kmx git

Commit	Date	Message
534b70af	2018-06-07T12:30:59	Merge pull request #4558 from tiennou/travis/war-on-leaks travis: war on leaks
20306d36	2018-06-06T14:31:28	Merge pull request #4665 from neithernut/fix-refdb-glob refdb_fs: fix regression: failure when globbing for non-existant references
991bf691	2018-06-06T13:55:16	Merge pull request #4673 from pks-t/pks/submodule-dupes-simplify-test tests: submodule: do not rely on config iteration order
61eaaadf	2018-04-20T23:11:30	travis: enable -Werror in the script instead of using the matrix
1f4ada2a	2018-04-20T23:11:23	travis: let cmake perform the build & install step The goal is to let cmake manage the parallelism
234443e3	2018-04-20T23:11:22	valgrind: silence invalid free in libc atexit handler ==17851== Invalid free() / delete / delete[] / realloc() ==17851== at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==17851== by 0x60BBE2B: __libc_freeres (in /lib/x86_64-linux-gnu/libc-2.19.so) ==17851== by 0x4A256BC: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-amd64-linux.so) ==17851== by 0x5F8F16A: __run_exit_handlers (exit.c:97) ==17851== by 0x5F8F1F4: exit (exit.c:104) ==17851== by 0x5F74F4B: (below main) (libc-start.c:321) ==17851== Address 0x63153c0 is 0 bytes inside data symbol "noai6ai_cached"
149790b9	2018-04-20T23:11:28	scripts: remove extraneous semicolons
dd75885a	2018-04-20T23:11:20	valgrind: silence libssh2 leaking something from gcrypt ==2957== 912 bytes in 19 blocks are still reachable in loss record 323 of 369 ==2957== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==2957== by 0x675B120: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==2957== by 0x675BDF8: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==2957== by 0x675FE0D: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==2957== by 0x6761DC4: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==2957== by 0x676477E: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==2957== by 0x675B071: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==2957== by 0x675B544: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==2957== by 0x675914B: gcry_control (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==2957== by 0x5D30EC9: libssh2_init (in /usr/lib/x86_64-linux-gnu/libssh2.so.1.0.1) ==2957== by 0x66BCCD: git_transport_ssh_global_init (ssh.c:910) ==2957== by 0x616443: init_common (global.c:65)
573c4089	2018-04-20T23:11:19	valgrind: skip buf::oom test
4c969618	2018-04-20T23:11:27	scripts: use leaks on macOS
c0c9e9ee	2018-04-20T23:11:17	valgrind: silence curl_global_init leaks ==18109== 664 bytes in 1 blocks are still reachable in loss record 279 of 339 ==18109== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==18109== by 0x675B120: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==18109== by 0x675C13C: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==18109== by 0x675C296: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==18109== by 0x679BD14: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==18109== by 0x679CC64: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==18109== by 0x6A64946: ??? (in /usr/lib/x86_64-linux-gnu/libgnutls.so.26.22.6) ==18109== by 0x6A116E8: ??? (in /usr/lib/x86_64-linux-gnu/libgnutls.so.26.22.6) ==18109== by 0x6A01114: gnutls_global_init (in /usr/lib/x86_64-linux-gnu/libgnutls.so.26.22.6) ==18109== by 0x52A6C78: ??? (in /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4.3.0) ==18109== by 0x5285ADC: curl_global_init (in /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4.3.0) ==18109== by 0x663524: git_curl_stream_global_init (curl.c:44)
74b0a432	2018-04-20T23:11:16	travis: split valgrind check in its own script
0fb8c1d0	2018-04-20T23:11:25	valgrind: bump num-callers to 50 for fuller stack traces
2f4e7cb0	2018-04-20T23:11:14	travis: split testing from building
8178c70f	2018-06-06T09:23:01	tests: submodule: do not rely on config iteration order The test submodule::lookup::duplicated_path, which tries to verify that we detect submodules with duplicated paths, currently relies on the gitmodules file of "submod2_target". While this file has two gitmodules with the same path, one of these gitmodules has an empty name and thus does not pass `git_submodule_name_is_valid`. Because of this, the test is in fact dependent on the iteration order in which we process the submodules. In fact the "valid" submodule comes first, the "invalid" submodule will cause the desired error. In fact the "invalid" submodule comes first, it will be skipped due to its name being invalid, and we will not see the desired error. While this works on the master branch just right due to the refactoring of our config code, where iteration order is now deterministic, this breaks on all older maintenance branches. Fix the issue by simply using `cl_git_rewritefile` to rewrite the gitmodules file. This greatly simplifies the test and also makes the intentions of it much clearer.
54990d75	2018-06-06T08:36:43	Merge pull request #4641 from pks-t/pks/submodule-names-memleak Detect duplicated submodules for the same path
d7eca4c3	2018-06-01T08:57:17	refdb_fs: add test for globbing of nonexistant refs
05e891f1	2018-06-01T08:44:30	refdb_fs: test whether the base directory exists when globbing This commit fixes a regression introduced by 20a2b02d9a1bcb4825ec49605146223c565dcacf The commit introduced an optimization for finding references using a glob: rather than iterating over all references and matching each one against the glob, we would iterate only over references within the directory common to all possible references which may match against the glob. However, contrary to the `ref/` directory, which was the previous entry point for the iteration, this directory may not exist. In this case, the optimization causes an error (`ENOENT`) rather than the iterator simply yielding no references. This patch fixes the regression by checkign for this specific case.
bae6ed62	2018-06-01T13:17:28	Merge pull request #4530 from tiennou/fix/docurium-missing-includes Fix docurium missing includes
