Browse Source

Git 2.25.3

Signed-off-by: Junio C Hamano <gitster@pobox.com>
maint v2.25.3
Junio C Hamano 5 years ago
parent
commit
67b0a24910
  1. 16
      Documentation/RelNotes/2.17.4.txt
  2. 5
      Documentation/RelNotes/2.18.3.txt
  3. 5
      Documentation/RelNotes/2.19.4.txt
  4. 5
      Documentation/RelNotes/2.20.3.txt
  5. 5
      Documentation/RelNotes/2.21.2.txt
  6. 5
      Documentation/RelNotes/2.22.3.txt
  7. 5
      Documentation/RelNotes/2.23.2.txt
  8. 5
      Documentation/RelNotes/2.24.2.txt
  9. 5
      Documentation/RelNotes/2.25.3.txt
  10. 2
      GIT-VERSION-GEN
  11. 2
      RelNotes
  12. 38
      credential.c
  13. 15
      credential.h
  14. 16
      fsck.c
  15. 2
      t/lib-credential.sh
  16. 14
      t/t0300-credentials.sh
  17. 18
      t/t7416-submodule-dash-url.sh

16
Documentation/RelNotes/2.17.4.txt

@ -0,0 +1,16 @@ @@ -0,0 +1,16 @@
Git v2.17.4 Release Notes
=========================

This release is to address the security issue: CVE-2020-5260

Fixes since v2.17.3
-------------------

* With a crafted URL that contains a newline in it, the credential
helper machinery can be fooled to give credential information for
a wrong host. The attack has been made impossible by forbidding
a newline character in any value passed via the credential
protocol.

Credit for finding the vulnerability goes to Felix Wilhelm of Google
Project Zero.

5
Documentation/RelNotes/2.18.3.txt

@ -0,0 +1,5 @@ @@ -0,0 +1,5 @@
Git v2.18.3 Release Notes
=========================

This release merges the security fix that appears in v2.17.4; see
the release notes for that version for details.

5
Documentation/RelNotes/2.19.4.txt

@ -0,0 +1,5 @@ @@ -0,0 +1,5 @@
Git v2.19.4 Release Notes
=========================

This release merges the security fix that appears in v2.17.4; see
the release notes for that version for details.

5
Documentation/RelNotes/2.20.3.txt

@ -0,0 +1,5 @@ @@ -0,0 +1,5 @@
Git v2.20.3 Release Notes
=========================

This release merges the security fix that appears in v2.17.4; see
the release notes for that version for details.

5
Documentation/RelNotes/2.21.2.txt

@ -0,0 +1,5 @@ @@ -0,0 +1,5 @@
Git v2.21.2 Release Notes
=========================

This release merges the security fix that appears in v2.17.4; see
the release notes for that version for details.

5
Documentation/RelNotes/2.22.3.txt

@ -0,0 +1,5 @@ @@ -0,0 +1,5 @@
Git v2.22.3 Release Notes
=========================

This release merges the security fix that appears in v2.17.4; see
the release notes for that version for details.

5
Documentation/RelNotes/2.23.2.txt

@ -0,0 +1,5 @@ @@ -0,0 +1,5 @@
Git v2.23.2 Release Notes
=========================

This release merges the security fix that appears in v2.17.4; see
the release notes for that version for details.

5
Documentation/RelNotes/2.24.2.txt

@ -0,0 +1,5 @@ @@ -0,0 +1,5 @@
Git v2.24.2 Release Notes
=========================

This release merges the security fix that appears in v2.17.4; see
the release notes for that version for details.

5
Documentation/RelNotes/2.25.3.txt

@ -0,0 +1,5 @@ @@ -0,0 +1,5 @@
Git v2.25.3 Release Notes
=========================

This release merges the security fix that appears in v2.17.4; see
the release notes for that version for details.

2
GIT-VERSION-GEN

@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
#!/bin/sh

GVF=GIT-VERSION-FILE
DEF_VER=v2.25.2
DEF_VER=v2.25.3

LF='
'

2
RelNotes

@ -1 +1 @@ @@ -1 +1 @@
Documentation/RelNotes/2.25.2.txt
Documentation/RelNotes/2.25.3.txt

38
credential.c

@ -195,6 +195,8 @@ static void credential_write_item(FILE *fp, const char *key, const char *value) @@ -195,6 +195,8 @@ static void credential_write_item(FILE *fp, const char *key, const char *value)
{
if (!value)
return;
if (strchr(value, '\n'))
die("credential value for %s contains newline", key);
fprintf(fp, "%s=%s\n", key, value);
}

@ -322,7 +324,22 @@ void credential_reject(struct credential *c) @@ -322,7 +324,22 @@ void credential_reject(struct credential *c)
c->approved = 0;
}

void credential_from_url(struct credential *c, const char *url)
static int check_url_component(const char *url, int quiet,
const char *name, const char *value)
{
if (!value)
return 0;
if (!strchr(value, '\n'))
return 0;

if (!quiet)
warning(_("url contains a newline in its %s component: %s"),
name, url);
return -1;
}

int credential_from_url_gently(struct credential *c, const char *url,
int quiet)
{
const char *at, *colon, *cp, *slash, *host, *proto_end;

