Revision e1d911dd4c7b76a5a8cec0f5c8de15981e34da83 authored by Johannes Schindelin on 12 September 2019, 12:54:05 UTC, committed by Johannes Schindelin on 04 December 2019, 12:20:05 UTC
The backslash character is not a valid part of a file name on Windows. Hence it is dangerous to allow writing files that were unpacked from tree objects, when the stored file name contains a backslash character: it will be misinterpreted as directory separator. This not only causes ambiguity when a tree contains a blob `a\b` and a tree `a` that contains a blob `b`, but it also can be used as part of an attack vector to side-step the careful protections against writing into the `.git/` directory during a clone of a maliciously-crafted repository. Let's prevent that, addressing CVE-2019-1354. Note: we guard against backslash characters in tree objects' file names _only_ on Windows (because on other platforms, even on those where NTFS volumes can be mounted, the backslash character is _not_ a directory separator), and _only_ when `core.protectNTFS = true` (because users might need to generate tree objects for other platforms, of course without touching the worktree, e.g. using `git update-index --cacheinfo`). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
1 parent 0060fd1
unpack-trees.h
#ifndef UNPACK_TREES_H
#define UNPACK_TREES_H
#include "string-list.h"
#define MAX_UNPACK_TREES 8
struct unpack_trees_options;
struct exclude_list;
typedef int (*merge_fn_t)(const struct cache_entry * const *src,
struct unpack_trees_options *options);
enum unpack_trees_error_types {
ERROR_WOULD_OVERWRITE = 0,
ERROR_NOT_UPTODATE_FILE,
ERROR_NOT_UPTODATE_DIR,
ERROR_WOULD_LOSE_UNTRACKED_OVERWRITTEN,
ERROR_WOULD_LOSE_UNTRACKED_REMOVED,
ERROR_BIND_OVERLAP,
ERROR_SPARSE_NOT_UPTODATE_FILE,
ERROR_WOULD_LOSE_ORPHANED_OVERWRITTEN,
ERROR_WOULD_LOSE_ORPHANED_REMOVED,
ERROR_WOULD_LOSE_SUBMODULE,
NB_UNPACK_TREES_ERROR_TYPES
};
/*
* Sets the list of user-friendly error messages to be used by the
* command "cmd" (either merge or checkout), and show_all_errors to 1.
*/
void setup_unpack_trees_porcelain(struct unpack_trees_options *opts,
const char *cmd);
struct unpack_trees_options {
unsigned int reset,
merge,
update,
index_only,
nontrivial_merge,
trivial_merges_only,
verbose_update,
aggressive,
skip_unmerged,
initial_checkout,
diff_index_cached,
debug_unpack,
skip_sparse_checkout,
gently,
exiting_early,
show_all_errors,
dry_run;
const char *prefix;
int cache_bottom;
struct dir_struct *dir;
struct pathspec *pathspec;
merge_fn_t fn;
const char *msgs[NB_UNPACK_TREES_ERROR_TYPES];
/*
* Store error messages in an array, each case
* corresponding to a error message type
*/
struct string_list unpack_rejects[NB_UNPACK_TREES_ERROR_TYPES];
int head_idx;
int merge_size;
struct cache_entry *df_conflict_entry;
void *unpack_data;
struct index_state *dst_index;
struct index_state *src_index;
struct index_state result;
struct exclude_list *el; /* for internal use */
};
extern int unpack_trees(unsigned n, struct tree_desc *t,
struct unpack_trees_options *options);
int threeway_merge(const struct cache_entry * const *stages,
struct unpack_trees_options *o);
int twoway_merge(const struct cache_entry * const *src,
struct unpack_trees_options *o);
int bind_merge(const struct cache_entry * const *src,
struct unpack_trees_options *o);
int oneway_merge(const struct cache_entry * const *src,
struct unpack_trees_options *o);
#endif
Computing file changes ...
