src/path.c


Log

Author Commit Date CI Message
Edward Thomson 16b1a756 2020-04-05T18:33:55 path: use GIT_ASSERT
Edward Thomson 2cfa31c4 2020-04-05T18:30:07 path: remove unused git_path_topdir
Dan Tull cce966c3 2020-10-06T17:51:14 Change bare free to allocator free. The info pointer was allocated with git__malloc, so needs to be free'd with git__free. This bug can lurk pretty easily since if there's no custom allocator this is fine.
Patrick Steinhardt a6c9e0b3 2020-06-08T12:40:47 tree-wide: mark local functions as static We've accumulated quite some functions which are never used outside of their respective code unit, but which are lacking the `static` keyword. Add it to reduce their linkage scope and allow the compiler to optimize better.
Edward Thomson 14ff3516 2019-12-03T23:15:47 path: support non-ascii drive letters on dos Windows/DOS only supports drive letters that are alpha characters A-Z. However, you can `subst` any one-character as a drive letter, including numbers or even emoji. Test that we can identify emoji as drive letters.
Edward Thomson e4034dfa 2019-12-03T19:24:59 path: protect NTFS everywhere Enable core.protectNTFS by default everywhere and in every codepath, not just on checkout.
Edward Thomson b8464342 2019-12-03T17:47:31 path: rename function that detects end of filename The function `only_spaces_and_dots` used to detect the end of the filename on win32. Now we look at spaces and dots _before_ the end of the string _or_ a `:` character, which would signify a win32 alternate data stream. Thus, rename the function `ntfs_end_of_filename` to indicate that it detects the (virtual) end of a filename, that any further characters would be elided to the given path.
Johannes Schindelin e1832eb2 2019-09-18T16:33:18 path: also guard `.gitmodules` against NTFS Alternate Data Streams We just safe-guarded `.git` against NTFS Alternate Data Stream-related attack vectors, and now it is time to do the same for `.gitmodules`. Note: In the added regression test, we refrain from verifying all kinds of variations between short names and NTFS Alternate Data Streams: as the new code disallows _all_ Alternate Data Streams of `.gitmodules`, it is enough to test one in order to know that all of them are guarded against. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Johannes Schindelin 3f7851ea 2019-09-18T14:32:05 Disallow NTFS Alternate Data Stream attacks, even on Linux/macOS A little-known feature of NTFS is that it offers to store metadata in so-called "Alternate Data Streams" (inspired by Apple's "resource forks") that are copied together with the file they are associated with. These Alternate Data Streams can be accessed via `<file name>:<stream name>:<stream type>`. Directories, too, have Alternate Data Streams, and they even have a default stream type `$INDEX_ALLOCATION`. Which means that `abc/` and `abc::$INDEX_ALLOCATION/` are actually equivalent. This is of course another attack vector on the Git directory that we definitely want to prevent. On Windows, we already do this incidentally, by disallowing colons in file/directory names. While it looks as if files'/directories' Alternate Data Streams are not accessible in the Windows Subsystem for Linux, and neither via CIFS/SMB-mounted network shares in Linux, it _is_ possible to access them on SMB-mounted network shares on macOS. Therefore, let's go the extra mile and prevent this particular attack _everywhere_. To keep things simple, let's just disallow *any* Alternate Data Stream of `.git`. This is libgit2's variant of CVE-2019-1352. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Dan Skorupski 44d5e47d 2019-08-24T10:39:56 Fix include casing for case-sensitive filesystems.
Johannes Schindelin cb1439c9 2019-06-19T12:59:27 config: validate ownership of C:\ProgramData\Git\config before using it When the VirtualStore feature is in effect, it is safe to let random users write into C:\ProgramData because other users won't see those files. This seemed to be the case when we introduced support for C:\ProgramData\Git\config. However, when that feature is not in effect (which seems to be the case in newer Windows 10 versions), we'd rather not use those files unless they come from a trusted source, such as an administrator. This change imitates the strategy chosen by PowerShell's native OpenSSH port to Windows regarding host key files: if a system file is owned neither by an administrator, a system account, or the current user, it is ignored.
