]> git.ipfire.org Git - thirdparty/git.git/commit
projects / thirdparty / git.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 2e7b89e) | patch
finalize_object_file(): check for name collision before renaming
authorTaylor Blau <me@ttaylorr.com>
Thu, 26 Sep 2024 15:22:32 +0000 (11:22 -0400)
committerJunio C Hamano <gitster@pobox.com>
Fri, 27 Sep 2024 18:27:46 +0000 (11:27 -0700)
commitd1b44bb76442431eca44279da32deed249dcf213
treef426f80ac8bc458190a48f0d4e4721fb290dbb4atree | snapshot
parent2e7b89e038c0c888acf61f1b4ee5a43d4dd5e94ccommit | diff
finalize_object_file(): check for name collision before renaming

We prefer link()/unlink() to rename() for object files, with the idea
that we should prefer the data that is already on disk to what is
incoming. But we may fall back to rename() if the user has configured us
to do so, or if the filesystem seems not to support cross-directory
links. This loses the "prefer what is on disk" property.

We can mitigate this somewhat by trying to stat() the destination
filename before doing the rename. This is racy, since the object could
be created between the stat() and rename() calls. But in practice it is
expanding the definition of "what is already on disk" to be the point
that the function is called. That is enough to deal with any potential
attacks where an attacker is trying to collide hashes with what's
already in the repository.

Co-authored-by: Jeff King <peff@peff.net>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Taylor Blau <me@ttaylorr.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
object-file.c diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.