Commit Graph

10817 Commits (eb288bc455ac67e3ceeff90daf6f25972bb586d0)

Author SHA1 Message Date
Johannes Schindelin eb288bc455 Git 2.16.6
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-12-06 16:27:20 +01:00
Johannes Schindelin 9ac92fed5b Sync with 2.15.4
* maint-2.15: (29 commits)
  Git 2.15.4
  Git 2.14.6
  mingw: handle `subst`-ed "DOS drives"
  mingw: refuse to access paths with trailing spaces or periods
  mingw: refuse to access paths with illegal characters
  unpack-trees: let merged_entry() pass through do_add_entry()'s errors
  quote-stress-test: offer to test quoting arguments for MSYS2 sh
  t6130/t9350: prepare for stringent Win32 path validation
  quote-stress-test: allow skipping some trials
  quote-stress-test: accept arguments to test via the command-line
  tests: add a helper to stress test argument quoting
  mingw: fix quoting of arguments
  Disallow dubiously-nested submodule git directories
  protect_ntfs: turn on NTFS protection by default
  path: also guard `.gitmodules` against NTFS Alternate Data Streams
  is_ntfs_dotgit(): speed it up
  mingw: disallow backslash characters in tree objects' file names
  path: safeguard `.git` against NTFS Alternate Streams Accesses
  clone --recurse-submodules: prevent name squatting on Windows
  is_ntfs_dotgit(): only verify the leading segment
  ...
2019-12-06 16:27:18 +01:00
Johannes Schindelin 7cdafcaacf Git 2.15.4
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-12-06 16:26:58 +01:00
Jonathan Nieder e904deb89d submodule: reject submodule.update = !command in .gitmodules
Since ac1fbbda20 (submodule: do not copy unknown update mode from
.gitmodules, 2013-12-02), Git has been careful to avoid copying

	[submodule "foo"]
		update = !run an arbitrary scary command

from .gitmodules to a repository's local config, copying in the
setting 'update = none' instead.  The gitmodules(5) manpage documents
the intention:

	The !command form is intentionally ignored here for security
	reasons

Unfortunately, starting with v2.20.0-rc0 (which integrated ee69b2a9
(submodule--helper: introduce new update-module-mode helper,
2018-08-13, first released in v2.20.0-rc0)), there are scenarios where
we *don't* ignore it: if the config store contains no
submodule.foo.update setting, the submodule-config API falls back to
reading .gitmodules and the repository-supplied !command gets run
after all.

This was part of a general change over time in submodule support to
read more directly from .gitmodules, since unlike .git/config it
allows a project to change values between branches and over time
(while still allowing .git/config to override things).  But it was
never intended to apply to this kind of dangerous configuration.

The behavior change was not advertised in ee69b2a9's commit message
and was missed in review.

Let's take the opportunity to make the protection more robust, even in
Git versions that are technically not affected: instead of quietly
converting 'update = !command' to 'update = none', noisily treat it as
an error.  Allowing the setting but treating it as meaning something
else was just confusing; users are better served by seeing the error
sooner.  Forbidding the construct makes the semantics simpler and
means we can check for it in fsck (in a separate patch).

As a result, the submodule-config API cannot read this value from
.gitmodules under any circumstance, and we can declare with confidence

	For security reasons, the '!command' form is not accepted
	here.

Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Johannes Schindelin <Johannes.Schindelin@gmx.de>
2019-12-06 16:26:58 +01:00
Johannes Schindelin d3ac8c3f27 Sync with 2.14.6
* maint-2.14: (28 commits)
  Git 2.14.6
  mingw: handle `subst`-ed "DOS drives"
  mingw: refuse to access paths with trailing spaces or periods
  mingw: refuse to access paths with illegal characters
  unpack-trees: let merged_entry() pass through do_add_entry()'s errors
  quote-stress-test: offer to test quoting arguments for MSYS2 sh
  t6130/t9350: prepare for stringent Win32 path validation
  quote-stress-test: allow skipping some trials
  quote-stress-test: accept arguments to test via the command-line
  tests: add a helper to stress test argument quoting
  mingw: fix quoting of arguments
  Disallow dubiously-nested submodule git directories
  protect_ntfs: turn on NTFS protection by default
  path: also guard `.gitmodules` against NTFS Alternate Data Streams
  is_ntfs_dotgit(): speed it up
  mingw: disallow backslash characters in tree objects' file names
  path: safeguard `.git` against NTFS Alternate Streams Accesses
  clone --recurse-submodules: prevent name squatting on Windows
  is_ntfs_dotgit(): only verify the leading segment
  test-path-utils: offer to run a protectNTFS/protectHFS benchmark
  ...
2019-12-06 16:26:55 +01:00
Johannes Schindelin 66d2a6159f Git 2.14.6
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2019-12-06 16:26:15 +01:00
Jeff King a52ed76142 fast-import: disallow "feature import-marks" by default
As with export-marks in the previous commit, import-marks can access the
filesystem. This is significantly less dangerous than export-marks
because it only involves reading from arbitrary paths, rather than
writing them. However, it could still be surprising and have security
implications (e.g., exfiltrating data from a service that accepts
fast-import streams).