Patrick Steinhardt ded77bb1 2019-06-29T09:58:34 path: extract function to check whether a path supports symlinks When initializing a repository, we need to check whether its working directory supports symlinks to correctly set the initial value of the "core.symlinks" config variable. The code to check the filesystem is reusable in other parts of our codebase, like for example in our tests to determine whether certain tests can be expected to succeed or not. Extract the code into a new function `git_path_supports_symlinks` to avoid duplicate implementations. Remove a duplicate implementation in the repo test helper code.
Patrick Steinhardt 658022c4 2019-07-18T13:53:41 configuration: cvar -> configmap `cvar` is an unhelpful name. Refactor its usage to `configmap` for more clarity.
Edward Thomson aca3f701 2019-05-20T07:09:46 path: safely cast path calculation
Patrick Steinhardt f7c6795f 2019-06-07T10:20:35 path: only treat paths starting with '\' as absolute on Win32 Windows-based systems treat paths starting with '\' as absolute, either referring to the current drive's root (e.g. "\foo" might refer to "C:\foo") or to a network path (e.g. "\\host\foo"). On the other hand, (most?) systems that are not based on Win32 accept backslashes as valid characters that may be part of the filename, and thus we cannot treat them to identify absolute paths. Change the logic to only paths starting with '\' as absolute on the Win32 platform. Add tests to avoid regressions and document behaviour.
Edward Thomson f673e232 2018-12-27T13:47:34 git_error: use new names in internal APIs and usage Move to the `git_error` name in the internal API for error-related functions.
Etienne Samson be4717d2 2018-09-18T12:12:06 path: fix "comparison always true" warning
Edward Thomson 44291868 2018-09-12T10:53:03 path validation: `char` is not signed by default. ARM treats its `char` type as `unsigned type` by default; as a result, testing a `char` value as being `< 0` is always false. This is a warning on ARM, which is promoted to an error given our use of `-Werror`. Per ISO 9899:199, section "6.2.5 Types": > The three types char, signed char, and unsigned char are collectively > called the character types. The implementation shall define char to > have the same range, representation, and behavior as either signed > char or unsigned char. > ... > Irrespective of the choice made, char is a separate type from the other > two and is not compatible with either.
Edward Thomson 3be73011 2018-06-11T18:26:22 Merge pull request #4436 from pks-t/pks/packfile-stream-free pack: rename `git_packfile_stream_free`
Patrick Steinhardt ecf4f33a 2018-02-08T11:14:48 Convert usage of `git_buf_free` to new `git_buf_dispose`
Patrick Steinhardt 92159bd4 2018-05-30T12:18:04 path: unify `git_path_is_*` APIs Right now, there's quite a lot of different function calls to determine whether a path component matches a specific name after normalization from the filesystem. We have a function for each of {gitattributes, gitmodules, gitignore} multiplicated with {generic, NTFS, HFS} checks. In the long time, this is unmaintainable in case there are e.g. new filesystems with specific semantics, blowing up the number of functions we need to implement. Replace all functions with a simple `git_path_is_gitfile` function, which accepts an enum pointing out the filename that is to be checked against as well as the filesystem normalizations to check for. This greatly simplifies implementation at the expense of the caller having to invoke a somewhat longer function call.
Carlos Martín Nieto 1f570a29 2018-05-23T08:40:17 path: check for a symlinked .gitmodules in fs-agnostic code We still compare case-insensitively to protect more thoroughly as we don't know what specifics we'll see on the system and it's the behaviour from git.
Carlos Martín Nieto a7168b47 2018-05-22T16:13:47 path: reject .gitmodules as a symlink Any part of the library which asks the question can pass in the mode to have it checked against `.gitmodules` being a symlink. This is particularly relevant for adding entries to the index from the worktree and for checking out files.
Carlos Martín Nieto 02c80ad7 2018-05-22T15:21:08 path: accept the name length as a parameter We may take in names from the middle of a string so we want the caller to let us know how long the path component is that we should be checking.
Carlos Martín Nieto 490cbaa9 2018-05-22T13:58:24 path: expose dotgit detection functions per filesystem These will be used by the checkout code to detect them for the particular filesystem they're on.
