git/builtin
Jeff King 10ecfa7649 verify_path: disallow symlinks in .gitmodules
There are a few reasons it's not a good idea to make
.gitmodules a symlink, including:

  1. It won't be portable to systems without symlinks.

  2. It may behave inconsistently, since Git may look at
     this file in the index or a tree without bothering to
     resolve any symbolic links. We don't do this _yet_, but
     the config infrastructure is there and it's planned for
     the future.

With some clever code, we could make (2) work. And some
people may not care about (1) if they only work on one
platform. But there are a few security reasons to simply
disallow it:

  a. A symlinked .gitmodules file may circumvent any fsck
     checks of the content.

  b. Git may read and write from the on-disk file without
     sanity checking the symlink target. So for example, if
     you link ".gitmodules" to "../oops" and run "git
     submodule add", we'll write to the file "oops" outside
     the repository.

Again, both of those are problems that _could_ be solved
with sufficient code, but given the complications in (1) and
(2), we're better off just outlawing it explicitly.

Note the slightly tricky call to verify_path() in
update-index's update_one(). There we may not have a mode if
we're not updating from the filesystem (e.g., we might just
be removing the file). Passing "0" as the mode there works
fine; since it's not a symlink, we'll just skip the extra
checks.

Signed-off-by: Jeff King <peff@peff.net>
2018-05-21 23:50:11 -04:00
..
add.c hold_locked_index(): align error handling with hold_lockfile_for_update() 2016-12-07 11:31:59 -08:00
am.c Merge branch 'jk/unbreak-am-h' into maint 2017-06-05 09:03:15 +09:00
annotate.c
apply.c Convert read_mmblob to take struct object_id. 2016-09-07 12:59:42 -07:00
archive.c archive: read local configuration 2016-11-22 13:55:20 -08:00
bisect--helper.c
blame.c C style: use standard style for "TRANSLATORS" comments 2017-05-31 08:01:42 +09:00
branch.c Merge branch 'kn/ref-filter-branch-list' into maint 2017-07-12 15:23:09 -07:00
bundle.c bundle: use prefix_filename with bundle path 2017-03-21 11:18:41 -07:00
cat-file.c Merge branch 'jk/diff-blob' into maint 2017-06-24 15:29:28 -07:00
check-attr.c attr: tighten const correctness with git_attr and match_attr 2017-02-01 13:46:53 -08:00
check-ignore.c give "nbuf" strbuf a more meaningful name 2016-02-01 13:43:02 -08:00
check-mailmap.c strbuf: introduce strbuf_getline_{lf,nul}() 2016-01-15 10:12:51 -08:00
check-ref-format.c use xmallocz to avoid size arithmetic 2016-02-22 14:51:09 -08:00
checkout-index.c hold_locked_index(): align error handling with hold_lockfile_for_update() 2016-12-07 11:31:59 -08:00
checkout.c Merge branch 'rs/checkout-am-fix-unborn' into maint 2017-06-05 09:03:12 +09:00
clean.c Merge branch 'sl/clean-d-ignored-fix' into maint 2017-06-13 13:27:02 -07:00
clone.c Merge branch 'jn/clone-add-empty-config-from-command-line' into maint 2017-06-05 09:03:11 +09:00
column.c column: read lines with strbuf_getline() 2016-01-15 10:35:07 -08:00
commit-tree.c builtin/commit-tree: convert to struct object_id 2016-09-07 12:59:43 -07:00
commit.c builtin/commit.c: fix a typo in the comment 2017-07-06 09:06:26 -07:00
