Git 2.38.1

-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE4fA2sf7nIh/HeOzvsLXohpav5ssFAmM/rwcACgkQsLXohpav
 5stHpQ/9Eqd0dVwVA6FijqRr6Nsdt8ufGh4OPZUWlNoQeJbp6N1IDGydAxfzNRNC
 fQTqGyL0ZdvLkWZUQ5ACL+157ArJGINE1f+EjOy+MDcyClPfJpk3r4O/qftmowQk
 l3vnAKBqYRn5ta2+fg6a0R6Q3cH5qZsucXwvspEU+TcqMV6QAQYsbINxnO+VNCSV
 tmqeVO8bvNR+zsZ6p8J1EduWpgvh6XsBpr56UxnOim+XEp+nAzPOILJTbYnMx0Am
 HD6WO7Ws3Wp9hj6cKYjcXyNmXT0T4EOhXtIBCKaXxAjXvvX77a9dpUQNI5n91DAi
 HQ/viM4hhrqBfs3jtr6qnDB/c1wcCLH+1QiOlB/2TE9l4zjR25lAtv901uey4yg6
 A8he9nr1eEiPN0k3vrhYE01rUi9I1arAZ9lVF28NF+JMM25F8dZc2YZbc3UHoBMZ
 7ilpydBqXe43ll4/J8XRcMPQeR7++ss0ROqVN/xXnVB0UWvCYhMFleJ1KA7LHjQd
 XaRi9Xsiki9OTXFrr7u8QZ94RinpHPUkuGxODO7Jqo8uL5+9JIdVuNbJbzQDK8s4
 aU6nfSM7clNebrjaTOeiQB8hv0/uZt6QpUQzT4Q7OBOJzO4uLbkDxChIw/sflQWB
 rWRb63/KOtap78DVvMJMw5OQC4hXi7lJIchgZ8hfBKKs83p5Smk=
 =bTdb
 -----END PGP SIGNATURE-----

Sync with v2.38.1
This commit is contained in:
Junio C Hamano 2022-10-17 15:46:09 -07:00
commit 9c32cfb49c
74 changed files with 362 additions and 62 deletions

View File

@ -0,0 +1,60 @@
Git v2.30.6 Release Notes
=========================
This release addresses the security issues CVE-2022-39253 and
CVE-2022-39260.
Fixes since v2.30.5
-------------------
* CVE-2022-39253:
When relying on the `--local` clone optimization, Git dereferences
symbolic links in the source repository before creating hardlinks
(or copies) of the dereferenced link in the destination repository.
This can lead to surprising behavior where arbitrary files are
present in a repository's `$GIT_DIR` when cloning from a malicious
repository.
Git will no longer dereference symbolic links via the `--local`
clone mechanism, and will instead refuse to clone repositories that
have symbolic links present in the `$GIT_DIR/objects` directory.
Additionally, the value of `protocol.file.allow` is changed to be
"user" by default.
* CVE-2022-39260:
An overly-long command string given to `git shell` can result in
overflow in `split_cmdline()`, leading to arbitrary heap writes and
remote code execution when `git shell` is exposed and the directory
`$HOME/git-shell-commands` exists.
`git shell` is taught to refuse interactive commands that are
longer than 4MiB in size. `split_cmdline()` is hardened to reject
inputs larger than 2GiB.
Credit for finding CVE-2022-39253 goes to Cory Snider of Mirantis. The
fix was authored by Taylor Blau, with help from Johannes Schindelin.
Credit for finding CVE-2022-39260 goes to Kevin Backhouse of GitHub.
The fix was authored by Kevin Backhouse, Jeff King, and Taylor Blau.
Jeff King (2):
shell: add basic tests
shell: limit size of interactive commands
Kevin Backhouse (1):
alias.c: reject too-long cmdline strings in split_cmdline()
Taylor Blau (11):
builtin/clone.c: disallow `--local` clones with symlinks
t/lib-submodule-update.sh: allow local submodules
t/t1NNN: allow local submodules
t/2NNNN: allow local submodules
t/t3NNN: allow local submodules
t/t4NNN: allow local submodules
t/t5NNN: allow local submodules
t/t6NNN: allow local submodules
t/t7NNN: allow local submodules
t/t9NNN: allow local submodules
transport: make `protocol.file.allow` be "user" by default

View File

@ -0,0 +1,5 @@
Git v2.31.5 Release Notes
=========================
This release merges the security fix that appears in v2.30.6; see
the release notes for that version for details.

View File

@ -0,0 +1,5 @@
Git v2.32.4 Release Notes
=========================
This release merges the security fix that appears in v2.30.6; see
the release notes for that version for details.

View File

@ -0,0 +1,5 @@
Git v2.33.5 Release Notes
=========================
This release merges the security fix that appears in v2.30.6; see
the release notes for that version for details.

View File

@ -0,0 +1,5 @@
Git v2.34.5 Release Notes
=========================
This release merges the security fix that appears in v2.30.6; see
the release notes for that version for details.

View File

@ -0,0 +1,5 @@
Git v2.35.5 Release Notes
=========================
This release merges the security fix that appears in v2.30.6; see
the release notes for that version for details.

View File

@ -0,0 +1,5 @@
Git v2.36.3 Release Notes
=========================
This release merges the security fix that appears in v2.30.6; see
the release notes for that version for details.

