src/signature.c


Log

Author Commit Date CI Message
Edward Thomson f673e232 2018-12-27T13:47:34 git_error: use new names in internal APIs and usage Move to the `git_error` name in the internal API for error-related functions.
Patrick Steinhardt 52f859fd 2018-11-09T19:32:08 signature: fix out-of-bounds read when parsing timezone offset When parsing a signature's timezone offset, we first check whether there is a timezone at all by verifying that there are still bytes left to read following the time itself. The check thus looks like `time_end + 1 < buffer_end`, which is actually correct in this case. After setting the timezone's start pointer to that location, we compute the remaining bytes by using the formula `buffer_end - tz_start + 1`, re-using the previous `time_end + 1`. But this is in fact missing the braces around `(tz_start + 1)`, thus leading to an overestimation of the remaining bytes by a length of two. In case of a non-NUL terminated buffer, this will result in an overflow. The function `git_signature__parse` is only used in two locations. First is `git_signature_from_buffer`, which only accepts a string without a length. The string thus necessarily has to be NUL terminated and cannot trigger the issue. The other function is `git_commit__parse_raw`, which can in fact trigger the error as it may receive non-NUL terminated commit data. But as objects read from the ODB are always NUL-terminated by us as a cautionary measure, it cannot trigger the issue either. In other words, this error does not have any impact on security.
Patrick Steinhardt 3db9aa6f 2018-10-18T11:32:48 signature: avoid out-of-bounds reads when parsing signature dates We use `git__strtol64` and `git__strtol32` to parse the trailing commit or author date and timezone of signatures. As signatures are usually part of a commit or tag object and thus essentially untrusted data, the buffer may be misformatted and may not be `NUL` terminated. This may lead to an out-of-bounds read. Fix the issue by using `git__strntol64` and `git__strntol32` instead.
Patrick Steinhardt 9994cd3f 2018-06-25T11:56:52 treewide: remove use of C++ style comments C++ style comment ("//") are not specified by the ISO C90 standard and thus do not conform to it. While libgit2 aims to conform to C90, we did not enforce it until now, which is why quite a lot of these non-conforming comments have snuck into our codebase. Do a tree-wide conversion of all C++ style comments to the supported C style comments to allow us enforcing strict C90 compliance in a later commit.
Nika Layzell 56303e1a 2018-05-07T11:59:00 mailmap: API and style cleanup
Nika Layzell 8ff0504d 2018-04-08T03:01:14 mailmap: Rewrite API to support accurate mailmap resolution
Nika Layzell 18ff9bab 2018-03-27T22:48:03 mailmap: API and style cleanup
Nika Layzell 57cfeab9 2018-03-26T15:05:37 mailmap: Switch mailmap parsing to use the git_parse module
Nika Layzell e3dcaca5 2018-03-17T18:15:01 mailmap: Integrate mailmaps with blame and signatures
Henry Kleynhans f063dafb 2017-11-12T10:56:50 signature: distinguish +0000 and -0000 UTC offsets Git considers '-0000' a valid offset for signature lines. They need to be treated as _not_ equal to a '+0000' signature offset. Parsing a signature line stores the offset in a signed integer which does not distinguish between `+0` and `-0`. This patch adds an additional flag `sign` to the `git_time` in the `signature` object which is populated with the sign of the offset. In addition to exposing this information to the user, this information is also used to compare signatures. /cc @pks-t @ethomson
Edward Thomson 1560b580 2017-08-15T10:35:47 Merge pull request #4288 from pks-t/pks/include-fixups Include fixups
Carlos Martín Nieto d1dbb3ae 2017-07-12T07:40:16 signature: don't leave a dangling pointer to the strings on parse failure If the signature is invalid but we detect that after allocating the strings, we free them. We however leave that pointer dangling in the structure the caller gave us, which can lead to double-free. Set these pointers to `NULL` after freeing their memory to avoid this.