config.c config: complain about --local outside of a git repo 2017-05-15 11:30:51 +09:00
count-objects.c Convert object iteration callbacks to struct object_id 2017-02-22 10:12:15 -08:00
credential.c
describe.c describe: localize debug output fully 2017-03-27 13:45:23 -07:00
diff-files.c diff: run arguments through precompose_argv 2016-05-13 14:35:49 -07:00
diff-index.c diff: run arguments through precompose_argv 2016-05-13 14:35:49 -07:00
diff-tree.c Merge branch 'jc/diff-tree-stale-comment' into maint 2017-06-24 15:29:31 -07:00
diff.c diff: use blob path for blob/file diffs 2017-05-24 10:59:27 +09:00
difftool.c difftool: address a couple of resource/memory leaks 2017-05-08 12:18:19 +09:00
fast-export.c fast-export: avoid leaking memory in handle_tag() 2017-05-08 12:18:20 +09:00
fetch-pack.c Rename sha1_array to oid_array 2017-03-31 08:33:56 -07:00
fetch.c Merge branch 'bc/object-id' 2017-04-19 21:37:13 -07:00
fmt-merge-msg.c builtin/fmt-merge-message: convert to struct object_id 2017-02-22 10:12:15 -08:00
for-each-ref.c ref-filter: add --no-contains option to tag/branch/for-each-ref 2017-03-24 12:15:26 -07:00
fsck.c read-cache: force_verify_index_checksum 2017-04-15 00:58:36 -07:00
gc.c gc: run pre-detach operations under lock 2017-07-12 09:41:04 -07:00
get-tar-commit-id.c usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
grep.c get_sha1_with_context: dynamically allocate oc->path 2017-05-24 10:59:27 +09:00
hash-object.c prefix_filename: return newly allocated string 2017-03-21 11:18:41 -07:00
help.c Merge branch 'js/no-html-bypass-on-windows' into maint 2016-09-08 21:35:55 -07:00
index-pack.c Merge branch 'jk/loose-object-info-report-error' 2017-04-16 23:29:30 -07:00
init-db.c real_pathdup(): fix callsites that wanted it to die on error 2017-03-08 14:38:41 -08:00
interpret-trailers.c Merge branch 'jk/parseopt-string-list' into jk/string-list-static-init 2016-06-13 10:37:48 -07:00
log.c Merge branch 'jk/diff-blob' into maint 2017-06-24 15:29:28 -07:00
ls-files.c ls-files: fix path used when recursing into submodules 2017-04-18 18:01:41 -07:00
ls-remote.c avoid using fixed PATH_MAX buffers for refs 2017-03-30 14:59:50 -07:00
ls-tree.c ls-tree: convert show_recursive to use the pathspec struct interface 2017-01-08 18:04:17 -08:00
mailinfo.c prefix_filename: return newly allocated string 2017-03-21 11:18:41 -07:00
mailsplit.c mailinfo & mailsplit: check for EOF while parsing 2017-05-08 12:18:19 +09:00
merge-base.c builtin/merge-base: convert to struct object_id 2017-02-22 10:12:16 -08:00
merge-file.c prefix_filename: return newly allocated string 2017-03-21 11:18:41 -07:00
merge-index.c Convert GIT_SHA1_HEXSZ used for allocation to GIT_MAX_HEXSZ 2017-03-26 22:08:21 -07:00
merge-ours.c
merge-recursive.c i18n: merge-recursive: mark verbose message for translation 2016-09-15 13:17:32 -07:00
merge-tree.c struct name_entry: use struct object_id instead of unsigned char sha1[20] 2016-04-25 14:23:42 -07:00
merge.c Merge branch 'bc/object-id' 2017-04-19 21:37:13 -07:00
mktag.c usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
mktree.c mktree: plug memory leaks reported by Coverity 2017-05-08 12:18:19 +09:00
mv.c Merge branch 'bw/pathspec-cleanup' 2017-01-18 15:12:15 -08:00
name-rev.c Merge branch 'jc/name-rev-lw-tag' into maint 2017-06-24 15:29:28 -07:00