View File

@ -2,11 +2,45 @@ Git 2.37.4 Release Notes
========================
This primarily is to backport various fixes accumulated on the 'master'
front since 2.37.3.
front since 2.37.3, and also includes the same security fixes as in
v2.30.6.
Fixes since v2.37.3
-------------------
* CVE-2022-39253:
When relying on the `--local` clone optimization, Git dereferences
symbolic links in the source repository before creating hardlinks
(or copies) of the dereferenced link in the destination repository.
This can lead to surprising behavior where arbitrary files are
present in a repository's `$GIT_DIR` when cloning from a malicious
repository.
Git will no longer dereference symbolic links via the `--local`
clone mechanism, and will instead refuse to clone repositories that
have symbolic links present in the `$GIT_DIR/objects` directory.
Additionally, the value of `protocol.file.allow` is changed to be
"user" by default.
Credit for finding CVE-2022-39253 goes to Cory Snider of Mirantis.
The fix was authored by Taylor Blau, with help from Johannes
Schindelin.
* CVE-2022-39260:
An overly-long command string given to `git shell` can result in
overflow in `split_cmdline()`, leading to arbitrary heap writes and
remote code execution when `git shell` is exposed and the directory
`$HOME/git-shell-commands` exists.
`git shell` is taught to refuse interactive commands that are
longer than 4MiB in size. `split_cmdline()` is hardened to reject
inputs larger than 2GiB.
Credit for finding CVE-2022-39260 goes to Kevin Backhouse of
GitHub. The fix was authored by Kevin Backhouse, Jeff King, and
Taylor Blau.
* An earlier optimization discarded a tree-object buffer that is
still in use, which has been corrected.

View File

@ -0,0 +1,5 @@
Git v2.38.1 Release Notes
=========================
This release merges the security fix that appears in v2.30.6; see
the release notes for that version for details.

View File

@ -1,10 +1,10 @@
protocol.allow::
If set, provide a user defined default policy for all protocols which
don't explicitly have a policy (`protocol.<name>.allow`). By default,
if unset, known-safe protocols (http, https, git, ssh, file) have a
if unset, known-safe protocols (http, https, git, ssh) have a
default policy of `always`, known-dangerous protocols (ext) have a
default policy of `never`, and all other protocols have a default
policy of `user`. Supported policies:
default policy of `never`, and all other protocols (including file)
have a default policy of `user`. Supported policies:
+
--

11
alias.c
View File

@ -46,14 +46,16 @@ void list_aliases(struct string_list *list)
#define SPLIT_CMDLINE_BAD_ENDING 1
#define SPLIT_CMDLINE_UNCLOSED_QUOTE 2
#define SPLIT_CMDLINE_ARGC_OVERFLOW 3
static const char *split_cmdline_errors[] = {
N_("cmdline ends with \\"),
N_("unclosed quote")
N_("unclosed quote"),
N_("too many arguments"),
};
int split_cmdline(char *cmdline, const char ***argv)
{
int src, dst, count = 0, size = 16;
size_t src, dst, count = 0, size = 16;
char quoted = 0;
ALLOC_ARRAY(*argv, size);
@ -96,6 +98,11 @@ int split_cmdline(char *cmdline, const char ***argv)
return -SPLIT_CMDLINE_UNCLOSED_QUOTE;
}
if (count >= INT_MAX) {
FREE_AND_NULL(*argv);
return -SPLIT_CMDLINE_ARGC_OVERFLOW;
}
ALLOC_GROW(*argv, count + 1, size);
(*argv)[count] = NULL;

View File

@ -320,13 +320,11 @@ static void copy_or_link_directory(struct strbuf *src, struct strbuf *dest,
int src_len, dest_len;
struct dir_iterator *iter;
int iter_status;
unsigned int flags;
struct strbuf realpath = STRBUF_INIT;
mkdir_if_missing(dest->buf, 0777);
flags = DIR_ITERATOR_PEDANTIC | DIR_ITERATOR_FOLLOW_SYMLINKS;
iter = dir_iterator_begin(src->buf, flags);
iter = dir_iterator_begin(src->buf, DIR_ITERATOR_PEDANTIC);
if (!iter)
die_errno(_("failed to start iterator over '%s'"), src->buf);
@ -342,6 +340,10 @@ static void copy_or_link_directory(struct strbuf *src, struct strbuf *dest,
strbuf_setlen(dest, dest_len);
strbuf_addstr(dest, iter->relative_path);
if (S_ISLNK(iter->st.st_mode))
die(_("symlink '%s' exists, refusing to clone with --local"),
iter->relative_path);
if (S_ISDIR(iter->st.st_mode)) {
mkdir_if_missing(dest->buf, 0777);
continue;

