Log

Author Commit Date CI Message
Carlos Martín Nieto ed95962b 2018-05-24T21:58:40 path: hand-code the zero-width joiner as UTF-8
Carlos Martín Nieto cfed1be8 2018-05-24T20:28:36 submodule: plug leaks from the escape detection
Carlos Martín Nieto a3df20cf 2018-05-24T19:00:13 submodule: the repository for _name_is_valid should not be const We might modify caches due to us trying to load the configuration to figure out what kinds of filesystem protections we should have.
Carlos Martín Nieto 08d4b459 2018-05-22T15:48:38 index: stat before creating the entry This is so we have it available for the path validity checking. In a later commit we will start rejecting `.gitmodules` files as symlinks.
Carlos Martín Nieto a9e60994 2018-05-23T08:40:17 path: check for a symlinked .gitmodules in fs-agnostic code We still compare case-insensitively to protect more thoroughly as we don't know what specifics we'll see on the system and it's the behaviour from git.
Carlos Martín Nieto f650153a 2018-05-24T19:05:59 submodule: replace index with strchr which exists on Windows
Carlos Martín Nieto be20626a 2018-05-22T20:37:23 checkout: change symlinked .gitmodules file test to expect failure When dealing with `core.protectNTFS` and `core.protectHFS` we do check against `.gitmodules` but we still have a failing test as the non-filesystem codepath does not check for it.
Carlos Martín Nieto aa003557 2018-05-22T16:13:47 path: reject .gitmodules as a symlink Any part of the library which asks the question can pass in the mode to have it checked against `.gitmodules` being a symlink. This is particularly relevant for adding entries to the index from the worktree and for checking out files.
Carlos Martín Nieto 37dc60b6 2018-05-16T11:56:04 path: provide a generic dotgit checking function for HFS This lets us check for other kinds of reserved files.
Carlos Martín Nieto 916af8ea 2018-05-14T16:03:15 submodule: also validate Windows-separated paths for validity Otherwise we would also admit `..\..\foo\bar` as a valid path and fail to protect Windows users. Ideally we would check for both separators without the need for the copied string, but this'll get us over the RCE.
Carlos Martín Nieto c7cac088 2018-05-22T15:21:08 path: accept the name length as a parameter We may take in names from the middle of a string so we want the caller to let us know how long the path component is that we should be checking.
Carlos Martín Nieto e6c757a7 2018-04-30T13:47:15 submodule: ignore submodules which include path traversal in their name If we decide that the "name" of the submodule (i.e. its path inside `.git/modules/`) is trying to escape that directory or otherwise trick us, we ignore the configuration for that submodule. This leaves us with a half-configured submodule when looking it up by path, but it's the same result as if the configuration really were missing. The name check is potentially more strict than it needs to be, but it lets us re-use the check we're doing for the checkout. The function that encapsulates this logic is ready to be exported but we don't want to do that in a security release so it remains internal for now.
Carlos Martín Nieto 6442f1f1 2018-04-30T13:03:44 submodule: add a failing test for a submodule escaping .git/modules We should pretend such submodules do not exist as it can lead to RCE.
Carlos Martín Nieto ed357be1 2018-05-22T14:16:45 checkout: add a failing test for refusing a symlinked .gitmodules We want to reject these as they cause compatibility issues and can lead to git writing to files outside of the repository.
Carlos Martín Nieto d7ee21ee 2018-05-22T13:58:24 path: expose dotgit detection functions per filesystem These will be used by the checkout code to detect them for the particular filesystem they're on.
Carlos Martín Nieto f907a6f5 2018-05-18T15:16:53 path: hide the dotgit file functions These can't go into the public API yet as we don't want to introduce API or ABI changes in a security release.
Carlos Martín Nieto 0cc14627 2018-05-16T15:56:04 path: add functions to detect .gitconfig and .gitattributes
Carlos Martín Nieto 26b3cec0 2018-05-16T15:42:08 path: add a function to detect a .gitmodules file Given a path component it knows what to pass to the filesystem-specific functions so we're protected even from trees which try to use the 8.3 naming rules to get around us matching on the filename exactly. The logic and test strings come from the equivalent git change.
