Compare commits

...

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

7 changed files with 452 additions and 1524 deletions

View File

@ -1,2 +1,2 @@
7577a22e233e892dba5cf19a3a57cef2062d01e6 SOURCES/git-2.43.5.tar.sign 6ee94f976a315b7897a6e663d8e6e97283ff5adb SOURCES/git-2.47.1.tar.sign
31decef72034ae36c8098a9e6bb13a7dd4859fd9 SOURCES/git-2.43.5.tar.xz 63654fcfa1604c7470bcc9c4e2d1cdba218a8bc3 SOURCES/git-2.47.1.tar.xz

4
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/git-2.43.5.tar.sign SOURCES/git-2.47.1.tar.sign
SOURCES/git-2.43.5.tar.xz SOURCES/git-2.47.1.tar.xz

View File

@ -1,12 +0,0 @@
diff -ur a/git-instaweb.sh b/git-instaweb.sh
--- a/git-instaweb.sh 2020-04-20 17:52:30.000000000 +0200
+++ b/git-instaweb.sh 2020-05-27 12:36:20.725300334 +0200
@@ -36,7 +36,7 @@
# Defaults:
# if installed, it doesn't need further configuration (module_path)
-test -z "$httpd" && httpd='lighttpd -f'
+test -z "$httpd" && httpd='httpd -f'
# Default is @@GITWEBDIR@@
test -z "$root" && root='@@GITWEBDIR@@'

View File

@ -1,115 +0,0 @@
From 51441e6460b505c07b4a8a6deeaa7de4bf6e8e33 Mon Sep 17 00:00:00 2001
From: Junio C Hamano <gitster@pobox.com>
Date: Fri, 3 May 2024 08:34:27 -0700
Subject: [PATCH] stop using HEAD for attributes in bare repository by default
With 23865355 (attr: read attributes from HEAD when bare repo,
2023-10-13), we started to use the HEAD tree as the default
attribute source in a bare repository. One argument for such a
behaviour is that it would make things like "git archive" run in
bare and non-bare repositories for the same commit consistent.
This changes was merged to Git 2.43 but without an explicit mention
in its release notes.
It turns out that this change destroys performance of shallowly
cloning from a bare repository. As the "server" installations are
expected to be mostly bare, and "git pack-objects", which is the
core of driving the other side of "git clone" and "git fetch" wants
to see if a path is set not to delta with blobs from other paths via
the attribute system, the change forces the server side to traverse
the tree of the HEAD commit needlessly to find if each and every
paths the objects it sends out has the attribute that controls the
deltification. Given that (1) most projects do not configure such
an attribute, and (2) it is dubious for the server side to honor
such an end-user supplied attribute anyway, this was a poor choice
of the default.
To mitigate the current situation, let's revert the change that uses
the tree of HEAD in a bare repository by default as the attribute
source. This will help most people who have been happy with the
behaviour of Git 2.42 and before.
Two things to note:
* If you are stuck with versions of Git 2.43 or newer, that is
older than the release this fix appears in, you can explicitly
set the attr.tree configuration variable to point at an empty
tree object, i.e.
$ git config attr.tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
* If you like the behaviour we are reverting, you can explicitly
set the attr.tree configuration variable to HEAD, i.e.
$ git config attr.tree HEAD
The right fix for this is to optimize the code paths that allow
accesses to attributes in tree objects, but that is a much more
involved change and is left as a longer-term project, outside the
scope of this "first step" fix.
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
attr.c | 7 -------
t/t0003-attributes.sh | 10 ++++++++--
t/t5001-archive-attr.sh | 3 ++-
3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/attr.c b/attr.c
index e62876dfd3e9be..02ab8436266289 100644
--- a/attr.c
+++ b/attr.c
@@ -1213,13 +1213,6 @@ static void compute_default_attr_source(struct object_id *attr_source)
ignore_bad_attr_tree = 1;
}
- if (!default_attr_source_tree_object_name &&
- startup_info->have_repository &&
- is_bare_repository()) {
- default_attr_source_tree_object_name = "HEAD";
- ignore_bad_attr_tree = 1;
- }
-
if (!default_attr_source_tree_object_name || !is_null_oid(attr_source))
return;
diff --git a/t/t0003-attributes.sh b/t/t0003-attributes.sh
index aee2298f01331a..5de46ddf67f7ff 100755
--- a/t/t0003-attributes.sh
+++ b/t/t0003-attributes.sh
@@ -384,13 +384,19 @@ test_expect_success 'bad attr source defaults to reading .gitattributes file' '
)
'
-test_expect_success 'bare repo defaults to reading .gitattributes from HEAD' '
+test_expect_success 'bare repo no longer defaults to reading .gitattributes from HEAD' '
test_when_finished rm -rf test bare_with_gitattribute &&
git init test &&
test_commit -C test gitattributes .gitattributes "f/path test=val" &&
git clone --bare test bare_with_gitattribute &&
- echo "f/path: test: val" >expect &&
+
+ echo "f/path: test: unspecified" >expect &&
git -C bare_with_gitattribute check-attr test -- f/path >actual &&
+ test_cmp expect actual &&
+
+ echo "f/path: test: val" >expect &&
+ git -C bare_with_gitattribute -c attr.tree=HEAD \
+ check-attr test -- f/path >actual &&
test_cmp expect actual
'
diff --git a/t/t5001-archive-attr.sh b/t/t5001-archive-attr.sh
index eaf959d8f63f15..7310774af5efea 100755
--- a/t/t5001-archive-attr.sh
+++ b/t/t5001-archive-attr.sh
@@ -133,7 +133,8 @@ test_expect_success 'git archive vs. bare' '
'
test_expect_success 'git archive with worktree attributes, bare' '
- (cd bare && git archive --worktree-attributes HEAD) >bare-worktree.tar &&
+ (cd bare &&
+ git -c attr.tree=HEAD archive --worktree-attributes HEAD) >bare-worktree.tar &&
(mkdir bare-worktree && cd bare-worktree && "$TAR" xf -) <bare-worktree.tar
'

