Log

Author Commit Date CI Message
Carlos Martín Nieto 9e723db8 2018-05-24T20:28:36 submodule: plug leaks from the escape detection
Carlos Martín Nieto c16ebaa6 2018-05-24T19:05:59 submodule: replace index with strchr which exists on Windows
Carlos Martín Nieto 91a4849d 2018-05-24T19:00:13 submodule: the repository for _name_is_valid should not be const We might modify caches due to us trying to load the configuration to figure out what kinds of filesystem protections we should have.
Carlos Martín Nieto 1f570a29 2018-05-23T08:40:17 path: check for a symlinked .gitmodules in fs-agnostic code We still compare case-insensitively to protect more thoroughly as we don't know what specifics we'll see on the system and it's the behaviour from git.
Carlos Martín Nieto 3fbfae26 2018-05-22T20:37:23 checkout: change symlinked .gitmodules file test to expect failure When dealing with `core.protectNTFS` and `core.protectHFS` we do check against `.gitmodules` but we still have a failing test as the non-filesystem codepath does not check for it.
Carlos Martín Nieto a7168b47 2018-05-22T16:13:47 path: reject .gitmodules as a symlink Any part of the library which asks the question can pass in the mode to have it checked against `.gitmodules` being a symlink. This is particularly relevant for adding entries to the index from the worktree and for checking out files.
Carlos Martín Nieto 58ff913a 2018-05-22T15:48:38 index: stat before creating the entry This is so we have it available for the path validity checking. In a later commit we will start rejecting `.gitmodules` files as symlinks.
Carlos Martín Nieto 02c80ad7 2018-05-22T15:21:08 path: accept the name length as a parameter We may take in names from the middle of a string so we want the caller to let us know how long the path component is that we should be checking.
Carlos Martín Nieto a145f2b6 2018-05-22T14:16:45 checkout: add a failing test for refusing a symlinked .gitmodules We want to reject these as they cause compatibility issues and can lead to git writing to files outside of the repository.
Carlos Martín Nieto 490cbaa9 2018-05-22T13:58:24 path: expose dotgit detection functions per filesystem These will be used by the checkout code to detect them for the particular filesystem they're on.
Carlos Martín Nieto 177dcfc7 2018-05-18T15:16:53 path: hide the dotgit file functions These can't go into the public API yet as we don't want to introduce API or ABI changes in a security release.
Carlos Martín Nieto 0aa65f8d 2018-05-16T15:56:04 path: add functions to detect .gitconfig and .gitattributes
Carlos Martín Nieto 9de97ae7 2018-05-16T15:42:08 path: add a function to detect a .gitmodules file Given a path component it knows what to pass to the filesystem-specific functions so we're protected even from trees which try to use the 8.3 naming rules to get around us matching on the filename exactly. The logic and test strings come from the equivalent git change.
Carlos Martín Nieto 22973e09 2018-05-16T14:47:04 path: provide a generic function for checking dotgit files on NTFS It checks against the 8.3 shortname variants, including the one which includes the checksum as part of its name.
Carlos Martín Nieto 0283fc46 2018-05-16T11:56:04 path: provide a generic dotgit checking function for HFS This lets us check for other kinds of reserved files.
Carlos Martín Nieto 397abe98 2018-05-14T16:03:15 submodule: also validate Windows-separated paths for validity Otherwise we would also admit `..\..\foo\bar` as a valid path and fail to protect Windows users. Ideally we would check for both separators without the need for the copied string, but this'll get us over the RCE.
Carlos Martín Nieto 6b15ceac 2018-04-30T13:47:15 submodule: ignore submodules which include path traversal in their name If we decide that the "name" of the submodule (i.e. its path inside `.git/modules/`) is trying to escape that directory or otherwise trick us, we ignore the configuration for that submodule. This leaves us with a half-configured submodule when looking it up by path, but it's the same result as if the configuration really were missing. The name check is potentially more strict than it needs to be, but it lets us re-use the check we're doing for the checkout. The function that encapsulates this logic is ready to be exported but we don't want to do that in a security release so it remains internal for now.