notes.c C style: use standard style for "TRANSLATORS" comments 2017-05-31 08:01:42 +09:00
pack-objects.c Merge branch 'jk/disable-pack-reuse-when-broken' into maint 2017-06-04 10:21:02 +09:00
pack-redundant.c pack-redundant: plug memory leak 2017-05-08 12:18:19 +09:00
pack-refs.c refs: delete pack_refs() in favor of refs_pack_refs() 2017-04-14 03:53:25 -07:00
patch-id.c Convert GIT_SHA1_RAWSZ used for allocation to GIT_MAX_RAWSZ 2017-03-26 22:08:21 -07:00
prune-packed.c Convert object iteration callbacks to struct object_id 2017-02-22 10:12:15 -08:00
prune.c Convert object iteration callbacks to struct object_id 2017-02-22 10:12:15 -08:00
pull.c pull: ff --rebase --autostash works in dirty repo 2017-06-01 14:09:39 +09:00
push.c push: unmark a local variable as static 2017-04-02 09:49:24 -07:00
read-tree.c Merge branch 'jc/read-tree-empty-with-m' into maint 2017-06-04 10:21:00 +09:00
rebase--helper.c rebase--helper: add a builtin helper for interactive rebases 2017-02-09 14:55:26 -08:00
receive-pack.c Merge branch 'jt/push-options-doc' into maint 2017-06-04 10:21:05 +09:00
reflog.c refs: convert each_reflog_ent_fn to struct object_id 2017-02-22 10:12:15 -08:00
remote-ext.c pkt-line: rename packet_write() to packet_write_fmt() 2016-10-17 11:36:50 -07:00
remote-fd.c
remote.c C style: use standard style for "TRANSLATORS" comments 2017-05-31 08:01:42 +09:00
repack.c repack: die on incremental + write-bitmap-index 2016-12-29 13:45:37 -08:00
replace.c replace: plug a memory leak 2017-04-17 21:56:54 -07:00
rerere.c Sync with 2.6.1 2015-10-05 13:20:08 -07:00
reset.c delete_ref: accept a reflog message argument 2017-02-20 22:04:47 -08:00
rev-list.c Convert GIT_SHA1_HEXSZ used for allocation to GIT_MAX_HEXSZ 2017-03-26 22:08:21 -07:00
rev-parse.c Merge branch 'bc/object-id' 2017-04-19 21:37:13 -07:00
revert.c Merge branch 'jk/cherry-pick-0-mainline' 2017-03-17 13:50:28 -07:00
rm.c rm: reuse strbuf for all remove_dir_recursively() calls, again 2017-02-13 14:33:32 -08:00
send-pack.c Merge branch 'bc/object-id' 2017-04-19 21:37:13 -07:00
shortlog.c Merge branch 'rs/shortlog-cleanup' 2017-03-24 13:07:37 -07:00
show-branch.c Merge branch 'jk/show-branch-lift-name-len-limit' into maint 2017-03-21 15:03:29 -07:00
show-ref.c show-ref: remove a stale comment 2017-01-23 18:51:56 -08:00
stripspace.c stripspace: respect repository config 2016-11-21 11:00:38 -08:00
submodule--helper.c submodule-config: verify submodule names as paths 2018-05-21 23:50:11 -04:00
symbolic-ref.c delete_ref: accept a reflog message argument 2017-02-20 22:04:47 -08:00
tag.c i18n: remove i18n from tag reflog message 2017-05-01 11:08:02 +09:00
unpack-file.c
unpack-objects.c unpack-objects: add --max-input-size=<size> option 2016-08-24 12:31:05 -07:00
update-index.c verify_path: disallow symlinks in .gitmodules 2018-05-21 23:50:11 -04:00
update-ref.c update-ref: pass reflog message to delete_ref() 2017-02-20 22:04:47 -08:00
update-server-info.c
upload-archive.c archive: read local configuration 2016-11-22 13:55:20 -08:00
var.c
verify-commit.c
verify-pack.c
verify-tag.c builtin/verify-tag: add --format to verify-tag 2017-01-17 16:10:22 -08:00
worktree.c show_worktree(): plug memory leak 2017-05-08 12:18:20 +09:00
write-tree.c