t/t7415-submodule-names.sh` because of a very subtle issue. It tries to clone two submodules whose names differ only in a trailing period character, and as a consequence their git directories differ in the same way. Previously, when Git tried to clone the second submodule, it thought that the git directory already existed (because on Windows, when you create a directory with the name `b.` it actually creates `b`), but with this patch, the first submodule's clone will fail because of the illegal name of the git directory. Therefore, when cloning the second submodule, Git will take a different code path: a fresh clone (without an existing git directory). Both code paths fail to clone the second submodule, both because the the corresponding worktree directory exists and is not empty, but the error messages are worded differently. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:37:06 UTC |
| cc756ed | Johannes Schindelin | 09 September 2019, 11:56:15 UTC | unpack-trees: let merged_entry() pass through do_add_entry()'s errors A `git clone` will end with exit code 0 when `merged_entry()` returns a positive value during a call of `unpack_trees()` to `traverse_trees()`. The reason is that `unpack_trees()` will interpret a positive value not to be an error. The problem is, however, that `add_index_entry()` (which is called by `merged_entry()` can report an error, and we really should fail the entire clone in such a case. Let's fix this problem, in preparation for a Windows-specific patch disallowing `mkdir()` with directory names that contain a trailing space (which is illegal on NTFS): we want `git clone` to abort when a path cannot be checked out due to that condition. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:37:06 UTC |
| 35edce2 | Johannes Schindelin | 09 September 2019, 13:43:35 UTC | t6130/t9350: prepare for stringent Win32 path validation On Windows, file names cannot contain asterisks nor newline characters. In an upcoming commit, we will make this limitation explicit, disallowing even the creation of commits that introduce such file names. However, in the test scripts touched by this patch, we _know_ that those paths won't be checked out, so we _want_ to allow such file names. Happily, the stringent path validation will be guarded via the `core.protectNTFS` flag, so all we need to do is to force that flag off temporarily. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:37:06 UTC |
| 55953c7 | Johannes Schindelin | 20 September 2019, 17:09:39 UTC | quote-stress-test: accept arguments to test via the command-line When the stress test reported a problem with quoting certain arguments, it is helpful to have a facility to play with those arguments in order to find out whether variations of those arguments are affected, too. Let's allow `test-run-command quote-stress-test -- <args>` to be used for that purpose. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:36:53 UTC |
| ad15592 | Garima Singh | 18 September 2019, 20:03:59 UTC | tests: add a helper to stress test argument quoting On Windows, we have to do all the command-line argument quoting ourselves. Worse: we have to have two versions of said quoting, one for MSYS2 programs (which have their own dequoting rules) and the rest. We care mostly about the rest, and to make sure that that works, let's have a stress test that comes up with all kinds of awkward arguments, verifying that a spawned sub-process receives those unharmed. Signed-off-by: Garima Singh <garima.singh@microsoft.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:36:52 UTC |
| 6d86841 | Johannes Schindelin | 13 September 2019, 14:32:43 UTC | mingw: fix quoting of arguments We need to be careful to follow proper quoting rules. For example, if an argument contains spaces, we have to quote them. Double-quotes need to be escaped. Backslashes need to be escaped, but only if they are followed by a double-quote character. We need to be _extra_ careful to consider the case where an argument ends in a backslash _and_ needs to be quoted: in this case, we append a double-quote character, i.e. the backslash now has to be escaped! The current code, however, fails to recognize that, and therefore can turn an argument that ends in a single backslash into a quoted argument that now ends in an escaped double-quote character. This allows subsequent command-line parameters to be split and part of them being mistaken for command-line options, e.g. through a maliciously-crafted submodule URL during a recursive clone. Technically, we would not need to quote _all_ arguments which end in a backslash _unless_ the argument needs to be quoted anyway. For example, `test\` would not need to be quoted, while `test \` would need to be. To keep the code simple, however, and therefore easier to reason about and ensure its correctness, we now _always_ quote an argument that ends in a backslash. This addresses CVE-2019-1350. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:36:51 UTC |
