Fork of git SCM with my patches. http://git.kilabit.info/git/atom?h=v2.19.4 2020-03-17T20:43:08Z 2020-03-17T20:43:08Z Junio C Hamano gitster@pobox.com 2020-03-17T20:37:37Z urn:sha1:a5979d7009017c79b0100b7b66e8567b3ad7b022 Signed-off-by: Junio C Hamano <gitster@pobox.com> 2020-03-17T20:34:12Z Junio C Hamano gitster@pobox.com 2020-03-17T20:34:12Z urn:sha1:21a3e5016bb218dc9b016284c88ba685bc446b70 Signed-off-by: Junio C Hamano <gitster@pobox.com> 2020-03-17T20:25:33Z Junio C Hamano gitster@pobox.com 2020-03-17T20:23:48Z urn:sha1:c42c0f12972194564f039dcf580d89ca14ae72d6 Signed-off-by: Junio C Hamano <gitster@pobox.com> 2020-03-12T06:56:50Z Jeff King peff@peff.net 2020-03-11T22:48:24Z urn:sha1:07259e74ec1237c836874342c65650bdee8a3993 The credential protocol can't handle values with newlines. We already detect and block any such URLs from being used with credential helpers, but let's also add an fsck check to detect and block gitmodules files with such URLs. That will let us notice the problem earlier when transfer.fsckObjects is turned on. And in particular it will prevent bad objects from spreading, which may protect downstream users running older versions of Git. We'll file this under the existing gitmodulesUrl flag, which covers URLs with option injection. There's really no need to distinguish the exact flaw in the URL in this context. Likewise, I've expanded the description of t7416 to cover all types of bogus URLs. 2020-03-12T06:55:24Z Jeff King peff@peff.net 2020-03-12T05:31:11Z urn:sha1:c716fe4bd917e013bf376a678b3a924447777b2d The credential protocol can't represent newlines in values, but URLs can embed percent-encoded newlines in various components. A previous commit taught the low-level writing routines to die() when encountering this, but we can be a little friendlier to the user by detecting them earlier and handling them gracefully. This patch teaches credential_from_url() to notice such components, issue a warning, and blank the credential (which will generally result in prompting the user for a username and password). We blank the whole credential in this case. Another option would be to blank only the invalid component. However, we're probably better off not feeding a partially-parsed URL result to a credential helper. We don't know how a given helper would handle it, so we're better off to err on the side of matching nothing rather than something unexpected. The die() call in credential_write() is _probably_ impossible to reach after this patch. Values should end up in credential structs only by URL parsing (which is covered here), or by reading credential protocol input (which by definition cannot read a newline into a value). But we should definitely keep the low-level check, as it's our final and most accurate line of defense against protocol injection attacks. Arguably it could become a BUG(), but it probably doesn't matter much either way. Note that the public interface of credential_from_url() grows a little more than we need here. We'll use the extra flexibility in a future patch to help fsck catch these cases. 2020-03-12T06:55:17Z Jeff King peff@peff.net 2020-03-11T22:11:37Z urn:sha1:17f1c0b8c7e447aa62f85dc355bb48133d2812f2 The credential tests have a "check" function which feeds some input to git-credential and checks the stdout and stderr. We look for exact matches in the output. For stdout, this makes sense; the output is the credential protocol. But for stderr, we may be showing various diagnostic messages, or the prompts fed to the askpass program, which could be translated. Let's mark them as such. 2020-03-12T06:55:16Z Jeff King peff@peff.net 2020-03-11T21:53:41Z urn:sha1:9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b The credential protocol that we use to speak to helpers can't represent values with newlines in them. This was an intentional design choice to keep the protocol simple, since none of the values we pass should generally have newlines. However, if we _do_ encounter a newline in a value, we blindly transmit it in credential_write(). Such values may break the protocol syntax, or worse, inject new valid lines into the protocol stream. The most likely way for a newline to end up in a credential struct is by decoding a URL with a percent-encoded newline. However, since the bug occurs at the moment we write the value to the protocol, we'll catch it there. That should leave no possibility of accidentally missing a code path that can trigger the problem. At this level of the code we have little choice but to die(). However, since we'd not ever expect to see this case outside of a malicious URL, that's an acceptable outcome. Reported-by: Felix Wilhelm <fwilhelm@google.com> 2019-12-06T15:30:40Z Johannes Schindelin johannes.schindelin@gmx.de 2019-12-04T21:29:33Z urn:sha1:caccc527ca7f4b3e6f4bb6775cbff94b27741482 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> 2019-12-06T15:30:38Z Johannes Schindelin johannes.schindelin@gmx.de 2019-12-04T21:27:04Z urn:sha1:7c9fbda6e2e0ac4a491863253aeedeafb3cb9dab * maint-2.18: (33 commits) Git 2.18.2 Git 2.17.3 Git 2.16.6 test-drop-caches: use `has_dos_drive_prefix()` Git 2.15.4 Git 2.14.6 mingw: handle `subst`-ed "DOS drives" mingw: refuse to access paths with trailing spaces or periods mingw: refuse to access paths with illegal characters unpack-trees: let merged_entry() pass through do_add_entry()'s errors quote-stress-test: offer to test quoting arguments for MSYS2 sh t6130/t9350: prepare for stringent Win32 path validation quote-stress-test: allow skipping some trials quote-stress-test: accept arguments to test via the command-line tests: add a helper to stress test argument quoting mingw: fix quoting of arguments Disallow dubiously-nested submodule git directories protect_ntfs: turn on NTFS protection by default path: also guard `.gitmodules` against NTFS Alternate Data Streams is_ntfs_dotgit(): speed it up ... 2019-12-06T15:29:17Z Johannes Schindelin johannes.schindelin@gmx.de 2019-12-04T21:22:52Z urn:sha1:9877106b01cbd346b862cc8cd2c52e496dd40ed5 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>