Patrick Steinhardt 0c7f49dd 2017-06-30T13:39:01 Make sure to always include "common.h" first Next to including several files, our "common.h" header also declares various macros which are then used throughout the project. As such, we have to make sure to always include this file first in all implementation files. Otherwise, we might encounter problems or even silent behavioural differences due to macros or defines not being defined as they should be. So in fact, our header and implementation files should make sure to always include "common.h" first. This commit does so by establishing a common include pattern. Header files inside of "src" will now always include "common.h" as its first other file, separated by a newline from all the other includes to make it stand out as special. There are two cases for the implementation files. If they do have a matching header file, they will always include this one first, leading to "common.h" being transitively included as first file. If they do not have a matching header file, they instead include "common.h" as first file themselves. This fixes the outlined problems and will become our standard practice for header and source files inside of the "src/" from now on.
Edward Thomson 34c13106 2017-05-01T21:32:24 signature: free dup'd buffers on parse error
Edward Thomson 909d5494 2016-12-29T12:25:15 giterr_set: consistent error messages Error messages should be sentence fragments, and therefore: 1. Should not begin with a capital letter, 2. Should not conclude with punctuation, and 3. Should not end a sentence and begin a new one
Andreas Henriksson 23c9ff86 2016-12-17T17:33:13 Fix off-by-one problems in git_signature__parse Etc/GMT-14 aka UTC+14:00 is a thing.... https://en.wikipedia.org/wiki/UTC%2B14:00 Also allow offsets on the last minute (59). Addresses: https://bugs.debian.org/841532 Fixes: #3970
Edward Thomson d383c39b 2016-04-28T12:47:14 Introduce `git_signature_from_buffer` Allow users to construct a signature from the type of signature lines that actually appear in commits.
Patrick Steinhardt 038d7af0 2016-02-15T11:30:48 signature: use GITERR_CHECK_ALLOC to check for OOM situation When checking for out of memory situations we usually use the GITERR_CHECK_ALLOC macro. Besides conforming to our current code base it adds the benefit of silencing errors in Coverity due to Coverity handling the macro's error path as abort.
Vicent Marti 307c4a2b 2015-10-21T11:58:44 signature: Strip crud just like Git does
Edward Thomson a35a9890 2014-07-17T18:25:03 Introduce git_rebase_commit Commit the current patch of a rebase process.
Carlos Martín Nieto bdeb8772 2014-06-28T07:29:46 signature: add a dup function which takes a pool This will be used by the transaction code.
Carlos Martín Nieto 76e3c43f 2014-09-10T18:13:34 signature: don't allow empty emails A signature is made up of a non-empty name and a non-empty email so let's validate that. This also brings us more in line with git, which also rejects ident with an empty email.
Carlos Martín Nieto ac99d86b 2014-05-07T11:34:32 repository: introduce a convenience config snapshot method Accessing the repository's config and immediately taking a snapshot of it is a common operation, so let's provide a convenience function for it.
Carlos Martín Nieto 29c4cb09 2014-03-15T03:53:36 Use config snapshotting This way we can assume we have a consistent view of the config situation when we're looking up remote, branch, pack-objects, etc.
Russell Belfer 80c29fe9 2014-01-17T10:45:11 Add git_commit_amend API This adds an API to amend an existing commit, basically a shorthand for creating a new commit filling in missing parameters from the values of an existing commit. As part of this, I also added a new "sys" API to create a commit using a callback to get the parents. This allowed me to rewrite all the other commit creation APIs so that temporary allocations are no longer needed.
Arthur Schreiber 29be3a6d 2014-01-14T21:33:35 Align git_signature_dup. This changes git_signature_dup to actually honor oom conditions raised by the call to git__strdup. It also aligns it with the error code return pattern used everywhere else.
Ben Straub b20c40a8 2013-11-12T19:02:28 Don't leak memory when duplicating a NULL signature
Russell Belfer ce23330f 2013-08-16T14:34:51 Add new git_signature_default API using config This adds a new API for creating a signature that uses the config to look up "user.name" and "user.email".
Vicent Martí 93da7af7 2013-06-12T14:52:47 Merge pull request #1642 from arrbee/diff-function-context Diff code reorg plus function context in diff headers
Carlos Martín Nieto 24ec6999 2013-06-11T10:48:00 signature: extend trimming to more whitespace There are all sorts of misconfiguration in the wild. We already rely on the signature constructor to trim SP. Extend the logic to use `isspace` to decide whether a character should be trimmed.