| 9102f95 | Johannes Schindelin | 09 September 2019, 19:04:41 UTC | protect_ntfs: turn on NTFS protection by default Back in the DOS days, in the FAT file system, file names always consisted of a base name of length 8 plus a file extension of length 3. Shorter file names were simply padded with spaces to the full 8.3 format. Later, the FAT file system was taught to support _also_ longer names, with an 8.3 "short name" as primary file name. While at it, the same facility allowed formerly illegal file names, such as `.git` (empty base names were not allowed), which would have the "short name" `git~1` associated with it. For backwards-compatibility, NTFS supports alternative 8.3 short filenames, too, even if starting with Windows Vista, they are only generated on the system drive by default. We addressed the problem that the `.git/` directory can _also_ be accessed via `git~1/` (when short names are enabled) in 2b4c6efc821 (read-cache: optionally disallow NTFS .git variants, 2014-12-16), i.e. since Git v1.9.5, by introducing the config setting `core.protectNTFS` and enabling it by default on Windows. In the meantime, Windows 10 introduced the "Windows Subsystem for Linux" (short: WSL), i.e. a way to run Linux applications/distributions in a thinly-isolated subsystem on Windows (giving rise to many a "2016 is the Year of Linux on the Desktop" jokes). WSL is getting increasingly popular, also due to the painless way Linux application can operate directly ("natively") on files on Windows' file system: the Windows drives are mounted automatically (e.g. `C:` as `/mnt/c/`). Taken together, this means that we now have to enable the safe-guards of Git v1.9.5 also in WSL: it is possible to access a `.git` directory inside `/mnt/c/` via the 8.3 name `git~1` (unless short name generation was disabled manually). Since regular Linux distributions run in WSL, this means we have to enable `core.protectNTFS` at least on Linux, too. To enable Services for Macintosh in Windows NT to store so-called resource forks, NTFS introduced "Alternate Data Streams". Essentially, these constitute additional metadata that are connected to (and copied with) their associated files, and they are accessed via pseudo file names of the form `filename:<stream-name>:<stream-type>`. In a recent patch, we extended `core.protectNTFS` to also protect against accesses via NTFS Alternate Data Streams, e.g. to prevent contents of the `.git/` directory to be "tracked" via yet another alternative file name. While it is not possible (at least by default) to access files via NTFS Alternate Data Streams from within WSL, the defaults on macOS when mounting network shares via SMB _do_ allow accessing files and directories in that way. Therefore, we need to enable `core.protectNTFS` on macOS by default, too, and really, on any Operating System that can mount network shares via SMB/CIFS. A couple of approaches were considered for fixing this: 1. We could perform a dynamic NTFS check similar to the `core.symlinks` check in `init`/`clone`: instead of trying to create a symbolic link in the `.git/` directory, we could create a test file and try to access `.git/config` via 8.3 name and/or Alternate Data Stream. 2. We could simply "flip the switch" on `core.protectNTFS`, to make it "on by default". The obvious downside of 1. is that it won't protect worktrees that were clone with a vulnerable Git version already. We considered patching code paths that check out files to check whether we're running on an NTFS system dynamically and persist the result in the repository-local config setting `core.protectNTFS`, but in the end decided that this solution would be too fragile, and too involved. The obvious downside of 2. is that everybody will have to "suffer" the performance penalty incurred from calling `is_ntfs_dotgit()` on every path, even in setups where. After the recent work to accelerate `is_ntfs_dotgit()` in most cases, it looks as if the time spent on validating ten million random file names increases only negligibly (less than 20ms, well within the standard deviation of ~50ms). Therefore the benefits outweigh the cost. Another downside of this is that paths that might have been acceptable previously now will be forbidden. Realistically, though, this is an improvement because public Git hosters already would reject any `git push` that contains such file names. Note: There might be a similar problem mounting HFS+ on Linux. However, this scenario has been considered unlikely and in light of the cost (in the aforementioned benchmark, `core.protectHFS = true` increased the time from ~440ms to ~610ms), it was decided _not_ to touch the default of `core.protectHFS`. This change addresses CVE-2019-1353. Reported-by: Nicolas Joly <Nicolas.Joly@microsoft.com> Helped-by: Garima Singh <garima.singh@microsoft.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:36:51 UTC |
| 3a85dc7 | Johannes Schindelin | 06 September 2019, 19:09:35 UTC | is_ntfs_dotgit(): speed it up Previously, this function was written without focusing on speed, intending to make reviewing the code as easy as possible, to avoid any bugs in this critical code. Turns out: we can do much better on both accounts. With this patch, we make it as fast as this developer can make it go: - We avoid the call to `is_dir_sep()` and make all the character comparisons explicit. - We avoid the cost of calling `strncasecmp()` and unroll the test for `.git` and `git~1`, not even using `tolower()` because it is faster to compare against two constant values. - We look for `.git` and `.git~1` first thing, and return early if not found. - We also avoid calling a separate function for detecting chains of spaces and periods. Each of these improvements has a noticeable impact on the speed of `is_ntfs_dotgit()`. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:36:51 UTC |
