swh:1:snp:87728f882295b5ba27035837248a04c5be121c53

Revision Author Date Message Commit Date
6e9e91e Git 2.17.2 Signed-off-by: Junio C Hamano <gitster@pobox.com> 27 September 2018, 18:44:07 UTC
1a7fd1f fsck: detect submodule paths starting with dash As with urls, submodule paths with dashes are ignored by git, but may end up confusing older versions. Detecting them via fsck lets us prevent modern versions of git from being a vector to spread broken .gitmodules to older versions. Compared to blocking leading-dash urls, though, this detection may be less of a good idea: 1. While such paths provide confusing and broken results, they don't seem to actually work as option injections against anything except "cd". In particular, the submodule code seems to canonicalize to an absolute path before running "git clone" (so it passes /your/clone/-sub). 2. It's more likely that we may one day make such names actually work correctly. Even after we revert this fsck check, it will continue to be a hassle until hosting servers are all updated. On the other hand, it's not entirely clear that the behavior in older versions is safe. And if we do want to eventually allow this, we may end up doing so with a special syntax anyway (e.g., writing "./-sub" in the .gitmodules file, and teaching the submodule code to canonicalize it when comparing). So on balance, this is probably a good protection. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 27 September 2018, 18:41:31 UTC
a124133 fsck: detect submodule urls starting with dash Urls with leading dashes can cause mischief on older versions of Git. We should detect them so that they can be rejected by receive.fsckObjects, preventing modern versions of git from being a vector by which attacks can spread. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 27 September 2018, 18:41:26 UTC
e43aab7 Sync with 2.16.5 * maint-2.16: Git 2.16.5 Git 2.15.3 Git 2.14.5 submodule-config: ban submodule paths that start with a dash submodule-config: ban submodule urls that start with dash submodule--helper: use "--" to signal end of clone options 27 September 2018, 18:41:02 UTC
27d05d1 Git 2.16.5 Signed-off-by: Junio C Hamano <gitster@pobox.com> 27 September 2018, 18:38:32 UTC
424aac6 Sync with 2.15.3 * maint-2.15: Git 2.15.3 Git 2.14.5 submodule-config: ban submodule paths that start with a dash submodule-config: ban submodule urls that start with dash submodule--helper: use "--" to signal end of clone options 27 September 2018, 18:35:43 UTC
924c623 Git 2.15.3 Signed-off-by: Junio C Hamano <gitster@pobox.com> 27 September 2018, 18:33:47 UTC
902df9f Sync with Git 2.14.4 * maint-2.14: Git 2.14.5 submodule-config: ban submodule paths that start with a dash submodule-config: ban submodule urls that start with dash submodule--helper: use "--" to signal end of clone options 27 September 2018, 18:20:22 UTC
d0832b2 Git 2.14.5 Signed-off-by: Junio C Hamano <gitster@pobox.com> 27 September 2018, 18:19:11 UTC
273c614 submodule-config: ban submodule paths that start with a dash
We recently banned submodule urls that look like command-line options. This is the matching change to ban leading-dash paths. As with the urls, this should not break any use cases that currently work. Even with our "--" separator passed to git-clone, git-submodule.sh gets confused. Without the code portion of this patch, the clone of "-sub" added in t7417 would yield results like:
    /path/to/git-submodule: 410: cd: Illegal option -s
    /path/to/git-submodule: 417: cd: Illegal option -s
    /path/to/git-submodule: 410: cd: Illegal option -s
    /path/to/git-submodule: 417: cd: Illegal option -s
    Fetched in submodule path '-sub', but it did not contain b56243f8f4eb91b2f1f8109452e659f14dd3fbe4. Direct fetching of that commit failed.
Moreover, naively adding such a submodule doesn't work:
    $ git submodule add $url -sub
    The following path is ignored by one of your .gitignore files:
    -sub
even though there is no such ignore pattern (the test script hacks around this with a well-placed "git mv").
Unlike leading-dash urls, though, it's possible that such a path _could_ be useful if we eventually made it work. So this commit should be seen not as recommending a particular policy, but rather temporarily closing off a broken and possibly dangerous code-path. We may revisit this decision later.
There are two minor differences to the tests in t7416 (that covered urls):
  1. We don't have a "./-sub" escape hatch to make this work, since the submodule code expects to be able to match canonical index names to the path field (so you are free to add submodule config with that path, but we would never actually use it, since an index entry would never start with "./").
  2. After this patch, cloning actually succeeds. Since we ignore the submodule.*.path value, we fail to find a config stanza for our submodule at all, and simply treat it as inactive. We still check for the "ignoring" message.
Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 27 September 2018, 16:34:59 UTC
f6adec4 submodule-config: ban submodule urls that start with dash
The previous commit taught the submodule code to invoke our "git clone $url $path" with a "--" separator so that we aren't confused by urls or paths that start with dashes. However, that's just one code path. It's not clear if there are others, and it would be an easy mistake to add one in the future.
Moreover, even with the fix in the previous commit, it's quite hard to actually do anything useful with such an entry. Any url starting with a dash must fall into one of three categories:
  - it's meant as a file url, like "-path". But then any clone is not going to have the matching path, since it's by definition relative inside the newly created clone. If you spell it as "./-path", the submodule code sees the "/" and translates this to an absolute path, so it at least works (assuming the receiver has the same filesystem layout as you). But that trick does not apply for a bare "-path".
  - it's meant as an ssh url, like "-host:path". But this already doesn't work, as we explicitly disallow ssh hostnames that begin with a dash (to avoid option injection against ssh).
  - it's a remote-helper scheme, like "-scheme::data". This _could_ work if the receiver bends over backwards and creates a funny-named helper like "git-remote--scheme". But normally there would not be any helper that matches.
Since such a url does not work today and is not likely to do anything useful in the future, let's simply disallow them entirely. That protects the existing "git clone" path (in a belt-and-suspenders way), along with any others that might exist.
