Fork of git SCM with my patches. http://git.kilabit.info/git/atom?h=v2.31.3 2022-04-13T22:21:08Z 2022-04-13T22:21:08Z Junio C Hamano gitster@pobox.com 2022-04-13T22:21:08Z urn:sha1:09f66d65f87e0a547c186e4027368a826a965256 Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-04-13T20:31:29Z Junio C Hamano gitster@pobox.com 2022-04-13T20:31:29Z urn:sha1:17083c79ae842b51d82518e2efe5281346acea0e Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-04-13T19:42:51Z Derrick Stolee derrickstolee@github.com 2022-04-13T15:32:31Z urn:sha1:0f85c4a30b072a26d74af8bbf63cc8f6a5dfc1b8 With the addition of the safe.directory in 8959555ce (setup_git_directory(): add an owner check for the top-level directory, 2022-03-02) released in v2.35.2, we are receiving feedback from a variety of users about the feature. Some users have a very large list of shared repositories and find it cumbersome to add this config for every one of them. In a more difficult case, certain workflows involve running Git commands within containers. The container boundary prevents any global or system config from communicating `safe.directory` values from the host into the container. Further, the container almost always runs as a different user than the owner of the directory in the host. To simplify the reactions necessary for these users, extend the definition of the safe.directory config value to include a possible '*' value. This value implies that all directories are safe, providing a single setting to opt-out of this protection. Note that an empty assignment of safe.directory clears all previous values, and this is already the case with the "if (!value || !*value)" condition. Signed-off-by: Derrick Stolee <derrickstolee@github.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-04-13T19:42:51Z Matheus Valadares me@m28.io 2022-04-13T15:32:30Z urn:sha1:bb50ec3cc300eeff3aba7a2bea145aabdb477d31 It seems that nothing is ever checking to make sure the safe directories in the configs actually have the key safe.directory, so some unrelated config that has a value with a certain directory would also make it a safe directory. Signed-off-by: Matheus Valadares <me@m28.io> Signed-off-by: Derrick Stolee <derrickstolee@github.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-04-13T19:42:49Z Derrick Stolee derrickstolee@github.com 2022-04-13T15:32:29Z urn:sha1:e47363e5a8bdf5144059d664c45c0975243ef05b It is difficult to change the ownership on a directory in our test suite, so insert a new GIT_TEST_ASSUME_DIFFERENT_OWNER environment variable to trick Git into thinking we are in a differently-owned directory. This allows us to test that the config is parsed correctly. Signed-off-by: Derrick Stolee <derrickstolee@github.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-03-23T23:24:29Z Johannes Schindelin johannes.schindelin@gmx.de 2022-03-17T09:57:32Z urn:sha1:44de39c45c65134f4a6e02e7702a5db70a71041d Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> 2022-03-23T23:24:29Z Johannes Schindelin johannes.schindelin@gmx.de 2022-03-17T09:57:31Z urn:sha1:6a2381a3e5176b8deb69c799ed2b600366d36d39 * maint-2.30: Git 2.30.3 setup_git_directory(): add an owner check for the top-level directory Add a function to determine whether a path is owned by the current user 2022-03-23T23:22:17Z Johannes Schindelin johannes.schindelin@gmx.de 2022-03-17T09:15:15Z urn:sha1:cb95038137e9e66fc6a6b4a0e8db62bcc521b709 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> 2022-03-23T23:21:08Z Johannes Schindelin johannes.schindelin@gmx.de 2022-03-23T22:00:41Z urn:sha1:fdcad5a53e14bd397e4fa323e7fd0c3bf16dd373 When determining the length of the longest ancestor of a given path with respect to to e.g. `GIT_CEILING_DIRECTORIES`, we special-case the root directory by returning 0 (i.e. we pretend that the path `/` does not end in a slash by virtually stripping it). That is the correct behavior because when normalizing paths, the root directory is special: all other directory paths have their trailing slash stripped, but not the root directory's path (because it would become the empty string, which is not a legal path). However, this special-casing of the root directory in `longest_ancestor_length()` completely forgets about Windows-style root directories, e.g. `C:\`. These _also_ get normalized with a trailing slash (because `C:` would actually refer to the current directory on that drive, not necessarily to its root directory). In fc56c7b34b (mingw: accomodate t0060-path-utils for MSYS2, 2016-01-27), we almost got it right. We noticed that `longest_ancestor_length()` expects a slash _after_ the matched prefix, and if the prefix already ends in a slash, the normalized path won't ever match and -1 is returned. But then that commit went astray: The correct fix is not to adjust the _tests_ to expect an incorrect -1 when that function is fed a prefix that ends in a slash, but instead to treat such a prefix as if the trailing slash had been removed. Likewise, that function needs to handle the case where it is fed a path that ends in a slash (not only a prefix that ends in a slash): if it matches the prefix (plus trailing slash), we still need to verify that the path does not end there, otherwise the prefix is not actually an ancestor of the path but identical to it (and we need to return -1 in that case). With these two adjustments, we no longer need to play games in t0060 where we only add `$rootoff` if the passed prefix is different from the MSYS2 pseudo root, instead we also add it for the MSYS2 pseudo root itself. We do have to be careful to skip that logic entirely for Windows paths, though, because they do are not subject to that MSYS2 pseudo root treatment. This patch fixes the scenario where a user has set `GIT_CEILING_DIRECTORIES=C:\`, which would be ignored otherwise. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> 2022-03-21T12:16:26Z Johannes Schindelin johannes.schindelin@gmx.de 2022-03-02T11:23:04Z urn:sha1:8959555cee7ec045958f9b6dd62e541affb7e7d9 It poses a security risk to search for a git directory outside of the directories owned by the current user. For example, it is common e.g. in computer pools of educational institutes to have a "scratch" space: a mounted disk with plenty of space that is regularly swiped where any authenticated user can create a directory to do their work. Merely navigating to such a space with a Git-enabled `PS1` when there is a maliciously-crafted `/scratch/.git/` can lead to a compromised account. The same holds true in multi-user setups running Windows, as `C:\` is writable to every authenticated user by default. To plug this vulnerability, we stop Git from accepting top-level directories owned by someone other than the current user. We avoid looking at the ownership of each and every directories between the current and the top-level one (if there are any between) to avoid introducing a performance bottleneck. This new default behavior is obviously incompatible with the concept of shared repositories, where we expect the top-level directory to be owned by only one of its legitimate users. To re-enable that use case, we add support for adding exceptions from the new default behavior via the config setting `safe.directory`. The `safe.directory` config setting is only respected in the system and global configs, not from repository configs or via the command-line, and can have multiple values to allow for multiple shared repositories. We are particularly careful to provide a helpful message to any user trying to use a shared repository. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>