Carlos Martín Nieto 7553763a 2018-04-30T13:03:44 submodule: add a failing test for a submodule escaping .git/modules We should pretend such submodules do not exist as it can lead to RCE.
Edward Thomson 86353a72 2018-04-22T14:57:02 Merge pull request #4173 from tiennou/mbedtls mbedTLS support
Edward Thomson 5d346c11 2018-04-22T14:51:00 Merge pull request #4525 from pks-t/pks/config-iterate-in-order Configuration entry iteration in order
Edward Thomson 2b967226 2018-04-22T14:43:18 Merge pull request #4580 from pks-t/pks/diff-like-git-coalesce blame_git: fix coalescing step never being executed
Patrick Steinhardt 0ad2372b 2018-04-20T21:25:01 Merge pull request #4636 from tiennou/fix/leaks Fix leaks in master
Patrick Steinhardt 232dd4de 2018-04-20T20:36:31 Merge pull request #4635 from tiennou/fix/leaks-v0.27.1 Leak fixes for v0.27.1
Patrick Steinhardt 8d138f89 2018-04-20T20:28:48 Merge pull request #4577 from csware/reflog-worktree-head worktree: Read worktree specific reflog for HEAD
Etienne Samson 25100d6d 2018-04-19T19:17:07 tests: free the worktree in add_with_explicit_branch Valgrind log: ==2711== 305 (48 direct, 257 indirect) bytes in 1 blocks are definitely lost in loss record 576 of 624 ==2711== at 0x4C2CC70: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==2711== by 0x5E079E: git__calloc (util.h:99) ==2711== by 0x5E0D21: open_worktree_dir (worktree.c:134) ==2711== by 0x5E0F23: git_worktree_lookup (worktree.c:176) ==2711== by 0x5E1972: git_worktree_add (worktree.c:388) ==2711== by 0x551F23: test_worktree_worktree__add_with_explicit_branch (worktree.c:292) ==2711== by 0x45853E: clar_run_test (clar.c:222) ==2711== by 0x4587E1: clar_run_suite (clar.c:286) ==2711== by 0x458B04: clar_parse_args (clar.c:362) ==2711== by 0x458CAB: clar_test_run (clar.c:428) ==2711== by 0x45665C: main (main.c:24)
Etienne Samson 592b200c 2018-04-18T21:41:44 refspec: check for valid parameters in git_refspec__dwim_one CID:1383993, "In git_refspec__dwim_one: All paths that lead to this null pointer comparison already dereference the pointer earlier (CWE-476)"
Etienne Samson df4937b8 2018-04-18T20:57:16 remote: repo is optional here As per CID:1378747, we might be called with a NULL repo, which would be dereferenced in write_add_refspec
Etienne Samson 8122ef98 2018-04-19T01:08:18 worktree: fix calloc of the wrong object type
Etienne Samson 836ec316 2018-04-19T01:05:05 local: fix a leaking reference when iterating over a symref Valgrind log : ==17702== 18 bytes in 1 blocks are indirectly lost in loss record 69 of 1,123 ==17702== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==17702== by 0x5FDBB49: strdup (strdup.c:42) ==17702== by 0x632B3E: git__strdup (util.h:106) ==17702== by 0x632D2C: git_reference__alloc_symbolic (refs.c:64) ==17702== by 0x62E0AF: loose_lookup (refdb_fs.c:408) ==17702== by 0x62E636: refdb_fs_backend__iterator_next (refdb_fs.c:565) ==17702== by 0x62CD8E: git_refdb_iterator_next (refdb.c:147) ==17702== by 0x6347F2: git_reference_next (refs.c:838) ==17702== by 0x6345CB: git_reference_foreach (refs.c:748) ==17702== by 0x66BE62: local_download_pack (local.c:579) ==17702== by 0x5DB48F: git_fetch_download_pack (fetch.c:148) ==17702== by 0x639028: git_remote_download (remote.c:932) ==17702== by 0x63919A: git_remote_fetch (remote.c:969) ==17702== by 0x4ABEDD: test_fetchhead_nonetwork__fetch_into_repo_with_symrefs (nonetwork.c:362) ==17702== by 0x4125D9: clar_run_test (clar.c:222) ==17702== by 0x41287C: clar_run_suite (clar.c:286) ==17702== by 0x412DDE: clar_test_run (clar.c:433) ==17702== by 0x4105E1: main (main.c:24)
