1. 30 Jun, 2020 1 commit
  2. 05 Jun, 2020 1 commit
  3. 23 May, 2020 1 commit
  4. 16 May, 2020 1 commit
  5. 10 May, 2020 3 commits
  6. 10 Dec, 2019 2 commits
    • Disallow NTFS Alternate Data Stream attacks, even on Linux/macOS · 3f7851ea
      A little-known feature of NTFS is that it offers to store metadata in
      so-called "Alternate Data Streams" (inspired by Apple's "resource
      forks") that are copied together with the file they are associated with.
      These Alternate Data Streams can be accessed via `<file name>:<stream
      name>:<stream type>`.
      
      Directories, too, have Alternate Data Streams, and they even have a
      default stream type `$INDEX_ALLOCATION`. Which means that `abc/` and
      `abc::$INDEX_ALLOCATION/` are actually equivalent.
      
      This is of course another attack vector on the Git directory that we
      definitely want to prevent.
      
      On Windows, we already do this incidentally, by disallowing colons in
      file/directory names.
      
      While it looks as if files'/directories' Alternate Data Streams are not
      accessible in the Windows Subsystem for Linux, and neither via
      CIFS/SMB-mounted network shares in Linux, it _is_ possible to access
      them on SMB-mounted network shares on macOS.
      
      Therefore, let's go the extra mile and prevent this particular attack
      _everywhere_. To keep things simple, let's just disallow *any* Alternate
      Data Stream of `.git`.
      
      This is libgit2's variant of CVE-2019-1352.
      
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      Johannes Schindelin committed
    • Protect against 8.3 "short name" attacks also on Linux/macOS · 64c612cc
      The Windows Subsystem for Linux (WSL) is getting increasingly popular,
      in particular because it makes it _so_ easy to run Linux software on
      Windows' files, via the auto-mounted Windows drives (`C:\` is mapped to
      `/mnt/c/`, no need to set that up manually).
      
      Unfortunately, files/directories on the Windows drives can be accessed
      via their _short names_, if that feature is enabled (which it is on the
      `C:` drive by default).
      
      Which means that we have to safeguard even our Linux users against the
      short name attacks.
      
      Further, while the default options of CIFS/SMB-mounts seem to disallow
      accessing files on network shares via their short names on Linux/macOS,
      it _is_ possible to do so with the right options.
      
      So let's just safe-guard against short name attacks _everywhere_.
      
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      Johannes Schindelin committed
  7. 20 Jul, 2019 2 commits
    • path: extract function to check whether a path supports symlinks · ded77bb1
      When initializing a repository, we need to check whether its working
      directory supports symlinks to correctly set the initial value of the
      "core.symlinks" config variable. The code to check the filesystem is
      reusable in other parts of our codebase, like for example in our tests
      to determine whether certain tests can be expected to succeed or not.
      
      Extract the code into a new function `git_path_supports_symlinks` to
      avoid duplicate implementations. Remove a duplicate implementation in
      the repo test helper code.
      Patrick Steinhardt committed
    • fileops: rename to "futils.h" to match function signatures · e54343a4
      Our file utils functions all have a "futils" prefix, e.g.
      `git_futils_touch`. One would thus naturally guess that their
      definitions and implementation would live in files "futils.h" and
      "futils.c", respectively, but in fact they live in "fileops.h".
      
      Rename the files to match expectations.
      Patrick Steinhardt committed
  8. 18 Jul, 2019 1 commit
  9. 14 Jun, 2019 1 commit
    • Rename opt init functions to `options_init` · 0b5ba0d7
      In libgit2 nomenclature, when we need to verb a direct object, we name
      a function `git_directobject_verb`.  Thus, if we need to init an options
      structure named `git_foo_options`, then the name of the function that
      does that should be `git_foo_options_init`.
      
      The previous name of `git_foo_init_options` is close - it _sounds_ as
      if it's initializing the options of a `foo`, but in fact
      `git_foo_options` is its own noun that should be respected.
      
      Deprecate the old names; they'll now call directly to the new ones.
      Edward Thomson committed
  10. 07 Jun, 2019 1 commit
  11. 22 Jan, 2019 1 commit
  12. 17 Jan, 2019 1 commit
  13. 19 Dec, 2018 1 commit
  14. 04 Dec, 2018 1 commit
  15. 03 Dec, 2018 1 commit
    • crlf_data: move to a "to_workdir" folder · 13a8bc92
      Move the crlf_data folders responsible for holding the state of the
      filters going into the working directory to "to_workdir" variations of
      the folder name to accommodate future growth into the "to odb" filter
      variation.  Update the script to create these new folders as appropriate.
      Edward Thomson committed
  16. 01 Dec, 2018 2 commits
  17. 20 Oct, 2018 5 commits
  18. 13 Jul, 2018 1 commit
    • treewide: remove use of C++ style comments · 9994cd3f
      C++ style comments ("//") are not specified by the ISO C90 standard and
      thus do not conform to it. While libgit2 aims to conform to C90, we did
      not enforce it until now, which is why quite a lot of these
      non-conforming comments have snuck into our codebase. Do a tree-wide
      conversion of all C++ style comments to the supported C style comments
      to allow us to enforce strict C90 compliance in a later commit.
      Patrick Steinhardt committed
  19. 06 Jul, 2018 1 commit
  20. 29 Jun, 2018 3 commits
  21. 10 Jun, 2018 1 commit
  22. 23 May, 2018 1 commit
  23. 22 May, 2018 1 commit
  24. 05 Apr, 2018 1 commit
  25. 24 Feb, 2018 2 commits
    • checkout test: ensure workdir mode is simplified · 275693e2
      Ensure that when examining the working directory for checkout that the
      mode is correctly simplified.  Git only pays attention to whether a file
      is executable or not.  When examining a working directory, we should
      coalesce modes in the working directory to either `0755` (indicating
      that a file is executable) or `0644` (indicating that it is not).
      
      Test this by giving the file an exotic mode, and ensuring that when
      checking out a branch that changes the file's contents, that we do not
      have a checkout conflict.
      Edward Thomson committed
    • checkout test: add core.filemode checkout tests · ec96db57
      Add two tests for filemode.
      
      The first ensures that `core.filemode=true` is honored: if we have
      changed the filemode such that a file that _was_ executable (mode 0755)
      is now executable (mode 0644) and we go to check out a branch that has
      otherwise changed the contents of the file, then we should raise a
      checkout conflict for that file.
      
      The second ensures that `core.filemode=false` is honored: in the same
      situation, we set a file that was executable to be non-executable, and
      check out the branch that changes the contents of the file.  However,
      since `core.filemode` is false, we do not detect the filemode change.
      
      We run these tests on both operating systems that obey `core.filemode`
      (eg, POSIX) and those that have no conception of filemode (eg, Win32).
      This ensures that `core.filemode` is always honored, as it is a cache of
      the underlying filesystem's settings.  This ensures that we do not
      make assumptions based on the operating system, and honor the
      configuration setting even if it were misconfigured.
      Edward Thomson committed
  26. 20 Feb, 2018 2 commits
  27. 03 Jan, 2018 1 commit
    • tests: status::worktree: indicate skipped tests on Win32 · 72c28ab0
      Some function bodies of tests which are not applicable to the Win32
      platform are completely #ifdef'd out instead of calling `cl_skip()`.
      This leaves us with no indication that these tests are not being
      executed at all and may thus cause decreased scrutiny when investigating
      skipped tests. Improve the situation by calling `cl_skip()` instead of
      just doing nothing.
      Patrick Steinhardt committed