34
shell.c
View File

@ -47,6 +47,8 @@ static void cd_to_homedir(void)
die("could not chdir to user's home directory");
}
#define MAX_INTERACTIVE_COMMAND (4*1024*1024)
static void run_shell(void)
{
int done = 0;
@ -67,22 +69,46 @@ static void run_shell(void)
run_command_v_opt(help_argv, RUN_SILENT_EXEC_FAILURE);
do {
struct strbuf line = STRBUF_INIT;
const char *prog;
char *full_cmd;
char *rawargs;
size_t len;
char *split_args;
const char **argv;
int code;
int count;
fprintf(stderr, "git> ");
if (git_read_line_interactively(&line) == EOF) {
/*
* Avoid using a strbuf or git_read_line_interactively() here.
* We don't want to allocate arbitrary amounts of memory on
* behalf of a possibly untrusted client, and we're subject to
* OS limits on command length anyway.
*/
fflush(stdout);
rawargs = xmalloc(MAX_INTERACTIVE_COMMAND);
if (!fgets(rawargs, MAX_INTERACTIVE_COMMAND, stdin)) {
fprintf(stderr, "\n");
strbuf_release(&line);
free(rawargs);
break;
}
rawargs = strbuf_detach(&line, NULL);
len = strlen(rawargs);
/*
* If we truncated due to our input buffer size, reject the
* command. That's better than running bogus input, and
* there's a good chance it's just malicious garbage anyway.
*/
if (len >= MAX_INTERACTIVE_COMMAND - 1)
die("invalid command format: input too long");
if (len > 0 && rawargs[len - 1] == '\n') {
if (--len > 0 && rawargs[len - 1] == '\r')
--len;
rawargs[len] = '\0';
}
split_args = xstrdup(rawargs);
count = split_cmdline(split_args, &argv);
if (count < 0) {

View File

@ -197,6 +197,7 @@ test_git_directory_exists () {
# the submodule repo if it doesn't exist and configures the most problematic
# settings for diff.ignoreSubmodules.
prolog () {
test_config_global protocol.file.allow always &&
(test -d submodule_update_repo || create_lib_submodule_repo) &&
test_config_global diff.ignoreSubmodules all &&
test_config diff.ignoreSubmodules all

View File

@ -560,7 +560,8 @@ test_expect_success 'interaction with submodules' '
(
cd super &&
mkdir modules &&
git submodule add ../repo modules/child &&
git -c protocol.file.allow=always \
submodule add ../repo modules/child &&
git add . &&
git commit -m "add submodule" &&
git sparse-checkout init --cone &&

View File

@ -1315,6 +1315,8 @@ test_expect_success 'submodule handling' '
test_all_match git add modules &&
test_all_match git commit -m "add modules directory" &&
test_config_global protocol.file.allow always &&
run_on_all git submodule add "$(pwd)/initial-repo" modules/sub &&
test_all_match git commit -m "add submodule" &&

View File

@ -226,7 +226,8 @@ test_expect_success 'showing the superproject correctly' '
test_commit -C super test_commit &&
test_create_repo sub &&
test_commit -C sub test_commit &&
git -C super submodule add ../sub dir/sub &&
git -c protocol.file.allow=always \
-C super submodule add ../sub dir/sub &&
echo $(pwd)/super >expect &&
git -C super/dir/sub rev-parse --show-superproject-working-tree >out &&
test_cmp expect out &&

View File

@ -41,6 +41,8 @@ TEST_NO_CREATE_REPO=1
# - m/m (file)
#
test_expect_success 'setup repo for checkout with various types of changes' '
test_config_global protocol.file.allow always &&
git init sub &&
(
cd sub &&
@ -140,6 +142,7 @@ do
esac
test_expect_success "$mode checkout on clone" '
test_config_global protocol.file.allow always &&
repo=various_${mode}_clone &&
set_checkout_config $workers $threshold &&
test_checkout_workers $expected_workers \

View File

@ -669,6 +669,7 @@ test_expect_success '"add" should not fail because of another bad worktree' '
'
test_expect_success '"add" with uninitialized submodule, with submodule.recurse unset' '
test_config_global protocol.file.allow always &&
test_create_repo submodule &&
test_commit -C submodule first &&
test_create_repo project &&
@ -684,6 +685,7 @@ test_expect_success '"add" with uninitialized submodule, with submodule.recurse
'
test_expect_success '"add" with initialized submodule, with submodule.recurse unset' '
test_config_global protocol.file.allow always &&
git -C project-clone submodule update --init &&
git -C project-clone worktree add ../project-4
'

View File

@ -139,7 +139,8 @@ test_expect_success 'move a repo with uninitialized submodule' '
(
cd withsub &&
test_commit initial &&
git submodule add "$PWD"/.git sub &&
git -c protocol.file.allow=always \
submodule add "$PWD"/.git sub &&
git commit -m withsub &&
git worktree add second HEAD &&
git worktree move second third
@ -149,7 +150,7 @@ test_expect_success 'move a repo with uninitialized submodule' '
test_expect_success 'not move a repo with initialized submodule' '
(
cd withsub &&
git -C third submodule update &&
git -c protocol.file.allow=always -C third submodule update &&
test_must_fail git worktree move third forth
)
'
@ -228,6 +229,7 @@ test_expect_success 'remove cleans up .git/worktrees when empty' '
'
test_expect_success 'remove a repo with uninitialized submodule' '
test_config_global protocol.file.allow always &&
(
cd withsub &&
git worktree add to-remove HEAD &&
@ -236,6 +238,7 @@ test_expect_success 'remove a repo with uninitialized submodule' '
'
test_expect_success 'not remove a repo with initialized submodule' '
test_config_global protocol.file.allow always &&
(
cd withsub &&
git worktree add to-remove HEAD &&

