mingw: disallow backslash characters in tree objects' file names

The backslash character is not a valid part of a file name on Windows. Hence it is dangerous to allow writing files that were unpacked from tree objects, when the stored file name contains a backslash character: it will be misinterpreted as directory separator. This not only causes ambiguity when a tree contains a blob `a\b` and a tree `a` that contains a blob `b`, but it also can be used as part of an attack vector to side-step the careful protections against writing into the `.git/` directory during a clone of a maliciously-crafted repository. Let's prevent that, addressing CVE-2019-1354. Note: we guard against backslash characters in tree objects' file names _only_ on Windows (because on other platforms, even on those where NTFS volumes can be mounted, the backslash character is _not_ a directory separator), and _only_ when `core.protectNTFS = true` (because users might need to generate tree objects for other platforms, of course without touching the worktree, e.g. using `git update-index --cacheinfo`). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
6 years ago · e1d911dd4c
4 changed files with 13 additions and 3 deletions
--- a/t/t1450-fsck.sh
+++ b/t/t1450-fsck.sh
@ -419,6 +419,7 @@ while read name path pretty; do
				@@ -419,6 +419,7 @@ while read name path pretty; do
 		(
 			git init $name-$type &&
 			cd $name-$type &&
+			git config core.protectNTFS false &&
 			echo content >file &&
 			git add file &&
 			git commit -m base &&
--- a/t/t7415-submodule-names.sh
+++ b/t/t7415-submodule-names.sh
@ -89,16 +89,18 @@ test_expect_success MINGW 'prevent git~1 squatting on Windows' '
				@@ -89,16 +89,18 @@ test_expect_success MINGW 'prevent git~1 squatting on Windows' '
 			git hash-object -w --stdin)" &&
 		rev="$(git rev-parse --verify HEAD)" &&
 		hash="$(echo x | git hash-object -w --stdin)" &&
-		git update-index --add \
+		git -c core.protectNTFS=false update-index --add \
 			--cacheinfo 100644,$modules,.gitmodules \
 			--cacheinfo 160000,$rev,c \
 			--cacheinfo 160000,$rev,d\\a \
 			--cacheinfo 100644,$hash,d./a/x \
 			--cacheinfo 100644,$hash,d./a/..git &&
 		test_tick &&
-		git commit -m "module"
+		git -c core.protectNTFS=false commit -m "module" &&
+		test_must_fail git show HEAD: 2>err &&
+		test_i18ngrep backslash err
 	) &&
-	test_must_fail git \
+	test_must_fail git -c core.protectNTFS=false \
 		clone --recurse-submodules squatting squatting-clone 2>err &&
 	test_i18ngrep "directory not empty" err &&
 	! grep gitdir squatting-clone/d/a/git~2
--- a/t/t9350-fast-export.sh
+++ b/t/t9350-fast-export.sh
@ -421,6 +421,7 @@ test_expect_success 'directory becomes symlink'        '
				@@ -421,6 +421,7 @@ test_expect_success 'directory becomes symlink'        '

 test_expect_success 'fast-export quotes pathnames' '
 	git init crazy-paths &&
+	test_config -C crazy-paths core.protectNTFS false &&
 	(cd crazy-paths &&
 	 blob=$(echo foo | git hash-object -w --stdin) &&
 	 git update-index --add \
--- a/tree-walk.c
+++ b/tree-walk.c
@ -41,6 +41,12 @@ static int decode_tree_entry(struct tree_desc *desc, const char *buf, unsigned l
				@@ -41,6 +41,12 @@ static int decode_tree_entry(struct tree_desc *desc, const char *buf, unsigned l
 		strbuf_addstr(err, _("empty filename in tree entry"));
 		return -1;
 	}
+#ifdef GIT_WINDOWS_NATIVE
+	if (protect_ntfs && strchr(path, '\\')) {
+		strbuf_addf(err, _("filename in tree entry contains backslash: '%s'"), path);
+		return -1;
+	}
+#endif
 	len = strlen(path) + 1;

 	/* Initialize the descriptor entry */