Our tests cover two cases:
  1. A file url with "./" continues to work, showing that there's an escape hatch for people with truly silly repo names.
  2. A url starting with "-" is rejected.
Note that we expect case (2) to fail, but it would have done so even without this commit, for the reasons given above. So instead of just expecting failure, let's also check for the magic word "ignoring" on stderr. That lets us know that we failed for the right reason.
Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 27 September 2018, 16:34:58 UTC
98afac7 submodule--helper: use "--" to signal end of clone options When we clone a submodule, we call "git clone $url $path". But there's nothing to say that those components can't begin with a dash themselves, confusing git-clone into thinking they're options. Let's pass "--" to make it clear what we expect. There's no test here, because it's actually quite hard to make these names work, even with "git clone" parsing them correctly. And we're going to restrict these cases even further in future commits. So we'll leave off testing until then; this is just the minimal fix to prevent us from doing something stupid with a badly formed entry. Reported-by: joernchen <joernchen@phenoelit.de> Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 27 September 2018, 16:34:55 UTC
fc54c1a Git 2.17.1 Signed-off-by: Junio C Hamano <gitster@pobox.com> 22 May 2018, 05:28:26 UTC
9e84a6d Merge branch 'jk/submodule-fsck-loose' into maint * jk/submodule-fsck-loose: fsck: complain when .gitmodules is a symlink index-pack: check .gitmodules files with --strict unpack-objects: call fsck_finish() after fscking objects fsck: call fsck_finish() after fscking objects fsck: check .gitmodules content fsck: handle promisor objects in .gitmodules check fsck: detect gitmodules files fsck: actually fsck blob data fsck: simplify ".git" check index-pack: make fsck error message more specific 22 May 2018, 05:26:05 UTC
68f95b2 Sync with Git 2.16.4 * maint-2.16: Git 2.16.4 Git 2.15.2 Git 2.14.4 Git 2.13.7 verify_path: disallow symlinks in .gitmodules update-index: stat updated files earlier verify_dotfile: mention case-insensitivity in comment verify_path: drop clever fallthrough skip_prefix: add case-insensitive variant is_{hfs,ntfs}_dotgitmodules: add tests is_ntfs_dotgit: match other .git files is_hfs_dotgit: match other .git files is_ntfs_dotgit: use a size_t for traversing string submodule-config: verify submodule names as paths 22 May 2018, 05:25:26 UTC
a42a58d Git 2.16.4 Signed-off-by: Junio C Hamano <gitster@pobox.com> 22 May 2018, 05:18:51 UTC
0230204 Sync with Git 2.15.2 * maint-2.15: Git 2.15.2 Git 2.14.4 Git 2.13.7 verify_path: disallow symlinks in .gitmodules update-index: stat updated files earlier verify_dotfile: mention case-insensitivity in comment verify_path: drop clever fallthrough skip_prefix: add case-insensitive variant is_{hfs,ntfs}_dotgitmodules: add tests is_ntfs_dotgit: match other .git files is_hfs_dotgit: match other .git files is_ntfs_dotgit: use a size_t for traversing string submodule-config: verify submodule names as paths 22 May 2018, 05:18:06 UTC
d33c875 Git 2.15.2 Signed-off-by: Junio C Hamano <gitster@pobox.com> 22 May 2018, 05:15:59 UTC
9e0f06d Sync with Git 2.14.4 * maint-2.14: Git 2.14.4 Git 2.13.7 verify_path: disallow symlinks in .gitmodules update-index: stat updated files earlier verify_dotfile: mention case-insensitivity in comment verify_path: drop clever fallthrough skip_prefix: add case-insensitive variant is_{hfs,ntfs}_dotgitmodules: add tests is_ntfs_dotgit: match other .git files is_hfs_dotgit: match other .git files is_ntfs_dotgit: use a size_t for traversing string submodule-config: verify submodule names as paths 22 May 2018, 05:15:14 UTC
4dde7b8 Git 2.14.4 Signed-off-by: Junio C Hamano <gitster@pobox.com> 22 May 2018, 05:12:02 UTC
7b01c71 Sync with Git 2.13.7 * maint-2.13: Git 2.13.7 verify_path: disallow symlinks in .gitmodules update-index: stat updated files earlier verify_dotfile: mention case-insensitivity in comment verify_path: drop clever fallthrough skip_prefix: add case-insensitive variant is_{hfs,ntfs}_dotgitmodules: add tests is_ntfs_dotgit: match other .git files is_hfs_dotgit: match other .git files is_ntfs_dotgit: use a size_t for traversing string submodule-config: verify submodule names as paths 22 May 2018, 05:10:49 UTC
0114f71 Git 2.13.7 Signed-off-by: Junio C Hamano <gitster@pobox.com> 22 May 2018, 04:50:36 UTC
8528c31 Merge branch 'jk/submodule-fix-loose' into maint-2.13 * jk/submodule-fix-loose: verify_path: disallow symlinks in .gitmodules update-index: stat updated files earlier verify_dotfile: mention case-insensitivity in comment verify_path: drop clever fallthrough skip_prefix: add case-insensitive variant is_{hfs,ntfs}_dotgitmodules: add tests is_ntfs_dotgit: match other .git files is_hfs_dotgit: match other .git files is_ntfs_dotgit: use a size_t for traversing string submodule-config: verify submodule names as paths 22 May 2018, 04:48:26 UTC
b7b1fca fsck: complain when .gitmodules is a symlink We've recently forbidden .gitmodules to be a symlink in verify_path(). And it's an easy way to circumvent our fsck checks for .gitmodules content. So let's complain when we see it. Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:55:12 UTC
73c3f0f index-pack: check .gitmodules files with --strict Now that the internal fsck code has all of the plumbing we need, we can start checking incoming .gitmodules files. Naively, it seems like we would just need to add a call to fsck_finish() after we've processed all of the objects. And that would be enough to cover the initial test included here. But there are two extra bits: 1. We currently don't bother calling fsck_object() at all for blobs, since it has traditionally been a noop. We'd actually catch these blobs in fsck_finish() at the end, but it's more efficient to check them when we already have the object loaded in memory. 2. The second pass done by fsck_finish() needs to access the objects, but we're actually indexing the pack in this process. In theory we could give the fsck code a special callback for accessing the in-pack data, but it's actually quite tricky: a. We don't have an internal efficient index mapping oids to packfile offsets. We only generate it on the fly as part of writing out the .idx file. b. We'd still have to reconstruct deltas, which means we'd basically have to replicate all of the reading logic in packfile.c. Instead, let's avoid running fsck_finish() until after we've written out the .idx file, and then just add it to our internal packed_git list. This does mean that the objects are "in the repository" before we finish our fsck checks. But unpack-objects already exhibits this same behavior, and it's an acceptable tradeoff here for the same reason: the quarantine mechanism means that pushes will be fully protected. In addition to a basic push test in t7415, we add a sneaky pack that reverses the usual object order in the pack, requiring that index-pack access the tree and blob during the "finish" step. This already works for unpack-objects (since it will have written out loose objects), but we'll check it with this sneaky pack for good measure. Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:55:12 UTC