Carlos Martín Nieto 0aa65f8d 2018-05-16T15:56:04 path: add functions to detect .gitconfig and .gitattributes
Carlos Martín Nieto 9de97ae7 2018-05-16T15:42:08 path: add a function to detect an .gitmodules file Given a path component it knows what to pass to the filesystem-specific functions so we're protected even from trees which try to use the 8.3 naming rules to get around us matching on the filename exactly. The logic and test strings come from the equivalent git change.
Carlos Martín Nieto 22973e09 2018-05-16T14:47:04 path: provide a generic function for checking dogit files on NTFS It checks against the 8.3 shortname variants, including the one which includes the checksum as part of its name.
Carlos Martín Nieto 0283fc46 2018-05-16T11:56:04 path: provide a generic dogit checking function for HFS This lets us check for other kinds of reserved files.
Patrick Steinhardt 0c7f49dd 2017-06-30T13:39:01 Make sure to always include "common.h" first Next to including several files, our "common.h" header also declares various macros which are then used throughout the project. As such, we have to make sure to always include this file first in all implementation files. Otherwise, we might encounter problems or even silent behavioural differences due to macros or defines not being defined as they should be. So in fact, our header and implementation files should make sure to always include "common.h" first. This commit does so by establishing a common include pattern. Header files inside of "src" will now always include "common.h" as its first other file, separated by a newline from all the other includes to make it stand out as special. There are two cases for the implementation files. If they do have a matching header file, they will always include this one first, leading to "common.h" being transitively included as first file. If they do not have a matching header file, they instead include "common.h" as first file themselves. This fixes the outlined problems and will become our standard practice for header and source files inside of the "src/" from now on.
Patrick Steinhardt 78a8f68f 2017-06-06T14:57:31 path: only set dotgit flags when configs were read
Patrick Steinhardt a76d7502 2017-03-28T09:12:34 path: short-circuit `git_path_apply_relative` on error Short-circuit the call to `git_path_resolve_relative` in case `git_buf_joinpath` returns an error. While this does not fix any immediate errors, the resulting code is easier to read and handles potential new error conditions raised by `git_buf_joinpath`.
Patrick Steinhardt cffd616a 2017-03-28T09:08:41 path: handle error returned by `git_buf_joinpath` In the `_check_dir_contents` function, we first allocate memory for joining the directory and subdirectory together and afterwards use `git_buf_joinpath`. While this function in fact should not fail as memory is already allocated, err on the safe side and check for returned errors.
Patrick Steinhardt 9e8d75c7 2017-02-08T11:41:10 path: ensure dirname on Win32 prefix always has a trailing '/' When calling `git_path_dirname_r` on a Win32 prefix, e.g. a drive or network share prefix, we always want to return the trailing '/'. This does not work currently when passing in a path like 'C:', where the '/' would not be appended correctly. Fix this by appending a '/' if we try to normalize a Win32 prefix and there is no trailing '/'.
Patrick Steinhardt 5d59520c 2017-02-07T20:30:11 path: get correct dirname for Windows root Getting the dirname of a filesystem root should return the filesystem root itself. E.g. the dirname of "/" is always "/". On Windows, we emulate this behavior and as such, we should return e.g. "C:/" if calling dirname on "C:/". But we currently fail to do so and instead return ".", as we do not check if we actually have a Windows prefix before stripping off the last directory component. Fix this by calling out to `win32_prefix_length` immediately after stripping trailing slashes, returning early if we have a prefix.
Patrick Steinhardt d8c06070 2017-02-07T20:21:38 path: extract `win32_path_prefix` function Extract code which determines if a path is at a Windows system's root. This incluses drive prefixes (e.g. "C:\") as well as network computer names (e.g. "//computername/").
Edward Thomson 909d5494 2016-12-29T12:25:15 giterr_set: consistent error messages Error messages should be sentence fragments, and therefore: 1. Should not begin with a capital letter, 2. Should not conclude with punctuation, and 3. Should not end a sentence and begin a new one
Patrick Steinhardt 6cf575b1 2016-11-25T15:01:04 path: remove unused local variable
Carlos Martín Nieto ce5553d4 2016-03-10T22:01:09 refdb: bubble up locked files on the read side On Windows we can find locked files even when reading a reference or the packed-refs file. Bubble up the error in this case as well to allow callers on Windows to retry more intelligently.