Russell Belfer 114f5a6c 2013-06-10T10:10:39 Reorganize diff and add basic diff driver This is a significant reorganization of the diff code to break it into a set of more clearly distinct files and to document the new organization. Hopefully this will make the diff code easier to understand and to extend. This adds a new `git_diff_driver` object that looks of diff driver information from the attributes and the config so that things like function content in diff headers can be provided. The full driver spec is not implemented in the commit - this is focused on the reorganization of the code and putting the driver hooks in place. This also removes a few #includes from src/repository.h that were overbroad, but as a result required extra #includes in a variety of places since including src/repository.h no longer results in pulling in the whole world.
Scott J. Goldman dc33b3d7 2013-06-02T02:13:45 Don't bail on parsing commits with an invalid timezone git doesn't do that, and it's not something that's usually actionable to fix. if you have a git repository with one bad timezone in the history, it's too late to change it most likely.
nulltoken 1fed6b07 2013-05-13T21:57:37 Fix trailing whitespaces
Vicent Marti f0ab7372 2013-05-15T17:51:57 signature: Lenient when dupping, strict when creating
Nicolas Viennot 9e46f676 2013-04-18T00:55:20 Return error for empty name/email
Vicent Marti cf80993a 2013-02-20T18:46:10 signature: Small cleanup
Vicent Marti 41051e3f 2013-02-20T17:09:51 signature: Shut up MSVC, you silly goose
Vicent Marti c51880ee 2013-02-20T17:03:18 Simplify signature parsing
Russell Belfer 965e4e2d 2013-01-21T13:19:41 Parse commit time as uint64_t to avoid overflow The commit time is already stored as a git_time_t, but we were parsing is as a uint32_t. This just switches the parser to use uint64_t which will handle dates further in the future (and adds some tests of those future dates).
Edward Thomson 359fc2d2 2013-01-08T17:07:25 update copyrights
Ben Straub de70aea6 2012-12-03T12:41:50 Remove GIT_SIGNATURE_VERSION and friends
Ben Straub 4ec197f3 2012-11-30T12:52:42 Deploy GIT_SIGNATURE_INIT
nulltoken b97c169e 2012-09-04T10:01:18 Fix MSVC compilation warnings
Carlos Martín Nieto d03d309b 2012-08-28T18:02:12 signature: make the OS give us the offset for git_signature_now There is a better and less fragile way to calculate time offsets. Let the OS take care of dealing with DST and simply take the the offset between the local time and UTC that it gives us.
nulltoken 8aedf1d5 2012-07-05T17:02:03 signature: prevent angle bracket usage in identity
Ben Straub 9ecf860d 2012-06-06T13:24:25 Rename posix wrappers with 'p_' prefix.
Ben Straub 56a5000d 2012-06-05T12:52:44 Merge branch 'development' into rev-parse Conflicts: src/util.h tests-clar/refs/branches/listall.c
Vicent Martí e172cf08 2012-05-18T01:21:06 errors: Rename the generic return codes
Ben Straub 1ce4cc01 2012-05-15T15:41:05 Fix date.c build in msvc. Ported the win32 implementations of gmtime_r, localtime_r, and gettimeofday to be part of the posix compatibility layer, and fixed git_signature_now to use them.
Russell Belfer 44ef8b1b 2012-04-13T13:00:10 Fix warnings on 64-bit windows builds This fixes all the warnings on win64 except those in deps, which come from the regex code.
Russell Belfer a4c291ef 2012-03-20T21:57:38 Convert reflog to new errors Cleaned up some other issues.
