- 29 May, 2018 9 commits
-
-
These will be used by the checkout code to detect them for the particular filesystem they're on.
Carlos Martín Nieto committed -
These can't go into the public API yet as we don't want to introduce API or ABI changes in a security release.
Carlos Martín Nieto committed -
Carlos Martín Nieto committed
-
Given a path component it knows what to pass to the filesystem-specific functions so we're protected even from trees which try to use the 8.3 naming rules to get around us matching on the filename exactly. The logic and test strings come from the equivalent git change.
Carlos Martín Nieto committed -
It checks against the 8.3 shortname variants, including the one which includes the checksum as part of its name.
Carlos Martín Nieto committed -
This lets us check for other kinds of reserved files.
Carlos Martín Nieto committed -
Otherwise we would also admit `..\..\foo\bar` as a valid path and fail to protect Windows users. Ideally we would check for both separators without the need for the copied string, but this'll get us over the RCE.
Carlos Martín Nieto committed -
If the we decide that the "name" of the submodule (i.e. its path inside `.git/modules/`) is trying to escape that directory or otherwise trick us, we ignore the configuration for that submodule. This leaves us with a half-configured submodule when looking it up by path, but it's the same result as if the configuration really were missing. The name check is potentially more strict than it needs to be, but it lets us re-use the check we're doing for the checkout. The function that encapsulates this logic is ready to be exported but we don't want to do that in a security release so it remains internal for now.
Carlos Martín Nieto committed -
We should pretend such submdules do not exist as it can lead to RCE.
Carlos Martín Nieto committed
-
- 23 Mar, 2018 3 commits
-
-
odb: fix writing to fake write streams
Edward Thomson committed -
In commit 7ec7aa4a (odb: assert on logic errors when writing objects, 2018-02-01), the check for whether we are trying to overflowing the fake stream buffer was changed from returning an error to raising an assert. The conversion forgot though that the logic around `assert`s are basically inverted. Previously, if the statement stream->written + len > steram->size evaluated to true, we would return a `-1`. Now we are asserting that this statement is true, and in case it is not we will raise an error. So the conversion to the `assert` in fact changed the behaviour to the complete opposite intention. Fix the assert by inverting its condition again and add a regression test.
Patrick Steinhardt committed -
Our mempack ODB backend has no test coverage at all right now. Add a simple test suite to at least have some coverage of the most basic operations on the ODB.
Patrick Steinhardt committed
-
- 20 Mar, 2018 3 commits
-
-
online tests: update auth for bitbucket test
Edward Thomson committed -
Update the settings to use a specific read-only token for accessing our test repositories in Bitbucket.
Edward Thomson committed -
Refactor `gitno_extract_url_parts`
Edward Thomson committed
-
- 19 Mar, 2018 11 commits
-
-
Edward Thomson committed
-
RFC 3986 says that hostnames can be percent encoded. Percent decode hostnames in our URLs.
Edward Thomson committed -
Edward Thomson committed
-
Now that we can decode percent-encoded strings as part of `git_buf`s, use that decoder in `gitno_extract_url_parts`.
Edward Thomson committed -
Use `git_buf_decode_percent` so that we can avoid allocating a temporary buffer.
Edward Thomson committed -
Introduce a function to take a percent-encoded string (URI encoded, described by RFC 1738) and decode it into a `git_buf`.
Edward Thomson committed -
Steven King Jr committed
-
Steven King Jr committed
-
Steven King Jr committed
-
online::clone: skip creds fallback test
Edward Thomson committed -
At present, we have three online tests against bitbucket: one which specifies the credentials in the payload, one which specifies the correct credentials in the URL and a final one that specifies the incorrect credentials in the URL. Bitbucket has begun responding to the latter test with a 403, which causes us to fail. Break these three tests into separate tests so that we can skip the latter until this is resolved on Bitbucket's end or until we can change the test to a different provider.
Edward Thomson committed
-
- 13 Mar, 2018 1 commit
-
-
pathspec: improve git_pathspec_flag_t doc rendering
Patrick Steinhardt committed
-
- 12 Mar, 2018 2 commits
-
-
Index parsing fixes
Edward Thomson committed -
config: specify how we match the regular expressions
Edward Thomson committed
-
- 11 Mar, 2018 1 commit
-
-
Carlos Martín Nieto committed
-
- 10 Mar, 2018 3 commits
-
-
When computing the complete path length from the encoded prefix-compressed path, we end up just allocating the complete path without ever checking what the encoded path length actually is. This can easily lead to a denial of service by just encoding an unreasonable long path name inside of the index. Git already enforces a maximum path length of 4096 bytes. As we also have that enforcement ready in some places, just make sure that the resulting path is smaller than GIT_PATH_MAX. Reported-by: Krishna Ram Prakash R <krp@gtux.in> Reported-by: Vivek Parikh <viv0411.parikh@gmail.com>
Patrick Steinhardt committed -
The index format in version 4 has prefix-compressed entries, where every index entry can compress its path by using a path prefix of the previous entry. Since implmenting support for this index format version in commit 5625d86b (index: support index v4, 2016-05-17), though, we do not correctly verify that the prefix length that we want to reuse is actually smaller or equal to the amount of characters than the length of the previous index entry's path. This can lead to a an integer underflow and subsequently to an out-of-bounds read. Fix this by verifying that the prefix is actually smaller than the previous entry's path length. Reported-by: Krishna Ram Prakash R <krp@gtux.in> Reported-by: Vivek Parikh <viv0411.parikh@gmail.com>
Patrick Steinhardt committed -
The function `read_entry` does not conform to our usual coding style of returning stuff via the out parameter and to use the return value for reporting errors. Due to most of our code conforming to that pattern, it has become quite natural for us to actually return `-1` in case there is any error, which has also slipped in with commit 5625d86b (index: support index v4, 2016-05-17). As the function returns an `size_t` only, though, the return value is wrapped around, causing the caller of `read_tree` to continue with an invalid index entry. Ultimately, this can lead to a double-free. Improve code and fix the bug by converting the function to return the index entry size via an out parameter and only using the return value to indicate errors. Reported-by: Krishna Ram Prakash R <krp@gtux.in> Reported-by: Vivek Parikh <viv0411.parikh@gmail.com>
Patrick Steinhardt committed
-
- 08 Mar, 2018 3 commits
-
-
Integer overflow
Patrick Steinhardt committed -
Jacques Germishuys committed
-
Jacques Germishuys committed
-
- 07 Mar, 2018 2 commits
-
-
deps: upgrade embedded zlib to version 1.2.11
Edward Thomson committed -
The current version of zlib bundled with libgit2 is version 1.2.8. This version has several CVEs assigned: - CVE-2016-9843 - CVE-2016-9841 - CVE-2016-9842 - CVE-2016-9840 Upgrade the bundled version to the current release 1.2.11, which has these vulnerabilities fixes.
Patrick Steinhardt committed
-
- 04 Mar, 2018 2 commits
-
-
CHANGELOG: mention the change to `git_odb_open_rstream`
Edward Thomson committed -
Worktree lock reason should be const
Edward Thomson committed
-