Patrick Steinhardt b81fe7c9 2016-11-14T10:07:13 path: pass string instead of git_buf to giterr_set
Edward Thomson d34f6826 2014-04-08T17:18:47 Patch parsing from patch files
Edward Thomson ba6f86eb 2016-03-18T17:33:46 Introduce `git_path_common_dirlen`
Patrick Steinhardt 42c05ed5 2016-02-23T10:02:44 path: use GITERR_CHECK_ALLOC_BUF to verify passed in buffer
Edward Thomson 318b825e 2016-02-16T17:11:46 index: allow read of index w/ illegal entries Allow `git_index_read` to handle reading existing indexes with illegal entries. Allow the low-level `git_index_add` to add properly formed `git_index_entry`s even if they contain paths that would be illegal for the current filesystem (eg, `AUX`). Continue to disallow `git_index_add_bypath` from adding entries that are illegal universally illegal (eg, `.git`, `foo/../bar`).
Thomas Edvalson 95746a57 2015-12-14T19:21:09 Fix a couple function signatures
Edward Thomson 0862ec2e 2015-09-17T09:58:38 core::mkdir tests: ensure we don't stomp symlinks in mkdir In `mkdir` and `mkdir_r`, ensure that we don't try to remove symlinks that are in our way.
Edward Thomson 9d905541 2015-09-13T14:18:08 diriter: don't double '/' on posix The canonical directory path of the root directory of a volume on POSIX already ends in a slash (eg, `/`). This is true only at the root. Do not add a slash to paths in this case.
Edward Thomson 5a466bef 2015-09-13T13:59:41 diriter: don't double '/' on Windows The canonical directory path of the root directory of a volume on windows already ends in a slash (eg, `c:/`). This is true only at the volume root. Do not add a slash to paths in this case.
John Haley eba784d2 2015-08-05T10:19:06 Fix duplicate basenames to support older VS With Visual Studio versions 2008 and older they ignore the full path to files and only check the basename of the file to find a collision. Additionally, having duplicate basenames can break other build tools like GYP. This fixes https://github.com/libgit2/libgit2/issues/3356
Edward Thomson 2dfd5eae 2015-07-24T15:05:16 Merge pull request #3307 from libgit2/cmn/submodule-backslash Normalize submodule urls before looking at them
Sven Strickroth 318bb763 2015-07-21T23:36:39 Make libgit2 work on Windows Vista again (fixes issue #3316) Signed-off-by: Sven Strickroth <email@cs-ware.de>
Carlos Martín Nieto a58854a0 2015-07-13T17:11:19 submodule, path: extract slash conversion Extract the backslash-to-slash conversion into a helper function.
Carlos Martín Nieto caab22c0 2015-06-23T15:41:58 buffer: don't allow growing borrowed buffers When we don't own a buffer (asize=0) we currently allow the usage of grow to copy the memory into a buffer we do own. This muddles the meaning of grow, and lets us be a bit cavalier with ownership semantics. Don't allow this any more. Usage of grow should be restricted to buffers which we know own their own memory. If unsure, we must not attempt to modify it.
Pierre-Olivier Latour 85a5e8eb 2015-06-17T09:00:23 Fixed Xcode 6.1 build warnings
Pierre-Olivier Latour 0f4d9c03 2015-06-15T09:52:40 Fixed Xcode 6.1 build warnings
Carlos Martín Nieto 25bd0aaf 2015-06-15T13:28:08 path: remove unnecessary readdir_r usage Arguably all uses of readdir_r are unnecessary, but in this case especially so, as the directory handle only exists within this function, so we don't race with anybody.
Jeff Hostetler 95639dbb 2015-06-12T08:50:48 Fix memory leak on windows in diriter.
Carlos Martín Nieto 82a7a24c 2015-06-08T15:22:01 Merge pull request #3165 from ethomson/downcase Downcase
Carlos Martín Nieto 8da44047 2015-06-06T03:55:28 path: error out if the callback returns an error When the callback returns an error, we should stop immediately. This broke when trying to make sure we pass specific errors up the chain. This broke cancelling out of the loose backend's foreach.
Edward Thomson 75a4636f 2015-05-29T16:56:38 git__tolower: a tolower() that isn't dumb Some brain damaged tolower() implementations appear to want to take the locale into account, and this may require taking some insanely aggressive lock on the locale and slowing down what should be the most trivial of trivial calls for people who just want to downcase ASCII.
