delta/libgit2.git/tests/submodule/escape.c, branch ethomson/commit_create_cb github.com: libgit2/libgit2.git fileops: rename to "futils.h" to match function signatures 2019-07-20T17:11:20+00:00 Patrick Steinhardt ps@pks.im 2019-06-29T07:17:32+00:00 e54343a4024e75dfaa940e652c2c9799d33634b2 Our file utils functions all have a "futils" prefix, e.g. `git_futils_touch`. One would thus naturally guess that their definitions and implementation would live in files "futils.h" and "futils.c", respectively, but in fact they live in "fileops.h". Rename the files to match expectations. 
Our file utils functions all have a "futils" prefix, e.g.
`git_futils_touch`. One would thus naturally guess that their
definitions and implementation would live in files "futils.h" and
"futils.c", respectively, but in fact they live in "fileops.h".

Rename the files to match expectations.
Convert usage of `git_buf_free` to new `git_buf_dispose` 2018-06-10T17:34:37+00:00 Patrick Steinhardt ps@pks.im 2018-02-08T11:14:48+00:00 ecf4f33a4e327a91496f72816f9f02d923e5af05 






submodule: plug leaks from the escape detection
2018-05-24T18:28:36+00:00

Carlos Martín Nieto
cmn@dwim.me

2018-05-24T18:28:36+00:00

9e723db877f3c310f826f517ebe509722aad22eb












submodule: also validate Windows-separated paths for validity
2018-05-14T15:30:59+00:00

Carlos Martín Nieto
carlosmn@github.com

2018-05-14T14:03:15+00:00

397abe9832a1baa7a822f4c63fa9730a3438aa7a

Otherwise we would also admit `..\..\foo\bar` as a valid path and fail to
protect Windows users.

Ideally we would check for both separators without the need for the copied
string, but this'll get us over the RCE.





Otherwise we would also admit `..\..\foo\bar` as a valid path and fail to
protect Windows users.

Ideally we would check for both separators without the need for the copied
string, but this'll get us over the RCE.







submodule: ignore submodules which include path traversal in their name
2018-05-09T18:29:49+00:00

Carlos Martín Nieto
cmn@dwim.me

2018-04-30T11:47:15+00:00

6b15ceac0ad19ab671995e9926b492e93703ed0f

If the we decide that the "name" of the submodule (i.e. its path inside
`.git/modules/`) is trying to escape that directory or otherwise trick us, we
ignore the configuration for that submodule.

This leaves us with a half-configured submodule when looking it up by path, but
it's the same result as if the configuration really were missing.

The name check is potentially more strict than it needs to be, but it lets us
re-use the check we're doing for the checkout. The function that encapsulates
this logic is ready to be exported but we don't want to do that in a security
release so it remains internal for now.





If the we decide that the "name" of the submodule (i.e. its path inside
`.git/modules/`) is trying to escape that directory or otherwise trick us, we
ignore the configuration for that submodule.

This leaves us with a half-configured submodule when looking it up by path, but
it's the same result as if the configuration really were missing.

The name check is potentially more strict than it needs to be, but it lets us
re-use the check we're doing for the checkout. The function that encapsulates
this logic is ready to be exported but we don't want to do that in a security
release so it remains internal for now.







submodule: add a failing test for a submodule escaping .git/modules
2018-04-30T11:03:44+00:00

Carlos Martín Nieto
cmn@dwim.me

2018-04-30T11:03:44+00:00

7553763aca0068fd331f2ba07fbe960605f04bb6

We should pretend such submdules do not exist as it can lead to RCE.





We should pretend such submdules do not exist as it can lead to RCE.