View File

@ -1,219 +0,0 @@
From 13bb730859857c97f298e9a8c7b68fe00074b3d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Poho=C5=99elsk=C3=BD?= <opohorel@redhat.com>
Date: Thu, 3 Apr 2025 14:46:53 +0200
Subject: [PATCH] Adds the option to sanitize sideband channel messages
CVE-2024-52005 wasn't fixed by upstream. This patch adds the option
to harden Git against it.
The default behaviour of Git remains unchanged.
Changes are taken from Git for Windows. The only differences are that
by default we are allowing all control characters, the documentation
reflects it and one of the tests has to be invoked with a config
change: `sideband.allowControlCharacters=color`
These commits can also be seen in this upstream PR:
https://github.com/gitgitgadget/git/pull/1853
---
Documentation/config.txt | 2 +
Documentation/config/sideband.txt | 16 ++++++
sideband.c | 78 ++++++++++++++++++++++++++++-
t/t5409-colorize-remote-messages.sh | 30 +++++++++++
4 files changed, 124 insertions(+), 2 deletions(-)
create mode 100644 Documentation/config/sideband.txt
diff --git a/Documentation/config.txt b/Documentation/config.txt
index e3a74dd1c1..5b8bbdee82 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -513,6 +513,8 @@ include::config/sequencer.txt[]
include::config/showbranch.txt[]
+include::config/sideband.txt[]
+
include::config/sparse.txt[]
include::config/splitindex.txt[]
diff --git a/Documentation/config/sideband.txt b/Documentation/config/sideband.txt
new file mode 100644
index 0000000000..1adc831667
--- /dev/null
+++ b/Documentation/config/sideband.txt
@@ -0,0 +1,16 @@
+sideband.allowControlCharacters::
+ By default, control characters that are delivered via the sideband
+ are NOT masked. Use this config setting to prevent potentially
+ unwanted ANSI escape sequences from being sent to the terminal:
++
+--
+ color::
+ Allow ANSI color sequences, line feeds and horizontal tabs,
+ but mask all other control characters.
+ false::
+ Mask all control characters other than line feeds and
+ horizontal tabs.
+ true::
+ Allow all control characters to be sent to the terminal.
+ This is the default.
+--
\ No newline at end of file
diff --git a/sideband.c b/sideband.c
index 266a67342b..316a401a5d 100644
--- a/sideband.c
+++ b/sideband.c
@@ -23,6 +23,12 @@ static struct keyword_entry keywords[] = {
{ "error", GIT_COLOR_BOLD_RED },
};
+static enum {
+ ALLOW_NO_CONTROL_CHARACTERS = 0,
+ ALLOW_ALL_CONTROL_CHARACTERS = 1,
+ ALLOW_ANSI_COLOR_SEQUENCES = 2
+} allow_control_characters = ALLOW_ALL_CONTROL_CHARACTERS;
+
/* Returns a color setting (GIT_COLOR_NEVER, etc). */
static int use_sideband_colors(void)
{
@@ -36,6 +42,25 @@ static int use_sideband_colors(void)
if (use_sideband_colors_cached >= 0)
return use_sideband_colors_cached;
+ switch (git_config_get_maybe_bool("sideband.allowcontrolcharacters", &i)) {
+ case 0: /* Boolean value */
+ allow_control_characters = i ? ALLOW_ALL_CONTROL_CHARACTERS :
+ ALLOW_NO_CONTROL_CHARACTERS;
+ break;
+ case -1: /* non-Boolean value */
+ if (git_config_get_string_tmp("sideband.allowcontrolcharacters",
+ &value))
+ ; /* huh? `get_maybe_bool()` returned -1 */
+ else if (!strcmp(value, "color"))
+ allow_control_characters = ALLOW_ANSI_COLOR_SEQUENCES;
+ else
+ warning(_("unrecognized value for `sideband."
+ "allowControlCharacters`: '%s'"), value);
+ break;
+ default:
+ break; /* not configured */
+ }
+
if (!git_config_get_string(key, &value)) {
use_sideband_colors_cached = git_config_colorbool(key, value);
} else if (!git_config_get_string("color.ui", &value)) {
@@ -64,6 +89,55 @@ void list_config_color_sideband_slots(struct string_list *list, const char *pref