Patrick Steinhardt 709e099c 2018-04-20T11:00:46 Merge pull request #4631 from andreasbaumann/struct_stat_file_offset_bits fixed stack smashing due to wrong size of struct stat on the stack
Andreas Baumann fac7eac4 2018-04-19T15:21:52 fixed stack smashing due to wrong size of struct stat on the stack on 32-bit systems with 64-bit file descriptor offsets enabled (added -D_FILE_OFFSET_BITS=64 when compiling the test suite)
Edward Thomson d906a879 2018-04-17T23:39:54 Merge pull request #4476 from pks-t/pks/backport-script scripts: add backporting script
Edward Thomson 8529ac9b 2018-04-17T23:38:46 Merge pull request #4524 from pks-t/pks/worktree-refs worktree: add ability to create worktree with pre-existing branch
Edward Thomson 1fd26760 2018-04-17T23:33:06 Merge pull request #4618 from tiennou/fix/pwned-references refs: preserve the owning refdb when duping reference
Edward Thomson d7f413c0 2018-04-17T20:07:36 crlf: update CHANGELOG
Edward Thomson 99ec4fdb 2018-04-17T20:06:30 crlf: wrap line
Edward Thomson 2ad24a4e 2018-04-17T20:05:35 tests: add information about the crlf data generator The CRLF data generator is somewhat obscure; add information about how to use it and what it does.
Sven Strickroth a5115842 2017-01-28T18:31:11 crlf: update checkout logic to reflect Git 2.9+ behaviour Signed-off-by: Sven Strickroth <email@cs-ware.de>
Sven Strickroth ad5a696e 2017-01-28T17:11:55 tests: crlf: update POSIX test data to reflect Git 2.9+ behavior Update with vanilla Git 2.11.0 on Debian Signed-off-by: Sven Strickroth <email@cs-ware.de>
Sven Strickroth f65eea44 2017-01-28T17:08:59 tests: crlf: update Windows test data to reflect Git 2.9+ behavior Update with "git version 2.11.0.windows.3" Signed-off-by: Sven Strickroth <email@cs-ware.de>
Edward Thomson 286a6765 2018-04-17T14:32:56 Merge pull request #4522 from csware/submodules-should-report-parse-errors Submodules-API should report .gitmodules parse errors instead of ignoring them
Edward Thomson e5f32e81 2018-04-17T00:08:20 Merge pull request #4514 from tiennou/fix/pkt-type-enum Typedef git_pkt_type and clarify recv_pkt return type
Edward Thomson fd634019 2018-04-16T15:42:35 Merge pull request #4556 from libgit2/ethomson/proxy_pass_in_env online::clone: validate user:pass in HTTP_PROXY
Edward Thomson 17339cb3 2018-04-16T15:35:56 Merge pull request #4596 from pks-t/pks/ssh-disconnect transports: ssh: disconnect session before freeing it
Edward Thomson 1926163a 2018-04-16T15:33:43 Merge pull request #4622 from pks-t/pks/revwalk-hide-newer-parents revwalk: fix uninteresting revs sometimes not limiting graphwalk
Edward Thomson 69870a67 2018-04-16T15:19:37 Merge pull request #4614 from pks-t/pks/gitignore-trailing-spaces attr_file: fix handling of directory patterns with trailing spaces
Patrick Steinhardt 54fd80e3 2018-04-12T13:32:27 revwalk: fix uninteresting revs sometimes not limiting graphwalk When we want to limit our graphwalk, we use the heuristic of checking whether the newest limiting (uninteresting) revision is newer than the oldest interesting revision. We do so by inspecting whether the first item's commit time of the user-supplied list of revisions is newer than the last added interesting revision. This is wrong though, as the user supplied list is in no way guaranteed to be sorted by increasing commit dates. This could lead us to abort the revwalk early before applying all relevant limiting revisions, outputting revisions which should in fact have been hidden. Fix the heuristic by instead checking whether _any_ of the limiting commits was made earlier than the last interesting commit. Add a test.