6e328d6 unpack-objects: call fsck_finish() after fscking objects As with the previous commit, we must call fsck's "finish" function in order to catch any queued objects for .gitmodules checks. This second pass will be able to access any incoming objects, because we will have exploded them to loose objects by now. This isn't quite ideal, because it means that bad objects may have been written to the object database (and a subsequent operation could then reference them, even if the other side doesn't send the objects again). However, this is sufficient when used with receive.fsckObjects, since those loose objects will all be placed in a temporary quarantine area that will get wiped if we find any problems. Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:55:12 UTC
1995b5e fsck: call fsck_finish() after fscking objects Now that the internal fsck code is capable of checking .gitmodules files, we just need to teach its callers to use the "finish" function to check any queued objects. With this, we can now catch the malicious case in t7415 with git-fsck. Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:55:12 UTC
ed8b10f fsck: check .gitmodules content This patch detects and blocks submodule names which do not match the policy set forth in submodule-config. These should already be caught by the submodule code itself, but putting the check here means that newer versions of Git can protect older ones from malicious entries (e.g., a server with receive.fsckObjects will block the objects, protecting clients which fetch from it). As a side effect, this means fsck will also complain about .gitmodules files that cannot be parsed (or were larger than core.bigFileThreshold). Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:55:12 UTC
2738744 fsck: handle promisor objects in .gitmodules check If we have a tree that points to a .gitmodules blob but don't have that blob, we can't check its contents. This produces an fsck error when we encounter it. But in the case of a promisor object, this absence is expected, and we must not complain. Note that this can technically circumvent our transfer.fsckObjects check. Imagine a client fetches a tree, but not the matching .gitmodules blob. An fsck of the incoming objects will show that we don't have enough information. Later, we do fetch the actual blob. But we have no idea that it's a .gitmodules file. The only ways to get around this would be to re-scan all of the existing trees whenever new ones enter (which is expensive), or to somehow persist the gitmodules_found set between fsck runs (which is complicated). In practice, it's probably OK to ignore the problem. Any repository which has all of the objects (including the one serving the promisor packs) can perform the checks. Since promisor packs are inherently about a hierarchical topology in which clients rely on upstream repositories, those upstream repositories can protect all of their downstream clients from broken objects. Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:55:12 UTC
159e7b0 fsck: detect gitmodules files In preparation for performing fsck checks on .gitmodules files, this commit plumbs in the actual detection of the files. Note that unlike most other fsck checks, this cannot be a property of a single object: we must know that the object is found at a ".gitmodules" path at the root tree of a commit. Since the fsck code only sees one object at a time, we have to mark the related objects to fit the puzzle together. When we see a commit we mark its tree as a root tree, and when we see a root tree with a .gitmodules file, we mark the corresponding blob to be checked. In an ideal world, we'd check the objects in topological order: commits followed by trees followed by blobs. In that case we can avoid ever loading an object twice, since all markings would be complete by the time we get to the marked objects. And indeed, if we are checking a single packfile, this is the order in which Git will generally write the objects. But we can't count on that: 1. git-fsck may show us the objects in arbitrary order (loose objects are fed in sha1 order, but we may also have multiple packs, and we process each pack fully in sequence). 2. The type ordering is just what git-pack-objects happens to write now. The pack format does not require a specific order, and it's possible that future versions of Git (or a custom version trying to fool official Git's fsck checks!) may order it differently. 3. We may not even be fscking all of the relevant objects at once. Consider pushing with transfer.fsckObjects, where one push adds a blob at path "foo", and then a second push adds the same blob at path ".gitmodules". The blob is not part of the second push at all, but we need to mark and check it. So in the general case, we need to make up to three passes over the objects: once to make sure we've seen all commits, then once to cover any trees we might have missed, and then a final pass to cover any .gitmodules blobs we found in the second pass. 
We can simplify things a bit by loosening the requirement that we find .gitmodules only at root trees. Technically a file like "subdir/.gitmodules" is not parsed by Git, but it's not unreasonable for us to declare that Git is aware of all ".gitmodules" files and make them eligible for checking. That lets us drop the root-tree requirement, which eliminates one pass entirely. And it makes our worst case much better: instead of potentially queueing every root tree to be re-examined, the worst case is that we queue each unique .gitmodules blob for a second look. This patch just adds the boilerplate to find .gitmodules files. The actual content checks will come in a subsequent commit. Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:55:12 UTC
7ac4f3a fsck: actually fsck blob data
Because fscking a blob has always been a noop, we didn't bother passing around the blob data. In preparation for content-level checks, let's fix up a few things:
  1. The fsck_object() function just returns success for any blob. Let's add a noop fsck_blob(), which we can fill in with actual logic later.