| a8dee3c | Johannes Schindelin | 01 October 2019, 21:27:18 UTC | Disallow dubiously-nested submodule git directories Currently it is technically possible to let a submodule's git directory point right into the git dir of a sibling submodule. Example: the git directories of two submodules with the names `hippo` and `hippo/hooks` would be `.git/modules/hippo/` and `.git/modules/hippo/hooks/`, respectively, but the latter is already intended to house the former's hooks. In most cases, this is just confusing, but there is also a (quite contrived) attack vector where Git can be fooled into mistaking remote content for file contents it wrote itself during a recursive clone. Let's plug this bug. To do so, we introduce the new function `validate_submodule_git_dir()` which simply verifies that no git dir exists for any leading directories of the submodule name (if there are any). Note: this patch specifically continues to allow sibling modules names of the form `core/lib`, `core/doc`, etc, as long as `core` is not a submodule name. This fixes CVE-2019-1387. Reported-by: Nicolas Joly <Nicolas.Joly@microsoft.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 05 December 2019, 14:36:51 UTC |
| 4778452 | Johannes Schindelin | 16 September 2019, 11:26:40 UTC | Merge branch 'prevent-name-squatting-on-windows' This patch series fixes an issue where Git could formerly have been tricked into creating a `.git` file with an unexpected (and therefore unprotected) NTFS short name. Incidentally, it also fixes an issue where a tree entry containing a backslash could be tricked into following a symbolic link, i.e. Git could be tricked into writing files outside the worktree. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 04 December 2019, 12:23:22 UTC |
| a7b1ad3 | Johannes Schindelin | 03 October 2019, 18:44:34 UTC | Merge branch 'jk/fast-import-unsafe' The `--export-marks` option of `git fast-import` is exposed also via the in-stream command `feature export-marks=...` and it allows overwriting arbitrary paths. This topic branch prevents the in-stream version, to prevent arbitrary file accesses by `git fast-import` streams coming from untrusted sources (e.g. in remote helpers that are based on `git fast-import`). This fixes CVE-2019-1348. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 04 December 2019, 12:23:22 UTC |
| e1d911d | Johannes Schindelin | 12 September 2019, 12:54:05 UTC | mingw: disallow backslash characters in tree objects' file names The backslash character is not a valid part of a file name on Windows. Hence it is dangerous to allow writing files that were unpacked from tree objects, when the stored file name contains a backslash character: it will be misinterpreted as directory separator. This not only causes ambiguity when a tree contains a blob `a\b` and a tree `a` that contains a blob `b`, but it also can be used as part of an attack vector to side-step the careful protections against writing into the `.git/` directory during a clone of a maliciously-crafted repository. Let's prevent that, addressing CVE-2019-1354. Note: we guard against backslash characters in tree objects' file names _only_ on Windows (because on other platforms, even on those where NTFS volumes can be mounted, the backslash character is _not_ a directory separator), and _only_ when `core.protectNTFS = true` (because users might need to generate tree objects for other platforms, of course without touching the worktree, e.g. using `git update-index --cacheinfo`). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 04 December 2019, 12:20:05 UTC |
| 0060fd1 | Johannes Schindelin | 12 September 2019, 12:20:39 UTC | clone --recurse-submodules: prevent name squatting on Windows In addition to preventing `.git` from being tracked by Git, on Windows we also have to prevent `git~1` from being tracked, as the default NTFS short name (also known as the "8.3 filename") for the file name `.git` is `git~1`, otherwise it would be possible for malicious repositories to write directly into the `.git/` directory, e.g. a `post-checkout` hook that would then be executed _during_ a recursive clone. When we implemented appropriate protections in 2b4c6efc821 (read-cache: optionally disallow NTFS .git variants, 2014-12-16), we had analyzed carefully that the `.git` directory or file would be guaranteed to be the first directory entry to be written. Otherwise it would be possible e.g. for a file named `..git` to be assigned the short name `git~1` and subsequently, the short name generated for `.git` would be `git~2`. Or `git~3`. Or even `~9999999` (for a detailed explanation of the lengths we have to go to protect `.gitmodules`, see the commit message of e7cb0b4455c (is_ntfs_dotgit: match other .git files, 2018-05-11)). However, by exploiting two issues (that will be addressed in a related patch series close by), it is currently possible to clone a submodule into a non-empty directory: - On Windows, file names cannot end in a space or a period (for historical reasons: the period separating the base name from the file extension was not actually written to disk, and the base name/file extension was space-padded to the full 8/3 characters, respectively). Helpfully, when creating a directory under the name, say, `sub.