771dfd1d	2018-05-30T10:52:51	Merge pull request #4627 from libgit2/ethomson/template github: update issue template
8a14846b	2018-05-30T10:51:10	Merge pull request #4661 from laomaiweng/patch-1 streams: openssl: add missing check on OPENSSL_LEGACY_API
9c698a25	2018-05-30T10:34:58	submodule: remove useless mask computations Previous to dfda2f68e (submodule: remove the per-repo cache, 2015-04-27), we tried to cache our submodules per repository to avoid having to reload it too frequently. As it created some headaches with regards to multithreading, we removed that cache. Previous to that removal, we had to compute what submodule status to refresh. The mask computation was not removed, though, resulting in confusing and actually dead code. While it seems like the mask is currently in use in a conditional, it is not, as we unconditionally assign to the mask previous to that condition. Remove all mask computations to clean up stale code.
cf5030a3	2018-05-30T08:38:28	submodule: refactor loading submodule names The function `load_submodule_names` was always being called with a newly allocated string map, which was then getting filled by the function. Move the string map allocation into `load_submodule_names`, instead, and pass the whole map back to the caller in case no error occurs. This change helps to avoid misuse by handing in pre-populated maps.
b2a389c8	2018-05-30T08:35:06	submodule: detect duplicated submodule paths When loading submodule names, we build a map of submodule paths and their respective names. While looping over the configuration keys, we do not check though whether a submodule path was seen already. This leads to a memory leak in case we have multiple submodules with the same path, as we just overwrite the old value in the map in that case. Fix the error by verifying that the path to be added is not yet part of the string map. Git does not allow to have multiple submodules for a path anyway, so we now do the same and detect this duplication, reporting it to the user.
36ae5c93	2018-05-30T08:25:19	Merge pull request #4656 from tiennou/fix/mbedtls-no-pkgconfig mbedtls: don't require mbedtls from our pkgconfig file
b1cab70b	2018-05-30T02:15:09	streams: openssl: add missing check on OPENSSL_LEGACY_API The `CRYPTO_THREADID` type is no longer available in OpenSSL ≥ 1.1.0 with deprecated features disabled, and causes build failures. Since the `threadid_cb()` function is only ever called by `git_openssl_set_locking()` when `defined(OPENSSL_LEGACY_API)`, only define it then.
7f6c1ce9	2018-05-29T21:04:39	Merge pull request #4660 from libgit2/cmn/submodule-traversal Fixes for CVE 2018-11235
491722e8	2018-05-29T19:27:59	CHANGELOG: mention fixes for CVE-2018-11235
64a78a80	2018-05-25T09:28:52	mbedtls: don't require mbedtls from our pkgconfig file mbedTLS has no pkgconfig file, hence we can't require it. For now, pass its link flags as our own.
d050acf7	2018-05-25T10:28:15	Merge pull request #4653 from stinb/junction-point-diff-from-git Added note about Windows junction points to the differences from git document
57e343d7	2018-05-24T21:58:40	path: hand-code the zero-width joiner as UTF-8
9e723db8	2018-05-24T20:28:36	submodule: plug leaks from the escape detection
c16ebaa6	2018-05-24T19:05:59	submodule: replace index with strchr which exists on Windows
91a4849d	2018-05-24T19:00:13	submodule: the repostiory for _name_is_valid should not be const We might modify caches due to us trying to load the configuration to figure out what kinds of filesystem protections we should have.
1f570a29	2018-05-23T08:40:17	path: check for a symlinked .gitmodules in fs-agnostic code We still compare case-insensitively to protect more thoroughly as we don't know what specifics we'll see on the system and it's the behaviour from git.
3fbfae26	2018-05-22T20:37:23	checkout: change symlinked .gitmodules file test to expect failure When dealing with `core.proectNTFS` and `core.protectHFS` we do check against `.gitmodules` but we still have a failing test as the non-filesystem codepath does not check for it.
a7168b47	2018-05-22T16:13:47	path: reject .gitmodules as a symlink Any part of the library which asks the question can pass in the mode to have it checked against `.gitmodules` being a symlink. This is particularly relevant for adding entries to the index from the worktree and for checking out files.
58ff913a	2018-05-22T15:48:38	index: stat before creating the entry This is so we have it available for the path validity checking. In a later commit we will start rejecting `.gitmodules` files as symlinks.
02c80ad7	2018-05-22T15:21:08	path: accept the name length as a parameter We may take in names from the middle of a string so we want the caller to let us know how long the path component is that we should be checking.
a145f2b6	2018-05-22T14:16:45	checkout: add a failing test for refusing a symlinked .gitmodules We want to reject these as they cause compatibility issues and can lead to git writing to files outside of the repository.
490cbaa9	2018-05-22T13:58:24	path: expose dotgit detection functions per filesystem These will be used by the checkout code to detect them for the particular filesystem they're on.
d54c34a7	2018-05-21T17:04:11	docs: added note regarding difference in treatment of junction points from git
177dcfc7	2018-05-18T15:16:53	path: hide the dotgit file functions These can't go into the public API yet as we don't want to introduce API or ABI changes in a security release.
0aa65f8d	2018-05-16T15:56:04	path: add functions to detect .gitconfig and .gitattributes
9de97ae7	2018-05-16T15:42:08	path: add a function to detect an .gitmodules file Given a path component it knows what to pass to the filesystem-specific functions so we're protected even from trees which try to use the 8.3 naming rules to get around us matching on the filename exactly. The logic and test strings come from the equivalent git change.
