delta/libgit2.git/src/path.c, branch ethomson/github_actions github.com: libgit2/libgit2.git tree-wide: mark local functions as static 2020-06-09T12:57:06+00:00 Patrick Steinhardt ps@pks.im 2020-06-08T10:40:47+00:00 a6c9e0b367c4882ab0f8e78bd0ad4ab2904ac377 We've accumulated quite some functions which are never used outside of their respective code unit, but which are lacking the `static` keyword. Add it to reduce their linkage scope and allow the compiler to optimize better. 
We've accumulated quite some functions which are never used outside of
their respective code unit, but which are lacking the `static` keyword.
Add it to reduce their linkage scope and allow the compiler to optimize
better.
path: support non-ascii drive letters on dos 2019-12-10T08:11:45+00:00 Edward Thomson ethomson@edwardthomson.com 2019-12-03T12:15:47+00:00 14ff3516e5f4203838a0edb044c6622b8e3a3755 Windows/DOS only supports drive letters that are alpha characters A-Z. However, you can `subst` any one-character as a drive letter, including numbers or even emoji. Test that we can identify emoji as drive letters. 
Windows/DOS only supports drive letters that are alpha characters A-Z.
However, you can `subst` any one-character as a drive letter, including
numbers or even emoji.  Test that we can identify emoji as drive
letters.
path: protect NTFS everywhere 2019-12-10T08:11:45+00:00 Edward Thomson ethomson@edwardthomson.com 2019-12-03T08:24:59+00:00 e4034dfa568b28651305364cd3367ac47cdc79d8 Enable core.protectNTFS by default everywhere and in every codepath, not just on checkout. 
Enable core.protectNTFS by default everywhere and in every codepath, not
just on checkout.
path: rename function that detects end of filename 2019-12-10T08:01:06+00:00 Edward Thomson ethomson@edwardthomson.com 2019-12-03T06:47:31+00:00 b8464342f3605917b238a111e3c1ce14b254da8a The function `only_spaces_and_dots` used to detect the end of the filename on win32. Now we look at spaces and dots _before_ the end of the string _or_ a `:` character, which would signify a win32 alternate data stream. Thus, rename the function `ntfs_end_of_filename` to indicate that it detects the (virtual) end of a filename, that any further characters would be elided to the given path. 
The function `only_spaces_and_dots` used to detect the end of the
filename on win32.  Now we look at spaces and dots _before_ the end of
the string _or_ a `:` character, which would signify a win32 alternate
data stream.

Thus, rename the function `ntfs_end_of_filename` to indicate that it
detects the (virtual) end of a filename, that any further characters
would be elided to the given path.
path: also guard `.gitmodules` against NTFS Alternate Data Streams 2019-12-10T08:01:06+00:00 Johannes Schindelin johannes.schindelin@gmx.de 2019-09-18T14:33:18+00:00 e1832eb20a7089f6383cfce474f213157f5300cb We just safe-guarded `.git` against NTFS Alternate Data Stream-related attack vectors, and now it is time to do the same for `.gitmodules`. Note: In the added regression test, we refrain from verifying all kinds of variations between short names and NTFS Alternate Data Streams: as the new code disallows _all_ Alternate Data Streams of `.gitmodules`, it is enough to test one in order to know that all of them are guarded against. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> 
We just safe-guarded `.git` against NTFS Alternate Data Stream-related
attack vectors, and now it is time to do the same for `.gitmodules`.

Note: In the added regression test, we refrain from verifying all kinds
of variations between short names and NTFS Alternate Data Streams: as
the new code disallows _all_ Alternate Data Streams of `.gitmodules`, it
is enough to test one in order to know that all of them are guarded
against.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Disallow NTFS Alternate Data Stream attacks, even on Linux/macOS 2019-12-10T08:01:06+00:00 Johannes Schindelin johannes.schindelin@gmx.de 2019-09-18T12:32:05+00:00 3f7851eadca36a99627ad78cbe56a40d3776ed01 A little-known feature of NTFS is that it offers to store metadata in so-called "Alternate Data Streams" (inspired by Apple's "resource forks") that are copied together with the file they are associated with. These Alternate Data Streams can be accessed via `<file name>:<stream name>:<stream type>`. Directories, too, have Alternate Data Streams, and they even have a default stream type `$INDEX_ALLOCATION`. Which means that `abc/` and `abc::$INDEX_ALLOCATION/` are actually equivalent. This is of course another attack vector on the Git directory that we definitely want to prevent. On Windows, we already do this incidentally, by disallowing colons in file/directory names. While it looks as if files'/directories' Alternate Data Streams are not accessible in the Windows Subsystem for Linux, and neither via CIFS/SMB-mounted network shares in Linux, it _is_ possible to access them on SMB-mounted network shares on macOS. Therefore, let's go the extra mile and prevent this particular attack _everywhere_. To keep things simple, let's just disallow *any* Alternate Data Stream of `.git`. This is libgit2's variant of CVE-2019-1352. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> 
A little-known feature of NTFS is that it offers to store metadata in
so-called "Alternate Data Streams" (inspired by Apple's "resource
forks") that are copied together with the file they are associated with.
These Alternate Data Streams can be accessed via `<file name>:<stream
name>:<stream type>`.