  2. The fsck_loose() function in builtin/fsck.c just threw away blob content after loading it. Let's hold onto it until after we've called fsck_object(). The easiest way to do this is to just drop the parse_loose_object() helper entirely. Incidentally, this also fixes a memory leak: if we successfully loaded the object data but did not parse it, we would have left the function without freeing it.
  3. When fsck_loose() loads the object data, it does so with a custom read_loose_object() helper. This function streams any blobs, regardless of size, under the assumption that we're only checking the sha1. Instead, let's actually load blobs smaller than big_file_threshold, as the normal object-reading code-paths would do. This lets us fsck small files, and a NULL return is an indication that the blob was so big that it needed to be streamed, and we can pass that information along to fsck_blob().
Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:55:12 UTC
ed9c322 fsck: simplify ".git" check There's no need for us to manually check for ".git"; it's a subset of the other filesystem-specific tests. Dropping it makes our code slightly shorter. More importantly, the existing code may make a reader wonder why ".GIT" is not covered here, and whether that is a bug (it isn't, as it's also covered in the filesystem-specific tests). Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:55:12 UTC
db5a58c index-pack: make fsck error message more specific If fsck reports an error, we say only "Error in object". This isn't quite as bad as it might seem, since the fsck code would have dumped some errors to stderr already. But it might help to give a little more context. The earlier output would not have even mentioned "fsck", and that may be a clue that the "fsck.*" or "*.fsckObjects" config may be relevant. Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:55:12 UTC
eedd594 Merge branch 'jk/submodule-name-verify-fix' into jk/submodule-name-verify-fsck * jk/submodule-name-verify-fix: verify_path: disallow symlinks in .gitmodules update-index: stat updated files earlier verify_path: drop clever fallthrough skip_prefix: add icase-insensitive variant is_{hfs,ntfs}_dotgitmodules: add tests path: match NTFS short names for more .git files is_hfs_dotgit: match other .git files is_ntfs_dotgit: use a size_t for traversing string submodule-config: verify submodule names as paths Note that this includes two bits of evil-merge: - there's a new call to verify_path() that doesn't actually have a mode available. It should be OK to pass "0" here, since we're just manipulating the untracked cache, not an actual index entry. - the lstat() in builtin/update-index.c:update_one() needs to be updated to handle the fsmonitor case (without this it still behaves correctly, but does an unnecessary lstat). 22 May 2018, 03:54:28 UTC
10ecfa7 verify_path: disallow symlinks in .gitmodules There are a few reasons it's not a good idea to make .gitmodules a symlink, including: 1. It won't be portable to systems without symlinks. 2. It may behave inconsistently, since Git may look at this file in the index or a tree without bothering to resolve any symbolic links. We don't do this _yet_, but the config infrastructure is there and it's planned for the future. With some clever code, we could make (2) work. And some people may not care about (1) if they only work on one platform. But there are a few security reasons to simply disallow it: a. A symlinked .gitmodules file may circumvent any fsck checks of the content. b. Git may read and write from the on-disk file without sanity checking the symlink target. So for example, if you link ".gitmodules" to "../oops" and run "git submodule add", we'll write to the file "oops" outside the repository. Again, both of those are problems that _could_ be solved with sufficient code, but given the complications in (1) and (2), we're better off just outlawing it explicitly. Note the slightly tricky call to verify_path() in update-index's update_one(). There we may not have a mode if we're not updating from the filesystem (e.g., we might just be removing the file). Passing "0" as the mode there works fine; since it's not a symlink, we'll just skip the extra checks. Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:50:11 UTC
eb12dd0 update-index: stat updated files earlier In the update_one(), we check verify_path() on the proposed path before doing anything else. In preparation for having verify_path() look at the file mode, let's stat the file earlier, so we can check the mode accurately. This is made a bit trickier by the fact that this function only does an lstat in a few code paths (the ones that flow down through process_path()). So we can speculatively do the lstat() here and pass the results down, and just use a dummy mode for cases where we won't actually be updating the index from the filesystem. Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:50:11 UTC
641084b verify_dotfile: mention case-insensitivity in comment We're more restrictive than we need to be in matching ".GIT" on case-sensitive filesystems; let's make a note that this is intentional. Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:50:11 UTC
e19e5e6 verify_path: drop clever fallthrough We check ".git" and ".." in the same switch statement, and fall through the cases to share the end-of-component check. While this saves us a line or two, it makes modifying the function much harder. Let's just write it out. Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:50:11 UTC
41a8092 skip_prefix: add case-insensitive variant We have the convenient skip_prefix() helper, but if you want to do case-insensitive matching, you're stuck doing it by hand. We could add an extra parameter to the function to let callers ask for this, but the function is small and somewhat performance-critical. Let's just re-implement it for the case-insensitive version. Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:50:11 UTC
dc2d9ba is_{hfs,ntfs}_dotgitmodules: add tests This tests primarily for NTFS issues, but also adds one example of an HFS+ issue. Thanks go to Congyi Wu for coming up with the list of examples where NTFS would possibly equate the filename with `.gitmodules`. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:50:11 UTC
e7cb0b4 is_ntfs_dotgit: match other .git files When we started to catch NTFS short names that clash with .git, we only looked for GIT~1. This is sufficient because we only ever clone into an empty directory, so .git is guaranteed to be the first subdirectory or file in that directory. However, even with a fresh clone, .gitmodules is *not* necessarily the first file to be written that would want the NTFS short name GITMOD~1: a malicious repository can add .gitmodul0000 and friends, which sorts before `.gitmodules` and is therefore checked out *first*. For that reason, we have to test not only for ~1 short names, but for others, too. It's hard to just adapt the existing checks in is_ntfs_dotgit(): since Windows 2000 (i.e., in all Windows versions still supported by Git), NTFS short names are only generated in the <prefix>~<number> form up to number 4. After that, a *different* prefix is used, calculated from the long file name using an undocumented, but stable algorithm. For example, the short name of .gitmodules would be GITMOD~1, but if it is taken, and all of ~2, ~3 and ~4 are taken, too, the short name GI7EBA~1 will be used. From there, collisions are handled by incrementing the number, shortening the prefix as needed (until ~9999999 is reached, in which case NTFS will not allow the file to be created). We'd also want to handle .gitignore and .gitattributes, which suffer from a similar problem, using the fall-back short names GI250A~1 and GI7D29~1, respectively. To accommodate for that, we could reimplement the hashing algorithm, but it is just safer and simpler to provide the known prefixes. This algorithm has been reverse-engineered and described at https://usn.pw/blog/gen/2015/06/09/filenames/, which is defunct but still available via https://web.archive.org/. 