22973e09	2018-05-16T14:47:04	path: provide a generic function for checking dogit files on NTFS It checks against the 8.3 shortname variants, including the one which includes the checksum as part of its name.
0283fc46	2018-05-16T11:56:04	path: provide a generic dogit checking function for HFS This lets us check for other kinds of reserved files.
397abe98	2018-05-14T16:03:15	submodule: also validate Windows-separated paths for validity Otherwise we would also admit `..\..\foo\bar` as a valid path and fail to protect Windows users. Ideally we would check for both separators without the need for the copied string, but this'll get us over the RCE.
6b15ceac	2018-04-30T13:47:15	submodule: ignore submodules which include path traversal in their name If the we decide that the "name" of the submodule (i.e. its path inside `.git/modules/`) is trying to escape that directory or otherwise trick us, we ignore the configuration for that submodule. This leaves us with a half-configured submodule when looking it up by path, but it's the same result as if the configuration really were missing. The name check is potentially more strict than it needs to be, but it lets us re-use the check we're doing for the checkout. The function that encapsulates this logic is ready to be exported but we don't want to do that in a security release so it remains internal for now.
f9cf9a04	2018-05-09T14:51:57	Merge pull request #4642 from pks-t/pks/cmake-resolve-pkgconfig cmake: resolve libraries found by pkg-config
0a19c151	2018-05-09T14:14:06	Merge pull request #4629 from neithernut/enhance-glob-perf refdb_fs: enhance performance of globbing
81c9894f	2018-05-09T14:06:57	Merge pull request #4645 from pks-t/pks/racy-init-deinit global: adjust init count under lock
6c2939d6	2018-05-09T13:57:17	Merge pull request #4646 from pks-t/pks/gcc-8.1-warnings Fix GCC 8.1 warnings
8ab470f5	2018-04-27T15:31:43	cmake: remove now-useless LIBGIT2_LIBDIRS handling With the recent change of always resolving pkg-config libraries to their full path, we do not have to manage the LIBGIT2_LIBDIRS variable anymore. The only other remaining user of LIBGIT2_LIBDIRS is winhttp, which is a CMake-style library target and can thus be resolved by CMake automatically. Remove the variable to simplify our build system a bit.
0f62e4c7	2018-04-27T10:38:49	cmake: resolve libraries found by pkg-config Libraries found by CMake modules are usually handled with their full path. This makes linking against those libraries a lot more robust when it comes to libraries in non-standard locations, as otherwise we might mix up libraries from different locations when link directories are given. One excemption are libraries found by PKG_CHECK_MODULES. Instead of returning libraries with their complete path, it will return the variable names as well as a set of link directories. In case where multiple sets of the same library are installed in different locations, this can lead the compiler to link against the wrong libraries in the end, when link directories of other dependencies are added. To fix this shortcoming, we need to manually resolve library paths returned by CMake against their respective library directories. This is an easy task to do with `FIND_LIBRARY`.
bf70fa4b	2018-03-22T23:27:28	docs: move comment so docurium sees it
ca5a15e5	2018-03-22T23:27:27	docs: standardize comment block for git_*_init_options functions
04c48afc	2018-04-20T21:07:17	docs: standardize struct git_*_options comments
c7b42f44	2018-04-11T22:26:31	docs: fix comment style
3ec35d9c	2018-03-26T20:23:59	attr: fix typo
78ea5adc	2018-03-22T23:27:35	branch: typo
bf46d458	2018-03-22T23:27:34	docs: move blame options struct field comments
132f2ce0	2018-03-22T23:27:33	docs: change Docurium input directory Most files under `git2/sys` have their includes prefixed with `git2`. Since Docurium exports its input headers in a temporary directory without the `git2` prefix, all those headers fail to parse.
25e8a293	2018-03-22T23:27:31	docs: correct defgroup
29afb257	2018-03-22T23:27:30	docs: fix incorrect codeblock on output
8ee183a2	2018-03-22T23:27:25	docs: missing documentation comment
f46c360e	2018-03-22T23:27:24	docs: move callback-specific documentation to the callback
efad967a	2018-03-22T23:27:23	docs: fix some comment-marker typos
96576372	2018-03-22T23:27:21	docs: fix more missing includes
84bcae6c	2018-03-22T23:27:20	docs: add buffer.h & oid.h to types.h Otherwise docurium/clang chokes on the types, and ignores the documentation comments altogether.
81ea9957	2018-05-07T15:36:40	Merge pull request #4630 from tiennou/fix/worktree-from-bare Worktrees can be made from bare repositories
a82082d0	2018-04-20T08:38:50	worktree: a worktree can be made from a bare repository
c7964c22	2018-04-18T22:40:46	repository: being a worktree means we're not really bare We were previously conflating any error into GIT_ENOTFOUND, which might or might not be correct. This fixes the code so a config error is bubbled up, as well as preserving the semantics in the face of worktree-repositories
a5723236	2018-05-07T13:46:55	Merge pull request #4605 from cjhoward92/docs/cli-differences docs: add documentation to state differences from the git cli
bb468ada	2018-05-07T13:44:15	Merge pull request #4542 from stanhu/sh-sanitize-utf8-hunk-header Sanitize the hunk header to ensure it contains UTF-8 valid data
9d83a2b0	2018-02-22T22:55:50	Sanitize the hunk header to ensure it contains UTF-8 valid data The diff driver truncates the hunk header text to 80 bytes, which can truncate 4-byte Unicode characters and introduce garbage characters in the diff output. This change sanitizes the hunk header before it is displayed. This mirrors the test in git: https://github.com/git/git/blob/master/t/t4025-hunk-header.sh Closes https://github.com/libgit2/rugged/issues/716
0c6f631c	2018-05-04T16:20:29	Merge pull request #4380 from cjhoward92/examples/ls-files examples: ls-files: add ls-files to list paths in the index