`, that trailing period is trimmed automatically and the actual name on disk is `sub`. This means that while Git thinks that the submodule names `sub` and `sub.` are different, they both access `.git/modules/sub/`. - While the backslash character is a valid file name character on Linux, it is not so on Windows. As Git tries to be cross-platform, it therefore allows backslash characters in the file names stored in tree objects. Which means that it is totally possible that a submodule `c` sits next to a file `c\..git`, and on Windows, during recursive clone a file called `..git` will be written into `c/`, of course _before_ the submodule is cloned. Note that the actual exploit is not quite as simple as having a submodule `c` next to a file `c\..git`, as we have to make sure that the directory `.git/modules/b` already exists when the submodule is checked out, otherwise a different code path is taken in `module_clone()` that does _not_ allow a non-empty submodule directory to exist already. Even if we will address both issues nearby (the next commit will disallow backslash characters in tree entries' file names on Windows, and another patch will disallow creating directories/files with trailing spaces or periods), it is a wise idea to defend in depth against this sort of attack vector: when submodules are cloned recursively, we now _require_ the directory to be empty, addressing CVE-2019-1349. Note: the code path we patch is shared with the code path of `git submodule update --init`, which must not expect, in general, that the directory is empty. Hence we have to introduce the new option `--force-init` and hand it all the way down from `git submodule` to the actual `git submodule--helper` process that performs the initial clone. Reported-by: Nicolas Joly <Nicolas.Joly@microsoft.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | 04 December 2019, 12:20:05 UTC |
| a52ed76 | Jeff King | 29 August 2019, 19:08:42 UTC | fast-import: disallow "feature import-marks" by default As with export-marks in the previous commit, import-marks can access the filesystem. This is significantly less dangerous than export-marks because it only involves reading from arbitrary paths, rather than writing them. However, it could still be surprising and have security implications (e.g., exfiltrating data from a service that accepts fast-import streams). Let's lump it (and its "if-exists" counterpart) in with export-marks, and enable the in-stream version only if --allow-unsafe-features is set. Signed-off-by: Jeff King <peff@peff.net> | 04 December 2019, 12:20:04 UTC |
| 68061e3 | Jeff King | 29 August 2019, 18:37:26 UTC | fast-import: disallow "feature export-marks" by default The fast-import stream command "feature export-marks=<path>" lets the stream write marks to an arbitrary path. This may be surprising if you are running fast-import against an untrusted input (which otherwise cannot do anything except update Git objects and refs). Let's disallow the use of this feature by default, and provide a command-line option to re-enable it (you can always just use the command-line --export-marks as well, but the in-stream version provides an easy way for exporters to control the process). This is a backwards-incompatible change, since the default is flipping to the new, safer behavior. However, since the main users of the in-stream versions would be import/export-based remote helpers, and since we trust remote helpers already (which are already running arbitrary code), we'll pass the new option by default when reading a remote helper's stream. This should minimize the impact. Note that the implementation isn't totally simple, as we have to work around the fact that fast-import doesn't parse its command-line options until after it has read any "feature" lines from the stream. This is how it lets command-line options override in-stream. But in our case, it's important to parse the new --allow-unsafe-features first. There are three options for resolving this: 1. Do a separate "early" pass over the options. This is easy for us to do because there are no command-line options that allow the "unstuck" form (so there's no chance of us mistaking an argument for an option), though it does introduce a risk of incorrect parsing later (e.g,. if we convert to parse-options). 2. Move the option parsing phase back to the start of the program, but teach the stream-reading code never to override an existing value. This is tricky, because stream "feature" lines override each other (meaning we'd have to start tracking the source for every option). 3. Accept that we might parse a "feature export-marks" line that is forbidden, as long we don't _act_ on it until after we've parsed the command line options. This would, in fact, work with the current code, but only because the previous patch fixed the export-marks parser to avoid touching the filesystem. So while it works, it does carry risk of somebody getting it wrong in the future in a rather subtle and unsafe way. I've gone with option (1) here as simple, safe, and unlikely to cause regressions. This fixes CVE-2019-1348. Signed-off-by: Jeff King <peff@peff.net> | 04 December 2019, 12:20:04 UTC |