View File

@ -10,6 +10,7 @@ export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME
base_path=$(pwd -P)
test_expect_success 'setup: create origin repos' '
git config --global protocol.file.allow always &&
git init origin/sub &&
test_commit -C origin/sub file1 &&
git init origin/main &&

View File

@ -306,6 +306,7 @@ test_expect_success 'deleting checked-out branch from repo that is a submodule'
git init repo1 &&
git init repo1/sub &&
test_commit -C repo1/sub x &&
test_config_global protocol.file.allow always &&
git -C repo1 submodule add ./sub &&
git -C repo1 commit -m "adding sub" &&

View File

@ -793,7 +793,7 @@ test_expect_success 'submodule changes are shown irrespective of diff.submodule'
sub_oid3=$(git -C sub-repo rev-parse HEAD) &&
git checkout -b main-sub topic &&
git submodule add ./sub-repo sub &&
git -c protocol.file.allow=always submodule add ./sub-repo sub &&
git -C sub checkout --detach sub-first &&
git commit -m "add sub" sub &&
sup_oid1=$(git rev-parse --short HEAD) &&

View File

@ -28,6 +28,7 @@ test_no_branch () {
}
test_expect_success 'setup superproject and submodule' '
git config --global protocol.file.allow always &&
mkdir test_dirs &&
(
cd test_dirs &&

View File

@ -310,7 +310,7 @@ test_expect_success 'autostash is saved on editor failure with conflict' '
test_expect_success 'autostash with dirty submodules' '
test_when_finished "git reset --hard && git checkout main" &&
git checkout -b with-submodule &&
git submodule add ./ sub &&
git -c protocol.file.allow=always submodule add ./ sub &&
test_tick &&
git commit -m add-submodule &&
echo changed >sub/file0 &&

View File

@ -48,7 +48,8 @@ test_expect_success 'rebase interactive ignores modified submodules' '
git init sub &&
git -C sub commit --allow-empty -m "Initial commit" &&
git init super &&
git -C super submodule add ../sub &&
git -c protocol.file.allow=always \
-C super submodule add ../sub &&
git -C super config submodule.sub.ignore dirty &&
>super/foo &&
git -C super add foo &&

View File

@ -16,6 +16,8 @@ fi
test_submodule_switch "cherry-pick"
test_expect_success 'unrelated submodule/file conflict is ignored' '
test_config_global protocol.file.allow always &&
test_create_repo sub &&
touch sub/file &&

View File

@ -333,7 +333,7 @@ test_expect_success 'rm removes empty submodules from work tree' '
test_expect_success 'rm removes removed submodule from index and .gitmodules' '
git reset --hard &&
git submodule update &&
git -c protocol.file.allow=always submodule update &&
rm -rf submod &&
git rm submod &&
git status -s -uno --ignore-submodules=none >actual &&
@ -639,6 +639,7 @@ cat >expect.deepmodified <<EOF
EOF
test_expect_success 'setup subsubmodule' '
test_config_global protocol.file.allow always &&
git reset --hard &&
git submodule update &&
(

View File

@ -36,7 +36,7 @@ setup_basic () {
git init main &&
(
cd main &&
git submodule add ../sub &&
git -c protocol.file.allow=always submodule add ../sub &&
test_commit main_file
)
}

View File

@ -49,7 +49,7 @@ test_expect_success 'setup - submodules' '
'
test_expect_success 'setup - git submodule add' '
git submodule add ./sm2 sm1 &&
git -c protocol.file.allow=always submodule add ./sm2 sm1 &&
commit_file sm1 .gitmodules &&
git diff-tree -p --no-commit-id --submodule=log HEAD -- sm1 >actual &&
cat >expected <<-EOF &&

View File

@ -840,7 +840,7 @@ rm sm2
mv sm2-bak sm2
test_expect_success 'setup nested submodule' '
git -C sm2 submodule add ../sm2 nested &&
git -c protocol.file.allow=always -C sm2 submodule add ../sm2 nested &&
git -C sm2 commit -a -m "nested sub" &&
head10=$(git -C sm2 rev-parse --short --verify HEAD)
'

View File

@ -77,6 +77,7 @@ test_expect_success 'diff skips same-OID blobs' '
test_expect_success 'when fetching missing objects, diff skips GITLINKs' '
test_when_finished "rm -rf sub server client trace" &&
test_config_global protocol.file.allow always &&
test_create_repo sub &&
test_commit -C sub first &&

View File

@ -124,6 +124,7 @@ test_expect_success 'command line pathspec parsing for "git log"' '
test_expect_success 'tree_entry_interesting does not match past submodule boundaries' '
test_when_finished "rm -rf repo submodule" &&
test_config_global protocol.file.allow always &&
git init submodule &&
test_commit -C submodule initial &&
git init repo &&

View File

@ -790,6 +790,7 @@ test_expect_success 'fetch.writeCommitGraph' '
'
test_expect_success 'fetch.writeCommitGraph with submodules' '
test_config_global protocol.file.allow always &&
git clone dups super &&
(
cd super &&

View File

@ -222,6 +222,7 @@ test_expect_success 'push with negotiation proceeds anyway even if negotiation f
test_expect_success 'push with negotiation does not attempt to fetch submodules' '
mk_empty submodule_upstream &&
test_commit -C submodule_upstream submodule_commit &&
test_config_global protocol.file.allow always &&
git submodule add ./submodule_upstream submodule &&
mk_empty testrepo &&
git push testrepo $the_first_commit:refs/remotes/origin/first_commit &&