Carlos Martín Nieto dd364dde 2018-05-16T14:47:04 path: provide a generic function for checking dotgit files on NTFS It checks against the 8.3 shortname variants, including the one which includes the checksum as part of its name.
Edward Thomson 6311e886 2018-03-23T07:38:34 Merge pull request #4594 from pks-t/pks/mempack-assert odb: fix writing to fake write streams
Patrick Steinhardt a52b4c51 2018-03-23T09:59:46 odb: fix writing to fake write streams In commit 7ec7aa4a7 (odb: assert on logic errors when writing objects, 2018-02-01), the check for whether we are trying to overflow the fake stream buffer was changed from returning an error to raising an assert. The conversion forgot though that the logic around `assert`s is basically inverted. Previously, if the statement `stream->written + len > stream->size` evaluated to true, we would return a `-1`. Now we are asserting that this statement is true, and in case it is not we will raise an error. So the conversion to the `assert` in fact changed the behaviour to the complete opposite intention. Fix the assert by inverting its condition again and add a regression test.
Patrick Steinhardt 904307af 2018-03-23T09:58:57 tests: add tests for the mempack ODB backend Our mempack ODB backend has no test coverage at all right now. Add a simple test suite to at least have some coverage of the most basic operations on the ODB.
Edward Thomson 72e60347 2018-03-20T23:16:36 Merge pull request #4588 from libgit2/ethomson/bitbucket online tests: update auth for bitbucket test
Edward Thomson 54bf4d14 2018-03-20T07:47:27 online tests: update auth for bitbucket test Update the settings to use a specific read-only token for accessing our test repositories in Bitbucket.
Edward Thomson 5585e358 2018-03-20T00:59:21 Merge pull request #4563 from libgit2/ethomson/ssh-unescape Refactor `gitno_extract_url_parts`
Steven King Jr 30333e82 2018-02-28T13:00:04 Update tests
Steven King Jr 16210877 2018-02-28T12:59:47 Unescape repo before constructing ssh request
Steven King Jr 8a2cdbd3 2018-02-28T12:58:58 Rename unescape and make non-static
Edward Thomson 9108959a 2018-03-14T15:03:35 buf: add tests for percent decoding
Edward Thomson 0e4f3d9d 2018-03-03T21:47:22 gitno_extract_url_parts: decode hostnames RFC 3986 says that hostnames can be percent encoded. Percent decode hostnames in our URLs.
Edward Thomson 05551ca0 2018-03-03T20:14:54 Remove now unnecessary `gitno_unescape`
Edward Thomson 60e7848e 2018-03-03T20:13:30 gitno_extract_url_parts: use `git_buf`s Now that we can decode percent-encoded strings as part of `git_buf`s, use that decoder in `gitno_extract_url_parts`.
Edward Thomson 6f577906 2018-03-03T20:09:09 ssh urls: use `git_buf_decode_percent` Use `git_buf_decode_percent` so that we can avoid allocating a temporary buffer.
Edward Thomson 8070a357 2018-03-03T18:47:35 Introduce `git_buf_decode_percent` Introduce a function to take a percent-encoded string (URI encoded, described by RFC 1738) and decode it into a `git_buf`.
Edward Thomson 31985775 2018-03-19T23:07:44 Merge pull request #4584 from libgit2/ethomson/bitbucket online::clone: skip creds fallback test
Edward Thomson 03c58778 2018-03-19T09:20:35 online::clone: skip creds fallback test At present, we have three online tests against bitbucket: one which specifies the credentials in the payload, one which specifies the correct credentials in the URL and a final one that specifies the incorrect credentials in the URL. Bitbucket has begun responding to the latter test with a 403, which causes us to fail. Break these three tests into separate tests so that we can skip the latter until this is resolved on Bitbucket's end or until we can change the test to a different provider.