| 0196830 | Jeff King | 29 August 2019, 17:33:48 UTC | fast-import: delay creating leading directories for export-marks When we parse the --export-marks option, we don't immediately open the file, but we do create any leading directories. This can be especially confusing when a command-line option overrides an in-stream one, in which case we'd create the leading directory for the in-stream file, even though we never actually write the file. Let's instead create the directories just before opening the file, which means we'll create only useful directories. Note that this could change the handling of relative paths if we chdir() in between, but we don't actually do so; the only permanent chdir is from setup_git_directory() which runs before either code path (potentially we should take the pre-setup dir into account to avoid surprising the user, but that's an orthogonal change). The test just adapts the existing "override" test to use paths with leading directories. This checks both that the correct directory is created (which worked before but was not tested), and that the overridden one is not (our new fix here). While we're here, let's also check the error result of safe_create_leading_directories(). We'd presumably notice any failure immediately after when we try to open the file itself, but we can give a more specific error message in this case. Signed-off-by: Jeff King <peff@peff.net> | 04 December 2019, 12:20:04 UTC |
| e075dba | Jeff King | 29 August 2019, 17:07:04 UTC | fast-import: stop creating leading directories for import-marks When asked to import marks from "subdir/file.marks", we create the leading directory "subdir" if it doesn't exist. This makes no sense for importing marks, where we only ever open the path for reading. Most of the time this would be a noop, since if the marks file exists, then the leading directories exist, too. But if it doesn't (e.g., because --import-marks-if-exists was used), then we'd create the useless directory. This dates back to 580d5f83e7 (fast-import: always create marks_file directories, 2010-03-29). Even then it was useless, so it seems to have been added in error alongside the --export-marks case (which _is_ helpful). Signed-off-by: Jeff King <peff@peff.net> | 04 December 2019, 12:20:04 UTC |
| 11e934d | Jeff King | 29 August 2019, 15:25:45 UTC | fast-import: tighten parsing of boolean command line options We parse options like "--max-pack-size=" using skip_prefix(), which makes sense to get at the bytes after the "=". However, we also parse "--quiet" and "--stats" with skip_prefix(), which allows things like "--quiet-nonsense" to behave like "--quiet". This was a mistaken conversion in 0f6927c229 (fast-import: put option parsing code in separate functions, 2009-12-04). Let's tighten this to an exact match, which was the original intent. Signed-off-by: Jeff King <peff@peff.net> | 04 December 2019, 12:20:04 UTC |
| 816f806 | Jeff King | 29 August 2019, 17:43:23 UTC | t9300: create marks files for double-import-marks test Our tests confirm that providing two "import-marks" options in a fast-import stream is an error. However, the invoked command would fail even without covering this case, because the marks files themselves do not actually exist. Let's create the files to make sure we fail for the right reason (we actually do, because the option parsing happens before we open anything, but this future-proofs our test). Signed-off-by: Jeff King <peff@peff.net> | 04 December 2019, 12:20:03 UTC |
| f94804c | Jeff King | 29 August 2019, 15:19:18 UTC | t9300: drop some useless uses of cat These waste a process, and make the line longer than it needs to be. Signed-off-by: Jeff King <peff@peff.net> | 04 December 2019, 12:20:03 UTC |
| 8104ec9 | Junio C Hamano | 24 February 2019, 15:55:19 UTC | Git 2.21 Signed-off-by: Junio C Hamano <gitster@pobox.com> | 24 February 2019, 15:55:19 UTC |
| 572e460 | Junio C Hamano | 24 February 2019, 15:18:00 UTC | Merge branch 'yn/checkout-doc-fix' Doc fix. * yn/checkout-doc-fix: checkout doc: fix an unmatched double-quote pair | 24 February 2019, 15:18:00 UTC |
| a1997da | Junio C Hamano | 24 February 2019, 15:03:39 UTC | Merge tag 'l10n-2.21.0-rnd2' of git://github.com/git-l10n/git-po l10n-2.21.0-rnd2 * tag 'l10n-2.21.0-rnd2' of git://github.com/git-l10n/git-po: l10n: bg.po: Updated Bulgarian translation (4363t) l10n: update German translation l10n: zh_CN: Revision for git v2.21.0 l10n l10n: zh_CN: for git v2.21.0 l10n round 1~2 l10n: bg.po: correct typo l10n: Update Swedish translation (4363t0f0u) l10n: de.po: fix grammar in message for tag.c l10n: de.po: fix a message for index-pack.c l10n: de.po: consistent translation of 'root commit' l10n: it: update the Italian translation l10n: es: 2.21.0 round 2 l10n: el: add Greek l10n team and essential translations l10n: fr.po v2.21.0 rnd 2 l10n: fr.po Fix some typos from round3 l10n: fr.po Fix some typos l10n: Fixes to Catalan translation l10n: git.pot: v2.21.0 round 2 (3 new, 3 removed) l10n: git.pot: v2.21.0 round 1 (214 new, 38 removed) l10n: zh_CN: fix typo of submodule init message l10n: Update Catalan translation | 24 February 2019, 15:03:39 UTC |
