summaryrefslogtreecommitdiff
path: root/read-cache.c
diff options
context:
space:
mode:
authorJohannes Schindelin <johannes.schindelin@gmx.de>2019-09-05 11:27:53 (GMT)
committerJohannes Schindelin <johannes.schindelin@gmx.de>2019-12-05 14:37:06 (GMT)
commitd2c84dad1c88f40906799bc879f70b965efd8ba6 (patch)
tree0f5ade52bd955bf983830a41972c6307ae6fa8d4 /read-cache.c
parentcc756edda63769cf6d7acc99e6ad3a9cbb5dc3ec (diff)
downloadgit-d2c84dad1c88f40906799bc879f70b965efd8ba6.zip
git-d2c84dad1c88f40906799bc879f70b965efd8ba6.tar.gz
git-d2c84dad1c88f40906799bc879f70b965efd8ba6.tar.bz2
mingw: refuse to access paths with trailing spaces or periods
When creating a directory on Windows whose path ends in a space or a period (or chains thereof), the Win32 API "helpfully" trims those. For example, `mkdir("abc ");` will return success, but actually create a directory called `abc` instead. This stems back to the DOS days, when all file names had exactly 8 characters plus exactly 3 characters for the file extension, and the only way to have shorter names was by padding with spaces. Sadly, this "helpful" behavior is a bit inconsistent: after a successful `mkdir("abc ");`, a `mkdir("abc /def")` will actually _fail_ (because the directory `abc ` does not actually exist). Even if it would work, we now have a serious problem because a Git repository could contain directories `abc` and `abc `, and on Windows, they would be "merged" unintentionally. As these paths are illegal on Windows, anyway, let's disallow any accesses to such paths on that Operating System. For practical reasons, this behavior is still guarded by the config setting `core.protectNTFS`: it is possible (and at least two regression tests make use of it) to create commits without involving the worktree. In such a scenario, it is of course possible -- even on Windows -- to create such file names. Among other consequences, this patch disallows submodules' paths to end in spaces on Windows (which would formerly have confused Git enough to try to write into incorrect paths, anyway). While this patch does not fix a vulnerability on its own, it prevents an attack vector that was exploited in demonstrations of a number of recently-fixed security bugs. The regression test added to `t/t7417-submodule-path-url.sh` reflects that attack vector. Note that we have to adjust the test case "prevent git~1 squatting on Windows" in `t/t7415-submodule-names.sh` because of a very subtle issue. It tries to clone two submodules whose names differ only in a trailing period character, and as a consequence their git directories differ in the same way. Previously, when Git tried to clone the second submodule, it thought that the git directory already existed (because on Windows, when you create a directory with the name `b.` it actually creates `b`), but with this patch, the first submodule's clone will fail because of the illegal name of the git directory. Therefore, when cloning the second submodule, Git will take a different code path: a fresh clone (without an existing git directory). Both code paths fail to clone the second submodule, both because the the corresponding worktree directory exists and is not empty, but the error messages are worded differently. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Diffstat (limited to 'read-cache.c')
-rw-r--r--read-cache.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/read-cache.c b/read-cache.c
index bde1e70..771171c 100644
--- a/read-cache.c
+++ b/read-cache.c
@@ -847,6 +847,9 @@ int verify_path(const char *path, unsigned mode)
if (has_dos_drive_prefix(path))
return 0;
+ if (!is_valid_path(path))
+ return 0;
+
goto inside;
for (;;) {
if (!c)