Patrick Steinhardt 937e7e26 2018-03-13T13:04:38 Merge pull request #4544 from josharian/docs pathspec: improve git_pathspec_flag_t doc rendering
Edward Thomson 7b66bfe2 2018-03-12T10:09:49 Merge pull request #4575 from pks-t/pks/index-secfixes-master Index parsing fixes
Edward Thomson 358cc2e2 2018-03-12T09:50:00 Merge pull request #4396 from libgit2/cmn/config-regex-is-normalised config: specify how we match the regular expressions
Carlos Martín Nieto 2f89bd90 2018-03-11T12:36:13 config: explicitly state that subsections are case-sensitive
Patrick Steinhardt 3db1af1f 2018-03-08T12:36:46 index: error out on unreasonable prefix-compressed path lengths When computing the complete path length from the encoded prefix-compressed path, we end up just allocating the complete path without ever checking what the encoded path length actually is. This can easily lead to a denial of service by just encoding an unreasonably long path name inside of the index. Git already enforces a maximum path length of 4096 bytes. As we also have that enforcement ready in some places, just make sure that the resulting path is smaller than GIT_PATH_MAX. Reported-by: Krishna Ram Prakash R <krp@gtux.in> Reported-by: Vivek Parikh <viv0411.parikh@gmail.com>
Patrick Steinhardt 3207ddb0 2018-03-08T12:00:27 index: fix out-of-bounds read with invalid index entry prefix length The index format in version 4 has prefix-compressed entries, where every index entry can compress its path by using a path prefix of the previous entry. Since implementing support for this index format version in commit 5625d86b9 (index: support index v4, 2016-05-17), though, we do not correctly verify that the prefix length that we want to reuse is actually smaller than or equal to the length of the previous index entry's path. This can lead to an integer underflow and subsequently to an out-of-bounds read. Fix this by verifying that the prefix is actually smaller than the previous entry's path length. Reported-by: Krishna Ram Prakash R <krp@gtux.in> Reported-by: Vivek Parikh <viv0411.parikh@gmail.com>
Patrick Steinhardt 58a6fe94 2018-03-08T11:49:19 index: convert `read_entry` to return entry size via an out-param The function `read_entry` does not conform to our usual coding style of returning stuff via the out parameter and to use the return value for reporting errors. Due to most of our code conforming to that pattern, it has become quite natural for us to actually return `-1` in case there is any error, which has also slipped in with commit 5625d86b9 (index: support index v4, 2016-05-17). As the function returns a `size_t` only, though, the return value is wrapped around, causing the caller of `read_tree` to continue with an invalid index entry. Ultimately, this can lead to a double-free. Improve code and fix the bug by converting the function to return the index entry size via an out parameter and only using the return value to indicate errors. Reported-by: Krishna Ram Prakash R <krp@gtux.in> Reported-by: Vivek Parikh <viv0411.parikh@gmail.com>
Patrick Steinhardt d11c4a1a 2018-03-08T13:13:04 Merge pull request #4571 from jacquesg/overflow Integer overflow
Jacques Germishuys e666495b 2018-03-08T08:31:49 cmake: enable shift count overflow warning
Jacques Germishuys 5f6383ca 2018-03-08T08:17:29 diff: ensure an unsigned number is shifted
Edward Thomson 515683c7 2018-03-07T12:39:28 Merge pull request #4567 from pks-t/pks/zlib-update deps: upgrade embedded zlib to version 1.2.11
Patrick Steinhardt 4c5330cb 2018-03-07T10:33:41 deps: upgrade embedded zlib to version 1.2.11 The current version of zlib bundled with libgit2 is version 1.2.8. This version has several CVEs assigned: - CVE-2016-9843 - CVE-2016-9841 - CVE-2016-9842 - CVE-2016-9840 Upgrade the bundled version to the current release 1.2.11, which has these vulnerabilities fixes.
