Merge branch 'tb/config-copy-or-rename-in-file-injection'

Avoids issues with renaming or deleting sections with long lines, where
configuration values may be interpreted as sections, leading to
configuration injection. Addresses CVE-2023-29007.

* tb/config-copy-or-rename-in-file-injection:
  config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
  config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
  config: avoid fixed-sized buffer when renaming/deleting a section
  t1300: demonstrate failure when renaming sections with long lines

Signed-off-by: Taylor Blau <me@ttaylorr.com>

diff --git a/apply.c b/apply.c
index d80382c940619b60cf23a9d535b56f92122a2a37..6634e9c5108723d71faa7021c6523293bd91003e 100644 (file)
--- a/apply.c
+++ b/apply.c
@@ -4558,7 +4558,7 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
        FILE *rej;
        char namebuf[PATH_MAX];
        struct fragment *frag;
-       int cnt = 0;
+       int fd, cnt = 0;
        struct strbuf sb = STRBUF_INIT;
 
        for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
@@ -4598,7 +4598,17 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
        memcpy(namebuf, patch->new_name, cnt);
        memcpy(namebuf + cnt, ".rej", 5);
 
-       rej = fopen(namebuf, "w");
+       fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
+       if (fd < 0) {
+               if (errno != EEXIST)
+                       return error_errno(_("cannot open %s"), namebuf);
+               if (unlink(namebuf))
+                       return error_errno(_("cannot unlink '%s'"), namebuf);
+               fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
+               if (fd < 0)
+                       return error_errno(_("cannot open %s"), namebuf);
+       }
+       rej = fdopen(fd, "w");
        if (!rej)
                return error_errno(_("cannot open %s"), namebuf);
 

diff --git a/gettext.c b/gettext.c
index 1b564216d03f6a7bb75fb4c867ad1b0e5cfbecd0..610d402fe720aba33281877f47976895f659578f 100644 (file)
--- a/gettext.c
+++ b/gettext.c
@@ -109,6 +109,8 @@ static void init_gettext_charset(const char *domain)
                setlocale(LC_CTYPE, "C");
 }
 
+int git_gettext_enabled = 0;
+
 void git_setup_gettext(void)
 {
        const char *podir = getenv(GIT_TEXT_DOMAIN_DIR_ENVIRONMENT);
@@ -130,6 +132,8 @@ void git_setup_gettext(void)
        init_gettext_charset("git");
        textdomain("git");
 
+       git_gettext_enabled = 1;
+
        free(p);
 }
 

diff --git a/gettext.h b/gettext.h
index bee52eb11347da9336e9f1906f7973aa0e224d3b..b96ab9d3403481b2c585db0a259f24b15724590a 100644 (file)
--- a/gettext.h
+++ b/gettext.h
@@ -31,9 +31,11 @@
 int use_gettext_poison(void);
 
 #ifndef NO_GETTEXT
+extern int git_gettext_enabled;
 void git_setup_gettext(void);
 int gettext_width(const char *s);
 #else
+#define git_gettext_enabled (0)
 static inline void git_setup_gettext(void)
 {
        use_gettext_poison(); /* getenv() reentrancy paranoia */
@@ -48,7 +50,8 @@ static inline FORMAT_PRESERVING(1) const char *_(const char *msgid)
 {
        if (!*msgid)
                return "";
-       return use_gettext_poison() ? "# GETTEXT POISON #" : gettext(msgid);
+       return use_gettext_poison() ? "# GETTEXT POISON #" :
+               !git_gettext_enabled ? msgid : gettext(msgid);
 }
 
 static inline FORMAT_PRESERVING(1) FORMAT_PRESERVING(2)
@@ -56,6 +59,8 @@ const char *Q_(const char *msgid, const char *plu, unsigned long n)
 {
        if (use_gettext_poison())
                return "# GETTEXT POISON #";
+       if (!git_gettext_enabled)
+               return n == 1 ? msgid : plu;
        return ngettext(msgid, plu, n);
 }
 

diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
index 14e0f4d70590d9a0221a1b1c51171c71fa2bf648..2d03c4e4d19abac87da0b0543ad423790081d7b2 100755 (executable)
--- a/t/t4115-apply-symlink.sh
+++ b/t/t4115-apply-symlink.sh
@@ -125,4 +125,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' '
        test_path_is_file .git/delete-me
 '
 
+test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' '
+       test_when_finished "git reset --hard && git clean -dfx" &&
+
+       test_commit file &&
+       echo modified >file.t &&
+       git diff -- file.t >patch &&
+       echo modified-again >file.t &&
+
+       ln -s foo file.t.rej &&
+       test_must_fail git apply patch --reject 2>err &&
+       test_i18ngrep "Rejected hunk" err &&
+       test_path_is_missing foo &&
+       test_path_is_file file.t.rej
+'
+
 test_done