These can be recomputed by running the following Perl script:
-- snip --
use warnings;
use strict;
sub compute_short_name_hash ($) {
	my $checksum = 0;
	foreach (split('', $_[0])) {
		$checksum = ($checksum * 0x25 + ord($_)) & 0xffff;
	}
	$checksum = ($checksum * 314159269) & 0xffffffff;
	$checksum = 1 + (~$checksum & 0x7fffffff) if ($checksum & 0x80000000);
	$checksum -= (($checksum * 1152921497) >> 60) * 1000000007;
	return scalar reverse sprintf("%x", $checksum & 0xffff);
}
print compute_short_name_hash($ARGV[0]);
-- snap --
E.g., running that with the argument ".gitignore" will result in "250a" (which then becomes "gi250a" in the code).
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:50:11 UTC
0fc333b is_hfs_dotgit: match other .git files Both verify_path() and fsck match ".git", ".GIT", and other variants specific to HFS+. Let's allow matching other special files like ".gitmodules", which we'll later use to enforce extra restrictions via verify_path() and fsck. Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:50:11 UTC
11a9f4d is_ntfs_dotgit: use a size_t for traversing string We walk through the "name" string using an int, which can wrap to a negative value and cause us to read random memory before our array (e.g., by creating a tree with a name >2GB, since "int" is still 32 bits even on most 64-bit platforms). Worse, this is easy to trigger during the fsck_tree() check, which is supposed to be protecting us from malicious garbage. Note one bit of trickiness in the existing code: we sometimes assign -1 to "len" at the end of the loop, and then rely on the "len++" in the for-loop's increment to take it back to 0. This is still legal with a size_t, since assigning -1 will turn into SIZE_MAX, which then wraps around to 0 on increment. Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:50:11 UTC
0383bbb submodule-config: verify submodule names as paths
Submodule "names" come from the untrusted .gitmodules file, but we blindly append them to $GIT_DIR/modules to create our on-disk repo paths. This means you can do bad things by putting "../" into the name (among other things). Let's sanity-check these names to avoid building a path that can be exploited. There are two main decisions:
  1. What should the allowed syntax be? It's tempting to reuse verify_path(), since submodule names typically come from in-repo paths. But there are two reasons not to:
     a. It's technically more strict than what we need, as we really care only about breaking out of the $GIT_DIR/modules/ hierarchy. E.g., having a submodule named "foo/.git" isn't actually dangerous, and it's possible that somebody has manually given such a funny name.
     b. Since we'll eventually use this checking logic in fsck to prevent downstream repositories, it should be consistent across platforms. Because verify_path() relies on is_dir_sep(), it wouldn't block "foo\..\bar" on a non-Windows machine.
  2. Where should we enforce it? These days most of the .gitmodules reads go through submodule-config.c, so I've put it there in the reading step. That should cover all of the C code. We also construct the name for "git submodule add" inside the git-submodule.sh script. This is probably not a big deal for security since the name is coming from the user anyway, but it would be polite to remind them if the name they pick is invalid (and we need to expose the name-checker to the shell anyway for our test scripts).
This patch issues a warning when reading .gitmodules and just ignores the related config entry completely. This will generally end up producing a sensible error, as it works the same as a .gitmodules file which is missing a submodule entry (so "submodule update" will barf, but "git clone --recurse-submodules" will print an error but not abort the clone).