Let's lump it (and its "if-exists" counterpart) in with export-marks,
and enable the in-stream version only if --allow-unsafe-features is set.

Signed-off-by: Jeff King <peff@peff.net>
2019-12-04 13:20:04 +01:00
Jeff King 68061e3470 fast-import: disallow "feature export-marks" by default
The fast-import stream command "feature export-marks=<path>" lets the
stream write marks to an arbitrary path. This may be surprising if you
are running fast-import against an untrusted input (which otherwise
cannot do anything except update Git objects and refs).

Let's disallow the use of this feature by default, and provide a
command-line option to re-enable it (you can always just use the
command-line --export-marks as well, but the in-stream version provides
an easy way for exporters to control the process).

This is a backwards-incompatible change, since the default is flipping
to the new, safer behavior. However, since the main users of the
in-stream versions would be import/export-based remote helpers, and
since we trust remote helpers already (which are already running
arbitrary code), we'll pass the new option by default when reading a
remote helper's stream. This should minimize the impact.

Note that the implementation isn't totally simple, as we have to work
around the fact that fast-import doesn't parse its command-line options
until after it has read any "feature" lines from the stream. This is how
it lets command-line options override in-stream. But in our case, it's
important to parse the new --allow-unsafe-features first.

There are three options for resolving this:

  1. Do a separate "early" pass over the options. This is easy for us to
     do because there are no command-line options that allow the
     "unstuck" form (so there's no chance of us mistaking an argument
     for an option), though it does introduce a risk of incorrect
     parsing later (e.g,. if we convert to parse-options).

  2. Move the option parsing phase back to the start of the program, but
     teach the stream-reading code never to override an existing value.
     This is tricky, because stream "feature" lines override each other
     (meaning we'd have to start tracking the source for every option).

  3. Accept that we might parse a "feature export-marks" line that is
     forbidden, as long we don't _act_ on it until after we've parsed
     the command line options.

     This would, in fact, work with the current code, but only because
     the previous patch fixed the export-marks parser to avoid touching
     the filesystem.

     So while it works, it does carry risk of somebody getting it wrong
     in the future in a rather subtle and unsafe way.

I've gone with option (1) here as simple, safe, and unlikely to cause
regressions.

This fixes CVE-2019-1348.