View File

@ -127,6 +127,7 @@ verify_fetch_result () {
}
test_expect_success setup '
git config --global protocol.file.allow always &&
mkdir deepsubmodule &&
(
cd deepsubmodule &&

View File

@ -162,6 +162,8 @@ test_expect_success 'fetch --update-shallow' '
'
test_expect_success 'fetch --update-shallow into a repo with submodules' '
test_config_global protocol.file.allow always &&
git init a-submodule &&
test_commit -C a-submodule foo &&
@ -175,7 +177,8 @@ test_expect_success 'fetch --update-shallow into a repo with submodules' '
test_expect_success 'fetch --update-shallow a commit that is also a shallow point into a repo with submodules' '
test_when_finished "rm -rf repo-with-sub" &&
git init repo-with-sub &&
git -C repo-with-sub submodule add ../a-submodule a-submodule &&
git -c protocol.file.allow=always -C repo-with-sub \
submodule add ../a-submodule a-submodule &&
git -C repo-with-sub commit -m "added submodule" &&
SHALLOW=$(cat shallow/.git/shallow) &&

View File

@ -119,6 +119,7 @@ test_expect_success 'push options and submodules' '
test_commit -C parent one &&
git -C parent push --mirror up &&
test_config_global protocol.file.allow always &&
git -C parent submodule add ../upstream workbench &&
git -C parent/workbench remote add up ../../upstream &&
git -C parent commit -m "add submodule" &&

View File

@ -52,6 +52,10 @@ then
fi
test_submodule_switch_func "git_pull_noff"
test_expect_success 'setup' '
git config --global protocol.file.allow always
'
test_expect_success 'pull --recurse-submodule setup' '
test_create_repo child &&
test_commit -C child bar &&

View File

@ -767,6 +767,7 @@ test_expect_success 'batch missing blob request does not inadvertently try to fe
echo aa >server/a &&
echo bb >server/b &&
# Also add a gitlink pointing to an arbitrary repository
test_config_global protocol.file.allow always &&
git -C server submodule add "$(pwd)/repo_for_submodule" c &&
git -C server add a b c &&
git -C server commit -m x &&

View File

@ -303,8 +303,6 @@ test_expect_success SYMLINKS 'setup repo with manually symlinked or unknown file
ln -s ../an-object $obj &&
cd ../ &&
find . -type f | sort >../../../T.objects-files.raw &&
find . -type l | sort >../../../T.objects-symlinks.raw &&
echo unknown_content >unknown_file
) &&
git -C T fsck &&
@ -313,19 +311,27 @@ test_expect_success SYMLINKS 'setup repo with manually symlinked or unknown file
test_expect_success SYMLINKS 'clone repo with symlinked or unknown files at objects/' '
for option in --local --no-hardlinks --shared --dissociate
# None of these options work when cloning locally, since T has
# symlinks in its `$GIT_DIR/objects` directory
for option in --local --no-hardlinks --dissociate
do
git clone $option T T$option || return 1 &&
git -C T$option fsck || return 1 &&
git -C T$option rev-list --all --objects >T$option.objects &&
test_cmp T.objects T$option.objects &&
(
cd T$option/.git/objects &&
find . -type f | sort >../../../T$option.objects-files.raw &&
find . -type l | sort >../../../T$option.objects-symlinks.raw
)
test_must_fail git clone $option T T$option 2>err || return 1 &&
test_i18ngrep "symlink.*exists" err || return 1
done &&
# But `--shared` clones should still work, even when specifying
# a local path *and* that repository has symlinks present in its
# `$GIT_DIR/objects` directory.
git clone --shared T T--shared &&
git -C T--shared fsck &&
git -C T--shared rev-list --all --objects >T--shared.objects &&
test_cmp T.objects T--shared.objects &&
(
cd T--shared/.git/objects &&
find . -type f | sort >../../../T--shared.objects-files.raw &&
find . -type l | sort >../../../T--shared.objects-symlinks.raw
) &&
for raw in $(ls T*.raw)
do
sed -e "s!/../!/Y/!; s![0-9a-f]\{38,\}!Z!" -e "/commit-graph/d" \
@ -333,26 +339,6 @@ test_expect_success SYMLINKS 'clone repo with symlinked or unknown files at obje
sort $raw.de-sha-1 >$raw.de-sha || return 1
done &&
cat >expected-files <<-EOF &&
./Y/Z
./Y/Z
./Y/Z
./a-loose-dir/Z
./an-object
./info/packs
./pack/pack-Z.idx
./pack/pack-Z.pack
./packs/pack-Z.idx
./packs/pack-Z.pack
./unknown_file
EOF
for option in --local --no-hardlinks --dissociate
do
test_cmp expected-files T$option.objects-files.raw.de-sha || return 1 &&
test_must_be_empty T$option.objects-symlinks.raw.de-sha || return 1
done &&
echo ./info/alternates >expected-files &&
test_cmp expected-files T--shared.objects-files.raw &&
test_must_be_empty T--shared.objects-symlinks.raw