1bf57b5a	2018-05-04T15:27:11	tests: iterator::workdir: fix GCC warning Since GCC 8.1, the compiler performs some bounds checking when copying static data into arrays with a known size. In one test, we print a format string of "%s/sub%02d" into a buffer of 64 bytes. The input buffer for the first "%s" is bounded to at most 63 characters, plus four bytes for the static string "/sub" plus two more bytes for "%02d". Thus, our target buffer needs to be at least 70 bytes in size, including the NUL byte. There seems to be a bug in the analysis, though, because GCC will not account for the limiting "%02" prefix, treating it as requiring the same count of bytes as a "%d". Thus, we end up at 79 bytes that are required to fix the warning. To make it look nicer and less special, we just round the buffer size up to 80 bytes.
0750d0cc	2018-05-04T15:25:22	tests: refs::normalize: simplify code to avoid GCC warning Since version 8.1, GCC will do some automatic bounds checking when printing static content into a buffer with known size. The bounds checking doesn't yet work quite right in all scenarios and may thus lead to false positives. Fix one of these false positives in refs::normalize by simplifying the code.
ba5e39ac	2018-05-04T15:25:11	streams: openssl: fix bogus warning on unused parameter Our provided callback function `threadid_cb(CRYPTO_THREADID *threadid)` sets up a unique thread ID by asking pthread for the current thread ID. Since openssl version 1.1, `CRYPTO_THREADID_set_numeric` is simply a no-op macro, leaving the `threadid` argument unused after the preprocessor has processed the macro. GCC does not account for that situation and will thus complain about `threadid` being unused. Silence this warning by using `GIT_UNUSED(threadid)`.
0933fdc5	2018-05-04T13:40:54	global: adjust init count under lock Our global initialization functions `git_libgit2_init()` and `git_libgit2_shutdown()` both adjust a global init counter to determine whether we are the first respectively last user of libgit2. On Unix-systems do not do so under lock, though, which opens the possibility of a race between these two functions: Thread 1 Thread 2 git__n_inits = 0; git_libgit2_init(); git_atomic_inc(&git__n_inits); /* git__n_inits == 1 / git_libgit2_shutdown(); if (git_atomic_dec(&git__n_inits) != 0) / git__n_inits == 0, no early exit here */ pthread_mutex_lock(&_init_mutex); shutdown_common(); pthread_mutex_unlock(&_init_mutex); pthread_mutex_lock(&_init_mutex); init_once(); pthread_mutex_unlock(&_init_mutex); So we can end up in a situation where we try to shutdown shared data structures before they have been initialized. Fix the race by always locking `_init_mutex` before incrementing or decrementing `git__n_inits`.
8aa437ef	2018-05-02T07:55:26	tests: ls-files: use puts instead of printf and fix typos
77799325	2018-05-02T07:46:53	docs: update differences-from-git to be more concise
26a09a93	2018-04-30T21:34:36	Merge pull request #4608 from pks-t/pks/openssl-api-cleanup OpenSSL legacy API cleanups
7553763a	2018-04-30T13:03:44	submodule: add a failing test for a submodule escaping .git/modules We should pretend such submdules do not exist as it can lead to RCE.
173a0375	2018-02-08T23:50:14	openssl: remove leftover #ifdef This is the "OpenSSL available" global init function after all
b33b6d33	2018-04-30T09:27:47	Merge pull request #4640 from mkeeler/worktree-convenience2 worktree: add functions to get name and path
20a2b02d	2018-04-18T19:23:40	refdb_fs: enable root arbitration for fixed portion of globs A glob used for iteration may start with an entire path containing no special characters. If we start scanning for references within that path rather than in `refs/`, we may end up scanning only a small fraction of all references.
27e98cf7	2018-04-18T19:21:22	refdb_fs: prepare arbitration of the root used for ref iteration Instead of a hardcoded "refs", we may choose a different directory within the git directory as the root from which we look for references.
5ace1494	2018-04-26T11:45:38	Merge pull request #4633 from csware/worktree-delereref Fix deletion of unrelated branch on worktree
3da1ad20	2018-04-24T17:09:34	worktree: add functions to get name and path
45a3b9cd	2018-04-24T17:12:49	tests: fix issue with /tmp paths on macOS[1]
86353a72	2018-04-22T14:57:02	Merge pull request #4173 from tiennou/mbedtls mbedTLS support
5d346c11	2018-04-22T14:51:00	Merge pull request #4525 from pks-t/pks/config-iterate-in-order Configuration entry iteration in order
2b967226	2018-04-22T14:43:18	Merge pull request #4580 from pks-t/pks/diff-like-git-coalesce blame_git: fix coalescing step never being executed
0ad2372b	2018-04-20T21:25:01	Merge pull request #4636 from tiennou/fix/leaks Fix leaks in master
232dd4de	2018-04-20T20:36:31	Merge pull request #4635 from tiennou/fix/leaks-v0.27.1 Leak fixes for v0.27.1
8d138f89	2018-04-20T20:28:48	Merge pull request #4577 from csware/reflog-worktree-head worktree: Read worktree specific reflog for HEAD
25100d6d	2018-04-19T19:17:07	tests: free the worktree in add_with_explicit_branch Valgrind log: ==2711== 305 (48 direct, 257 indirect) bytes in 1 blocks are definitely lost in loss record 576 of 624 ==2711== at 0x4C2CC70: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==2711== by 0x5E079E: git__calloc (util.h:99) ==2711== by 0x5E0D21: open_worktree_dir (worktree.c:134) ==2711== by 0x5E0F23: git_worktree_lookup (worktree.c:176) ==2711== by 0x5E1972: git_worktree_add (worktree.c:388) ==2711== by 0x551F23: test_worktree_worktree__add_with_explicit_branch (worktree.c:292) ==2711== by 0x45853E: clar_run_test (clar.c:222) ==2711== by 0x4587E1: clar_run_suite (clar.c:286) ==2711== by 0x458B04: clar_parse_args (clar.c:362) ==2711== by 0x458CAB: clar_test_run (clar.c:428) ==2711== by 0x45665C: main (main.c:24)
592b200c	2018-04-18T21:41:44	refspec: check for valid parameters in git_refspec__dwim_one CID:1383993, "In git_refspec__dwim_one: All paths that lead to this null pointer comparison already dereference the pointer earlier (CWE-476)"