Edward Thomson 2d2a6025 2018-03-04T12:17:17 Merge pull request #4541 from libgit2/cmn/odb-streaming-read-changelog CHANGELOG: mention the change to `git_odb_open_rstream`
Edward Thomson adf7d094 2018-03-04T12:17:06 Merge pull request #4559 from jacquesg/worktree-const Worktree lock reason should be const
Jacques Germishuys 53e692af 2018-03-02T12:49:54 worktree: rename parameter creason to reason
Jacques Germishuys 12356076 2018-03-02T12:41:04 worktree: lock reason should be const
Carlos Martín Nieto 8353e4b5 2018-02-22T09:20:31 CHANGELOG: mention the change to `git_odb_open_rstream`
Patrick Steinhardt 8a8ea1db 2018-02-28T18:14:52 Merge pull request #4552 from libgit2/cmn/config-header-common Cast less blindly between configuration objects
Edward Thomson e8e490b2 2018-02-28T17:01:47 Merge pull request #4554 from pks-t/pks/curl-init curl: initialize and cleanup global curl state
Carlos Martín Nieto 9cd0c6f1 2018-02-28T16:01:16 config: return an error if config_refresh is called on a snapshot Instead of treating it as a no-op, treat it as a programming error and return the same kind of error as if you called to set or delete variables on a snapshot.
Patrick Steinhardt 17bef3b8 2018-02-28T15:01:43 Merge pull request #4553 from libgit2/cmn/tree-write-initialise tree: initialize the id we use for testing submodule insertions
Patrick Steinhardt fb884c62 2018-02-28T14:59:09 Merge pull request #4555 from libgit2/ethomson/strncmp_stdcall win32: strncmp -> git__strncmp for win32 STDCALL
Patrick Steinhardt 2022b004 2018-02-28T12:06:59 curl: explicitly initialize and cleanup global curl state Our curl-based streams make use of the easy curl interface. This interface automatically initializes and de-initializes the global curl state by calling out to `curl_global_init` and `curl_global_cleanup`. Thus, all global state will be repeatedly re-initialized when creating multiple curl streams in succession. Besides being inefficient, this is not thread-safe due to `curl_global_init` being not thread-safe itself. Thus a multi-threaded program handling multiple curl streams at the same time is inherently racy. Fix the issue by globally initializing and cleaning up curl's state.
Edward Thomson a33deeb4 2018-02-28T12:20:23 win32: strncmp -> git__strncmp The win32 C library is compiled cdecl, however when configured with `STDCALL=ON`, our functions (and function pointers) will use the stdcall calling convention. You cannot set a `__stdcall` function pointer to a `__cdecl` function, so it's easier to just use our `git__strncmp` instead of sorting that mess out.
Carlos Martín Nieto a554d588 2018-02-28T12:21:08 tree: initialize the id we use for testing submodule insertions Instead of leaving it uninitialized and relying on luck for it to be non-zero, let's give it a dummy hash so we make valgrind happy (in this case the hash comes from `sha1sum </dev/null`).
Carlos Martín Nieto 2424e64c 2018-02-28T12:06:02 config: harden our use of the backend objects a bit When we create an iterator we don't actually know that we have a live config object and we must instead only rely on the header. We fixed it to use this in a previous commit, but this makes it harder to misuse by converting to use the header object in the typecast. We also guard inside the `config_refresh` function against being given a snapshot (although callers right now do check).
Carlos Martín Nieto 1785de4e 2018-02-28T11:46:17 config: move the level field into the header We use it in a few places where we might have a full object or a snapshot so move it to where we can actually access it.
Carlos Martín Nieto c1524b2e 2018-02-28T11:33:11 config: move the repository to the diskfile header We pass this around and when creating a new iterator we need to read the repository pointer. Put it in a common place so we can reach it regardless of whether we got a full object or a snapshot.