Patrick Steinhardt c587d806 2018-04-12T09:11:26 Merge pull request #4613 from pks-t/pks/local-fetch-symrefs transports: local: fix assert when fetching into repo with symrefs
Patrick Steinhardt 251d8771 2018-04-06T12:24:10 attr_file: fix handling of directory patterns with trailing spaces When comparing whether a path matches a directory rule, we pass both the path and directory name to `fnmatch` with `GIT_ATTR_FNMATCH_DIRECTORY` being set. `fnmatch` expects the pattern to contain no trailing directory '/', which is why we try to always strip patterns of trailing slashes. We do not handle that case correctly though when the pattern itself has trailing spaces, causing the match to fail. Fix the issue by stripping trailing spaces and tabs for a rule previous to checking whether the pattern is a directory pattern with a trailing '/'. This replaces the whitespace-stripping in our ignore file parsing code, which was stripping whitespaces too late. Add a test to catch future breakage.
Etienne Samson 13a77274 2018-02-26T21:33:55 smart: typo
Etienne Samson 2cf9b84c 2018-04-11T19:13:42 smart: free the pkt when we fail to store it
Etienne Samson 32586d5e 2018-04-11T19:03:57 smart: separate error handling from pkt handling
Etienne Samson 01381149 2018-02-26T21:27:10 smart: make out arguments explicit on recv_pkt
Etienne Samson 08961c9d 2017-08-22T16:29:07 smart: typedef git_pkt_type and clarify recv_pkt return type
Etienne Samson cb2da47e 2018-03-29T22:14:17 travis: pass -fPIC when configuring mbedtls
Etienne Samson ec79b0fd 2018-03-29T22:14:04 mbedtls: fix libgit2 hanging due to incomplete writes
Etienne Samson 2419cccd 2018-03-29T22:14:02 mbedtls: default cipher list support
Etienne Samson 60e1ad92 2018-03-29T22:14:01 mbedtls: add global initialization
Etienne Samson 6c6be3ce 2018-03-29T22:13:59 mbedtls: use libmbedcrypto for hashing
Etienne Samson 1a1875f3 2018-03-29T22:13:58 mbedtls: proper certificate verification
Etienne Samson ca3b2234 2018-03-29T22:13:56 mbedtls: initial support
Etienne Samson 10aff3d5 2018-03-29T22:14:15 travis: just grab what we need from mbedtls
Etienne Samson 54554757 2018-03-29T22:14:14 cmake: make our preferred backend ordering consistent
Etienne Samson e3d764a4 2018-03-29T22:14:12 tests: clarify comment
Etienne Samson b3e0280d 2018-03-29T22:14:11 mbedtls: display error codes as hex for consistency with mbedTLS docs Remaining parts of https://github.com/JuliaLang/julia/blob/8d47a314537779c8fb86642c54925613628a91b0/deps/patches/libgit2-mbedtls-fixup.patch
Etienne Samson 382ed1e8 2018-03-29T22:14:09 mbedtls: load default CA certificates
Etienne Samson 1edde0bc 2018-03-29T22:14:08 mbedtls: use mbedTLS certificate verification Taken from https://github.com/JuliaLang/julia/blob/8d47a314537779c8fb86642c54925613628a91b0/deps/patches/libgit2-mbedtls-verify.patch, with some modifications.
Etienne Samson 4165bb7f 2018-03-29T22:14:06 mbedtls: use our own certificate validation Otherwise REQUIRED means that `git_stream_certificate` will always error. We're doing the mbedtls check in verify_server_cert though.
