Google Git
Sign in
googlers / jrn / git / 288a74bcd28229a00c3632f18cba92dbfdf73ee9
commit288a74bcd28229a00c3632f18cba92dbfdf73ee9[log] [tgz]
authorJohannes Schindelin <johannes.schindelin@gmx.de>Mon Sep 23 08:58:11 2019 +0200
committerJohannes Schindelin <johannes.schindelin@gmx.de>Thu Dec 05 15:36:50 2019 +0100
tree86984af16137a62e6062503f5d3d2278eeed6519
parenta62f9d1ace8c6556cbc1bb7df69eff0a0bb9e774 [diff]
is_ntfs_dotgit(): only verify the leading segment

The config setting `core.protectNTFS` is specifically designed to work
not only on Windows, but anywhere, to allow for repositories hosted on,
say, Linux servers to be protected against NTFS-specific attack vectors.

As a consequence, `is_ntfs_dotgit()` manually splits backslash-separated
paths (but does not do the same for paths separated by forward slashes),
under the assumption that the backslash might not be a valid directory
separator on the _current_ Operating System.

However, the two callers, `verify_path()` and `fsck_tree()`, are
supposed to feed only individual path segments to the `is_ntfs_dotgit()`
function.

This causes a lot of duplicate scanning (and very inefficient scanning,
too, as the inner loop of `is_ntfs_dotgit()` was optimized for
readability rather than for speed.

Let's simplify the design of `is_ntfs_dotgit()` by putting the burden of
splitting the paths by backslashes as directory separators on the
callers of said function.

Consequently, the `verify_path()` function, which already splits the
path by directory separators, now treats backslashes as directory
separators _explicitly_ when `core.protectNTFS` is turned on, even on
platforms where the backslash is _not_ a directory separator.

Note that we have to repeat some code in `verify_path()`: if the
backslash is not a directory separator on the current Operating System,
we want to allow file names like `\`, but we _do_ want to disallow paths
that are clearly intended to cause harm when the repository is cloned on
Windows.

The `fsck_tree()` function (the other caller of `is_ntfs_dotgit()`) now
needs to look for backslashes in tree entries' names specifically when
`core.protectNTFS` is turned on. While it would be tempting to
completely disallow backslashes in that case (much like `fsck` reports
names containing forward slashes as "full paths"), this would be
overzealous: when `core.protectNTFS` is turned on in a non-Windows
setup, backslashes are perfectly valid characters in file names while we
_still_ want to disallow tree entries that are clearly designed to
exploit NTFS-specific behavior.

This simplification will make subsequent changes easier to implement,
such as turning `core.protectNTFS` on by default (not only on Windows)
or protecting against attack vectors involving NTFS Alternate Data
Streams.