| 39ffebd | Johannes Schindelin | 23 February 2019, 14:49:23 UTC | README: adjust for final Azure Pipeline ID During the six months of development of the Azure Pipelines support, the patches went through quite a few iterations of changes, and to test those iterations, a temporary build definition was used. In the meantime, Azure Pipelines support made it to `master`, and we now have a regular Azure Pipeline, installed via the common GitHub App workflow. This new pipeline has a different name (git.git instead of test-git.git), and a new ID (11 instead of 2). Let's adjust the badge in our README to reflect that final shape of the Azure Pipeline. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com> | 24 February 2019, 05:27:04 UTC |
| c5c0a5f | Yoichi Nakayama | 23 February 2019, 06:33:40 UTC | checkout doc: fix an unmatched double-quote pair Signed-off-by: Yoichi Nakayama <yoichi.nakayama@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> | 24 February 2019, 05:24:25 UTC |
| ab8f4f5 | Alexander Shopov | 23 February 2019, 16:39:07 UTC | l10n: bg.po: Updated Bulgarian translation (4363t) Signed-off-by: Alexander Shopov <ash@kambanaria.org> | 23 February 2019, 21:29:23 UTC |
| c65a288 | Junio C Hamano | 23 February 2019, 05:20:19 UTC | Merge branch 'ab/bsd-fixes' Test portability fix. * ab/bsd-fixes: commit-graph tests: fix unportable "dd" invocation tests: fix unportable "\?" and "\+" regex syntax | 23 February 2019, 05:20:19 UTC |
| 60a3fbf | Junio C Hamano | 23 February 2019, 05:20:19 UTC | Merge branch 'ab/workaround-dash-bug-in-test' * ab/workaround-dash-bug-in-test: tests: avoid syntax triggering old dash bug | 23 February 2019, 05:20:19 UTC |
| b9cc405 | Ævar Arnfjörð Bjarmason | 21 February 2019, 19:28:49 UTC | commit-graph tests: fix unportable "dd" invocation Change an unportable invocation of "dd" with count=0, that wanted to truncate the commit-graph file. In POSIX it is unspecified what happens when count=0 is provided[1]. The NetBSD "dd" behavior differs from GNU (and seemingly other BSDs), which has left this test broken since d2b86fbaa1 ("commit-graph: fix buffer read-overflow", 2019-01-15). Copying from /dev/null would seek/truncate to seek=$zero_pos and stop immediately after that (without being able to copy anything), which is the right way to truncate the file. 1. http://pubs.opengroup.org/onlinepubs/9699919799/utilities/dd.html Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Helped-by: SZEDER Gábor <szeder.dev@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> | 22 February 2019, 19:20:56 UTC |
| e7bc80b | Jiang Xin | 22 February 2019, 14:18:12 UTC | Merge branch 'master' of https://github.com/ralfth/git-po-de | 22 February 2019, 14:18:12 UTC |
| e5a5d5c | Ralf Thielow | 22 February 2019, 07:45:40 UTC | l10n: update German translation Signed-off-by: Ralf Thielow <ralf.thielow@gmail.com> Reviewed-by: Matthias Rüster <matthias.ruester@gmail.com> | 22 February 2019, 07:47:26 UTC |
| 4abf20f | Ævar Arnfjörð Bjarmason | 21 February 2019, 19:28:48 UTC | tests: fix unportable "\?" and "\+" regex syntax Fix widely supported but non-POSIX basic regex syntax introduced in [1] and [2]. On GNU, NetBSD and FreeBSD the following works: $ echo xy >f $ grep 'xy\?' f; echo $? xy 0 The same goes for "\+". The "?" and "+" syntax is not in the BRE syntax, just in ERE, but on some implementations it can be invoked by prefixing the meta-operator with "\", but not on OpenBSD: $ uname -a OpenBSD obsd.my.domain 6.2 GENERIC#132 amd64 $ grep --version grep version 0.9 $ grep 'xy\?' f; echo $? 1 Let's fix this by moving to ERE syntax instead, where "?" and "+" are universally supported: $ grep -E 'xy?' f; echo $? xy 0 1. 2ed5c8e174 ("describe: setup working tree for --dirty", 2019-02-03) 2. c801170b0c ("t6120: test for describe with a bare repository", 2019-02-03) Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> | 22 February 2019, 04:58:19 UTC |
| 54fca18 | Jiang Xin | 20 February 2019, 13:40:54 UTC | Merge branch 'bg-submodule-helper-typo' of github.com:pclouds/git-po | 20 February 2019, 13:40:54 UTC |
| c2d8f4c | Nguyễn Thái Ngọc Duy | 20 February 2019, 09:59:24 UTC | l10n: bg.po: correct typo Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> | 20 February 2019, 13:32:40 UTC |
| 35ee755 | Junio C Hamano | 19 February 2019, 21:20:23 UTC | Git 2.21-rc2 Signed-off-by: Junio C Hamano <gitster@pobox.com> | 19 February 2019, 21:20:23 UTC |
| c5b456b | Junio C Hamano | 19 February 2019, 21:18:08 UTC | Merge branch 'js/test-tool-gen-nuls' * js/test-tool-gen-nuls: tests: teach the test-tool to generate NUL bytes and use it | 19 February 2019, 21:18:08 UTC |
| 2c804ff | Junio C Hamano | 19 February 2019, 21:18:08 UTC | Merge branch 'mk/t5562-no-input-to-too-large-an-input-test' * mk/t5562-no-input-to-too-large-an-input-test: t5562: do not depend on /dev/zero Revert "t5562: replace /dev/zero with a pipe from generate_zero_bytes" | 19 February 2019, 21:18:08 UTC |
| 455d0be | Junio C Hamano | 19 February 2019, 21:18:08 UTC | Merge branch 'mk/t5562-do-not-reuse-output-files' * mk/t5562-do-not-reuse-output-files: t5562: do not reuse output files | 19 February 2019, 21:18:08 UTC |