534b70af

2018-06-07T12:30:59

Merge pull request #4558 from tiennou/travis/war-on-leaks travis: war on leaks

20306d36

2018-06-06T14:31:28

Merge pull request #4665 from neithernut/fix-refdb-glob refdb_fs: fix regression: failure when globbing for non-existant references

991bf691

2018-06-06T13:55:16

Merge pull request #4673 from pks-t/pks/submodule-dupes-simplify-test tests: submodule: do not rely on config iteration order

61eaaadf

2018-04-20T23:11:30

travis: enable -Werror in the script instead of using the matrix

1f4ada2a

2018-04-20T23:11:23

travis: let cmake perform the build & install step The goal is to let cmake manage the parallelism

234443e3

2018-04-20T23:11:22

valgrind: silence invalid free in libc atexit handler ==17851== Invalid free() / delete / delete[] / realloc() ==17851== at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==17851== by 0x60BBE2B: __libc_freeres (in /lib/x86_64-linux-gnu/libc-2.19.so) ==17851== by 0x4A256BC: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-amd64-linux.so) ==17851== by 0x5F8F16A: __run_exit_handlers (exit.c:97) ==17851== by 0x5F8F1F4: exit (exit.c:104) ==17851== by 0x5F74F4B: (below main) (libc-start.c:321) ==17851== Address 0x63153c0 is 0 bytes inside data symbol "noai6ai_cached"

149790b9

2018-04-20T23:11:28

scripts: remove extraneous semicolons

dd75885a

2018-04-20T23:11:20

valgrind: silence libssh2 leaking something from gcrypt ==2957== 912 bytes in 19 blocks are still reachable in loss record 323 of 369 ==2957== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==2957== by 0x675B120: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==2957== by 0x675BDF8: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==2957== by 0x675FE0D: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==2957== by 0x6761DC4: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==2957== by 0x676477E: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==2957== by 0x675B071: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==2957== by 0x675B544: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==2957== by 0x675914B: gcry_control (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==2957== by 0x5D30EC9: libssh2_init (in /usr/lib/x86_64-linux-gnu/libssh2.so.1.0.1) ==2957== by 0x66BCCD: git_transport_ssh_global_init (ssh.c:910) ==2957== by 0x616443: init_common (global.c:65)

573c4089

2018-04-20T23:11:19

valgrind: skip buf::oom test

4c969618

2018-04-20T23:11:27

scripts: use leaks on macOS

c0c9e9ee

2018-04-20T23:11:17

valgrind: silence curl_global_init leaks ==18109== 664 bytes in 1 blocks are still reachable in loss record 279 of 339 ==18109== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==18109== by 0x675B120: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==18109== by 0x675C13C: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==18109== by 0x675C296: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==18109== by 0x679BD14: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==18109== by 0x679CC64: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.11.8.2) ==18109== by 0x6A64946: ??? (in /usr/lib/x86_64-linux-gnu/libgnutls.so.26.22.6) ==18109== by 0x6A116E8: ??? (in /usr/lib/x86_64-linux-gnu/libgnutls.so.26.22.6) ==18109== by 0x6A01114: gnutls_global_init (in /usr/lib/x86_64-linux-gnu/libgnutls.so.26.22.6) ==18109== by 0x52A6C78: ??? (in /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4.3.0) ==18109== by 0x5285ADC: curl_global_init (in /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4.3.0) ==18109== by 0x663524: git_curl_stream_global_init (curl.c:44)

74b0a432

2018-04-20T23:11:16

travis: split valgrind check in its own script

0fb8c1d0

2018-04-20T23:11:25

valgrind: bump num-callers to 50 for fuller stack traces

2f4e7cb0

2018-04-20T23:11:14

travis: split testing from building

8178c70f

2018-06-06T09:23:01

tests: submodule: do not rely on config iteration order The test submodule::lookup::duplicated_path, which tries to verify that we detect submodules with duplicated paths, currently relies on the gitmodules file of "submod2_target". While this file has two gitmodules with the same path, one of these gitmodules has an empty name and thus does not pass `git_submodule_name_is_valid`. Because of this, the test is in fact dependent on the iteration order in which we process the submodules. In fact the "valid" submodule comes first, the "invalid" submodule will cause the desired error. In fact the "invalid" submodule comes first, it will be skipped due to its name being invalid, and we will not see the desired error. While this works on the master branch just right due to the refactoring of our config code, where iteration order is now deterministic, this breaks on all older maintenance branches. Fix the issue by simply using `cl_git_rewritefile` to rewrite the gitmodules file. This greatly simplifies the test and also makes the intentions of it much clearer.

54990d75

2018-06-06T08:36:43

Merge pull request #4641 from pks-t/pks/submodule-names-memleak Detect duplicated submodules for the same path

d7eca4c3

2018-06-01T08:57:17

refdb_fs: add test for globbing of nonexistant refs

05e891f1

2018-06-01T08:44:30

refdb_fs: test whether the base directory exists when globbing This commit fixes a regression introduced by 20a2b02d9a1bcb4825ec49605146223c565dcacf The commit introduced an optimization for finding references using a glob: rather than iterating over all references and matching each one against the glob, we would iterate only over references within the directory common to all possible references which may match against the glob. However, contrary to the `ref/` directory, which was the previous entry point for the iteration, this directory may not exist. In this case, the optimization causes an error (`ENOENT`) rather than the iterator simply yielding no references. This patch fixes the regression by checkign for this specific case.

bae6ed62

2018-06-01T13:17:28

Merge pull request #4530 from tiennou/fix/docurium-missing-includes Fix docurium missing includes

771dfd1d

2018-05-30T10:52:51

Merge pull request #4627 from libgit2/ethomson/template github: update issue template

8a14846b

2018-05-30T10:51:10

Merge pull request #4661 from laomaiweng/patch-1 streams: openssl: add missing check on OPENSSL_LEGACY_API

