gitgitgadget / git

GitGitGadget's Git fork. Open Pull Requests here to submit them to the Git mailing list
https://gitgitgadget.github.io/

Disallow verify_path() failures from fast-import #1832

Open newren opened 16 hours ago

newren commented 16 hours ago

Since en/fast-import-path-sanitize has already made it to next, this commit is based on that. (See https://lore.kernel.org/git/pull.1831.v2.git.1732561248717.gitgitgadget@gmail.com/ for discussion of that series.)

Changes relative to that commit: this fixes up the error message as suggested by Kristoffer, and makes the checks more encompassing as suggested by Patrick and Peff -- in particular, using verify_path() as suggested by Peff.

cc: Eric Sunshine sunshine@sunshineco.com
cc: Patrick Steinhardt ps@pks.im
cc: "Kristoffer Haugsbakk" kristofferhaugsbakk@fastmail.com
cc: Jeff King peff@peff.net

newren commented 12 hours ago

/submit

gitgitgadget[bot] commented 12 hours ago

Submitted as pull.1832.git.1732740464398.gitgitgadget@gmail.com

To fetch this version into FETCH_HEAD:

git fetch https://github.com/gitgitgadget/git/ pr-1832/newren/disallow-verify-path-fast-import-v1

To fetch this version to local tag pr-1832/newren/disallow-verify-path-fast-import-v1:

git fetch --no-tags https://github.com/gitgitgadget/git/ tag pr-1832/newren/disallow-verify-path-fast-import-v1

gitgitgadget[bot] commented 9 hours ago

On the Git mailing list, Junio C Hamano wrote (reply to this):

"Elijah Newren via GitGitGadget" <gitgitgadget@gmail.com> writes:

> From: Elijah Newren <newren@gmail.com>
>
> Instead of just disallowing '.' and '..', make use of verify_path() to
> ensure that fast-import will disallow anything we wouldn't allow into
> the index, such as anything under .git/, .gitmodules as a symlink, or
> a dos drive prefix on Windows.
>
> Since a few fast-export and fast-import tests that tried to stress-test
> the correct handling of quoting relied on filenames that fail
> is_valid_win32_path(), such as spaces or periods at the end of filenames
> or backslashes within the filename, turn off core.protectNTFS for those
> tests to ensure they keep passing.
>
> Signed-off-by: Elijah Newren <newren@gmail.com>
> ---
>     Disallow verify_path() failures from fast-import
>     
>     Since en/fast-import-path-sanitize has already made it to next, this
>     commit is based on that. (See
>     https://lore.kernel.org/git/pull.1831.v2.git.1732561248717.gitgitgadget@gmail.com/
>     for discussion of that series.)
>     
>     Changes relative to that commit: this fixes up the error message as
>     suggested by Kristoffer, and makes the checks more encompassing as
>     suggested by Patrick and Peff -- in particular, using verify_path() as
>     suggested by Peff.
>
> Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1832%2Fnewren%2Fdisallow-verify-path-fast-import-v1
> Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1832/newren/disallow-verify-path-fast-import-v1
> Pull-Request: https://github.com/gitgitgadget/git/pull/1832

Thanks, all.  Looking good to me.

Will queue.

gitgitgadget[bot] commented 7 hours ago

This patch series was integrated into seen via https://github.com/git/git/commit/89004b9a1f6eb4b1181fb77d530b154ebb1babd4.

gitgitgadget[bot] commented 3 hours ago

This patch series was integrated into seen via https://github.com/git/git/commit/da9ae6ea145f29337aee5543486ea2969ec7ad00.
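
The commit message quoted in this thread names the kinds of path that fast-import should now refuse: `.` and `..`, anything under `.git/`, `.gitmodules` as a symlink, a DOS drive prefix, and names that fail the NTFS checks (trailing space or period, backslashes). The C below is an added example, not code from this pull request or from Git; it models those categories in simplified form. `path_allowed`, `component_ok` and the `ntfs_rules` flag (one assumed switch standing in for both the Windows drive-prefix check and core.protectNTFS) are hypothetical names.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Simplified model of the rejection categories; NOT Git's verify_path().
 * is_symlink stands in for a symlink file mode; ntfs_rules is an assumed
 * single switch for the Windows drive-prefix and NTFS filename checks. */
static bool component_ok(const char *c, size_t len, bool is_symlink, bool ntfs_rules)
{
    if (len == 0)
        return false;                 /* empty component, e.g. "a//b" or "/a" */
    if (c[0] == '.' && (len == 1 || (len == 2 && c[1] == '.')))
        return false;                 /* "." and ".." */
    if (len == 4 && !strncasecmp(c, ".git", 4))
        return false;                 /* ".git" in any letter case */
    if (is_symlink && len == 11 && !strncasecmp(c, ".gitmodules", 11))
        return false;                 /* .gitmodules must not be a symlink */
    if (ntfs_rules) {
        if (c[len - 1] == ' ' || c[len - 1] == '.')
            return false;             /* trailing space or period */
        if (memchr(c, '\\', len))
            return false;             /* backslash inside a name */
    }
    return true;
}

bool path_allowed(const char *path, bool is_symlink, bool ntfs_rules)
{
    if (ntfs_rules && isalpha((unsigned char)path[0]) && path[1] == ':')
        return false;                 /* DOS drive prefix such as "C:" */
    for (;;) {
        size_t len = strcspn(path, "/");
        if (!component_ok(path, len, is_symlink, ntfs_rules))
            return false;
        if (path[len] == '\0')
            return true;
        path += len + 1;              /* step past the '/' */
    }
}

int main(void)
{
    /* Constructed sample paths, not taken from the patch or its tests. */
    const char *samples[] = { "src/main.c", ".git/config", "a/../b", "C:/x", "name. " };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-12s %s\n", samples[i],
               path_allowed(samples[i], false, true) ? "allowed" : "rejected");
    return 0;
}
```

With `ntfs_rules` off, the trailing-period, backslash and drive-prefix cases pass in this model, which mirrors why the commit message turns off core.protectNTFS for the quoting stress tests.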