There is one minor oddity, which is that we print the warning once per malformed config key (since that's how the config subsystem gives us the entries). So in the new test, for example, the user would see three warnings. That's OK, since the intent is that this case should never come up outside of malicious repositories (and then it might even benefit the user to see the message multiple times). Credit for finding this vulnerability and the proof of concept from which the test script was adapted goes to Etienne Stalmans. Signed-off-by: Jeff King <peff@peff.net> 22 May 2018, 03:50:11 UTC
468165c Git 2.17 Signed-off-by: Junio C Hamano <gitster@pobox.com> 02 April 2018, 17:13:35 UTC
1614dd0 Merge tag 'l10n-2.17.0-rnd1' of git://github.com/git-l10n/git-po l10n for Git 2.17.0 round 1 * tag 'l10n-2.17.0-rnd1' of git://github.com/git-l10n/git-po: l10n: de.po: translate 132 new messages l10n: zh_CN: review for git v2.17.0 l10n round 1 l10n: zh_CN: for git v2.17.0 l10n round 1 l10n: ko.po: Update Korean translation l10n: fr.po: v2.17.0 no fuzzy l10n: sv.po: Update Swedish translation (3376t0f0u) l10n: Update Catalan translation l10n: fr.po v2.17.0 round 1 l10n: vi.po(3376t): Updated Vietnamese translation for v2.17 l10n: bg.po: Updated Bulgarian translation (3376t) l10n: es.po: Update Spanish translation 2.17.0 l10n: git.pot: v2.17.0 round 1 (132 new, 44 removed) l10n: es.po: fixes to Spanish translation 02 April 2018, 17:12:38 UTC
5f94417 Merge branch 'pw/add-p-single' Hotfix. * pw/add-p-single: add -p: fix 2.17.0-rc* regression due to moved code 02 April 2018, 17:10:55 UTC
fd2fb4a add -p: fix 2.17.0-rc* regression due to moved code Fix a regression in 88f6ffc1c2 ("add -p: only bind search key if there's more than one hunk", 2018-02-13) which is present in 2.17.0-rc*, but not 2.16.0. In Perl, regex variables like $1 always refer to the last regex match. When the aforementioned change added a new regex match between the old match and the corresponding code that was expecting $1, the $1 variable would always be undef, since the newly inserted regex match doesn't have any captures. As a result the "/" feature to search for a string in a hunk by regex completely broke, on git.git: $ perl -pi -e 's/Git/Tig/g' README.md $ ./git --exec-path=$PWD add -p [..] Stage this hunk [y,n,q,a,d,j,J,g,/,s,e,?]? s Split into 4 hunks. [...] Stage this hunk [y,n,q,a,d,j,J,g,/,s,e,?]? /Many Use of uninitialized value $1 in string eq at /home/avar/g/git/git-add--interactive line 1568, <STDIN> line 1. search for regex? Many I.e. the initial "/regex" command wouldn't work, and would always emit a warning and ask again for a regex, now it works as intended again. Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 01 April 2018, 04:54:28 UTC
8bb6d60 l10n: de.po: translate 132 new messages Translate 132 new messages that came from git.pot update in abc8de64d (l10n: git.pot: v2.17.0 round 1 (132 new, 44 removed)). Signed-off-by: Ralf Thielow <ralf.thielow@gmail.com> 31 March 2018, 11:21:09 UTC
c2a499e Merge branch 'jh/partial-clone' Hotfix. * jh/partial-clone: upload-pack: disable object filtering when disabled by config unpack-trees: release oid_array after use in check_updates() 29 March 2018, 22:39:59 UTC
c7620bd upload-pack: disable object filtering when disabled by config When upload-pack gained partial clone support (v2.17.0-rc0~132^2~12, 2017-12-08), it was guarded by the uploadpack.allowFilter config item to allow server operators to control when they start supporting it. That config item didn't go far enough, though: it controls whether the 'filter' capability is advertised, but if a (custom) client ignores the capability advertisement and passes a filter specification anyway, the server would handle that despite allowFilter being false. This is particularly significant if a security bug is discovered in this new experimental partial clone code. Installations without uploadpack.allowFilter ought not to be affected since they don't intend to support partial clone, but they would be swept up into being vulnerable. Simplify and limit the attack surface by making uploadpack.allowFilter disable the feature, not just the advertisement of it. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 29 March 2018, 22:39:31 UTC
610f809 l10n: zh_CN: review for git v2.17.0 l10n round 1 Signed-off-by: Ray Chen <oldsharp@gmail.com> 29 March 2018, 14:09:39 UTC
31e5e17 l10n: zh_CN: for git v2.17.0 l10n round 1 Translate 132 new messages (3376t0f0u) for git 2.17.0-rc0. Reviewed-by: 依云 <lilydjwg@gmail.com> Reviewed-by: Fangyi Zhou <fangyi.zhou@yuriko.moe> Signed-off-by: Jiang Xin <worldhello.net@gmail.com> 29 March 2018, 14:09:39 UTC
03df495 Git 2.17-rc2 Signed-off-by: Junio C Hamano <gitster@pobox.com> 28 March 2018, 18:05:14 UTC
72d30c7 Merge branch 'tg/stash-doc-typofix' Hotfix. * tg/stash-doc-typofix: git-stash.txt: remove extra square bracket 28 March 2018, 18:04:25 UTC
2081fa7 Merge branch 'pc/submodule-helper' Hotfix. * pc/submodule-helper: submodule deinit: handle non existing pathspecs gracefully 28 March 2018, 18:04:25 UTC
87cc76f Merge branch 'nd/parseopt-completion' Hotfix for recently graduated topic that gives help to completion scripts from the Git subcommands that are being completed * nd/parseopt-completion: t9902: disable test on the list of merge-strategies under GETTEXT_POISON completion: clear cached --options when sourcing the completion script 28 March 2018, 18:04:24 UTC
1be5ae8 l10n: ko.po: Update Korean translation Signed-off-by: Changwoo Ryu <cwryu@debian.org> Signed-off-by: Sihyeon Jang <uneedsihyeon@gmail.com> Signed-off-by: Gwan-gyeong Mun <elongbug@gmail.com> Reviewed-by: Changwoo Ryu <cwryu@debian.org> 28 March 2018, 14:41:20 UTC
9748e39 submodule deinit: handle non existing pathspecs gracefully This fixes a regression introduced in 2e612731b5 (submodule: port submodule subcommand 'deinit' from shell to C, 2018-01-15), when handling pathspecs that do not exist gracefully. This restores the historic behavior of reporting the pathspec as unknown and returning instead of reporting a bug. Reported-by: Peter Oberndorfer <kumbayo84@arcor.de> Signed-off-by: Stefan Beller <sbeller@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 28 March 2018, 05:07:13 UTC