Russell Belfer 4aa7de15 2012-03-19T17:49:46 Convert indexer, notes, sha1_lookup, and signature More files moved to new error handling style.
schu 5e0de328 2012-02-13T17:10:24 Update Copyright header Signed-off-by: schu <schu-github@schulog.org>
Russell Belfer 97769280 2011-11-30T11:27:15 Use git_buf for path storage instead of stack-based buffers This converts virtually all of the places that allocate GIT_PATH_MAX buffers on the stack for manipulating paths to use git_buf objects instead. The patch is pretty careful not to touch the public API for libgit2, so there are a few places that still use GIT_PATH_MAX. This extends and changes some details of the git_buf implementation to add a couple of extra functions and to make error handling easier. This includes serious alterations to all the path.c functions, and several of the fileops.c ones, too. Also, there are a number of new functions that parallel existing ones except that use a git_buf instead of a stack-based buffer (such as git_config_find_global_r that exists alongsize git_config_find_global). This also modifies the win32 version of p_realpath to allocate whatever buffer size is needed to accommodate the realpath instead of hardcoding a GIT_PATH_MAX limit, but that change needs to be tested still.
Vicent Marti 3286c408 2011-10-28T14:51:13 global: Properly use `git__` memory wrappers Ensure that all memory related functions (malloc, calloc, strdup, free, etc) are using their respective `git__` wrappers.
Brodie Rao 6f2856f3 2011-10-05T15:17:37 signature: don't blow up trying to parse names containing '>' When trying to find the end of an email, instead of starting at the beginning of the signature, we start at the end of the name (after the first '<'). This brings libgit2 more in line with Git's behavior when reading out existing signatures. However, note that Git does not allow names like these through the usual porcelain; instead, it silently strips any '>' characters it sees.
nulltoken ad196c6a 2011-09-21T23:17:39 config: make git_config_[get|set]_long() able to properly deal with 8 bytes wide values Should fix issue #419. Signed-off-by: nulltoken <emeric.fermas@gmail.com>
Vicent Martí 71a4c1f1 2011-09-18T20:07:59 Merge pull request #384 from kiryl/warnings Add more -W flags to CFLAGS
Vicent Marti bb742ede 2011-09-19T01:54:32 Cleanup legal data 1. The license header is technically not valid if it doesn't have a copyright signature. 2. The COPYING file has been updated with the different licenses used in the project. 3. The full GPLv2 header in each file annoys me.
David Boyce 784b3b49 2011-09-12T23:44:39 Fixed typo in example Makefile code and slimmed it down more. Reverted signature of git_signature_new. Removed error check wrappers (voted down). Made Makefile work out of the box on Linux and Solaris when standard cmake build instructions for the library are followed.
David Boyce 0251733e 2011-09-12T23:39:47 Changes to allow examples/*.c to compile and link. This required on change to the signature of an API function (git_signature_new). Also, the examples/general.c had a lot of unchecked return values which were addresed with a couple of macros. The resulting example still does not work correctly but at least now it fails with an error message rather than not compiling or dumping core. Example runtime issues may be addressed in a later commit.
Kirill A. Shutemov d568d585 2011-08-30T23:55:22 CMakefile: add -Wmissing-prototypes and fix warnings Signed-off-by: Kirill A. Shutemov <kirill@shutemov.name>
schu 63396a39 2011-08-03T15:57:33 signature: adjust API to return error codes git_signature_new() and git_signature_now() currently don't return error codes. Change the API to return error codes and not pointers to let the user handle errors properly. Signed-off-by: schu <schu-github@schulog.org>
schu 5274c31a 2011-08-03T01:17:31 signature.c: fix off-by-one error Signed-off-by: schu <schu-github@schulog.org>
nulltoken 7757be33 2011-07-10T07:48:52 reflog: Fix reflog writer/reader - Use a space to separate oids and signature - Enforce test coverage - Make test run in a temporary folder in order not to alter the test repository
Vicent Marti d483a911 2011-07-08T18:31:05 signature: Fix optional header
Vicent Marti 06c43821 2011-07-09T02:37:16 Remove unused methods The direct-writes commit left some (slow) internals methods that were no longer needed. These have been removed. Also, the Reflog code was using the old `git_signature__write`, so it has been rewritten to use a normal buffer and the new `writebuf` signature writer. It's now slightly simpler and faster.