Etienne Samson 262dfcf0 2018-03-29T22:14:05 mbedtls: enable Travis CI tests
Etienne Samson 2dc54855 2018-04-10T23:49:44 tests: ensure worktrees' head have owners too
Etienne Samson 5e19a7f9 2018-04-10T21:16:43 refs: preserve the owning refdb when duping reference This fixes a segfault in git_reference_owner on references returned from git_reference__read_head and git_reference_dup ones.
Patrick Steinhardt 6c55fbf3 2018-04-06T10:39:16 transports: local: fix assert when fetching into repo with symrefs When fetching into a repository which has symbolic references via the "local" transport we run into an assert. The assert is being triggered while we negotiate the packfile between the two repositories. When hiding known revisions from the packbuilder revwalk, we unconditionally hide all references of the local refdb. In case one of these references is a symbolic reference, though, this means we're trying to hide a `NULL` OID, which triggers the assert. Fix the issue by only hiding OID references from the revwalk. Add a test to catch this issue in the future.
Patrick Steinhardt 0eca4230 2018-04-06T10:03:09 Merge pull request #4597 from cjhoward92/fix/cert-check-docs remote/proxy: fix git_transport_certificate_check_db description
Patrick Steinhardt a57f42ac 2018-04-06T09:40:34 Merge pull request #4587 from rcjsuen/patch-2 Flag options in describe.h as being optional
Patrick Steinhardt 83d6327d 2018-04-06T09:39:03 Merge pull request #4611 from erikvanzijst/erik/status_char diff: Add missing GIT_DELTA_TYPECHANGE -> 'T' mapping.
Patrick Steinhardt e0af6d12 2018-04-06T09:33:38 Merge pull request #4609 from pks-t/pks/appveyor-kxe-typo appveyor: fix typo in registry key to disable DHE
Erik van Zijst cd6a4323 2018-04-04T21:29:03 typo: Fixed a trivial typo in test function.
Erik van Zijst bc5ced66 2018-04-04T21:28:31 diff: Add missing GIT_DELTA_TYPECHANGE -> 'T' mapping. This adds the 'T' status character to git_diff_status_char() for diff entries that change type.
Patrick Steinhardt 3a72b0e2 2018-04-03T12:31:35 appveyor: fix typo in registry key to disable DHE Commit 723e1e976 (appveyor: disable DHE to avoid spurious failures, 2018-03-29) added a workaround to fix spurious test failures due to a bug in Windows' SChannel implementation. The workaround only worked by accident, though, as the registry key was in fact mistyped. Fix the typo.
Patrick Steinhardt d9007dc8 2018-04-03T11:36:27 Merge pull request #4607 from Sp1l/private/fix-libressl-2.7 Fix build with LibreSSL 2.7
Patrick Steinhardt c42261a3 2018-04-03T09:38:38 Merge pull request #4603 from pks-t/pks/appveyor-winhttp-workaround appveyor: workaround for intermittent test failures
Patrick Steinhardt b5e0cfa7 2018-04-03T09:32:33 Merge pull request #4601 from bgermann/master sha1dc: update to fix errors with endianness
Bernard Spil 7490d449 2018-04-02T20:00:07 Fix build with LibreSSL 2.7 LibreSSL 2.7 adds OpenSSL 1.1 API Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>
Patrick Steinhardt dc27772c 2018-03-30T13:12:26 Merge pull request #4378 from cjhoward92/fix/submodule-add-check-index submodule: check index for path and prefix before adding submodule
Edward Thomson b3c3415d 2018-03-29T14:20:21 Merge pull request #4602 from pks-t/pks/mempack-memleak odb: mempack: fix leaking objects when freeing mempacks
Patrick Steinhardt 723e1e97 2018-03-29T13:35:27 appveyor: disable DHE to avoid spurious failures Our CI builds have intermittent failures in our online tests, e.g. with the message "A provided buffer was too small". This is not a programming error in libgit2 but rather an error in the SChannel component of Windows. Under certain circumstances involving Diffie-Hellman key exchange, SChannel is unable to correctly handle input from the server. This bug has already been fixed in recent patches for Windows 10 and Windows Server 2016, but they are not yet available for AppVeyor. Manually pamper over that issue by disabling all ciphersuites using DHE via the registry. While this disables more ciphers than necessary, we really don't care for that at all but just want to avoid build failures due to that bug. See [1], [2] or [3] for additional information. 1: https://github.com/aws/aws-sdk-cpp/issues/671 2: https://github.com/dotnet/corefx/issues/7812 3: https://support.microsoft.com/en-us/help/2992611/ms14-066-vulnerability-in-schannel-could-allow-remote-code-execution-n
Patrick Steinhardt fbe52fa3 2018-03-29T10:18:51 util: fix missing headers for MinGW environments There are multiple references to undefined functions in the Microsoft builds. Add headers to make them known.