9c698a25

2018-05-30T10:34:58

submodule: remove useless mask computations Previous to dfda2f68e (submodule: remove the per-repo cache, 2015-04-27), we tried to cache our submodules per repository to avoid having to reload it too frequently. As it created some headaches with regards to multithreading, we removed that cache. Previous to that removal, we had to compute what submodule status to refresh. The mask computation was not removed, though, resulting in confusing and actually dead code. While it seems like the mask is currently in use in a conditional, it is not, as we unconditionally assign to the mask previous to that condition. Remove all mask computations to clean up stale code.

cf5030a3

2018-05-30T08:38:28

submodule: refactor loading submodule names The function `load_submodule_names` was always being called with a newly allocated string map, which was then getting filled by the function. Move the string map allocation into `load_submodule_names`, instead, and pass the whole map back to the caller in case no error occurs. This change helps to avoid misuse by handing in pre-populated maps.

b2a389c8

2018-05-30T08:35:06

submodule: detect duplicated submodule paths When loading submodule names, we build a map of submodule paths and their respective names. While looping over the configuration keys, we do not check though whether a submodule path was seen already. This leads to a memory leak in case we have multiple submodules with the same path, as we just overwrite the old value in the map in that case. Fix the error by verifying that the path to be added is not yet part of the string map. Git does not allow to have multiple submodules for a path anyway, so we now do the same and detect this duplication, reporting it to the user.

36ae5c93

2018-05-30T08:25:19

Merge pull request #4656 from tiennou/fix/mbedtls-no-pkgconfig mbedtls: don't require mbedtls from our pkgconfig file

b1cab70b

2018-05-30T02:15:09

streams: openssl: add missing check on OPENSSL_LEGACY_API The `CRYPTO_THREADID` type is no longer available in OpenSSL ≥ 1.1.0 with deprecated features disabled, and causes build failures. Since the `threadid_cb()` function is only ever called by `git_openssl_set_locking()` when `defined(OPENSSL_LEGACY_API)`, only define it then.

7f6c1ce9

2018-05-29T21:04:39

Merge pull request #4660 from libgit2/cmn/submodule-traversal Fixes for CVE 2018-11235

491722e8

2018-05-29T19:27:59

CHANGELOG: mention fixes for CVE-2018-11235

64a78a80

2018-05-25T09:28:52

mbedtls: don't require mbedtls from our pkgconfig file mbedTLS has no pkgconfig file, hence we can't require it. For now, pass its link flags as our own.

d050acf7

2018-05-25T10:28:15

Merge pull request #4653 from stinb/junction-point-diff-from-git Added note about Windows junction points to the differences from git document

57e343d7

2018-05-24T21:58:40

path: hand-code the zero-width joiner as UTF-8

9e723db8

2018-05-24T20:28:36

submodule: plug leaks from the escape detection

c16ebaa6

2018-05-24T19:05:59

submodule: replace index with strchr which exists on Windows

91a4849d

2018-05-24T19:00:13

submodule: the repostiory for _name_is_valid should not be const We might modify caches due to us trying to load the configuration to figure out what kinds of filesystem protections we should have.

1f570a29

2018-05-23T08:40:17

path: check for a symlinked .gitmodules in fs-agnostic code We still compare case-insensitively to protect more thoroughly as we don't know what specifics we'll see on the system and it's the behaviour from git.

3fbfae26

2018-05-22T20:37:23

checkout: change symlinked .gitmodules file test to expect failure When dealing with `core.proectNTFS` and `core.protectHFS` we do check against `.gitmodules` but we still have a failing test as the non-filesystem codepath does not check for it.

a7168b47

2018-05-22T16:13:47

path: reject .gitmodules as a symlink Any part of the library which asks the question can pass in the mode to have it checked against `.gitmodules` being a symlink. This is particularly relevant for adding entries to the index from the worktree and for checking out files.

58ff913a

2018-05-22T15:48:38

index: stat before creating the entry This is so we have it available for the path validity checking. In a later commit we will start rejecting `.gitmodules` files as symlinks.

02c80ad7

2018-05-22T15:21:08

path: accept the name length as a parameter We may take in names from the middle of a string so we want the caller to let us know how long the path component is that we should be checking.

a145f2b6

2018-05-22T14:16:45

checkout: add a failing test for refusing a symlinked .gitmodules We want to reject these as they cause compatibility issues and can lead to git writing to files outside of the repository.

490cbaa9

2018-05-22T13:58:24

path: expose dotgit detection functions per filesystem These will be used by the checkout code to detect them for the particular filesystem they're on.

d54c34a7

2018-05-21T17:04:11

docs: added note regarding difference in treatment of junction points from git

177dcfc7

2018-05-18T15:16:53

path: hide the dotgit file functions These can't go into the public API yet as we don't want to introduce API or ABI changes in a security release.

0aa65f8d

2018-05-16T15:56:04

path: add functions to detect .gitconfig and .gitattributes

9de97ae7

2018-05-16T15:42:08

path: add a function to detect an .gitmodules file Given a path component it knows what to pass to the filesystem-specific functions so we're protected even from trees which try to use the 8.3 naming rules to get around us matching on the filename exactly. The logic and test strings come from the equivalent git change.

22973e09

2018-05-16T14:47:04

path: provide a generic function for checking dogit files on NTFS It checks against the 8.3 shortname variants, including the one which includes the checksum as part of its name.

0283fc46

2018-05-16T11:56:04

path: provide a generic dogit checking function for HFS This lets us check for other kinds of reserved files.

397abe98

2018-05-14T16:03:15

submodule: also validate Windows-separated paths for validity Otherwise we would also admit `..\..\foo\bar` as a valid path and fail to protect Windows users. Ideally we would check for both separators without the need for the copied string, but this'll get us over the RCE.

