author: Taylor Blau <me@ttaylorr.com>, 2023-01-25 14:58:38 -0500
committer: Johannes Schindelin <johannes.schindelin@gmx.de>, 2023-02-06 09:09:14 +0100
commit: 2c9a4c731010685b86559c06637aeef2ac5ea06e
tree: 94ef671b634c0516c9643aa5e685ca31c0793453 /dir-iterator.h
parent: 0227130244c007870c106fc613903d078730e45c
parent: bffc762f87ae8d18c6001bf0044a76004245754c
Merge branch 'tb/clone-local-symlinks' into maint-2.30

Resolve a security vulnerability (CVE-2023-22490) where `clone_local()` is used in conjunction with non-local transports, leading to arbitrary path exfiltration.

* tb/clone-local-symlinks:
  dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS
  clone: delay picking a transport until after get_repo_path()
  t5619: demonstrate clone_local() with ambiguous transport

Diffstat (limited to 'dir-iterator.h')
-rw-r--r-- dir-iterator.h 5
1 files changed, 5 insertions, 0 deletions
diff --git a/dir-iterator.h b/dir-iterator.h
index 08229157c6..e3b6ff2800 100644
--- a/dir-iterator.h
+++ b/dir-iterator.h
@@ -61,6 +61,11 @@
* not the symlinks themselves, which is the default behavior. Broken
* symlinks are ignored.
*
+ * Note: setting DIR_ITERATOR_FOLLOW_SYMLINKS affects resolving the
+ * starting path as well (e.g., attempting to iterate starting at a
+ * symbolic link pointing to a directory without FOLLOW_SYMLINKS will
+ * result in an error).
+ *
* Warning: circular symlinks are also followed when
* DIR_ITERATOR_FOLLOW_SYMLINKS is set. The iteration may end up with
* an ELOOP if they happen and DIR_ITERATOR_PEDANTIC is set.
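
Review bot: The added note says that starting at a symbolic link without FOLLOW_SYMLINKS "will result in an error", but it does not say how that error reaches the caller, while the warning directly below it names both the errno (ELOOP) and the flag that makes it fatal (DIR_ITERATOR_PEDANTIC). Since the commit message ties this behaviour to CVE-2023-22490, the header should tell callers what to check: state what the iterator's begin call returns in this case and which errno it sets, and whether that depends on DIR_ITERATOR_PEDANTIC. The opening clause is also phrased from the side of setting the flag while the example describes the unset case; wording it as "without DIR_ITERATOR_FOLLOW_SYMLINKS, the starting path itself must not be a symbolic link" would make the default, safe behaviour the explicit contract.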