| 0539071 | Max Kirillov | 24 November 2018, 09:37:19 UTC | t5562: do not reuse output files Some expected failures of git-http-backend leaves running its children (receive-pack or upload-pack) which still hold opened descriptors to act.err and with some probability they live long enough to write there their failure messages after next test has already truncated the files. This causes occasional failures of the test script. Avoid the issue by using separated output and error file for each test, apprending the test number to their name. Reported-by: Carlo Arenas <carenas@gmail.com> Helped-by: Carlo Arenas <carenas@gmail.com> Helped-by: Junio C Hamano <gitster@pobox.com> Signed-off-by: Max Kirillov <max@max630.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> | 19 February 2019, 21:04:37 UTC |
| d5cfd14 | Johannes Schindelin | 14 February 2019, 21:33:12 UTC | tests: teach the test-tool to generate NUL bytes and use it In cc95bc2025 (t5562: replace /dev/zero with a pipe from generate_zero_bytes, 2019-02-09), we replaced usage of /dev/zero (which is not available on NonStop, apparently) by a Perl script snippet to generate NUL bytes. Sadly, it does not seem to work on NonStop, as t5562 reportedly hangs. Worse, this also hangs in the Ubuntu 16.04 agents of the CI builds on Azure Pipelines: for some reason, the Perl script snippet that is run via `generate_zero_bytes` in t5562's 'CONTENT_LENGTH overflow ssite_t' test case tries to write out an infinite amount of NUL bytes unless a broken pipe is encountered, that snippet never encounters the broken pipe, and keeps going until the build times out. Oddly enough, this does not reproduce on the Windows and macOS agents, nor in a local Ubuntu 18.04. This developer tried for a day to figure out the exact circumstances under which this hang happens, to no avail, the details remain a mystery. In the end, though, what counts is that this here change incidentally fixes that hang (maybe also on NonStop?). Even more positively, it gets rid of yet another unnecessary Perl invocation. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com> | 19 February 2019, 18:22:21 UTC |
| 7094175 | Max Kirillov | 15 February 2019, 16:42:37 UTC | t5562: do not depend on /dev/zero It was reported [1] that NonStop platform does not have /dev/zero. The test uses /dev/zero as a dummy input. Passing case (http-backed failed because of too big input size) should not be reading anything from it. If http-backend would erroneously try to read any data returning EOF probably would be even safer than providing some meaningless data. Replace /dev/zero with /dev/null to avoid issues with platforms which do not have /dev/zero. [1] https://public-inbox.org/git/20190209185930.5256-4-randall.s.becker@rogers.com/ Reported-by: Randall S. Becker <rsbecker@nexbridge.com> Signed-off-by: Max Kirillov <max@max630.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> | 19 February 2019, 18:19:32 UTC |
| d991948 | Junio C Hamano | 19 February 2019, 18:18:15 UTC | Revert "t5562: replace /dev/zero with a pipe from generate_zero_bytes" Revert cc95bc20 ("t5562: replace /dev/zero with a pipe from generate_zero_bytes", 2019-02-09), as not feeding anything to the command is a better way to test it. | 19 February 2019, 18:19:22 UTC |
| a8a6b15 | Sebastian Staudt | 03 February 2019, 10:33:39 UTC | l10n: de.po: fix grammar in message for tag.c Signed-off-by: Sebastian Staudt <koraktor@gmail.com> | 19 February 2019, 12:53:29 UTC |
| 40cbe8a | Sebastian Staudt | 03 February 2019, 10:32:20 UTC | l10n: de.po: fix a message for index-pack.c Signed-off-by: Sebastian Staudt <koraktor@gmail.com> | 19 February 2019, 12:53:29 UTC |
| 567349f | Sebastian Staudt | 03 February 2019, 10:21:14 UTC | l10n: de.po: consistent translation of 'root commit' 'root commit' is usually translated as 'Root-Commit'. But in one occasion it‘s translated as 'Basis-Commit' which is the translation for 'base commit'. Signed-off-by: Sebastian Staudt <koraktor@gmail.com> | 19 February 2019, 12:53:29 UTC |
| bb236fb | Alessandro Menti | 17 February 2019, 17:04:51 UTC | l10n: it: update the Italian translation Signed-off-by: Alessandro Menti <alessandro.menti@alessandromenti.it> | 19 February 2019, 02:07:24 UTC |
| 10e6e9f | Jiang Xin | 17 February 2019, 07:28:15 UTC | Merge branch 'master' of https://github.com/Softcatala/git-po | 17 February 2019, 07:28:15 UTC |
| cf69bca | Christopher Diaz Riveros | 06 February 2019, 13:36:53 UTC | l10n: es: 2.21.0 round 2 Signed-off-by: Christopher Diaz Riveros <chrisadr@gentoo.org> | 16 February 2019, 20:22:07 UTC |
| 9922d5c | Jiang Xin | 16 February 2019, 01:54:53 UTC | Merge branch 'fr_2.21.0_rnd2' of git://github.com/jnavila/git | 16 February 2019, 01:54:53 UTC |
| 4953cf6 | Jimmy Angelakos | 15 February 2019, 02:28:19 UTC | l10n: el: add Greek l10n team and essential translations Signed-off-by: Jimmy Angelakos <vyruss@hellug.gr> | 16 February 2019, 01:49:53 UTC |
| b3225a4 | Jean-Noël Avila | 13 February 2019, 19:35:13 UTC | l10n: fr.po v2.21.0 rnd 2 Signed-off-by: Jean-Noël Avila <jn.avila@free.fr> | 15 February 2019, 21:19:50 UTC |