6b15ceac

2018-04-30T13:47:15

submodule: ignore submodules which include path traversal in their name If the we decide that the "name" of the submodule (i.e. its path inside `.git/modules/`) is trying to escape that directory or otherwise trick us, we ignore the configuration for that submodule. This leaves us with a half-configured submodule when looking it up by path, but it's the same result as if the configuration really were missing. The name check is potentially more strict than it needs to be, but it lets us re-use the check we're doing for the checkout. The function that encapsulates this logic is ready to be exported but we don't want to do that in a security release so it remains internal for now.

f9cf9a04

2018-05-09T14:51:57

Merge pull request #4642 from pks-t/pks/cmake-resolve-pkgconfig cmake: resolve libraries found by pkg-config

0a19c151

2018-05-09T14:14:06

Merge pull request #4629 from neithernut/enhance-glob-perf refdb_fs: enhance performance of globbing

81c9894f

2018-05-09T14:06:57

Merge pull request #4645 from pks-t/pks/racy-init-deinit global: adjust init count under lock

6c2939d6

2018-05-09T13:57:17

Merge pull request #4646 from pks-t/pks/gcc-8.1-warnings Fix GCC 8.1 warnings

8ab470f5

2018-04-27T15:31:43

cmake: remove now-useless LIBGIT2_LIBDIRS handling With the recent change of always resolving pkg-config libraries to their full path, we do not have to manage the LIBGIT2_LIBDIRS variable anymore. The only other remaining user of LIBGIT2_LIBDIRS is winhttp, which is a CMake-style library target and can thus be resolved by CMake automatically. Remove the variable to simplify our build system a bit.

0f62e4c7

2018-04-27T10:38:49

cmake: resolve libraries found by pkg-config Libraries found by CMake modules are usually handled with their full path. This makes linking against those libraries a lot more robust when it comes to libraries in non-standard locations, as otherwise we might mix up libraries from different locations when link directories are given. One excemption are libraries found by PKG_CHECK_MODULES. Instead of returning libraries with their complete path, it will return the variable names as well as a set of link directories. In case where multiple sets of the same library are installed in different locations, this can lead the compiler to link against the wrong libraries in the end, when link directories of other dependencies are added. To fix this shortcoming, we need to manually resolve library paths returned by CMake against their respective library directories. This is an easy task to do with `FIND_LIBRARY`.

bf70fa4b

2018-03-22T23:27:28

docs: move comment so docurium sees it

ca5a15e5

2018-03-22T23:27:27

docs: standardize comment block for git_*_init_options functions

04c48afc

2018-04-20T21:07:17

docs: standardize struct git_*_options comments

c7b42f44

2018-04-11T22:26:31

docs: fix comment style

3ec35d9c

2018-03-26T20:23:59

attr: fix typo

78ea5adc

2018-03-22T23:27:35

branch: typo

bf46d458

2018-03-22T23:27:34

docs: move blame options struct field comments

132f2ce0

2018-03-22T23:27:33

docs: change Docurium input directory Most files under `git2/sys` have their includes prefixed with `git2`. Since Docurium exports its input headers in a temporary directory without the `git2` prefix, all those headers fail to parse.

25e8a293

2018-03-22T23:27:31

docs: correct defgroup

29afb257

2018-03-22T23:27:30

docs: fix incorrect codeblock on output

8ee183a2

2018-03-22T23:27:25

docs: missing documentation comment

f46c360e

2018-03-22T23:27:24

docs: move callback-specific documentation to the callback

efad967a

2018-03-22T23:27:23

docs: fix some comment-marker typos

96576372

2018-03-22T23:27:21

docs: fix more missing includes

84bcae6c

2018-03-22T23:27:20

docs: add buffer.h & oid.h to types.h Otherwise docurium/clang chokes on the types, and ignores the documentation comments altogether.

81ea9957

2018-05-07T15:36:40

Merge pull request #4630 from tiennou/fix/worktree-from-bare Worktrees can be made from bare repositories

a82082d0

2018-04-20T08:38:50

worktree: a worktree can be made from a bare repository

c7964c22

2018-04-18T22:40:46

repository: being a worktree means we're not really bare We were previously conflating any error into GIT_ENOTFOUND, which might or might not be correct. This fixes the code so a config error is bubbled up, as well as preserving the semantics in the face of worktree-repositories

a5723236

2018-05-07T13:46:55

Merge pull request #4605 from cjhoward92/docs/cli-differences docs: add documentation to state differences from the git cli

bb468ada

2018-05-07T13:44:15

Merge pull request #4542 from stanhu/sh-sanitize-utf8-hunk-header Sanitize the hunk header to ensure it contains UTF-8 valid data

9d83a2b0

2018-02-22T22:55:50

Sanitize the hunk header to ensure it contains UTF-8 valid data The diff driver truncates the hunk header text to 80 bytes, which can truncate 4-byte Unicode characters and introduce garbage characters in the diff output. This change sanitizes the hunk header before it is displayed. This mirrors the test in git: https://github.com/git/git/blob/master/t/t4025-hunk-header.sh Closes https://github.com/libgit2/rugged/issues/716

0c6f631c

2018-05-04T16:20:29

Merge pull request #4380 from cjhoward92/examples/ls-files examples: ls-files: add ls-files to list paths in the index

1bf57b5a

2018-05-04T15:27:11

tests: iterator::workdir: fix GCC warning Since GCC 8.1, the compiler performs some bounds checking when copying static data into arrays with a known size. In one test, we print a format string of "%s/sub%02d" into a buffer of 64 bytes. The input buffer for the first "%s" is bounded to at most 63 characters, plus four bytes for the static string "/sub" plus two more bytes for "%02d". Thus, our target buffer needs to be at least 70 bytes in size, including the NUL byte. There seems to be a bug in the analysis, though, because GCC will not account for the limiting "%02" prefix, treating it as requiring the same count of bytes as a "%d". Thus, we end up at 79 bytes that are required to fix the warning. To make it look nicer and less special, we just round the buffer size up to 80 bytes.

