Fork of git SCM with my patches. http://git.kilabit.info/git/atom?h=v2.25.4 2020-04-19T23:31:07Z 2020-04-19T23:31:07Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T23:31:07Z urn:sha1:7397ca33730626f682845f8691b39c305535611e This merges up the security fix from v2.17.5. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> 2020-04-19T23:30:34Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T23:30:34Z urn:sha1:b86a4be245d0ba077c97c6ab6b1cdbeb9dcc1342 This merges up the security fix from v2.17.5. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> 2020-04-19T23:30:27Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T23:30:27Z urn:sha1:f2771efd07b51edae023db95fcca39c72a0397fe This merges up the security fix from v2.17.5. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> 2020-04-19T23:30:19Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T23:30:19Z urn:sha1:c9808fa014aa88cc306705d308d1d9065d567ddc This merges up the security fix from v2.17.5. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> 2020-04-19T23:30:08Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T23:30:08Z urn:sha1:9206d27eb5e76bbb3a4e59e3c53f92eaa0caa97b This merges up the security fix from v2.17.5. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> 2020-04-19T23:28:57Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T23:28:57Z urn:sha1:041bc65923e13313ca1b77681c3b2950b5e0a163 This merges up the security fix from v2.17.5. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> 2020-04-19T23:26:41Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T23:26:41Z urn:sha1:76b54ee9b9944ee70422ac24884f78769cf264f1 This merges up the security fix from v2.17.5. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> 2020-04-19T23:24:14Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T23:24:14Z urn:sha1:ba6f0905fdb9e65c1ac5fbc79c9a4ef0b59b3e68 This merges up the security fix from v2.17.5. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> 2020-04-19T23:10:58Z Jeff King peff@peff.net 2020-04-19T06:34:55Z urn:sha1:df5be6dc3fd18c294ec93a9af0321334e3f92c9c Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> 2020-04-19T23:10:58Z Jonathan Nieder jrnieder@gmail.com 2020-04-19T03:57:22Z urn:sha1:1a3609e402a062ef7b11f197fe96c28cabca132c Git's URL parser interprets https:///example.com/repo.git to have no host and a path of "example.com/repo.git". Curl, on the other hand, internally redirects it to https://example.com/repo.git. As a result, until "credential: parse URL without host as empty host, not unset", tricking a user into fetching from such a URL would cause Git to send credentials for another host to example.com. Teach fsck to block and detect .gitmodules files using such a URL to prevent sharing them with Git versions that are not yet protected. A relative URL in a .gitmodules file could also be used to trigger this. The relative URL resolver used for .gitmodules does not normalize sequences of slashes and can follow ".." components out of the path part and to the host part of a URL, meaning that such a relative URL can be used to traverse from a https://foo.example.com/innocent superproject to a https:///attacker.example.com/exploit submodule. Fortunately, redundant extra slashes in .gitmodules are rare, so we can catch this by detecting one after a leading sequence of "./" and "../" components. Helped-by: Jeff King <peff@peff.net> Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> Reviewed-by: Jeff King <peff@peff.net>