Incidentally, this change allows for catching malicious repositories
that contain tree entries of the form `dir\.gitmodules` already on the
server side rather than only on the client side (and previously only on
Windows): in contrast to `is_ntfs_dotgit()`, the
`is_ntfs_dotgitmodules()` function already expects the caller to split
the paths by directory separators.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
3 files changed
tree: 86984af16137a62e6062503f5d3d2278eeed6519
  1. .github/
  2. block-sha1/
  3. builtin/
  4. ci/
  5. compat/
  6. contrib/
  7. Documentation/
  8. ewah/
  9. git-gui/
  10. gitk-git/
  11. gitweb/
  12. mergetools/
  13. perl/
  14. po/
  15. ppc/
  16. refs/
  17. sha1dc/
  18. t/
  19. templates/
  20. vcs-svn/
  21. xdiff/
  22. sha1collisiondetection
  23. RelNotesDocumentation/RelNotes/2.14.5.txt
  24. .gitattributes
  25. .gitignore
  26. .gitmodules
  27. .mailmap
  28. .travis.yml
  29. .tsan-suppressions
  30. abspath.c
  31. aclocal.m4
  32. advice.c
  33. advice.h
  34. alias.c
  35. alloc.c
  36. apply.c
  37. apply.h
  38. archive-tar.c
  39. archive-zip.c
  40. archive.c
  41. archive.h
  42. argv-array.c
  43. argv-array.h
  44. attr.c
  45. attr.h
  46. base85.c
  47. bisect.c
  48. bisect.h
  49. blame.c
  50. blame.h
  51. blob.c
  52. blob.h
  53. branch.c
  54. branch.h
  55. builtin.h
  56. bulk-checkin.c
  57. bulk-checkin.h
  58. bundle.c
  59. bundle.h
  60. cache-tree.c
  61. cache-tree.h
  62. cache.h
  63. check-builtins.sh
  64. check-racy.c
  65. check_bindir
  66. color.c
  67. color.h
  68. column.c
  69. column.h
  70. combine-diff.c
  71. command-list.txt
  72. commit-slab.h
  73. commit.c
  74. commit.h
  75. common-main.c
  76. config.c
  77. config.h
  78. config.mak.in
  79. config.mak.uname
  80. configure.ac
  81. connect.c
  82. connect.h
  83. connected.c
  84. connected.h
  85. convert.c
  86. convert.h
  87. copy.c
  88. COPYING
  89. credential-cache--daemon.c
  90. credential-cache.c
  91. credential-store.c
  92. credential.c
  93. credential.h
  94. csum-file.c
  95. csum-file.h
  96. ctype.c
  97. daemon.c
  98. date.c
  99. decorate.c
  100. decorate.h
  101. delta.h
  102. diff-delta.c
  103. diff-lib.c
  104. diff-no-index.c
  105. diff.c
  106. diff.h
  107. diffcore-break.c
  108. diffcore-delta.c
  109. diffcore-order.c
  110. diffcore-pickaxe.c
  111. diffcore-rename.c
  112. diffcore.h
  113. dir-iterator.c
  114. dir-iterator.h
  115. dir.c
  116. dir.h
  117. editor.c
  118. entry.c
  119. environment.c
  120. exec_cmd.c
  121. exec_cmd.h
  122. fast-import.c
  123. fetch-pack.c
  124. fetch-pack.h
  125. fmt-merge-msg.h
  126. fsck.c
  127. fsck.h
  128. generate-cmdlist.sh
  129. gettext.c
  130. gettext.h
  131. git-add--interactive.perl
  132. git-archimport.perl
  133. git-bisect.sh
  134. git-compat-util.h
  135. git-cvsexportcommit.perl
  136. git-cvsimport.perl
  137. git-cvsserver.perl
  138. git-difftool--helper.sh
  139. git-filter-branch.sh
  140. git-instaweb.sh
  141. git-merge-octopus.sh
  142. git-merge-one-file.sh
  143. git-merge-resolve.sh
  144. git-mergetool--lib.sh
  145. git-mergetool.sh
  146. git-p4.py
  147. git-parse-remote.sh
  148. git-quiltimport.sh
  149. git-rebase--am.sh
  150. git-rebase--interactive.sh
  151. git-rebase--merge.sh
  152. git-rebase.sh
  153. git-remote-testgit.sh
  154. git-request-pull.sh
  155. git-send-email.perl
  156. git-sh-i18n.sh
  157. git-sh-setup.sh
  158. git-stash.sh
  159. git-submodule.sh
  160. git-svn.perl
  161. GIT-VERSION-GEN
  162. git-web--browse.sh
  163. git.c
  164. git.rc
  165. gpg-interface.c
  166. gpg-interface.h
  167. graph.c
  168. graph.h
  169. grep.c
  170. grep.h
  171. hash.h
  172. hashmap.c
  173. hashmap.h
  174. help.c
  175. help.h
  176. hex.c
  177. http-backend.c
  178. http-fetch.c
  179. http-push.c
  180. http-walker.c
  181. http.c
  182. http.h
  183. ident.c
  184. imap-send.c
  185. INSTALL
  186. iterator.h
  187. khash.h
  188. kwset.c
  189. kwset.h
  190. levenshtein.c
  191. levenshtein.h
  192. LGPL-2.1
  193. line-log.c
  194. line-log.h
  195. line-range.c
  196. line-range.h
  197. list-objects.c
  198. list-objects.h
  199. list.h
  200. ll-merge.c
  201. ll-merge.h
  202. lockfile.c
  203. lockfile.h
  204. log-tree.c
  205. log-tree.h
  206. mailinfo.c
  207. mailinfo.h
  208. mailmap.c
  209. mailmap.h
  210. Makefile
  211. match-trees.c
  212. merge-blobs.c
  213. merge-blobs.h
  214. merge-recursive.c
  215. merge-recursive.h
  216. merge.c
  217. mergesort.c
  218. mergesort.h
  219. mru.c
  220. mru.h
  221. name-hash.c
  222. notes-cache.c
  223. notes-cache.h
  224. notes-merge.c
  225. notes-merge.h
  226. notes-utils.c
  227. notes-utils.h
  228. notes.c
  229. notes.h
  230. object.c
  231. object.h
  232. oidset.c
  233. oidset.h
  234. pack-bitmap-write.c
  235. pack-bitmap.c
  236. pack-bitmap.h
  237. pack-check.c
  238. pack-objects.c
  239. pack-objects.h
  240. pack-revindex.c
  241. pack-revindex.h
  242. pack-write.c
  243. pack.h
  244. pager.c
  245. parse-options-cb.c
  246. parse-options.c
  247. parse-options.h
  248. patch-delta.c
  249. patch-ids.c
  250. patch-ids.h
  251. path.c
  252. path.h
  253. pathspec.c
  254. pathspec.h
  255. pkt-line.c
  256. pkt-line.h
  257. preload-index.c
  258. pretty.c
  259. prio-queue.c
  260. prio-queue.h
  261. progress.c
  262. progress.h
  263. prompt.c
  264. prompt.h
  265. quote.c
  266. quote.h
  267. reachable.c
  268. reachable.h
  269. read-cache.c
  270. README.md
  271. ref-filter.c
  272. ref-filter.h
  273. reflog-walk.c
  274. reflog-walk.h
  275. refs.c
  276. refs.h
  277. remote-curl.c
  278. remote-testsvn.c
  279. remote.c
  280. remote.h
  281. replace_object.c
  282. repository.c
  283. repository.h
  284. rerere.c
  285. rerere.h
  286. resolve-undo.c
  287. resolve-undo.h
  288. revision.c
  289. revision.h
  290. run-command.c
  291. run-command.h
  292. send-pack.c
  293. send-pack.h
  294. sequencer.c
  295. sequencer.h
  296. server-info.c
  297. setup.c
  298. sh-i18n--envsubst.c
  299. sha1-array.c
  300. sha1-array.h
  301. sha1-lookup.c
  302. sha1-lookup.h
  303. sha1_file.c
  304. sha1_name.c
  305. sha1dc_git.c
  306. sha1dc_git.h
  307. shallow.c
  308. shell.c
  309. shortlog.h
  310. show-index.c
  311. sideband.c
  312. sideband.h
  313. sigchain.c
  314. sigchain.h
  315. split-index.c
  316. split-index.h
  317. strbuf.c
  318. strbuf.h
  319. streaming.c
  320. streaming.h
  321. string-list.c
  322. string-list.h
  323. sub-process.c
  324. sub-process.h
  325. submodule-config.c
  326. submodule-config.h
  327. submodule.c
  328. submodule.h
  329. symlinks.c
  330. tag.c
  331. tag.h
  332. tar.h
  333. tempfile.c
  334. tempfile.h
  335. thread-utils.c
  336. thread-utils.h
  337. tmp-objdir.c
  338. tmp-objdir.h
  339. trace.c
  340. trace.h
  341. trailer.c
  342. trailer.h
  343. transport-helper.c
  344. transport.c
  345. transport.h
  346. tree-diff.c
  347. tree-walk.c
  348. tree-walk.h
  349. tree.c
  350. tree.h
  351. unicode_width.h
  352. unimplemented.sh
  353. unix-socket.c
  354. unix-socket.h
  355. unpack-trees.c
  356. unpack-trees.h
  357. upload-pack.c
  358. url.c
  359. url.h
  360. urlmatch.c
  361. urlmatch.h
  362. usage.c
  363. userdiff.c
  364. userdiff.h
  365. utf8.c
  366. utf8.h
  367. varint.c
  368. varint.h
  369. version.c
  370. version.h
  371. versioncmp.c
  372. walker.c
  373. walker.h
  374. wildmatch.c
  375. wildmatch.h
  376. worktree.c
  377. worktree.h
  378. wrap-for-bin.sh
  379. wrapper.c
  380. write_or_die.c
  381. ws.c
  382. wt-status.c
  383. wt-status.h
  384. xdiff-interface.c
  385. xdiff-interface.h
  386. zlib.c
README.md