Edward Thomson c9d59c61 2018-02-27T12:45:21 Merge pull request #4545 from libgit2/ethomson/checkout_filemode Respect core.filemode in checkout
Edward Thomson b4dde78a 2018-02-27T12:43:47 Merge pull request #4550 from libgit2/ethomson/winhttp winhttp: enable TLS 1.2
Edward Thomson 5ecb6220 2018-02-25T15:46:51 winhttp: enable TLS 1.2 on Windows 7 and earlier Versions of Windows prior to Windows 8 do not enable TLS 1.2 by default, though support may exist. Try to enable TLS 1.2 support explicitly on connections. This request may fail if the operating system does not have TLS 1.2 support - the initial release of Vista lacks TLS 1.2 support (though it is available as a software update) and XP completely lacks TLS 1.2 support. If this request does fail, the HTTP context is still valid, and still maintains the original protocol support. So we ignore the failure from this operation.
Edward Thomson 934e6a3b 2018-02-27T11:24:30 winhttp: include constants for TLS 1.1/1.2 support For platforms that do not define `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1` and/or `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2`.
Edward Thomson 8c8db980 2018-02-27T10:32:29 mingw: update TLS option flags Include the constants for `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1` and `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2` so that they can be used by mingw. This updates both the `deps/winhttp` framework (for classic mingw) and adds the defines for mingw64, which does not use that framework.
Edward Thomson 7d906370 2018-02-25T23:08:14 Merge pull request #4549 from libgit2/ethomson/travis_libssh travis: use custom libssh2-1-dev package
Edward Thomson ca22cb5e 2018-02-25T22:43:12 travis: use custom libssh2-1-dev package To avoid pull requests needing to rebase, keep the libssh2-1-dev package as the development package for libssh2. Reverting to the original Debian package structure.
Edward Thomson 5a69b120 2018-02-25T19:58:19 Merge pull request #4548 from libgit2/ethomson/travis_libssh travis: use custom libssh2 package
Edward Thomson c5eb8b4a 2018-02-25T14:08:51 travis: use custom libssh2 package Use the custom libssh2 package that is a backport of libssh2 1.8.0 to Ubuntu trusty.
Edward Thomson c214ba19 2018-02-20T00:35:27 checkout: respect core.filemode when comparing filemodes Fixes #4504
Edward Thomson 275693e2 2018-02-20T12:45:40 checkout test: ensure workdir mode is simplified Ensure that when examining the working directory for checkout that the mode is correctly simplified. Git only pays attention to whether a file is executable or not. When examining a working directory, we should coalesce modes in the working directory to either `0755` (indicating that a file is executable) or `0644` (indicating that it is not). Test this by giving the file an exotic mode, and ensuring that when checking out a branch that changes the file's contents, that we do not have a checkout conflict.
Edward Thomson ec96db57 2018-02-20T00:32:38 checkout test: add core.filemode checkout tests Add two tests for filemode. The first ensures that `core.filemode=true` is honored: if we have changed the filemode such that a file that _was_ executable (mode 0755) is now executable (mode 0644) and we go to check out a branch that has otherwise changed the contents of the file, then we should raise a checkout conflict for that file. The second ensures that `core.filemode=false` is honored: in the same situation, we set a file that was executable to be non-executable, and check out the branch that changes the contents of the file. However, since `core.filemode` is false, we do not detect the filemode change. We run these tests on both operating systems that obey `core.filemode` (eg, POSIX) and those that have no conception of filemode (eg, Win32). This ensures that `core.filemode` is always honored, as it is a cache of the underlying filesystem's settings. This ensures that we do not make assumptions based on the operating system, and honor the configuration setting even if it were misconfigured.
Edward Thomson 18d9c847 2018-02-20T00:32:38 testrepo: add new branch Add a new branch to the `testrepo` repository, where the `README` file has changed to executable. This branch enables typechange tests between the new `executable` branch and `master`.
Josh Bleecher Snyder b72717b0 2018-02-23T08:19:49 pathspec: improve git_pathspec_flag_t doc rendering By placing docs per enum value rather than in a large block, the automated doc generation tool can make nicer docs, as could other automated tools, such as the mooted https://github.com/libgit2/git2go/issues/427. The current rendering is somewhat ugly: https://libgit2.github.com/libgit2/#HEAD/type/git_pathspec_flag_t No textual changes, just reorganization.