Directories, too, have Alternate Data Streams, and they even have a
default stream type `$INDEX_ALLOCATION`. Which means that `abc/` and
`abc::$INDEX_ALLOCATION/` are actually equivalent.

This is of course another attack vector on the Git directory that we
definitely want to prevent.

On Windows, we already do this incidentally, by disallowing colons in
file/directory names.

While it looks as if files'/directories' Alternate Data Streams are not
accessible in the Windows Subsystem for Linux, and neither via
CIFS/SMB-mounted network shares in Linux, it _is_ possible to access
them on SMB-mounted network shares on macOS.

Therefore, let's go the extra mile and prevent this particular attack
_everywhere_. To keep things simple, let's just disallow *any* Alternate
Data Stream of `.git`.

This is libgit2's variant of CVE-2019-1352.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Fix include casing for case-sensitive filesystems. 2019-08-24T15:39:56+00:00 Dan Skorupski boardwalk@ersatsz.com 2019-08-24T15:39:56+00:00 44d5e47d8c486e149c262974bfab808737ac85c1 






config: validate ownership of C:\ProgramData\Git\config before using it
2019-08-13T16:56:06+00:00

Johannes Schindelin
johannes.schindelin@gmx.de

2019-06-19T10:59:27+00:00

cb1439c9d32c059ee93216637a6d155306f76ab3

When the VirtualStore feature is in effect, it is safe to let random
users write into C:\ProgramData because other users won't see those
files. This seemed to be the case when we introduced support for
C:\ProgramData\Git\config.

However, when that feature is not in effect (which seems to be the case
in newer Windows 10 versions), we'd rather not use those files unless
they come from a trusted source, such as an administrator.

This change imitates the strategy chosen by PowerShell's native OpenSSH
port to Windows regarding host key files: if a system file is owned
neither by an administrator, a system account, or the current user, it
is ignored.





When the VirtualStore feature is in effect, it is safe to let random
users write into C:\ProgramData because other users won't see those
files. This seemed to be the case when we introduced support for
C:\ProgramData\Git\config.

However, when that feature is not in effect (which seems to be the case
in newer Windows 10 versions), we'd rather not use those files unless
they come from a trusted source, such as an administrator.

This change imitates the strategy chosen by PowerShell's native OpenSSH
port to Windows regarding host key files: if a system file is owned
neither by an administrator, a system account, or the current user, it
is ignored.







path: extract function to check whether a path supports symlinks
2019-07-20T17:11:20+00:00

Patrick Steinhardt
ps@pks.im

2019-06-29T07:58:34+00:00

ded77bb1f18c6cb7a0371b3f66c92387413a161d

When initializing a repository, we need to check whether its working
directory supports symlinks to correctly set the initial value of the
"core.symlinks" config variable. The code to check the filesystem is
reusable in other parts of our codebase, like for example in our tests
to determine whether certain tests can be expected to succeed or not.

Extract the code into a new function `git_path_supports_symlinks` to
avoid duplicate implementations. Remove a duplicate implementation in
the repo test helper code.





When initializing a repository, we need to check whether its working
directory supports symlinks to correctly set the initial value of the
"core.symlinks" config variable. The code to check the filesystem is
reusable in other parts of our codebase, like for example in our tests
to determine whether certain tests can be expected to succeed or not.

Extract the code into a new function `git_path_supports_symlinks` to
avoid duplicate implementations. Remove a duplicate implementation in
the repo test helper code.







configuration: cvar -> configmap
2019-07-18T11:53:41+00:00

Patrick Steinhardt
ps@pks.im

2019-07-18T11:53:41+00:00

658022c41affc7d9b5bd9b84b1d75ec909b820c6

`cvar` is an unhelpful name.  Refactor its usage to `configmap` for more
clarity.





`cvar` is an unhelpful name.  Refactor its usage to `configmap` for more
clarity.