0a790f0 git-stash.txt: remove extra square bracket In 1ada5020b3 ("stash: use stash_push for no verb form", 2017-02-28), when the pathspec argument was introduced in 'git stash', that was also documented. However I forgot to remove an extra square bracket after the '--message' argument, even though the square bracket should have been after the pathspec argument (where it was also added). Remove the extra square bracket after the '--message' argument, to show that the pathspec argument should be used with the 'push' verb. While the pathspec argument can be used without the push verb, that's a special case described later in the man page, and removing the first extra square bracket instead of the second one makes the synopsis easier to understand. Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 28 March 2018, 02:09:13 UTC
9f242a1 unpack-trees: release oid_array after use in check_updates() Signed-off-by: Rene Scharfe <l.s.r@web.de> Signed-off-by: Junio C Hamano <gitster@pobox.com> 25 March 2018, 17:51:46 UTC
edc320e Merge branch 'fr_v2.17.0' of git://github.com/jnavila/git * 'fr_v2.17.0' of git://github.com/jnavila/git: l10n: fr.po: v2.17.0 no fuzzy 25 March 2018, 13:24:02 UTC
7be97e4 l10n: fr.po: v2.17.0 no fuzzy Signed-off-by: Jean-Noël Avila <jn.avila@free.fr> 23 March 2018, 22:03:37 UTC
b60e88c t9902: disable test on the list of merge-strategies under GETTEXT_POISON The code to learn the list of merge strategies from the output of "git merge -s help" forces C locale, so that it can notice the message shown to indicate where the list starts in the output. However, GETTEXT_POISON build corrupts its output even when run in the C locale, and we cannot expect this test to succeed. Signed-off-by: Junio C Hamano <gitster@pobox.com> 23 March 2018, 18:27:52 UTC
90bbd50 Sync with Git 2.16.3 22 March 2018, 21:36:51 UTC
d32eb83 Git 2.16.3 Signed-off-by: Junio C Hamano <gitster@pobox.com> 22 March 2018, 21:24:45 UTC
88595eb Merge branch 'ms/non-ascii-ticks' into maint Doc markup fix. * ms/non-ascii-ticks: Documentation/gitsubmodules.txt: avoid non-ASCII apostrophes 22 March 2018, 21:24:26 UTC
393eee1 Merge branch 'jk/cached-commit-buffer' into maint Code clean-up. * jk/cached-commit-buffer: revision: drop --show-all option commit: drop uses of get_cached_commit_buffer() 22 March 2018, 21:24:25 UTC
c9bc2c5 Merge branch 'sm/mv-dry-run-update' into maint Code clean-up. * sm/mv-dry-run-update: mv: remove unneeded 'if (!show_only)' t7001: add test case for --dry-run 22 March 2018, 21:24:25 UTC
342215b Merge branch 'tg/worktree-create-tracking' into maint Hotfix for a recent topic. * tg/worktree-create-tracking: git-worktree.txt: fix indentation of example and text of 'add' command git-worktree.txt: fix missing ")" typo 22 March 2018, 21:24:24 UTC
8bfeb0e Merge branch 'gs/test-unset-xdg-cache-home' into maint Test update. * gs/test-unset-xdg-cache-home: test-lib.sh: unset XDG_CACHE_HOME 22 March 2018, 21:24:24 UTC
e092248 Merge branch 'sb/status-doc-fix' into maint Docfix. * sb/status-doc-fix: Documentation/git-status: clarify status table for porcelain mode 22 March 2018, 21:24:23 UTC
9ea8e0c Merge branch 'rd/typofix' into maint Typofix. * rd/typofix: Correct mispellings of ".gitmodule" to ".gitmodules" t/: correct obvious typo "detahced" 22 March 2018, 21:24:22 UTC
5a03f1d Merge branch 'bp/fsmonitor' into maint Doc update for a recently added feature. * bp/fsmonitor: fsmonitor: update documentation to remove reference to invalid config settings 22 March 2018, 21:24:21 UTC
dfc20a5 Merge branch 'bc/doc-interpret-trailers-grammofix' into maint Docfix. * bc/doc-interpret-trailers-grammofix: docs/interpret-trailers: fix agreement error 22 March 2018, 21:24:21 UTC
68559c4 Merge branch 'sg/doc-test-must-fail-args' into maint Devdoc update. * sg/doc-test-must-fail-args: t: document 'test_must_fail ok=<signal-name>' 22 March 2018, 21:24:20 UTC
67b7dd3 Merge branch 'rj/sparse-updates' into maint Devtool update. * rj/sparse-updates: Makefile: suppress a sparse warning for pack-revindex.c config.mak.uname: remove SPARSE_FLAGS setting for cygwin 22 March 2018, 21:24:19 UTC
2e1062d Merge branch 'jk/gettext-poison' into maint Test updates. * jk/gettext-poison: git-sh-i18n: check GETTEXT_POISON before USE_GETTEXT_SCHEME t0205: drop redundant test 22 March 2018, 21:24:19 UTC
34f6f0e Merge branch 'nd/ignore-glob-doc-update' into maint Doc update. * nd/ignore-glob-doc-update: gitignore.txt: elaborate shell glob syntax 22 March 2018, 21:24:18 UTC
fda2326 Merge branch 'rs/cocci-strbuf-addf-to-addstr' into maint * rs/cocci-strbuf-addf-to-addstr: cocci: simplify check for trivial format strings 22 March 2018, 21:24:17 UTC
e55521b Merge branch 'jc/worktree-add-short-help' into maint Error message fix. * jc/worktree-add-short-help: worktree: say that "add" takes an arbitrary commit in short-help 22 March 2018, 21:24:17 UTC
9c34129 Merge branch 'tz/doc-show-defaults-to-head' into maint Doc update. * tz/doc-show-defaults-to-head: doc: mention 'git show' defaults to HEAD 22 March 2018, 21:24:17 UTC
3112c3f Merge branch 'nd/shared-index-fix' into maint Code clean-up. * nd/shared-index-fix: read-cache: don't write index twice if we can't write shared index read-cache.c: move tempfile creation/cleanup out of write_shared_index read-cache.c: change type of "temp" in write_shared_index() 22 March 2018, 21:24:16 UTC
bffce88 Merge branch 'jc/mailinfo-cleanup-fix' into maint Corner case bugfix. * jc/mailinfo-cleanup-fix: mailinfo: avoid segfault when can't open files 22 March 2018, 21:24:16 UTC
b502aa4 Merge branch 'rb/hashmap-h-compilation-fix' into maint Code clean-up. * rb/hashmap-h-compilation-fix: hashmap.h: remove unused variable 22 March 2018, 21:24:15 UTC