Edward Thomson 809b0ca6 2018-02-20T22:06:53 Merge pull request #4533 from pks-t/pks/v0.27.0-rc1 v0.27.0-rc1: version bump
Patrick Steinhardt 23d4a91b 2018-02-16T08:38:44 Update version number to v0.27
Patrick Steinhardt 0f239682 2018-02-20T16:49:13 CHANGELOG: third batch of updates to the changelog for v0.27.0
Patrick Steinhardt ad006d87 2018-02-15T11:13:14 docs: document increasing the version number for releases
Patrick Steinhardt 894ccf4b 2018-02-20T16:14:54 Merge pull request #4535 from libgit2/ethomson/checkout_typechange_with_index_and_wd checkout: when examining index (instead of workdir), also examine mode
Edward Thomson afc5124b 2018-02-20T14:35:17 Merge pull request #4539 from pks-t/pks/diff_renames_with_rewrites diff_tform: fix rename detection with rewrite/delete pair
Edward Thomson 4e4771dc 2018-02-19T22:10:44 checkout test: further ensure workdir perms are updated When both the index _and_ the working directory have changed permissions on a file - but only the permissions, such that the contents of the file are identical - ensure that `git_checkout` updates the permissions to match the checkout target.
Edward Thomson 8858a684 2018-02-19T22:09:27 checkout test: ensure workdir perms are updated When the working directory has changed permissions on a file - but only the permissions, such that the contents of the file are identical - ensure that `git_checkout` updates the permissions to match the checkout target.
Patrick Steinhardt ce7080a0 2018-02-20T10:38:27 diff_tform: fix rename detection with rewrite/delete pair A rewritten file can either be classified as a modification of its contents or of a delete of the complete file followed by an addition of the new content. This distinction becomes important when we want to detect renames for rewrites. Given a scenario where a file "a" has been deleted and another file "b" has been renamed to "a", this should be detected as a deletion of "a" followed by a rename of "a" -> "b". Thus, splitting of the original rewrite into a delete/add pair is important here. This splitting is represented by a flag we can set at the current delta. While the flag is already being set in case we want to break rewrites, we do not do so in case where the `GIT_DIFF_FIND_RENAMES_FROM_REWRITES` flag is set. This can trigger an assert when we try to match the source and target deltas. Fix the issue by setting the `GIT_DIFF_FLAG__TO_SPLIT` flag at the delta when it is a rename target and `GIT_DIFF_FIND_RENAMES_FROM_REWRITES` is set.
Patrick Steinhardt 80e77b87 2018-02-20T10:03:48 tests: add rename-rewrite scenarios to "renames" repository Add two more scenarios to the "renames" repository. The first scenario has a major rewrite of a file and a delete of another file, the second scenario has a deletion of a file and rename of another file to the deleted file. Both scenarios will be used in the following commit.
Patrick Steinhardt d91da1da 2018-02-20T09:54:58 tests: diff::rename: use defines for commit OIDs While we frequently reuse commit OIDs throughout the file, we do not have any constants to refer to these commits. Make this a bit easier to read by giving the commit OIDs somewhat descriptive names of what kind of commit they refer to.
Edward Thomson d7fea1e1 2018-02-18T16:10:33 checkout: take mode into account when comparing index to baseline When checking out a file, we determine whether the baseline (what we expect to be in the working directory) actually matches the contents of the working directory. This is safe behavior to prevent us from overwriting changes in the working directory. We look at the index to optimize this test: if we know that the index matches the working directory, then we can simply look at the index data compared to the baseline. We have historically compared the baseline to the index entry by oid. However, we must also compare the mode of the two items to ensure that they are identical. Otherwise, we will refuse to update the working directory for a mode change.