Vicent Marti afeecf4f 2011-07-09T02:10:46 odb: Direct writes are back DIRECT WRITES ARE BACK AND FASTER THAN EVER. The streaming writer to the ODB was an overkill for the smaller objects like Commit and Tags; most of the streaming logic was taking too long. This commit makes Commits, Tags and Trees to be built-up in memory, and then written to disk in 2 pushes (header + data), instead of streaming everything. This is *always* faster, even for big files (since the git_filebuf class still does streaming writes when the memory cache overflows). This is also a gazillion lines of code smaller, because we don't have to precompute the final size of the object before starting the stream (this was kind of defeating the point of streaming, anyway). Blobs are still written with full streaming instead of loading them in memory, since this is still the fastest way. A new `git_buf` class has been added. It's missing some features, but it'll get there.
schu 6727e300 2011-06-19T23:06:53 git_signature__write: make header optionally Signed-off-by: schu <schu-github@schulog.org>
Vicent Marti 9f86ec52 2011-07-05T02:28:18 signature: Fix warnings Add extra braces to avoid ambiguous if-else. Also, free() doesn't need a check.
nulltoken a01acc47 2011-07-03T14:03:43 signature: straighten the creation of a signature - Fails on empty name and/or email - Trims leading and trailing spaces of name and email
nulltoken 42a1b5e1 2011-07-01T17:59:10 signature: enhance relaxed parsing of bogus signatures Final fix for issue #278
schu 8b2c913a 2011-06-29T14:48:09 git_signature__parse: make parsing less strict git_signature__parse used to be very strict about what's a well-formed signature. Since git_signature__parse is used only when reading already existing signatures, we should not care about if it's a valid signature too much but rather show what we got. Reported-by: nulltoken <emeric.fermas@gmail.com> Signed-off-by: schu <schu-github@schulog.org>
Kirill A. Shutemov 932d1baf 2011-06-30T19:52:34 cleanup: remove trailing spaces Signed-off-by: Kirill A. Shutemov <kirill@shutemov.name>
Carlos Martín Nieto 5f25149e 2011-06-28T22:04:27 sig: allow empty names Signed-off-by: Carlos Martín Nieto <carlos@cmartin.tk>
Vicent Marti e053c911 2011-06-28T19:52:41 commit: Allow spaces inside email addresses Core Git doesn't care when people use spaces in the email address, even though this kind of foolery receives the capital punishment in several states of the USA. We must obey.
Vicent Marti fea400f8 2011-06-01T23:41:30 signature: Fix compilation
David Glesser fbfc7580 2011-05-31T18:38:59 Fix tag and signature parsing Before this commit, malformed tag and signature were considered as valid by the parser. See the test t3800-mktag.sh of git to see example of malformed tag and signature.
Jakob Pfender 00556496 2011-05-19T14:59:10 signature.c: Move to new error handling mechanism
Carlos Martín Nieto 5de24ec7 2011-05-10T17:38:41 Move signature.c to the new error handling Signed-off-by: Carlos Martín Nieto <cmn@elego.de>
Vicent Marti 53b7560b 2011-04-09T16:16:09 Fix `time_t` conversion on Win32
Vicent Marti 14eb94ee 2011-04-09T16:06:17 Fix `gmtime` issues in Win32
Vicent Marti 8416c9ad 2011-04-09T15:31:12 Rename `git_signature_new_now` The new name is more cool.
Carlos Martín Nieto 9e9e6ae1 2011-04-05T16:15:54 Add API git_signature_new_now Most tags will have a timestamp of whenever the code is running and dealing with time and timezones is error-prone. Optimize for this case by adding a function which causes the signature to be created with a current timestamp. Signed-off-by: Carlos Martín Nieto <cmn@elego.de>
Carlos Martín Nieto 076141a1 2011-04-07T14:38:03 Add a few malloc checks Add checks to see if malloc failed when allocating the tag members and signature members. Signed-off-by: Carlos Martín Nieto <cmn@elego.de>
Vicent Marti c6e65aca 2011-04-09T15:22:11 Properly check `strtol` for errors We are now using a custom `strtol` implementation to make sure we're not missing any overflow errors.
Vicent Marti 720d5472 2011-04-02T12:42:04 Change `parse` methods to const buffer Signed-off-by: Vicent Marti <tanoku@gmail.com>
nulltoken 56d8ca26 2011-03-20T18:36:25 Switch from time_t to git_time_t git_time_t is defined as a signed 64 integer. This allows a true predictable multiplatform behavior.