View File

@ -24,6 +24,7 @@ test_expect_success 'setup' '
test_expect_success 'nonshallow clone implies nonshallow submodule' '
test_when_finished "rm -rf super_clone" &&
test_config_global protocol.file.allow always &&
git clone --recurse-submodules "file://$pwd/." super_clone &&
git -C super_clone log --oneline >lines &&
test_line_count = 3 lines &&
@ -33,6 +34,7 @@ test_expect_success 'nonshallow clone implies nonshallow submodule' '
test_expect_success 'shallow clone with shallow submodule' '
test_when_finished "rm -rf super_clone" &&
test_config_global protocol.file.allow always &&
git clone --recurse-submodules --depth 2 --shallow-submodules "file://$pwd/." super_clone &&
git -C super_clone log --oneline >lines &&
test_line_count = 2 lines &&
@ -42,6 +44,7 @@ test_expect_success 'shallow clone with shallow submodule' '
test_expect_success 'shallow clone does not imply shallow submodule' '
test_when_finished "rm -rf super_clone" &&
test_config_global protocol.file.allow always &&
git clone --recurse-submodules --depth 2 "file://$pwd/." super_clone &&
git -C super_clone log --oneline >lines &&
test_line_count = 2 lines &&
@ -51,6 +54,7 @@ test_expect_success 'shallow clone does not imply shallow submodule' '
test_expect_success 'shallow clone with non shallow submodule' '
test_when_finished "rm -rf super_clone" &&
test_config_global protocol.file.allow always &&
git clone --recurse-submodules --depth 2 --no-shallow-submodules "file://$pwd/." super_clone &&
git -C super_clone log --oneline >lines &&
test_line_count = 2 lines &&
@ -60,6 +64,7 @@ test_expect_success 'shallow clone with non shallow submodule' '
test_expect_success 'non shallow clone with shallow submodule' '
test_when_finished "rm -rf super_clone" &&
test_config_global protocol.file.allow always &&
git clone --recurse-submodules --no-local --shallow-submodules "file://$pwd/." super_clone &&
git -C super_clone log --oneline >lines &&
test_line_count = 3 lines &&
@ -69,6 +74,7 @@ test_expect_success 'non shallow clone with shallow submodule' '
test_expect_success 'clone follows shallow recommendation' '
test_when_finished "rm -rf super_clone" &&
test_config_global protocol.file.allow always &&
git config -f .gitmodules submodule.sub.shallow true &&
git add .gitmodules &&
git commit -m "recommend shallow for sub" &&
@ -87,6 +93,7 @@ test_expect_success 'clone follows shallow recommendation' '
test_expect_success 'get unshallow recommended shallow submodule' '
test_when_finished "rm -rf super_clone" &&
test_config_global protocol.file.allow always &&
git clone --no-local "file://$pwd/." super_clone &&
(
cd super_clone &&
@ -103,6 +110,7 @@ test_expect_success 'get unshallow recommended shallow submodule' '
test_expect_success 'clone follows non shallow recommendation' '
test_when_finished "rm -rf super_clone" &&
test_config_global protocol.file.allow always &&
git config -f .gitmodules submodule.sub.shallow false &&
git add .gitmodules &&
git commit -m "recommend non shallow for sub" &&

View File

@ -260,6 +260,8 @@ test_expect_success 'partial clone with transfer.fsckobjects=1 works with submod
test_config -C src_with_sub uploadpack.allowfilter 1 &&
test_config -C src_with_sub uploadpack.allowanysha1inwant 1 &&
test_config_global protocol.file.allow always &&
git -C src_with_sub submodule add "file://$(pwd)/submodule" mysub &&
git -C src_with_sub commit -m "commit with submodule" &&

View File

@ -10,6 +10,7 @@ export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME
pwd=$(pwd)
test_expect_success 'setup' '
git config --global protocol.file.allow always &&
git checkout -b main &&
test_commit commit1 &&
mkdir sub &&

View File

@ -27,7 +27,7 @@ test_expect_success 'setup' '
: > super-file &&
git add super-file &&
git submodule add "$(pwd)" sub &&
git -c protocol.file.allow=always submodule add "$(pwd)" sub &&
git symbolic-ref HEAD refs/heads/super &&
test_tick &&
git commit -m super-initial &&

View File

@ -10,7 +10,7 @@ test_expect_success 'setup a submodule' '
: >pretzel/a &&
git -C pretzel add a &&
git -C pretzel commit -m "add a file" -- a &&
git submodule add ./pretzel sub &&
git -c protocol.file.allow=always submodule add ./pretzel sub &&
git commit -a -m "add submodule" &&
git submodule deinit --all
'

View File

@ -324,6 +324,7 @@ test_expect_success SYMLINKS 'check moved symlink' '
rm -f moved symlink
test_expect_success 'setup submodule' '
test_config_global protocol.file.allow always &&
git commit -m initial &&
git reset --hard &&
git submodule add ./. sub &&
@ -509,6 +510,7 @@ test_expect_success 'moving a submodule in nested directories' '
'
test_expect_success 'moving nested submodules' '
test_config_global protocol.file.allow always &&
git commit -am "cleanup commit" &&
mkdir sub_nested_nested &&
(

View File

@ -473,6 +473,7 @@ test_expect_success 'create and add submodule, submodule appears clean (A. S...)
git checkout initial-branch &&
git clone . sub_repo &&
git clone . super_repo &&
test_config_global protocol.file.allow always &&
( cd super_repo &&
git submodule add ../sub_repo sub1 &&