Carlos Martín Nieto 8a4d77f9 2015-05-15T12:15:45 path: don't let direach overwrite the callback's error message This function deals with functions doing IO which means the amount of errors that can happen is quit large. It does not help if it always ovewrites the underlying error message with a less understandable version of "something went wrong". Instead, only use this generic message if there was no error set by the callback.
Edward Thomson be3f1049 2015-05-01T11:27:44 diriter: actually use iconv on mac
Edward Thomson cd39e4e2 2015-04-29T18:12:51 git_buf_put_w: introduce utf16->utf8 conversion
Edward Thomson f63a1b72 2015-04-29T17:23:02 git_path_diriter: use FindFirstFile in win32 Using FindFirstFile and FindNextFile in win32 allows us to use the directory information that is returned, instead of us having to get the file attributes all over again, which is a distinct cost savings on win32.
Edward Thomson 5c387b6c 2015-04-29T14:31:59 git_path_diriter: next shouldn't take path ptr The _next method shouldn't take a path pointer (and a path_len pointer) as 100% of current users use the full path and ignore the filename. Plus let's add some docs and a unit test.
Edward Thomson 7ef005f1 2015-04-29T14:04:01 git_path_dirload_with_stat: moved to fs_iterator
Edward Thomson ba8ef18a 2015-04-29T13:28:29 git_path_dirload_with_stat: use git_path_diriter
Edward Thomson 07bbc045 2015-04-29T11:58:10 git_path_dirload: use git_path_diriter
Edward Thomson edbfc52c 2015-04-29T11:05:27 git_path: introduce 'git_path_diriter' Introduce a new `git_path_diriter` that can iterate directories efficiently for each platform.
Jozef Matula 2a069761 2015-04-08T16:30:44 ISO C90 forbids mixed declarations and code GIT_UNUSED() macro generates code therefore it should be used after variable declarations.
Edward Thomson 4196dd8e 2015-02-26T15:33:58 repository: Introduce "reserved names" A repository can have multiple "reserved names" now, not just a single "short name" for the repository folder itself. Refactor to include a git_repository__reserved_names that returns all the reserved names for a repository.
Edward Thomson f1453c59 2015-02-12T12:19:37 Make our overflow check look more like gcc/clang's Make our overflow checking look more like gcc and clang's, so that we can substitute it out with the compiler instrinsics on platforms that support it. This means dropping the ability to pass `NULL` as an out parameter. As a result, the macros also get updated to reflect this as well.
Edward Thomson 392702ee 2015-02-09T23:41:13 allocations: test for overflow of requested size Introduce some helper macros to test integer overflow from arithmetic and set error message appropriately.
Edward Thomson 1fbfcdfc 2015-01-12T15:48:53 git_path_join_unrooted: return base len The documentation for `git_path_join_unrooted` states that the base length will be returned, so that consumers like checkout know where to start creating directories instead of always creating directories at the directory root.
Linquize 6fd00266 2014-12-19T23:54:01 COM0 is a valid path, although Windows Explorer does not allow to create this
Edward Thomson ec74b40c 2014-12-16T18:53:55 Introduce core.protectHFS and core.protectNTFS Validate HFS ignored char ".git" paths when `core.protectHFS` is specified. Validate NTFS invalid ".git" paths when `core.protectNTFS` is specified.
Vicent Marti 8e35527d 2014-12-16T13:03:02 path: Use UTF8 iteration for HFS chars
Edward Thomson 11d67b75 2014-12-10T19:12:16 checkout: disallow bad paths on HFS HFS filesystems ignore some characters like U+200C. When these characters are included in a path, they will be ignored for the purposes of comparison with other paths. Thus, if you have a ".git" folder, a folder of ".git<U+200C>" will also match. Protect our ".git" folder by ensuring that ".git<U+200C>" and friends do not match it.