Vicent Marti 72a3fe42 2011-03-18T19:38:49 I broke your bindings Hey. Apologies in advance -- I broke your bindings. This is a major commit that includes a long-overdue redesign of the whole object-database structure. This is expected to be the last major external API redesign of the library until the first non-alpha release. Please get your bindings up to date with these changes. They will be included in the next minor release. Sorry again! Major features include: - Real caching and refcounting on parsed objects - Real caching and refcounting on objects read from the ODB - Streaming writes & reads from the ODB - Single-method writes for all object types - The external API is now partially thread-safe The speed increases are significant in all aspects, specially when reading an object several times from the ODB (revwalking) and when writing big objects to the ODB. Here's a full changelog for the external API: blob.h ------ - Remove `git_blob_new` - Remove `git_blob_set_rawcontent` - Remove `git_blob_set_rawcontent_fromfile` - Rename `git_blob_writefile` -> `git_blob_create_fromfile` - Change `git_blob_create_fromfile`: The `path` argument is now relative to the repository's working dir - Add `git_blob_create_frombuffer` commit.h -------- - Remove `git_commit_new` - Remove `git_commit_add_parent` - Remove `git_commit_set_message` - Remove `git_commit_set_committer` - Remove `git_commit_set_author` - Remove `git_commit_set_tree` - Add `git_commit_create` - Add `git_commit_create_v` - Add `git_commit_create_o` - Add `git_commit_create_ov` tag.h ----- - Remove `git_tag_new` - Remove `git_tag_set_target` - Remove `git_tag_set_name` - Remove `git_tag_set_tagger` - Remove `git_tag_set_message` - Add `git_tag_create` - Add `git_tag_create_o` tree.h ------ - Change `git_tree_entry_2object`: New signature is `(git_object **object_out, git_repository *repo, git_tree_entry *entry)` - Remove `git_tree_new` - Remove `git_tree_add_entry` - Remove `git_tree_remove_entry_byindex` - Remove `git_tree_remove_entry_byname` - Remove `git_tree_clearentries` - Remove `git_tree_entry_set_id` - Remove `git_tree_entry_set_name` - Remove `git_tree_entry_set_attributes` object.h ------------ - Remove `git_object_new - Remove `git_object_write` - Change `git_object_close`: This method is now *mandatory*. Not closing an object causes a memory leak. odb.h ----- - Remove type `git_rawobj` - Remove `git_rawobj_close` - Rename `git_rawobj_hash` -> `git_odb_hash` - Change `git_odb_hash`: New signature is `(git_oid *id, const void *data, size_t len, git_otype type)` - Add type `git_odb_object` - Add `git_odb_object_close` - Change `git_odb_read`: New signature is `(git_odb_object **out, git_odb *db, const git_oid *id)` - Change `git_odb_read_header`: New signature is `(size_t *len_p, git_otype *type_p, git_odb *db, const git_oid *id)` - Remove `git_odb_write` - Add `git_odb_open_wstream` - Add `git_odb_open_rstream` odb_backend.h ------------- - Change type `git_odb_backend`: New internal signatures are as follows int (* read)(void **, size_t *, git_otype *, struct git_odb_backend *, const git_oid *) int (* read_header)(size_t *, git_otype *, struct git_odb_backend *, const git_oid *) int (* writestream)(struct git_odb_stream **, struct git_odb_backend *, size_t, git_otype) int (* readstream)( struct git_odb_stream **, struct git_odb_backend *, const git_oid *) - Add type `git_odb_stream` - Add enum `git_odb_streammode` Signed-off-by: Vicent Marti <tanoku@gmail.com>
nulltoken 8ea7fbc0 2010-12-18T22:27:26 Fixed a nasty bug which was preventing correct generation of the signature.
Vicent Marti 638c2ca4 2010-12-18T02:10:25 Rename 'git_person' to 'git_signature' The new signature struct is public, and contains information about the timezone offset. Must be free'd manually by the user. Signed-off-by: Vicent Marti <tanoku@gmail.com>