Merge branch 'fix-msys2-quoting-bugs'
These patches fix several bugs in quoting arguments when spawning shell
scripts on Windows.
Note: these bugs are Windows-only, as we have to construct a command
line for the process-to-spawn, unlike Linux/macOS, where `execv()`
accepts an already-split command line.
Furthermore, these fixes were not included in the CVE-2019-1350 part of
v2.14.6 because the Windows-specific quoting when spawning shell scripts
was contributed from Git for Windows into Git only in the v2.21.x era.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
diff --git a/compat/mingw.c b/compat/mingw.c
index 0e14cab..2c55c34 100644
--- a/compat/mingw.c
+++ b/compat/mingw.c
@@ -1120,13 +1120,14 @@
for (p = arg; *p; p++) {
int ws = isspace(*p);
- if (!ws && *p != '\\' && *p != '"' && *p != '{')
+ if (!ws && *p != '\\' && *p != '"' && *p != '{' && *p != '\'' &&
+ *p != '?' && *p != '*' && *p != '~')
continue;
if (!buf.len)
strbuf_addch(&buf, '"');
if (p != p2)
strbuf_add(&buf, p2, p - p2);
- if (!ws && *p != '{')
+ if (*p == '\\' || *p == '"')
strbuf_addch(&buf, '\\');
p2 = p;
}
@@ -1136,7 +1137,7 @@
else if (!buf.len)
return arg;
else
- strbuf_add(&buf, p2, p - p2),
+ strbuf_add(&buf, p2, p - p2);
strbuf_addch(&buf, '"');
return strbuf_detach(&buf, 0);
@@ -1391,7 +1392,10 @@
static int is_msys2_sh(const char *cmd)
{
- if (cmd && !strcmp(cmd, "sh")) {
+ if (!cmd)
+ return 0;
+
+ if (!strcmp(cmd, "sh")) {
static int ret = -1;
char *p;
@@ -1411,6 +1415,16 @@
}
return ret;
}
+
+ if (ends_with(cmd, "\\sh.exe")) {
+ static char *sh;
+
+ if (!sh)
+ sh = path_lookup("sh", 0);
+
+ return !fspathcmp(cmd, sh);
+ }
+
return 0;
}
@@ -1426,7 +1440,8 @@
BOOL ret;
HANDLE cons;
const char *(*quote_arg)(const char *arg) =
- is_msys2_sh(*argv) ? quote_arg_msys2 : quote_arg_msvc;
+ is_msys2_sh(cmd ? cmd : *argv) ?
+ quote_arg_msys2 : quote_arg_msvc;
do_unset_environment_variables();