@ -336,7 +353,7 @@ void credential_from_url(struct credential *c, const char *url) @@ -336,7 +353,7 @@ void credential_from_url(struct credential *c, const char *url)
*/
proto_end = strstr(url, "://");
if (!proto_end)
return;
return 0;
cp = proto_end + 3;
at = strchr(cp, '@');
colon = strchr(cp, ':');
@ -371,4 +388,21 @@ void credential_from_url(struct credential *c, const char *url) @@ -371,4 +388,21 @@ void credential_from_url(struct credential *c, const char *url)
while (p > c->path && *p == '/')
*p-- = '\0';
}

if (check_url_component(url, quiet, "username", c->username) < 0 ||
check_url_component(url, quiet, "password", c->password) < 0 ||
check_url_component(url, quiet, "protocol", c->protocol) < 0 ||
check_url_component(url, quiet, "host", c->host) < 0 ||
check_url_component(url, quiet, "path", c->path) < 0)
return -1;

return 0;
}

void credential_from_url(struct credential *c, const char *url)
{
if (credential_from_url_gently(c, url, 0) < 0) {
warning(_("skipping credential lookup for url: %s"), url);
credential_clear(c);
}
}

15
credential.h

@ -172,8 +172,21 @@ void credential_reject(struct credential *); @@ -172,8 +172,21 @@ void credential_reject(struct credential *);
int credential_read(struct credential *, FILE *);
void credential_write(const struct credential *, FILE *);

/* Parse a URL into broken-down credential fields. */
/*
* Parse a url into a credential struct, replacing any existing contents.
*
* If the url can't be parsed (e.g., a missing "proto://" component), the
* resulting credential will be empty but we'll still return success from the
* "gently" form.
*
* If we encounter a component which cannot be represented as a credential
* value (e.g., because it contains a newline), the "gently" form will return
* an error but leave the broken state in the credential object for further
* examination. The non-gentle form will issue a warning to stderr and return
* an empty credential.
*/
void credential_from_url(struct credential *, const char *url);
int credential_from_url_gently(struct credential *, const char *url, int quiet);

int credential_match(const struct credential *have,
const struct credential *want);

16
fsck.c

@ -15,6 +15,7 @@ @@ -15,6 +15,7 @@
#include "packfile.h"
#include "submodule-config.h"
#include "config.h"
#include "credential.h"
#include "help.h"

static struct oidset gitmodules_found = OIDSET_INIT;
@ -910,6 +911,19 @@ done: @@ -910,6 +911,19 @@ done:
return ret;
}

static int check_submodule_url(const char *url)
{
struct credential c = CREDENTIAL_INIT;
int ret;

if (looks_like_command_line_option(url))
return -1;

ret = credential_from_url_gently(&c, url, 1);
credential_clear(&c);
return ret;
}

struct fsck_gitmodules_data {
const struct object_id *oid;
struct fsck_options *options;
@ -935,7 +949,7 @@ static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata) @@ -935,7 +949,7 @@ static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata)
"disallowed submodule name: %s",
name);
if (!strcmp(key, "url") && value &&
looks_like_command_line_option(value))
check_submodule_url(value) < 0)
data->ret |= report(data->options,
data->oid, OBJ_BLOB,
FSCK_MSG_GITMODULES_URL,

2
t/lib-credential.sh

@ -19,7 +19,7 @@ check() { @@ -19,7 +19,7 @@ check() {
false
fi &&
test_cmp expect-stdout stdout &&
test_cmp expect-stderr stderr
test_i18ncmp expect-stderr stderr
}

read_chunk() {

14
t/t0300-credentials.sh

@ -308,4 +308,18 @@ test_expect_success 'empty helper spec resets helper list' ' @@ -308,4 +308,18 @@ test_expect_success 'empty helper spec resets helper list' '
EOF
'

test_expect_success 'url parser ignores embedded newlines' '
check fill <<-EOF
url=https://one.example.com?%0ahost=two.example.com/
--
username=askpass-username
password=askpass-password
--
warning: url contains a newline in its host component: https://one.example.com?%0ahost=two.example.com/
warning: skipping credential lookup for url: https://one.example.com?%0ahost=two.example.com/
askpass: Username:
askpass: Password:
EOF
'

test_done

18
t/t7416-submodule-dash-url.sh

@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
#!/bin/sh

test_description='check handling of .gitmodule url with dash'
test_description='check handling of disallowed .gitmodule urls'
. ./test-lib.sh

test_expect_success 'create submodule with protected dash in url' '
@ -60,4 +60,20 @@ test_expect_success 'trailing backslash is handled correctly' ' @@ -60,4 +60,20 @@ test_expect_success 'trailing backslash is handled correctly' '
test_i18ngrep ! "unknown option" err
'

test_expect_success 'fsck rejects embedded newline in url' '
# create an orphan branch to avoid existing .gitmodules objects
git checkout --orphan newline &&
cat >.gitmodules <<-\EOF &&
[submodule "foo"]
url = "https://one.example.com?%0ahost=two.example.com/foo.git"
EOF
git add .gitmodules &&
git commit -m "gitmodules with newline" &&
test_when_finished "rm -rf dst" &&
git init --bare dst &&
git -C dst config transfer.fsckObjects true &&
test_must_fail git push dst HEAD 2>err &&
grep gitmodulesUrl err
'

test_done

Loading…
Cancel
Save