Validate repository directory ownership (v1.3)

Introduce the `GIT_OPT_SET_OWNER_VALIDATION` option, so that users can
disable repository ownership validation.

Obey the `safe.directory` configuration variable if it is set in the
global or system configuration. (Do not try to load this from the
repository configuration - to avoid malicious repositories that then
mark themselves as safe.)

Pull the global configuration loader out of the symlink check so that it
can be re-used.

Test that we prevent opening directories that are not owned by
ourselves.

Provide a mock for file ownership for testability.

Ensure that the repository directory is owned by the current user; this
prevents us from opening configuration files that may have been created
by an attacker.

Provide individual file ownership checks for both the current user and
the system user, as well as a combined current user and system user
check.

GitHub is removing support for the unauthenticated git protocol; test
with the https protocol.

examples: Free the git_config and git_config_entry after use

oidarray: introduce `git_oidarray_dispose`

buf: common_prefix takes a string array

`git_strarray` is a public-facing type.  Change
`git_buf_text_common_prefix` to not use it, and just take an array of
strings instead.

Since users are disposing the _contents_ of the oidarray, not freeing
the oidarray itself, the proper cleanup function is
`git_oidarray_dispose`.  Deprecate `git_oidarray_free`.

The `repo` argument is now unnecessary.  Remove it.

When looking up attributes for a file, we construct an absolute path
to the queried file within the working directory so that we can accept
both absolute paths and working directory relative paths.  We then trim
the leading working directory path to give us an in-repo path.

Since we only want the in-repo path to look up attributes - and not to
read it from disk - we don't need to validate its length.

Attribute lookups are done on paths relative to the repository.  Fail if
erroneously presented with an absolute path.

Always pass a working-directory relative path to attribute lookups
during checkout.

Resolve absolute paths to be working directory relative when looking up
attributes.  Importantly, now we will _never_ pass an absolute path down
to attribute lookup functions.

When `git_repository_hashfile` is handed an absolute path, it determines
whether the path is within the repository's working directory or not.
This is necessary when there is no `as_path` specified.

If the path is within the working directory, then the given path should
be used for attribute lookups (it is the effective `as_path`).  If it is
not within the working directory, then it is _not_ eligible.

Importantly, now we will _never_ pass an absolute path down to attribute
lookup functions.

Make p_getcwd match the rest of our win32 path handling semantics.

(This is currently only used in tests, which is why this disparity went
unnoticed.)

v1.3.0

diff: update `GIT_DIFF_IGNORE_BLANK_LINES`

`GIT_DIFF_IGNORE_BLANK_LINES` needs to be within a (signed) int, per the
`enum` definition of ISO C.

filter: use a `git_oid` in filter options, not a pointer

ci: pull libssh2 from www.libssh2.org

libssh2.org and www.libssh2.org were previously identical; now this is a
redirect.