9bcb489 Merge branch 'rs/describe-unique-abbrev' into maint Code clean-up. * rs/describe-unique-abbrev: describe: use strbuf_add_unique_abbrev() for adding short hashes 22 March 2018, 21:24:14 UTC
60736db Merge branch 'ks/submodule-doc-updates' into maint Doc updates. * ks/submodule-doc-updates: Doc/git-submodule: improve readability and grammar of a sentence Doc/gitsubmodules: make some changes to improve readability and syntax 22 March 2018, 21:24:14 UTC
b1bdf46 Merge branch 'cl/t9001-cleanup' into maint Test clean-up. * cl/t9001-cleanup: t9001: use existing helper in send-email test 22 March 2018, 21:24:13 UTC
6ef449e Merge branch 'bw/oidmap-autoinit' into maint Code clean-up. * bw/oidmap-autoinit: oidmap: ensure map is initialized 22 March 2018, 21:24:12 UTC
dab684f Merge branch 'sg/test-i18ngrep' into maint Test fixes. * sg/test-i18ngrep: t: make 'test_i18ngrep' more informative on failure t: validate 'test_i18ngrep's parameters t: move 'test_i18ncmp' and 'test_i18ngrep' to 'test-lib-functions.sh' t5536: let 'test_i18ngrep' read the file without redirection t5510: consolidate 'grep' and 'test_i18ngrep' patterns t4001: don't run 'git status' upstream of a pipe t6022: don't run 'git merge' upstream of a pipe t5812: add 'test_i18ngrep's missing filename parameter t5541: add 'test_i18ngrep's missing filename parameter 22 March 2018, 21:24:12 UTC
d78b7eb Merge branch 'jt/fsck-code-cleanup' into maint Plug recently introduced leaks in fsck. * jt/fsck-code-cleanup: fsck: fix leak when traversing trees 22 March 2018, 21:24:12 UTC
34b9ec8 Merge branch 'ew/svn-branch-segfault-fix' into maint Workaround for segfault with more recent versions of SVN. * ew/svn-branch-segfault-fix: git-svn: control destruction order to avoid segfault 22 March 2018, 21:24:11 UTC
091853a Merge branch 'nd/list-merge-strategy' into maint Completion of "git merge -s<strategy>" (in contrib/) did not work well in non-C locale. * nd/list-merge-strategy: completion: fix completing merge strategies on non-C locales 22 March 2018, 21:24:11 UTC
f936c9b Merge branch 'jk/daemon-fixes' into maint Assorted fixes to "git daemon". * jk/daemon-fixes: daemon: fix length computation in newline stripping t/lib-git-daemon: add network-protocol helpers daemon: handle NULs in extended attribute string daemon: fix off-by-one in logging extended attributes t/lib-git-daemon: record daemon log t5570: use ls-remote instead of clone for interp tests 22 March 2018, 21:24:11 UTC
b0e0fc2 Merge branch 'tg/split-index-fixes' into maint The split-index mode had a few corner case bugs fixed. * tg/split-index-fixes: travis: run tests with GIT_TEST_SPLIT_INDEX split-index: don't write cache tree with null oid entries read-cache: fix reading the shared index for other repos 22 March 2018, 21:24:10 UTC
7e44d80 Merge branch 'mr/packed-ref-store-fix' into maint Crash fix for a corner case where an error codepath tried to unlock what it did not acquire lock on. * mr/packed-ref-store-fix: files_initial_transaction_commit(): only unlock if locked 22 March 2018, 21:24:10 UTC
721dce0 Merge branch 'jt/http-redact-cookies' into maint The http tracing code, often used to debug connection issues, learned to redact potentially sensitive information from its output so that it can be more safely sharable. * jt/http-redact-cookies: http: support omitting data from traces http: support cookie redaction when tracing 22 March 2018, 21:24:09 UTC
b322219 Merge branch 'nd/diff-flush-before-warning' into maint Avoid showing a warning message in the middle of a line of "git diff" output. * nd/diff-flush-before-warning: diff.c: flush stdout before printing rename warnings 22 March 2018, 21:24:09 UTC
573ce03 Merge branch 'sg/travis-build-during-script-phase' into maint Build the executable in 'script' phase in Travis CI integration, to follow the established practice, rather than during 'before_script' phase. This allows the CI to categorize the failures better ('failed' is project's fault, 'errored' is build environment's). * sg/travis-build-during-script-phase: travis-ci: build Git during the 'script' phase 22 March 2018, 21:24:08 UTC
8b0eaa4 completion: clear cached --options when sourcing the completion script The established way to update the completion script in an already running shell is to simply source it again: this brings in any new --options and features, and clears caching variables. E.g. it clears the variables caching the list of (all|porcelain) git commands, so when they are later lazy-initialized again, then they will list and cache any newly installed commands as well. Unfortunately, since d401f3debc (git-completion.bash: introduce __gitcomp_builtin, 2018-02-09) and subsequent patches this doesn't work for a lot of git commands' options. To eliminate a lot of hard-to-maintain hard-coded lists of options, those commits changed the completion script to use a bunch of programmatically created and lazy-initialized variables to cache the options of those builtin porcelain commands that use parse-options. These variables are not cleared upon sourcing the completion script, therefore they continue caching the old lists of options, even when some commands recently learned new options or when deprecated options were removed. Always 'unset' these variables caching the options of builtin commands when sourcing the completion script. Redirect 'unset's stderr to /dev/null, because ZSH's 'unset' complains if it's invoked without any arguments, i.e. no variables caching builtin's options are set. This can happen, if someone were to source the completion script twice without completing any --options in between. Bash stays silent in this case. Add tests to ensure that these variables are indeed cleared when the completion script is sourced; not just the variables caching options, but all other caching variables, i.e. the variables caching commands, porcelain commands and merge strategies as well. Signed-off-by: SZEDER Gábor <szeder.dev@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 22 March 2018, 17:22:09 UTC