Edward Thomson 952cf714 2018-02-19T10:51:29 Merge pull request #4537 from pks-t/pks/tests-filemode-uninitialized-memory tests: index::filemodes: fix use of uninitialized memory
Patrick Steinhardt cabe16df 2018-02-19T10:18:59 tests: index::filemodes: fix use of uninitialized memory The new index entry structure was not being initialized to all-zeroes. As that structure is used to add a new entry to the current index, and the hashing algorithm of the index making use of the uninitialized flags to calculate the state, we might miscompute the hash of the entry and add it at the wrong position. Later lookups would then fail. Initialize the structure with `memset` to fix the test breaking on some platforms.
Edward Thomson f1ad004c 2018-02-18T22:29:48 Merge pull request #4529 from libgit2/ethomson/index_add_requires_files git_index_add_frombuffer: only accept files/links
Edward Thomson 574671ba 2018-02-18T10:16:15 Merge pull request #4534 from pks-t/pks/build-warnings Fix build warnings
Edward Thomson 5f774dbf 2018-02-11T10:14:13 git_index_add_frombuffer: only accept files/links Ensure that the buffer given to `git_index_add_frombuffer` represents a regular blob, an executable blob, or a link. Explicitly reject commit entries (submodules) - it makes little sense to allow users to add a submodule from a string; there's no possible path to success.
Patrick Steinhardt 92324d84 2018-02-16T11:28:53 util: clean up header includes While "util.h" declares the macro `git__tolower`, which simply resorts to tolower(3P) on Unix-like systems, the <ctype.h> header is only being included in "util.c". Thus, anybody who has included "util.h" without having <ctype.h> included will fail to compile as soon as the macro is in use. Furthermore, we can clean up additional includes in "util.c" and simply replace them with an include for "common.h".
Patrick Steinhardt 06b8a40f 2018-02-16T11:29:46 Explicitly mark fallthrough cases with comments A lot of compilers nowadays generate warnings when there are cases in a switch statement which implicitly fall through to the next case. To avoid this warning, the last line in the case that is falling through can have a comment matching a regular expression, where one possible comment body would be `/* fall through */`. An alternative to the comment would be an explicit attribute like e.g. `[[clang::fallthrough]]` or `__attribute__ ((fallthrough))`. But GCC only introduced support for such an attribute recently with GCC 7. Thus, and also because the fallthrough comment is supported by most compilers, we settle for using comments instead. One shortcoming of that method is that compilers are very strict about that. Most interestingly, that comment _really_ has to be the last line. In case a closing brace follows the comment, the heuristic will fail.
Patrick Steinhardt 7c6e9175 2018-02-16T11:11:11 index: shut up warning on uninitialized variable Even though the `entry` variable will always be initialized when `read_entry` returns success and even though we never dereference `entry` in case `read_entry` fails, GCC prints a warning about uninitialized use. Just initialize the pointer to `NULL` in order to shut GCC up.
Patrick Steinhardt 522f3e4b 2018-02-16T10:50:54 CMakeLists: increase strict aliasing level to 3 The strict aliasing rules disallow dereferencing the pointer to a variable of a certain type as another type, which is frequently used e.g. when casting structs to their base type. We currently have the warning level for strict aliasing rules set to `2`, which is described by gcc(1) as being "Aggressive, quick, not too precise." And in fact, we experience quite a lot of warnings when doing a release build due to that. GCC provides multiple levels, where higher levels are more accurate, but also slower due to the additional analysis required. Still, we want to have warning level 3 instead of 2 to avoid the current warnings we have in the Travis CI release builds. As this is the default warning level when no level is passed to `-Wstrict-aliasing`, we can just remove the level and use that default.
Patrick Steinhardt 84f03b3a 2018-02-16T10:48:55 streams: openssl: fix use of uninitialized variable When verifying the server certificate, we do try to make sure that the hostname actually matches the certificate alternative names. In cases where the host is either an IPv4 or IPv6 address, we have to compare the binary representations of the hostname with the declared IP address of the certificate. We only do that comparison in case we were successfully able to parse the hostname as an IP, which would always result in the memory region being initialized. Still, GCC 6.4.0 was complaining about usage of non-initialized memory. Fix the issue by simply asserting that `addr` needs to be initialized. This shuts up the GCC warning.