Signed-off-by: Jeff King <peff@peff.net>
2019-12-04 13:20:04 +01:00
Junio C Hamano 27d05d1a1a Git 2.16.5
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:38:32 -07:00
Junio C Hamano 424aac653a Sync with 2.15.3
* maint-2.15:
  Git 2.15.3
  Git 2.14.5
  submodule-config: ban submodule paths that start with a dash
  submodule-config: ban submodule urls that start with dash
  submodule--helper: use "--" to signal end of clone options
2018-09-27 11:35:43 -07:00
Junio C Hamano 924c623e1c Git 2.15.3
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:33:47 -07:00
Junio C Hamano 902df9f5c4 Sync with Git 2.14.4
* maint-2.14:
  Git 2.14.5
  submodule-config: ban submodule paths that start with a dash
  submodule-config: ban submodule urls that start with dash
  submodule--helper: use "--" to signal end of clone options
2018-09-27 11:20:22 -07:00
Junio C Hamano d0832b2847 Git 2.14.5
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-27 11:19:11 -07:00
Junio C Hamano a42a58d7b6 Git 2.16.4
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-05-22 14:18:51 +09:00
Junio C Hamano 023020401d Sync with Git 2.15.2
* maint-2.15:
  Git 2.15.2
  Git 2.14.4
  Git 2.13.7
  verify_path: disallow symlinks in .gitmodules
  update-index: stat updated files earlier
  verify_dotfile: mention case-insensitivity in comment
  verify_path: drop clever fallthrough
  skip_prefix: add case-insensitive variant
  is_{hfs,ntfs}_dotgitmodules: add tests
  is_ntfs_dotgit: match other .git files
  is_hfs_dotgit: match other .git files
  is_ntfs_dotgit: use a size_t for traversing string
  submodule-config: verify submodule names as paths
2018-05-22 14:18:06 +09:00
Junio C Hamano d33c87517a Git 2.15.2
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-05-22 14:15:59 +09:00
Junio C Hamano 9e0f06d55d Sync with Git 2.14.4
* maint-2.14:
  Git 2.14.4
  Git 2.13.7
  verify_path: disallow symlinks in .gitmodules
  update-index: stat updated files earlier
  verify_dotfile: mention case-insensitivity in comment
  verify_path: drop clever fallthrough
  skip_prefix: add case-insensitive variant
  is_{hfs,ntfs}_dotgitmodules: add tests
  is_ntfs_dotgit: match other .git files
  is_hfs_dotgit: match other .git files
  is_ntfs_dotgit: use a size_t for traversing string
  submodule-config: verify submodule names as paths
2018-05-22 14:15:14 +09:00
Junio C Hamano 4dde7b8799 Git 2.14.4
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-05-22 14:12:02 +09:00
Junio C Hamano 7b01c71b64 Sync with Git 2.13.7
* maint-2.13:
  Git 2.13.7
  verify_path: disallow symlinks in .gitmodules
  update-index: stat updated files earlier
  verify_dotfile: mention case-insensitivity in comment
  verify_path: drop clever fallthrough
  skip_prefix: add case-insensitive variant
  is_{hfs,ntfs}_dotgitmodules: add tests
  is_ntfs_dotgit: match other .git files
  is_hfs_dotgit: match other .git files
  is_ntfs_dotgit: use a size_t for traversing string
  submodule-config: verify submodule names as paths
2018-05-22 14:10:49 +09:00
Junio C Hamano 0114f71344 Git 2.13.7
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-05-22 13:50:36 +09:00
Junio C Hamano d32eb83c1d Git 2.16.3
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-22 14:24:45 -07:00
Junio C Hamano 88595ebceb Merge branch 'ms/non-ascii-ticks' into maint
Doc markup fix.

* ms/non-ascii-ticks:
  Documentation/gitsubmodules.txt: avoid non-ASCII apostrophes
2018-03-22 14:24:26 -07:00
Junio C Hamano 342215be59 Merge branch 'tg/worktree-create-tracking' into maint
Hotfix for a recent topic.

* tg/worktree-create-tracking:
  git-worktree.txt: fix indentation of example and text of 'add' command
  git-worktree.txt: fix missing ")" typo
2018-03-22 14:24:24 -07:00
Junio C Hamano e09224812a Merge branch 'sb/status-doc-fix' into maint
Docfix.

* sb/status-doc-fix:
  Documentation/git-status: clarify status table for porcelain mode
2018-03-22 14:24:23 -07:00
Junio C Hamano 9ea8e0ca81 Merge branch 'rd/typofix' into maint
Typofix.

* rd/typofix:
  Correct mispellings of ".gitmodule" to ".gitmodules"
  t/: correct obvious typo "detahced"
2018-03-22 14:24:22 -07:00
Junio C Hamano 5a03f1d75a Merge branch 'bp/fsmonitor' into maint
Doc update for a recently added feature.

* bp/fsmonitor:
  fsmonitor: update documentation to remove reference to invalid config settings
2018-03-22 14:24:21 -07:00
Junio C Hamano dfc20a5e3c Merge branch 'bc/doc-interpret-trailers-grammofix' into maint
Docfix.

* bc/doc-interpret-trailers-grammofix:
  docs/interpret-trailers: fix agreement error
2018-03-22 14:24:21 -07:00
Junio C Hamano 34f6f0eca2 Merge branch 'nd/ignore-glob-doc-update' into maint
Doc update.