Git - fast, scalable, distributed revision control system

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals.

Git is an Open Source project covered by the GNU General Public License version 2 (some parts of it are under different licenses, compatible with the GPLv2). It was originally written by Linus Torvalds with help of a group of hackers around the net.

Please read the file INSTALL for installation instructions.

Many Git online resources are accessible from https://git-scm.com/ including full documentation and Git related tools.

See Documentation/gittutorial.txt to get started, then see Documentation/giteveryday.txt for a useful minimum set of commands, and Documentation/git-.txt for documentation of each command. If git has been correctly installed, then the tutorial can also be read with man gittutorial or git help tutorial, and the documentation of each command with man git-<commandname> or git help <commandname>.

CVS users may also want to read Documentation/gitcvs-migration.txt (man gitcvs-migration or git help cvs-migration if git is installed).

The user discussion and development of Git take place on the Git mailing list -- everyone is welcome to post bug reports, feature requests, comments and patches to git@vger.kernel.org (read Documentation/SubmittingPatches for instructions on patch submission). To subscribe to the list, send an email with just “subscribe git” in the body to majordomo@vger.kernel.org. The mailing list archives are available at https://public-inbox.org/git/, http://marc.info/?l=git and other archival sites.

The maintainer frequently sends the “What's cooking” reports that list the current status of various development topics to the mailing list. The discussion following them give a good reference for project status, development direction and remaining tasks.

The name “git” was given by Linus Torvalds when he wrote the very first version. He described the tool as “the stupid content tracker” and the name as (depending on your mood):

  • random three-letter combination that is pronounceable, and not actually used by any common UNIX command. The fact that it is a mispronunciation of “get” may or may not be relevant.
  • stupid. contemptible and despicable. simple. Take your pick from the dictionary of slang.
  • “global information tracker”: you're in a good mood, and it actually works for you. Angels sing, and a light suddenly fills the room.
  • “goddamn idiotic truckload of sh*t”: when it breaks