From 9f242a13366d4ca15358780d3b32aa1076dd7f49 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ren=C3=A9=20Scharfe?= Date: Sun, 25 Mar 2018 18:31:48 +0200 Subject: unpack-trees: release oid_array after use in check_updates() Signed-off-by: Rene Scharfe Signed-off-by: Junio C Hamano diff --git a/unpack-trees.c b/unpack-trees.c index 73a1cdb..2253c91 100644 --- a/unpack-trees.c +++ b/unpack-trees.c @@ -390,6 +390,7 @@ static int check_updates(struct unpack_trees_options *o) fetch_objects(repository_format_partial_clone, &to_fetch); fetch_if_missing = fetch_if_missing_store; + oid_array_clear(&to_fetch); } for (i = 0; i < index->cache_nr; i++) { struct cache_entry *ce = index->cache[i]; -- cgit v0.10.2-6-g49f6 From c7620bd0f35dddf8b8519da6fbf97014f46d0710 Mon Sep 17 00:00:00 2001 From: Jonathan Nieder Date: Wed, 28 Mar 2018 13:33:03 -0700 Subject: upload-pack: disable object filtering when disabled by config When upload-pack gained partial clone support (v2.17.0-rc0~132^2~12, 2017-12-08), it was guarded by the uploadpack.allowFilter config item to allow server operators to control when they start supporting it. That config item didn't go far enough, though: it controls whether the 'filter' capability is advertised, but if a (custom) client ignores the capability advertisement and passes a filter specification anyway, the server would handle that despite allowFilter being false. This is particularly significant if a security bug is discovered in this new experimental partial clone code. Installations without uploadpack.allowFilter ought not to be affected since they don't intend to support partial clone, but they would be swept up into being vulnerable. Simplify and limit the attack surface by making uploadpack.allowFilter disable the feature, not just the advertisement of it. Signed-off-by: Jonathan Nieder Signed-off-by: Junio C Hamano diff --git a/Documentation/config.txt b/Documentation/config.txt index e528210..7b67afc 100644 --- a/Documentation/config.txt 
+++ b/Documentation/config.txt @@ -3270,7 +3270,7 @@ uploadpack.packObjectsHook:: stdout. uploadpack.allowFilter:: - If this option is set, `upload-pack` will advertise partial + If this option is set, `upload-pack` will support partial clone and partial fetch object filtering. + Note that this configuration variable is ignored if it is seen in the diff --git a/upload-pack.c b/upload-pack.c index 15b6605..7217f3b 100644 --- a/upload-pack.c +++ b/upload-pack.c @@ -68,7 +68,7 @@ static int stateless_rpc; static const char *pack_objects_hook; static int filter_capability_requested; -static int filter_advertise; +static int allow_filter; static struct list_objects_filter_options filter_options; static void reset_timeout(void) @@ -845,7 +845,7 @@ static void receive_needs(void) no_progress = 1; if (parse_feature_request(features, "include-tag")) use_include_tag = 1; - if (parse_feature_request(features, "filter")) + if (allow_filter && parse_feature_request(features, "filter")) filter_capability_requested = 1; o = parse_object(&oid_buf); @@ -975,7 +975,7 @@ static int send_ref(const char *refname, const struct object_id *oid, " allow-reachable-sha1-in-want" : "", stateless_rpc ? " no-done" : "", symref_info.buf, - filter_advertise ? " filter" : "", + allow_filter ? " filter" : "", git_user_agent_sanitized()); strbuf_release(&symref_info); } else { @@ -1055,7 +1055,7 @@ static int upload_pack_config(const char *var, const char *value, void *unused) if (!strcmp("uploadpack.packobjectshook", var)) return git_config_string(&pack_objects_hook, var, value); } else if (!strcmp("uploadpack.allowfilter", var)) { - filter_advertise = git_config_bool(var, value); + allow_filter = git_config_bool(var, value); } return parse_hide_refs_config(var, value, "uploadpack"); } -- cgit v0.10.2-6-g49f6
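Review bot: In the receive_needs() hunk of upload-pack.c, a request for `filter` made while uploadpack.allowFilter is off is now dropped silently, and nothing in this patch tests that the server then refuses a filter specification. The refusal itself depends on the code that handles the client's later filter line checking `filter_capability_requested`; that code is outside the hunk (receive_needs() starts and ends outside it), so it should be confirmed there. A regression test that disables `uploadpack.allowFilter`, has the client pass a filter specification anyway, and expects the request to fail would keep the advertisement in send_ref() and the enforcement here from drifting apart again. A comment above the condition, for example `/* honor "filter" only if uploadpack.allowFilter is set; not advertising it is not a control */`, would record why the flag is checked in both places.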