* nd/ignore-glob-doc-update:
  gitignore.txt: elaborate shell glob syntax
2018-03-22 14:24:18 -07:00
Junio C Hamano 9c34129e6b Merge branch 'tz/doc-show-defaults-to-head' into maint
Doc update.

* tz/doc-show-defaults-to-head:
  doc: mention 'git show' defaults to HEAD
2018-03-22 14:24:17 -07:00
Junio C Hamano 60736db161 Merge branch 'ks/submodule-doc-updates' into maint
Doc updates.

* ks/submodule-doc-updates:
  Doc/git-submodule: improve readability and grammar of a sentence
  Doc/gitsubmodules: make some changes to improve readability and syntax
2018-03-22 14:24:14 -07:00
Junio C Hamano 721dce003f Merge branch 'jt/http-redact-cookies' into maint
The http tracing code, often used to debug connection issues,
learned to redact potentially sensitive information from its output
so that it can be more safely sharable.

* jt/http-redact-cookies:
  http: support omitting data from traces
  http: support cookie redaction when tracing
2018-03-22 14:24:09 -07:00
Junio C Hamano c1ab3b8a44 Merge branch 'ab/commit-m-with-fixup' into maint
"git commit --fixup" did not allow "-m<message>" option to be used
at the same time; allow it to annotate resulting commit with more
text.

* ab/commit-m-with-fixup:
  commit: add support for --fixup <commit> -m"<extra message>"
  commit doc: document that -c, -C, -F and --fixup with -m error
2018-02-27 10:43:54 -08:00
Junio C Hamano 12accdc023 Merge branch 'nd/ita-wt-renames-in-status' into maint
"git status" after moving a path in the working tree (hence making
it appear "removed") and then adding with the -N option (hence
making that appear "added") detected it as a rename, but did not
report the  old and new pathnames correctly.

* nd/ita-wt-renames-in-status:
  wt-status.c: handle worktree renames
  wt-status.c: rename rename-related fields in wt_status_change_data
  wt-status.c: catch unhandled diff status codes
  wt-status.c: coding style fix
  Use DIFF_DETECT_RENAME for detect_rename assignments
  t2203: test status output with porcelain v2 format
2018-02-27 10:39:35 -08:00
Motoki Seki 1316416903 Documentation/gitsubmodules.txt: avoid non-ASCII apostrophes
In gitsubmodules.txt, a few non-ASCII apostrophes are used to spell
possessive, e.g. "submodule's".  These unfortunately are not
rendered at https://git-scm.com/docs/gitsubmodules correctly by the
renderer used there.

Use ASCII apostrophes instead to work around the problem.  It also
is good to be consistent, as there are possessives spelled with
ASCII apostrophes.

Signed-off-by: Motoki Seki <marmot.motoki@gmail.com>
Acked-by: Stefan Beller <sbeller@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-02-22 13:03:15 -08:00
Eric Sunshine d023df1ee6 git-worktree.txt: fix indentation of example and text of 'add' command
When 4e85333197 (worktree: make add <path> <branch> dwim, 2017-11-26)
added an example command in a literal code block, it neglected to
insert a mandatory "+" line before the block. This omission resulted
in both the literal code block and the (existing) paragraph following
the block to be outdented, even though they should be indented under
the 'add' sub-command along with the rest of the text pertaining to
that command. Furthermore, the mandatory "+" line separating the code
block from the following text got rendered as a leading character on
the line ("+ If <commit-ish>...") rather than being treated as a
formatting directive.

Fix these problems by adding the missing "+" line before the example
code block.

Signed-off-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-02-16 13:12:27 -08:00
Eric Sunshine 661a5a382e git-worktree.txt: fix missing ")" typo
Add the closing ")" to a parenthetical phrase introduced by 4e85333197
(worktree: make add <path> <branch> dwim, 2017-11-26).

While at it, add a missing ":" at the end of the same sentence since
it precedes an example literal command block.

Reported-by: Mike Nordell <tamlin.thefirst@gmail.com>
Signed-off-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-02-16 13:11:40 -08:00
Junio C Hamano ffa9524972 Git 2.16.2
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-02-15 15:21:23 -08:00
Junio C Hamano c93150cfb0 Merge branch 'ab/doc-cat-file-e-still-shows-errors' into maint
Doc update.