View File

@ -480,6 +480,7 @@ test_expect_success 'should not clean submodules' '
git init &&
test_commit msg hello.world
) &&
test_config_global protocol.file.allow always &&
git submodule add ./repo/.git sub1 &&
git commit -m "sub1" &&
git branch before_sub2 &&

View File

@ -14,6 +14,10 @@ export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME
. ./test-lib.sh
test_expect_success 'setup - enable local submodules' '
git config --global protocol.file.allow always
'
test_expect_success 'submodule usage: -h' '
git submodule -h >out 2>err &&
grep "^usage: git submodule" out &&

View File

@ -14,6 +14,8 @@ export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME
. ./test-lib.sh
test_expect_success setup '
git config --global protocol.file.allow always &&
echo file >file &&
git add file &&
test_tick &&

View File

@ -25,6 +25,7 @@ compare_head()
test_expect_success 'setup a submodule tree' '
git config --global protocol.file.allow always &&
echo file > file &&
git add file &&
test_tick &&

View File

@ -16,6 +16,7 @@ export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME
test_expect_success 'setup a submodule tree' '
git config --global protocol.file.allow always &&
echo file > file &&
git add file &&
test_tick &&

View File

@ -17,6 +17,10 @@ test_alternate_is_used () {
test_cmp expect actual
}
test_expect_success 'setup' '
git config --global protocol.file.allow always
'
test_expect_success 'preparing first repository' '
test_create_repo A &&
(

View File

@ -15,6 +15,10 @@ export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME
. ./test-lib.sh
test_expect_success 'setup' '
git config --global protocol.file.allow always
'
test_expect_success 'submodule on detached working tree' '
git init --bare remote &&
test_create_repo bundle1 &&

View File

@ -12,6 +12,9 @@ from the database and from the worktree works.
TEST_NO_CREATE_REPO=1
. ./test-lib.sh
test_expect_success 'setup' '
git config --global protocol.file.allow always
'
test_expect_success 'submodule config cache setup' '
mkdir submodule &&
(cd submodule &&

View File

@ -13,6 +13,7 @@ TEST_PASSES_SANITIZE_LEAK=true
. ./test-lib.sh
test_expect_success 'setup' '
git config --global protocol.file.allow always &&
git init sub &&
test_commit -C sub initial &&
git init super &&

View File

@ -32,7 +32,8 @@ test_expect_success 'no warning when updating entry' '
test_expect_success 'submodule add does not warn' '
test_when_finished "git rm -rf submodule .gitmodules" &&
git submodule add ./embed submodule 2>stderr &&
git -c protocol.file.allow=always \
submodule add ./embed submodule 2>stderr &&
test_i18ngrep ! warning stderr
'

View File

@ -3,6 +3,10 @@
test_description='check handling of disallowed .gitmodule urls'
. ./test-lib.sh
test_expect_success 'setup' '
git config --global protocol.file.allow always
'
test_expect_success 'create submodule with protected dash in url' '
git init upstream &&
git -C upstream commit --allow-empty -m base &&

View File

@ -6,6 +6,10 @@ export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME
. ./test-lib.sh
test_expect_success 'setup' '
git config --global protocol.file.allow always
'
test_expect_success 'create submodule with dash in path' '
git init upstream &&
git -C upstream commit --allow-empty -m base &&

View File

@ -17,6 +17,10 @@ export GIT_TEST_FATAL_REGISTER_SUBMODULE_ODB
. ./test-lib.sh
test_expect_success 'setup' '
git config --global protocol.file.allow always
'
test_expect_success 'sparse checkout setup which hides .gitmodules' '
git init upstream &&
git init submodule &&

View File

@ -13,6 +13,10 @@ TEST_PASSES_SANITIZE_LEAK=true
TEST_NO_CREATE_REPO=1
. ./test-lib.sh
test_expect_success 'setup' '
git config --global protocol.file.allow always
'
test_expect_success 'submodule config cache setup' '
mkdir submodule &&
(cd submodule &&

View File

@ -12,6 +12,10 @@ as expected.
TEST_NO_CREATE_REPO=1
. ./test-lib.sh
test_expect_success 'setup' '
git config --global protocol.file.allow always
'
test_expect_success 'submodule config cache setup' '
mkdir submodule &&
(

View File

@ -12,6 +12,10 @@ while making sure to add submodules using `git submodule add` instead of
. ./test-lib.sh
test_expect_success 'setup' '
git config --global protocol.file.allow always
'
test_expect_success 'summary test environment setup' '
git init sm &&
test_commit -C sm "add file" file file-content file-tag &&

View File

@ -15,6 +15,10 @@ Such as:
. ./test-lib.sh
. "$TEST_DIRECTORY"/lib-pack.sh
test_expect_success 'setup' '
git config --global protocol.file.allow always
'
test_expect_success 'check names' '
cat >expect <<-\EOF &&
valid

View File

@ -252,6 +252,7 @@ test_expect_success 'status with merge conflict in .gitmodules' '
test_create_repo_with_commit sub1 &&
test_tick &&
test_create_repo_with_commit sub2 &&
test_config_global protocol.file.allow always &&
(
cd super &&
prev=$(git rev-parse HEAD) &&
@ -327,6 +328,7 @@ test_expect_success 'diff --submodule with merge conflict in .gitmodules' '
# sub2 will have an untracked file
# sub3 will have an untracked repository
test_expect_success 'setup superproject with untracked file in nested submodule' '
test_config_global protocol.file.allow always &&
(
cd super &&
git clean -dfx &&