Patrick Steinhardt b6276ae0 2018-03-29T09:15:48 odb: mempack: fix leaking objects when freeing mempacks When a ODB mempack gets free'd, we take no measures at all to free its contents, most notably the objects added to the database, resulting in a memory leak. Call `git_mempack_reset` previous to freeing the ODB structures themselves, which takes care of releasing all associated data structures.
bgermann c9e5ba09 2018-03-28T17:37:39 sha1dc: update to fix errors with endianness This updates the version of SHA1DC to c3e1304ea3.
Carson Howard 69a282da 2018-03-28T06:48:55 submodule: add more robust error handling when a submodule path is found on add
Patrick Steinhardt 75203d03 2018-03-16T11:18:02 blame_git: fix coalescing step never being executed Since blame has been imported from git.git and had its first share of refactorings in b6f60a4d9 (Clean up ported code, 2013-09-21), the code is actually not doing the coalescing step of the generated blame. While the code to do the coalescing does exist, it is never being called as the function `git_blame__like_git` will directly return from its `while (true)` loop. The function that was being imported from git.git was the `assign_blame` function from "builtin/blame.c" from 717d1462b (git-blame --incremental, 2007-01-28), which hasn't really changed much. Upon taking an initial look, one can see that `coalesce` is actually never getting called in `assign_blame`, as well, so one may assume that not calling `coalesce` by accident is actually the right thing. But it is not, as `coalesce` is being called ever since cee7f245d (git-pickaxe: blame rewritten., 2006-10-19) after the blame has been done in the caller of `assign_blame`. Thus we can conclude the code of libgit2 is actually buggy since forever. To fix the issue, simply break out of the loop instead of doing a direct return. Note that this does not alter behaviour in any way visible to our tests, which is unfortunate. But in order to not diverge from what git.git does, I'd rather adapt to how it is being done upstream in order to avoid breaking certain edge cases than to just remove that code.
Patrick Steinhardt 9e8bc726 2018-03-28T08:55:59 Merge pull request #4598 from cjhoward92/fix/remove-unused-merge-result types: remove unused git_merge_result
Carson Howard 370ecdb2 2018-03-27T10:10:09 types: remove unused git_merge_result `git_merge_result` is currently unused in the codebase and generates a blank page in the [documentation](https://libgit2.github.com/libgit2/#HEAD/type/git_merge_result).
Carson Howard e6c720ea 2018-03-27T10:05:21 remote/proxy: fix git_transport_certificate_check_db comment
Sven Strickroth eb0a3afd 2018-03-11T15:35:56 worktree: Read worktree specific reflog for HEAD Signed-off-by: Sven Strickroth <email@cs-ware.de>
Sven Strickroth e55b5373 2018-02-08T12:36:47 Submodule API should report .gitmodules parse errors Signed-off-by: Sven Strickroth <email@cs-ware.de>
Carson Howard c07abd65 2018-03-27T07:37:34 submodule: add better error handling to is_path_occupied
Carson Howard b282ca79 2018-01-06T10:57:32 submodule: change can_add_submodule to is_path_occupied
Carson Howard 677d393c 2017-12-18T10:28:37 tests: submodule: insert index entries directly into index
Carson Howard ef9a7749 2017-11-19T20:59:59 submodule: update index check to check path before directory and fix tests