* ab/doc-cat-file-e-still-shows-errors:
  cat-file doc: document that -e will return some output
2018-02-15 15:18:15 -08:00
Junio C Hamano d4e528ef6a Merge branch 'as/read-tree-prefix-doc-fix' into maint
Doc update.

* as/read-tree-prefix-doc-fix:
  doc/read-tree: remove obsolete remark
2018-02-15 15:18:14 -08:00
Stefan Beller e4e5da2796 Documentation/git-status: clarify status table for porcelain mode
It is possible to have the output ' A' from 'git status --porcelain'
by adding a file using the '--intend-to-add' flag.  Make this clear by
adding the pattern in the table of the documentation.

However the mode 'DM' (deleted in the index, modified in the working tree)
is not possible in the non-merge case in which the file only shows
as 'D ' (and adding it back to the worktree would show an additional line
of an '??' untracked file). It is also not possible in the merge case as
then the mode involves a 'U' on one side of the merge.
Remove that pattern.

Reported-by: Ross Light <light@google.com>
Signed-off-by: Stefan Beller <sbeller@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-02-15 11:07:52 -08:00
Robert P. J. Day 5aea9fe6cc Correct mispellings of ".gitmodule" to ".gitmodules"
There are a small number of misspellings, ".gitmodule", scattered
throughout the code base, correct them ... no apparent functional
changes.

Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-02-14 11:34:34 -08:00
Ben Peart 4ccf461f56 fsmonitor: update documentation to remove reference to invalid config settings
Remove the reference to setting core.fsmonitor to `true` (or `false`) as those
are not valid settings.

Signed-off-by: Ben Peart <benpeart@microsoft.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-02-14 10:27:26 -08:00
brian m. carlson 760f1ad101 docs/interpret-trailers: fix agreement error
In the description of git interpret-trailers, we describe "a group…of
lines" that have certain characteristics.  Ensure both options
describing this group use a singular verb for parallelism.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-02-13 09:45:45 -08:00
Duy Nguyen 2e22a85e5c gitignore.txt: elaborate shell glob syntax
`fnmatch(3)` is a great mention if the intended audience is
programmers. For normal users it's probably better to spell out what
a shell glob is.

This paragraph is updated to roughly tell (or remind) what the main
wildcards are supposed to do. All the details are still hidden away
behind the `fnmatch(3)` wall because bringing the whole specification
here may be too much.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-02-02 10:56:46 -08:00
Todd Zullinger 9f5258cbb8 doc: mention 'git show' defaults to HEAD
When 'git show' is called without any object it defaults to HEAD.  This
has been true since d4ed9793fd ("Simplify common default options setup
for built-in log family.", 2006-04-16).

The SYNOPSIS suggests that the object argument is required.  Clarify
that it is not required and note the default.

Signed-off-by: Todd Zullinger <tmz@pobox.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-01-30 13:12:18 -08:00
Junio C Hamano 8279ed033f Git 2.16.1
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-01-21 21:14:25 -08:00
Jonathan Tan 8ba18e6fa4 http: support omitting data from traces
GIT_TRACE_CURL provides a way to debug what is being sent and received
over HTTP, with automatic redaction of sensitive information. But it
also logs data transmissions, which significantly increases the log file
size, sometimes unnecessarily. Add an option "GIT_TRACE_CURL_NO_DATA" to
allow the user to omit such data transmissions.

Signed-off-by: Jonathan Tan <jonathantanmy@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-01-19 13:06:57 -08:00
Jonathan Tan 83411783c3 http: support cookie redaction when tracing
When using GIT_TRACE_CURL, Git already redacts the "Authorization:" and
"Proxy-Authorization:" HTTP headers. Extend this redaction to a
user-specified list of cookies, specified through the
"GIT_REDACT_COOKIES" environment variable.

Signed-off-by: Jonathan Tan <jonathantanmy@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-01-19 13:06:50 -08:00
Junio C Hamano 2512f15446 Git 2.16
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-01-17 13:06:51 -08:00
Kaartic Sivaraam e1b3f3dd38 Doc/git-submodule: improve readability and grammar of a sentence
While at it, correctly quote important words.

Signed-off-by: Kaartic Sivaraam <kaartic.sivaraam@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-01-16 11:34:36 -08:00