Sync with 2.39.4
authorJohannes Schindelin <johannes.schindelin@gmx.de>
Fri, 12 Apr 2024 07:45:28 +0000 (09:45 +0200)
committerJohannes Schindelin <johannes.schindelin@gmx.de>
Fri, 19 Apr 2024 10:38:37 +0000 (12:38 +0200)
* maint-2.39: (38 commits)
  Git 2.39.4
  fsck: warn about symlink pointing inside a gitdir
  core.hooksPath: add some protection while cloning
  init.templateDir: consider this config setting protected
  clone: prevent hooks from running during a clone
  Add a helper function to compare file contents
  init: refactor the template directory discovery into its own function
  find_hook(): refactor the `STRIP_EXTENSION` logic
  clone: when symbolic links collide with directories, keep the latter
  entry: report more colliding paths
  t5510: verify that D/F confusion cannot lead to an RCE
  submodule: require the submodule path to contain directories only
  clone_submodule: avoid using `access()` on directories
  submodules: submodule paths must not contain symlinks
  clone: prevent clashing git dirs when cloning submodule in parallel
  t7423: add tests for symlinked submodule directories
  has_dir_name(): do not get confused by characters < '/'
  docs: document security issues around untrusted .git dirs
  upload-pack: disable lazy-fetching by default
  fetch/clone: detect dubious ownership of local repositories
  ...

24 files changed:
.github/workflows/main.yml
Documentation/git.txt
INSTALL
builtin/clone.c
builtin/submodule--helper.c
cache.h
ci/lib.sh
config.c
dir.c
dir.h
entry.c
fsck.c
fsck.h
hook.c
read-cache.c
submodule.c
submodule.h
t/t0000-basic.sh
t/t1450-fsck.sh
t/t1800-hook.sh
t/t5510-fetch.sh
t/t5601-clone.sh
t/t7450-bad-git-dotfiles.sh
t/test-lib.sh

index 30492eacddfc7db484e9c73af3ba49960d77f5cb,2dc0221f7f587beb8c80d134c91d9264b5a1b308..b8aa4c902325d615e1f1cd1c30dae6c7e38e3bab
@@@ -286,15 -286,14 +286,15 @@@ jobs
        runs_on_pool: ${{matrix.vector.pool}}
      runs-on: ${{matrix.vector.pool}}
      steps:
-     - uses: actions/checkout@v3
+     - uses: actions/checkout@v4
      - run: ci/install-dependencies.sh
      - run: ci/run-build-and-tests.sh
 -    - run: ci/print-test-failures.sh
 +    - name: print test failures
        if: failure() && env.FAILED_TEST_ARTIFACTS != ''
 +      run: ci/print-test-failures.sh
      - name: Upload failed tests' directories
        if: failure() && env.FAILED_TEST_ARTIFACTS != ''
-       uses: actions/upload-artifact@v3
+       uses: actions/upload-artifact@v4
        with:
          name: failed-tests-${{matrix.vector.jobname}}
          path: ${{env.FAILED_TEST_ARTIFACTS}}
        if: matrix.vector.jobname == 'linux32'
      - run: ci/install-docker-dependencies.sh
      - run: ci/run-build-and-tests.sh
 -    - run: ci/print-test-failures.sh
 +    - name: print test failures
        if: failure() && env.FAILED_TEST_ARTIFACTS != ''
 +      run: ci/print-test-failures.sh
      - name: Upload failed tests' directories
        if: failure() && env.FAILED_TEST_ARTIFACTS != '' && matrix.vector.jobname != 'linux32'
-       uses: actions/upload-artifact@v3
+       uses: actions/upload-artifact@v4
        with:
          name: failed-tests-${{matrix.vector.jobname}}
          path: ${{env.FAILED_TEST_ARTIFACTS}}
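Review bot: The bumped `uses: actions/checkout@v4` and `uses: actions/upload-artifact@v4` lines still pin to a mutable major-version tag, so each run trusts whichever commit that tag resolves to at the time; pinning to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`, is the usual supply-chain hardening for third-party actions. Since these lines are being touched anyway, alongside the restructured `print test failures` step, this is a natural moment to do it. Only this job's steps are visible here, so other `uses:` lines in the workflow would need the same treatment.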
Simple merge
diff --cc INSTALL
Simple merge
diff --cc builtin/clone.c
index 65b5b7db6de5bdac835ad95b6438c1cc548d1599,e7721f5c22cd5db0e08a5bced861b829d58e8eb8..5fa29014007a3a3a1078b60b0f3a2401b5f939e2
@@@ -1418,7 -1430,8 +1456,8 @@@ int cmd_clone(int argc, const char **ar
        free(unborn_head);
        free(dir);
        free(path);
 -      UNLEAK(repo);
 +      free(repo_to_free);
+       free(template_dir_dup);
        junk_mode = JUNK_LEAVE_ALL;
  
        transport_ls_refs_options_release(&transport_ls_refs_options);
index 4c173d8b37adfc72ec840fd88ca27e36f432aef3,941afe1568e36bbf74833fb3f638ecbba95684c0..74a23759f704397a65ed432c867541992b0f231d
@@@ -294,8 -294,10 +294,11 @@@ static void runcommand_in_submodule_cb(
        struct child_process cp = CHILD_PROCESS_INIT;
        char *displaypath;
  
 -      displaypath = get_submodule_displaypath(path, info->prefix);
+       if (validate_submodule_path(path) < 0)
+               exit(128);
 +      displaypath = get_submodule_displaypath(path, info->prefix,
 +                                              info->super_prefix);
  
        sub = submodule_from_path(the_repository, null_oid(), path);
  
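Review bot: The new guard `if (validate_submodule_path(path) < 0) exit(128);` ends the whole foreach run without printing anything itself, so it relies on validate_submodule_path() having already emitted a diagnostic; that function is not in this hunk, so I cannot confirm it does. If it only reports through its return value, `die(_("invalid submodule path '%s'"), path)` would tell the user what was rejected and match how the surrounding code fails. The same bare `exit(128)` is added to submodule_reset_index() in submodule.c in this commit, so whatever is decided should be applied in both places. runcommand_in_submodule_cb() begins and ends outside this hunk.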
diff --cc cache.h
Simple merge
diff --cc ci/lib.sh
index db7105e8a8dcdff1432d5ec972e3262e4f787c16,b6bbb0222e205167b7cb83ac5cd80f1cd752edf1..e4677845ec2e81978ee958cc1f166f9e16b91c93
+++ b/ci/lib.sh
@@@ -253,12 -253,11 +253,10 @@@ ubuntu-*
        export PATH="$GIT_LFS_PATH:$P4_PATH:$PATH"
        ;;
  macos-*)
-       if [ "$jobname" = osx-gcc ]
+       MAKEFLAGS="$MAKEFLAGS PYTHON_PATH=$(which python3)"
+       if [ "$jobname" != osx-gcc ]
        then
-               MAKEFLAGS="$MAKEFLAGS PYTHON_PATH=$(which python3)"
-       else
-               MAKEFLAGS="$MAKEFLAGS PYTHON_PATH=$(which python2)"
 -              MAKEFLAGS="$MAKEFLAGS NO_APPLE_COMMON_CRYPTO=NoThanks"
 -              MAKEFLAGS="$MAKEFLAGS NO_OPENSSL=NoThanks"
 +              MAKEFLAGS="$MAKEFLAGS APPLE_COMMON_CRYPTO_SHA1=Yes"
        fi
        ;;
  esac
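Review bot: The new `MAKEFLAGS="$MAKEFLAGS PYTHON_PATH=$(which python3)"` runs for every macos-* job, and if `which` finds no interpreter it prints nothing, leaving an empty PYTHON_PATH that only surfaces later in the build (unless the script already runs under `set -e`, in which case the failing substitution aborts here — I cannot see the top of the file). `which` is also not POSIX; `$(command -v python3)` is the portable spelling, and a following `test -n` check would fail fast with a clear message. The enclosing case statement continues outside the hunk.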
diff --cc config.c
Simple merge
diff --cc dir.c
Simple merge
diff --cc dir.h
Simple merge
diff --cc entry.c
Simple merge
diff --cc fsck.c
Simple merge
diff --cc fsck.h
Simple merge
diff --cc hook.c
Simple merge
diff --cc read-cache.c
Simple merge
diff --cc submodule.c
index 3a0dfc417c05b627a5100f518768a1b32ee22339,0b87ae6340b92f886e0c1602940b2dd7c88211de..397e41304c086131511ff082c0dc7ed1fbdae48a
@@@ -2072,9 -2107,13 +2099,13 @@@ static int submodule_has_dirty_index(co
        return finish_command(&cp);
  }
  
 -static void submodule_reset_index(const char *path)
 +static void submodule_reset_index(const char *path, const char *super_prefix)
  {
        struct child_process cp = CHILD_PROCESS_INIT;
+       if (validate_submodule_path(path) < 0)
+               exit(128);
        prepare_submodule_repo_env(&cp.env);
  
        cp.git_cmd = 1;
@@@ -2136,8 -2176,19 +2167,20 @@@ int submodule_move_head(const char *pat
        if (!(flags & SUBMODULE_MOVE_HEAD_DRY_RUN)) {
                if (old_head) {
                        if (!submodule_uses_gitfile(path))
 -                              absorb_git_dir_into_superproject(path);
 +                              absorb_git_dir_into_superproject(path,
 +                                                               super_prefix);
+                       else {
+                               char *dotgit = xstrfmt("%s/.git", path);
+                               char *git_dir = xstrdup(read_gitfile(dotgit));
+                               free(dotgit);
+                               if (validate_submodule_git_dir(git_dir,
+                                                              sub->name) < 0)
+                                       die(_("refusing to create/use '%s' in "
+                                             "another submodule's git dir"),
+                                           git_dir);
+                               free(git_dir);
+                       }
                } else {
                        struct strbuf gitdir = STRBUF_INIT;
                        submodule_name_to_gitdir(&gitdir, the_repository,
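Review bot: In the new else-branch of submodule_move_head(), `char *git_dir = xstrdup(read_gitfile(dotgit));` hands read_gitfile()'s result to xstrdup() with no NULL check; it is only safe because `submodule_uses_gitfile(path)` evaluated true a few lines earlier, and that check-then-read leaves a window in which `.git` could be swapped before it is read. Splitting it into `const char *target = read_gitfile(dotgit);` followed by `if (!target) die(_("'%s' is not a valid gitfile"), dotgit);` before the xstrdup() makes the failure mode explicit instead of a crash. I cannot see read_gitfile()'s NULL-return behaviour from this hunk, so confirm it against setup.c before adding the guard. submodule_move_head() begins and ends outside the hunk.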
diff --cc submodule.h
index c55a25ca37d2425d398f59c98ff177c8dfa6fdaf,fb770f1687a4e183a02f6590169b331fbf0e4b05..b50d29eba4f13ad6a77befb65e95019f63f70d78
@@@ -148,10 -148,16 +148,15 @@@ void submodule_name_to_gitdir(struct st
   */
  int validate_submodule_git_dir(char *git_dir, const char *submodule_name);
  
+ /*
+  * Make sure that the given submodule path does not follow symlinks.
+  */
+ int validate_submodule_path(const char *path);
  #define SUBMODULE_MOVE_HEAD_DRY_RUN (1<<0)
  #define SUBMODULE_MOVE_HEAD_FORCE   (1<<1)
 -int submodule_move_head(const char *path,
 -                      const char *old,
 -                      const char *new_head,
 +int submodule_move_head(const char *path, const char *super_prefix,
 +                      const char *old_head, const char *new_head,
                        unsigned flags);
  
  void submodule_unset_core_worktree(const struct submodule *sub);
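Review bot: The new comment above `int validate_submodule_path(const char *path);` says what is checked but not how the result is reported, even though both call sites added in this commit test for `< 0` and then `exit(128)`; spelling out the contract in the header would help, e.g. `Returns 0 if the path is acceptable and a negative value otherwise.`, plus a sentence on whether the function prints its own error — the definition is not visible here, so confirm that wording against submodule.c. A blank line between the declaration and the following `#define SUBMODULE_MOVE_HEAD_DRY_RUN` would also match the spacing around `validate_submodule_git_dir()` just above.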
Simple merge
diff --cc t/t1450-fsck.sh
Simple merge
diff --cc t/t1800-hook.sh
index 3506f627b6cf20f11e4cfd78b309e9e9acc07148,7ee12e6f48afab2b811c6848333f86090c2a5f1e..0f0c706d07a6ef4c6e5e0215dd533d3008aef07b
@@@ -177,22 -177,19 +177,37 @@@ test_expect_success 'git hook run a hoo
        test_cmp expect actual
  '
  
 +test_expect_success 'stdin to hooks' '
 +      write_script .git/hooks/test-hook <<-\EOF &&
 +      echo BEGIN stdin
 +      cat
 +      echo END stdin
 +      EOF
 +
 +      cat >expect <<-EOF &&
 +      BEGIN stdin
 +      hello
 +      END stdin
 +      EOF
 +
 +      echo hello >input &&
 +      git hook run --to-stdin=input test-hook 2>actual &&
 +      test_cmp expect actual
 +'
 +
+ test_expect_success 'clone protections' '
+       test_config core.hooksPath "$(pwd)/my-hooks" &&
+       mkdir -p my-hooks &&
+       write_script my-hooks/test-hook <<-\EOF &&
+       echo Hook ran $1
+       EOF
+       git hook run test-hook 2>err &&
+       grep "Hook ran" err &&
+       test_must_fail env GIT_CLONE_PROTECTION_ACTIVE=true \
+               git hook run test-hook 2>err &&
+       grep "active .core.hooksPath" err &&
+       ! grep "Hook ran" err
+ '
  test_done
Simple merge
Simple merge
Simple merge
diff --cc t/test-lib.sh
Simple merge