0750d0cc

2018-05-04T15:25:22

tests: refs::normalize: simplify code to avoid GCC warning Since version 8.1, GCC will do some automatic bounds checking when printing static content into a buffer with known size. The bounds checking doesn't yet work quite right in all scenarios and may thus lead to false positives. Fix one of these false positives in refs::normalize by simplifying the code.

ba5e39ac

2018-05-04T15:25:11

streams: openssl: fix bogus warning on unused parameter Our provided callback function `threadid_cb(CRYPTO_THREADID *threadid)` sets up a unique thread ID by asking pthread for the current thread ID. Since openssl version 1.1, `CRYPTO_THREADID_set_numeric` is simply a no-op macro, leaving the `threadid` argument unused after the preprocessor has processed the macro. GCC does not account for that situation and will thus complain about `threadid` being unused. Silence this warning by using `GIT_UNUSED(threadid)`.

0933fdc5

2018-05-04T13:40:54

global: adjust init count under lock Our global initialization functions `git_libgit2_init()` and `git_libgit2_shutdown()` both adjust a global init counter to determine whether we are the first respectively last user of libgit2. On Unix-systems do not do so under lock, though, which opens the possibility of a race between these two functions: Thread 1 Thread 2 git__n_inits = 0; git_libgit2_init(); git_atomic_inc(&git__n_inits); /* git__n_inits == 1 */ git_libgit2_shutdown(); if (git_atomic_dec(&git__n_inits) != 0) /* git__n_inits == 0, no early exit here */ pthread_mutex_lock(&_init_mutex); shutdown_common(); pthread_mutex_unlock(&_init_mutex); pthread_mutex_lock(&_init_mutex); init_once(); pthread_mutex_unlock(&_init_mutex); So we can end up in a situation where we try to shutdown shared data structures before they have been initialized. Fix the race by always locking `_init_mutex` before incrementing or decrementing `git__n_inits`.

8aa437ef

2018-05-02T07:55:26

tests: ls-files: use puts instead of printf and fix typos

77799325

2018-05-02T07:46:53

docs: update differences-from-git to be more concise

26a09a93

2018-04-30T21:34:36

Merge pull request #4608 from pks-t/pks/openssl-api-cleanup OpenSSL legacy API cleanups

7553763a

2018-04-30T13:03:44

submodule: add a failing test for a submodule escaping .git/modules We should pretend such submdules do not exist as it can lead to RCE.

173a0375

2018-02-08T23:50:14

openssl: remove leftover #ifdef This is the "OpenSSL available" global init function after all

b33b6d33

2018-04-30T09:27:47

Merge pull request #4640 from mkeeler/worktree-convenience2 worktree: add functions to get name and path

20a2b02d

2018-04-18T19:23:40

refdb_fs: enable root arbitration for fixed portion of globs A glob used for iteration may start with an entire path containing no special characters. If we start scanning for references within that path rather than in `refs/`, we may end up scanning only a small fraction of all references.

27e98cf7

2018-04-18T19:21:22

refdb_fs: prepare arbitration of the root used for ref iteration Instead of a hardcoded "refs", we may choose a different directory within the git directory as the root from which we look for references.

5ace1494

2018-04-26T11:45:38

Merge pull request #4633 from csware/worktree-delereref Fix deletion of unrelated branch on worktree

3da1ad20

2018-04-24T17:09:34

worktree: add functions to get name and path

45a3b9cd

2018-04-24T17:12:49

tests: fix issue with /tmp paths on macOS[1]

86353a72

2018-04-22T14:57:02

Merge pull request #4173 from tiennou/mbedtls mbedTLS support

5d346c11

2018-04-22T14:51:00

Merge pull request #4525 from pks-t/pks/config-iterate-in-order Configuration entry iteration in order

2b967226

2018-04-22T14:43:18

Merge pull request #4580 from pks-t/pks/diff-like-git-coalesce blame_git: fix coalescing step never being executed

0ad2372b

2018-04-20T21:25:01

Merge pull request #4636 from tiennou/fix/leaks Fix leaks in master

232dd4de

2018-04-20T20:36:31

Merge pull request #4635 from tiennou/fix/leaks-v0.27.1 Leak fixes for v0.27.1

8d138f89

2018-04-20T20:28:48

Merge pull request #4577 from csware/reflog-worktree-head worktree: Read worktree specific reflog for HEAD

25100d6d

2018-04-19T19:17:07

tests: free the worktree in add_with_explicit_branch Valgrind log: ==2711== 305 (48 direct, 257 indirect) bytes in 1 blocks are definitely lost in loss record 576 of 624 ==2711== at 0x4C2CC70: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==2711== by 0x5E079E: git__calloc (util.h:99) ==2711== by 0x5E0D21: open_worktree_dir (worktree.c:134) ==2711== by 0x5E0F23: git_worktree_lookup (worktree.c:176) ==2711== by 0x5E1972: git_worktree_add (worktree.c:388) ==2711== by 0x551F23: test_worktree_worktree__add_with_explicit_branch (worktree.c:292) ==2711== by 0x45853E: clar_run_test (clar.c:222) ==2711== by 0x4587E1: clar_run_suite (clar.c:286) ==2711== by 0x458B04: clar_parse_args (clar.c:362) ==2711== by 0x458CAB: clar_test_run (clar.c:428) ==2711== by 0x45665C: main (main.c:24)

592b200c

2018-04-18T21:41:44

refspec: check for valid parameters in git_refspec__dwim_one CID:1383993, "In git_refspec__dwim_one: All paths that lead to this null pointer comparison already dereference the pointer earlier (CWE-476)"

thodg/libgit2

Log