Edward Thomson a64119e3 2014-11-25T18:13:00 checkout: disallow bad paths on win32 Disallow: 1. paths with trailing dot 2. paths with trailing space 3. paths with trailing colon 4. paths that are 8.3 short names of .git folders ("GIT~1") 5. paths that are reserved path names (COM1, LPT1, etc). 6. paths with reserved DOS characters (colons, asterisks, etc) These paths would (without \\?\ syntax) be elided to other paths - for example, ".git." would be written as ".git". As a result, writing these paths literally (using \\?\ syntax) makes them hard to operate with from the shell, Windows Explorer or other tools. Disallow these.
Edward Thomson 5a7cd1bc 2014-10-25T19:53:53 iterator: free paths when skipping them
Edward Thomson 969b6a47 2014-10-11T11:23:34 is_empty_dir (wi32): cope with empty mount points FindFirstFile will fail with INVALID_HANDLE_VALUE if there are no children to the given path, which can happen if the given path is a file (and obviously has no children) or if the given path is an empty mount point. (Most directories have at least directory entries '.' and '..', but ridiculously another volume mounted in another drive letter's path space do not, and thus have nothing to enumerate.) If FindFirstFile fails, check if this is a directory-like thing (a mount point).
Erdur 44802c55 2014-09-30T16:19:24 path: fix invalid access
Vicent Marti 276d9ea3 2014-09-17T15:39:57 Merge pull request #2571 from libgit2/vmg/walk-up-path Fix `git_path_walk_up` to work with non-rooted paths
Vicent Marti 4592b62e 2014-09-17T15:26:48 Merge pull request #2572 from cirosantilli/factor-void Replace void casts with GIT_UNUSED.
Ciro Santilli c5cf8cad 2014-09-17T15:19:08 Replace void casts with GIT_UNUSED.
The rugged tests are fragile bbb988a5 2014-09-17T14:52:31 path: Fix `git_path_walk_up` to work with non-rooted paths
Carlos Martín Nieto 25abbc27 2014-09-17T03:19:40 Clean up some leaks in the test suite
Edward Thomson 0ee9f31c 2014-08-20T10:23:39 Introduce git_path_make_relative
Russell Belfer f18234fa 2014-08-08T13:17:50 Don't report status on named pipes Git skips entries in directories that are not S_ISDIR, S_ISREG, or S_ISLNK, so let's make libgit2 do the same thing.
Alan Rogers 7d0ab0fa 2014-07-22T15:08:24 Merge remote-tracking branch 'origin/master' into fix-git-status-list-new-unreadable-folder
Edward Thomson 529fd30d 2014-07-08T15:45:50 Handle local file:/// paths on Windows Windows can't handle a path like `/c:/foo`; when turning file:/// URIs into local paths, we must strip the leading slash.
Alan Rogers dc49e1b5 2014-06-04T15:36:28 Merge remote-tracking branch 'origin/development' into fix-git-status-list-new-unreadable-folder Conflicts: include/git2/diff.h
Alan Rogers 54c02d21 2014-06-04T15:27:00 Clear out the struct.
Carlos Martín Nieto 18d7896c 2014-06-03T21:47:53 clone: re-use the local transport's path resolution Whe already worked out the kinks with the function used in the local transport. Expose it and make use of it in the local clone method instead of trying to work it out again.
Alan Rogers 86c9d3da 2014-05-21T22:54:34 Return GIT_FILEMODE_UNREADABLE for files that fail to stat.
Alan Rogers 90553479 2014-05-20T17:40:28 Rename GIT_ENOACCESS -> GIT_EUNREADABLE
Alan Rogers dc4906f1 2014-05-15T17:40:28 Skip unreadable files for now.
Alan Rogers 158c8ba1 2014-05-15T16:54:46 Return a specific error for EACCES.
Russell Belfer 43a04135 2014-05-08T13:52:46 Pass unconverted data when iconv doesn't like it When using Iconv to convert unicode data and iconv doesn't like the source data (because it thinks that it's not actual UTF-8), instead of stopping the operation, just use the unconverted data. This will generally do the right thing on the filesystem, since that is the source of the non-UTF-8 path data anyhow. This adds some tests for creating and looking up branches with messy Unicode names. Also, this takes the helper function that was previously internal to `git_repository_init` and makes it into `git_path_does_fs_decompose_unicode` which is a useful in tests to understand what the expected results should be.
Philip Kelley 7110000d 2014-04-22T10:21:19 React to feedback for UTF-8 <-> WCHAR and reparse work