View File

@ -76,6 +76,7 @@ test_expect_success 'diff in message is retained with -v' '
test_expect_success 'submodule log is stripped out too with -v' '
git config diff.submodule log &&
test_config_global protocol.file.allow always &&
git submodule add ./. sub &&
git commit -m "sub added" &&
(

View File

@ -813,6 +813,10 @@ my_match_and_clean () {
git -C super/dir_1/dir_2/sub clean -d -f
}
test_expect_success 'submodule setup' '
git config --global protocol.file.allow always
'
test_expect_success 'submodule always visited' '
test_when_finished "git -C super fsmonitor--daemon stop; \
rm -rf super; \

View File

@ -636,6 +636,7 @@ test_expect_success 'difftool --no-symlinks detects conflict ' '
test_expect_success 'difftool properly honors gitlink and core.worktree' '
test_when_finished rm -rf submod/ule &&
test_config_global protocol.file.allow always &&
git submodule add ./. submod/ule &&
test_config -C submod/ule diff.tool checktrees &&
test_config -C submod/ule difftool.checktrees.cmd '\''

View File

@ -197,6 +197,7 @@ test_expect_success !MINGW 'grep recurse submodule colon in name' '
git -C "su:b" commit -m "add fi:le" &&
test_tick &&
test_config_global protocol.file.allow always &&
git -C parent submodule add "../su:b" "su:b" &&
git -C parent commit -m "add submodule" &&
test_tick &&
@ -231,6 +232,7 @@ test_expect_success 'grep history with moved submoules' '
git -C sub commit -m "add file" &&
test_tick &&
test_config_global protocol.file.allow always &&
git -C parent submodule add ../sub dir/sub &&
git -C parent commit -m "add submodule" &&
test_tick &&
@ -275,6 +277,7 @@ test_expect_success 'grep using relative path' '
mkdir parent/src &&
echo "(1|2)d(3|4)" >parent/src/file2 &&
git -C parent add src/file2 &&
test_config_global protocol.file.allow always &&
git -C parent submodule add ../sub &&
git -C parent commit -m "add files and submodule" &&
test_tick &&
@ -317,6 +320,7 @@ test_expect_success 'grep from a subdir' '
mkdir parent/src &&
echo "(1|2)d(3|4)" >parent/src/file &&
git -C parent add src/file &&
test_config_global protocol.file.allow always &&
git -C parent submodule add ../sub src/sub &&
git -C parent submodule add ../sub sub &&
git -C parent commit -m "add files and submodules" &&
@ -550,6 +554,7 @@ test_expect_failure 'grep saves textconv cache in the appropriate repository' '
test_expect_success 'grep partially-cloned submodule' '
# Set up clean superproject and submodule for partial cloning.
test_config_global protocol.file.allow always &&
git init super &&
git init super/sub &&
(

View File

@ -25,6 +25,7 @@ test_expect_success 'import with large marks file' '
'
test_expect_success 'setup dump with submodule' '
test_config_global protocol.file.allow always &&
git submodule add "$PWD" sub &&
git commit -m "add submodule" &&
git fast-export HEAD >dump

View File

@ -268,6 +268,7 @@ test_expect_success 'signed-tags=warn-strip' '
test_expect_success 'setup submodule' '
test_config_global protocol.file.allow always &&
git checkout -f main &&
mkdir sub &&
(
@ -293,6 +294,7 @@ test_expect_success 'setup submodule' '
test_expect_success 'submodule fast-export | fast-import' '
test_config_global protocol.file.allow always &&
SUBENT1=$(git ls-tree main^ sub) &&
SUBENT2=$(git ls-tree main sub) &&
rm -rf new &&

37
t/t9850-shell.sh Executable file
View File

@ -0,0 +1,37 @@
#!/bin/sh
test_description='git shell tests'
. ./test-lib.sh
test_expect_success 'shell allows upload-pack' '
printf 0000 >input &&
git upload-pack . <input >expect &&
git shell -c "git-upload-pack $SQ.$SQ" <input >actual &&
test_cmp expect actual
'
test_expect_success 'shell forbids other commands' '
test_must_fail git shell -c "git config foo.bar baz"
'
test_expect_success 'shell forbids interactive use by default' '
test_must_fail git shell
'
test_expect_success 'shell allows interactive command' '
mkdir git-shell-commands &&
write_script git-shell-commands/ping <<-\EOF &&
echo pong
EOF
echo pong >expect &&
echo ping | git shell >actual &&
test_cmp expect actual
'
test_expect_success 'shell complains of overlong commands' '
perl -e "print \"a\" x 2**12 for (0..2**19)" |
test_must_fail git shell 2>err &&
grep "too long" err
'
test_done

View File

@ -1009,8 +1009,7 @@ static enum protocol_allow_config get_protocol_config(const char *type)
if (!strcmp(type, "http") ||
!strcmp(type, "https") ||
!strcmp(type, "git") ||
!strcmp(type, "ssh") ||
!strcmp(type, "file"))
!strcmp(type, "ssh"))
return PROTOCOL_ALLOW_ALWAYS;
/* known scary; err on the side of caution */