| 02705d3 | Fabien Villepinte | 20 December 2018, 08:59:45 UTC | l10n: fr.po Fix some typos from round3 Signed-off-by: Fabien Villepinte <fabien.villepinte@gmail.com> | 15 February 2019, 21:14:23 UTC |
| 5a05494 | Fabien Villepinte | 17 December 2018, 11:51:58 UTC | l10n: fr.po Fix some typos Signed-off-by: Fabien Villepinte <fabien.villepinte@gmail.com> | 15 February 2019, 21:14:23 UTC |
| ca1b411 | Johannes Schindelin | 15 February 2019, 15:17:45 UTC | mingw: safe-guard a bit more against getenv() problems Running up to v2.21.0, we fixed two bugs that were made prominent by the Windows-specific change to retain copies of only the 30 latest getenv() calls' returned strings, invalidating any copies of previous getenv() calls' return values. While this really shines a light onto bugs of the form where we hold onto getenv()'s return values without copying them, it is also a real problem for users. And even if Jeff King's patches merged via 773e408881 (Merge branch 'jk/save-getenv-result', 2019-01-29) provide further work on that front, we are far from done. Just one example: on Windows, we unset environment variables when spawning new processes, which potentially invalidates strings that were previously obtained via getenv(), and therefore we have to duplicate environment values that are somehow involved in spawning new processes (e.g. GIT_MAN_VIEWER in show_man_page()). We do not have a chance to investigate, let address, all of those issues in time for v2.21.0, so let's at least help Windows users by increasing the number of getenv() calls' return values that are kept valid. The number 64 was determined by looking at the average number of getenv() calls per process in the entire test suite run on Windows (which is around 40) and then adding a bit for good measure. And it is a power of two (which would have hit yesterday's theme perfectly). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com> | 15 February 2019, 18:25:28 UTC |
| bdc017d | Jordi Mas | 15 February 2019, 15:43:59 UTC | l10n: Fixes to Catalan translation Signed-off-by: Jordi Mas <jmas@softcatala.org> | 15 February 2019, 15:43:59 UTC |
| 7f95bc7 | Jiang Xin | 15 February 2019, 02:12:14 UTC | l10n: git.pot: v2.21.0 round 2 (3 new, 3 removed) Introduce 3 update messages for v2.21.0 l10n round 2 from commit 32ceace39f (Fix typos in translatable strings for v2.21.0, 2019-02-11). Signed-off-by: Jiang Xin <worldhello.net@gmail.com> | 15 February 2019, 02:21:59 UTC |
| a603d94 | Jiang Xin | 15 February 2019, 02:09:07 UTC | Merge branch 'master' of git://git.kernel.org/pub/scm/git/git | 15 February 2019, 02:09:07 UTC |
| 2d08f3d | Junio C Hamano | 14 February 2019, 22:28:22 UTC | Merge branch 'ea/rebase-compat-doc-fix' * ea/rebase-compat-doc-fix: docs/git-rebase: remove redundant entry in incompatible options list | 14 February 2019, 22:28:22 UTC |
| 4e09a7b | Junio C Hamano | 14 February 2019, 22:28:21 UTC | Merge branch 'jc/no-grepping-for-strerror-in-tests' * jc/no-grepping-for-strerror-in-tests: t1404: do not rely on the exact phrasing of strerror() | 14 February 2019, 22:28:21 UTC |
| f1e112a | Junio C Hamano | 14 February 2019, 22:28:20 UTC | Merge branch 'jt/fetch-v2-sideband' "git fetch" and "git upload-pack" learned to send all exchange over the sideband channel while talking the v2 protocol. * jt/fetch-v2-sideband: t/lib-httpd: pass GIT_TEST_SIDEBAND_ALL through Apache | 14 February 2019, 22:28:21 UTC |
| 6f07c7b | Junio C Hamano | 14 February 2019, 22:28:20 UTC | Merge branch 'en/rebase-merge-on-sequencer' "git rebase --merge" as been reimplemented by reusing the internal machinery used for "git rebase -i". * en/rebase-merge-on-sequencer: git-rebase.txt: update to reflect merge now implemented on sequencer | 14 February 2019, 22:28:20 UTC |
| 29d03f8 | Elijah Newren | 14 February 2019, 20:25:41 UTC | git-rebase.txt: update to reflect merge now implemented on sequencer Since commit 8fe9c3f21dff (Merge branch 'en/rebase-merge-on-sequencer', 2019-02-06), --merge now uses the interactive backend (and matches its behavior) so there is no separate merge backend anymore. Fix an oversight in the docs that should have been updated with the previous change. Signed-off-by: Elijah Newren <newren@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> | 14 February 2019, 21:23:58 UTC |
| e18edc7 | Todd Zullinger | 14 February 2019, 06:35:13 UTC | t/lib-httpd: pass GIT_TEST_SIDEBAND_ALL through Apache 07c3c2aa16 ("tests: define GIT_TEST_SIDEBAND_ALL", 2019-01-16) added GIT_TEST_SIDEBAND_ALL to the apache.conf PassEnv list. Avoid warnings from Apache when the variable is unset, as we do for GIT_VALGRIND* and GIT_TRACE, from f628825481 ("t/lib-httpd: handle running under --valgrind", 2012-07-24) and 89c57ab3f0 ("t: pass GIT_TRACE through Apache", 2015-03-13), respectively. Signed-off-by: Todd Zullinger <tmz@pobox.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> | 14 February 2019, 21:18:20 UTC |
| c777cd8 | Junio C Hamano | 14 February 2019, 20:16:20 UTC | t1404: do not rely on the exact phrasing of strerror() Not even in C locale, it is wrong to expect that the exact phrasing "File exists" is used to show EEXIST. Reported-by: Randall S. Becker <rsbecker@nexbridge.com> Helped-by: Duy Nguyen <pclouds@gmail.com> Helped-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> | 14 February 2019, 20:17:38 UTC |
