Revision e1d911dd4c7b76a5a8cec0f5c8de15981e34da83 authored by Johannes Schindelin on 12 September 2019, 12:54:05 UTC, committed by Johannes Schindelin on 04 December 2019, 12:20:05 UTC
The backslash character is not a valid part of a file name on Windows. Hence it is dangerous to allow writing files that were unpacked from tree objects, when the stored file name contains a backslash character: it will be misinterpreted as directory separator. This not only causes ambiguity when a tree contains a blob `a\b` and a tree `a` that contains a blob `b`, but it also can be used as part of an attack vector to side-step the careful protections against writing into the `.git/` directory during a clone of a maliciously-crafted repository. Let's prevent that, addressing CVE-2019-1354. Note: we guard against backslash characters in tree objects' file names _only_ on Windows (because on other platforms, even on those where NTFS volumes can be mounted, the backslash character is _not_ a directory separator), and _only_ when `core.protectNTFS = true` (because users might need to generate tree objects for other platforms, of course without touching the worktree, e.g. using `git update-index --cacheinfo`). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
1 parent 0060fd1
sha1dc_git.c
/*
* This code is included at the end of sha1dc/sha1.c with the
* SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_C macro.
*/
void git_SHA1DCFinal(unsigned char hash[20], SHA1_CTX *ctx)
{
if (!SHA1DCFinal(hash, ctx))
return;
die("SHA-1 appears to be part of a collision attack: %s",
sha1_to_hex(hash));
}
void git_SHA1DCUpdate(SHA1_CTX *ctx, const void *vdata, unsigned long len)
{
const char *data = vdata;
/* We expect an unsigned long, but sha1dc only takes an int */
while (len > INT_MAX) {
SHA1DCUpdate(ctx, data, INT_MAX);
data += INT_MAX;
len -= INT_MAX;
}
SHA1DCUpdate(ctx, data, len);
}
Computing file changes ...