list_config_item(list, prefix, keywords[i].keyword);
}
+static int handle_ansi_color_sequence(struct strbuf *dest, const char *src, int n)
+{
+ int i;
+
+ /*
+ * Valid ANSI color sequences are of the form
+ *
+ * ESC [ [<n> [; <n>]*] m
+ */
+
+ if (allow_control_characters != ALLOW_ANSI_COLOR_SEQUENCES ||
+ n < 3 || src[0] != '\x1b' || src[1] != '[')
+ return 0;
+
+ for (i = 2; i < n; i++) {
+ if (src[i] == 'm') {
+ strbuf_add(dest, src, i + 1);
+ return i;
+ }
+ if (!isdigit(src[i]) && src[i] != ';')
+ break;
+ }
+
+ return 0;
+}
+
+static void strbuf_add_sanitized(struct strbuf *dest, const char *src, int n)
+{
+ int i;
+
+ if (allow_control_characters == ALLOW_ALL_CONTROL_CHARACTERS) {
+ strbuf_add(dest, src, n);
+ return;
+ }
+
+ strbuf_grow(dest, n);
+ for (; n && *src; src++, n--) {
+ if (!iscntrl(*src) || *src == '\t' || *src == '\n')
+ strbuf_addch(dest, *src);
+ else if ((i = handle_ansi_color_sequence(dest, src, n))) {
+ src += i;
+ n -= i;
+ } else {
+ strbuf_addch(dest, '^');
+ strbuf_addch(dest, 0x40 + *src);
+ }
+ }
+}
+
/*
* Optionally highlight one keyword in remote output if it appears at the start
* of the line. This should be called for a single line only, which is
@@ -79,7 +153,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
int i;
if (!want_color_stderr(use_sideband_colors())) {
- strbuf_add(dest, src, n);
+ strbuf_add_sanitized(dest, src, n);
return;
}
@@ -112,7 +186,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
}
}
- strbuf_add(dest, src, n);
+ strbuf_add_sanitized(dest, src, n);
}
diff --git a/t/t5409-colorize-remote-messages.sh b/t/t5409-colorize-remote-messages.sh
index fa5de4500a..3b5ff00363 100755
--- a/t/t5409-colorize-remote-messages.sh
+++ b/t/t5409-colorize-remote-messages.sh
@@ -98,4 +98,34 @@ test_expect_success 'fallback to color.ui' '
grep "<BOLD;RED>error<RESET>: error" decoded
'
+test_expect_success 'disallow (color) control sequences in sideband' '
+ write_script .git/color-me-surprised <<-\EOF &&
+ printf "error: Have you \\033[31mread\\033[m this?\\a\\n" >&2
+ exec "$@"
+ EOF
+ test_config_global uploadPack.packObjectshook ./color-me-surprised &&
+ test_commit need-at-least-one-commit &&
+ git -c sideband.allowControlCharacters=color \
+ clone --no-local . throw-away 2>stderr &&
+ test_decode_color <stderr >decoded &&
+ test_grep RED decoded &&
+ test_grep "\\^G" stderr &&
+ tr -dc "\\007" <stderr >actual &&
+ test_must_be_empty actual &&
+
+ rm -rf throw-away &&
+ git -c sideband.allowControlCharacters=false \
+ clone --no-local . throw-away 2>stderr &&
+ test_decode_color <stderr >decoded &&
+ test_grep ! RED decoded &&
+ test_grep "\\^G" stderr &&
+
+ rm -rf throw-away &&
+ git -c sideband.allowControlCharacters clone --no-local . throw-away 2>stderr &&
+ test_decode_color <stderr >decoded &&
+ test_grep RED decoded &&
+ tr -dc "\\007" <stderr >actual &&
+ test_file_not_empty actual
+'
+
test_done
--
2.49.0

View File

@ -3,11 +3,11 @@
shopt -s failglob shopt -s failglob
# Print output from failing tests # Print output from failing tests
dashes=$(printf "%80s" '' | tr ' ' '-') printf -v sep "%0.s-" {1..80}
for exit_file in t/test-results/*.exit; do for exit_file in t/test-results/*.exit; do
[ "$(cat "$exit_file")" -eq 0 ] && continue [ "$(< "$exit_file")" -eq 0 ] && continue
out_file="${exit_file%exit}out" out_file="${exit_file%exit}out"
printf '\n%s\n%s\n%s\n' "$dashes" "$out_file" "$dashes" printf '\n%s\n%s\n%s\n' "$sep" "$out_file" "$sep"
cat "$out_file" cat "$out_file"
done done
exit 1 exit 1

File diff suppressed because it is too large Load Diff