From: Johannes Schindelin Date: Fri, 12 Apr 2024 07:45:28 +0000 (+0200) Subject: Sync with 2.39.4 X-Git-Tag: v2.40.2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=93a88f42db7ed9a975768df0e5f4516317c50dda;p=thirdparty%2Fgit.git Sync with 2.39.4 * maint-2.39: (38 commits) Git 2.39.4 fsck: warn about symlink pointing inside a gitdir core.hooksPath: add some protection while cloning init.templateDir: consider this config setting protected clone: prevent hooks from running during a clone Add a helper function to compare file contents init: refactor the template directory discovery into its own function find_hook(): refactor the `STRIP_EXTENSION` logic clone: when symbolic links collide with directories, keep the latter entry: report more colliding paths t5510: verify that D/F confusion cannot lead to an RCE submodule: require the submodule path to contain directories only clone_submodule: avoid using `access()` on directories submodules: submodule paths must not contain symlinks clone: prevent clashing git dirs when cloning submodule in parallel t7423: add tests for symlinked submodule directories has_dir_name(): do not get confused by characters < '/' docs: document security issues around untrusted .git dirs upload-pack: disable lazy-fetching by default fetch/clone: detect dubious ownership of local repositories ... 
--- 93a88f42db7ed9a975768df0e5f4516317c50dda
diff --cc .github/workflows/main.yml
index 30492eacdd,2dc0221f7f..b8aa4c9023
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@@ -286,15 -286,14 +286,15 @@@ jobs
runs_on_pool: ${{matrix.vector.pool}}
runs-on: ${{matrix.vector.pool}}
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- run: ci/install-dependencies.sh
- run: ci/run-build-and-tests.sh
- - run: ci/print-test-failures.sh
+ - name: print test failures
if: failure() && env.FAILED_TEST_ARTIFACTS != ''
+ run: ci/print-test-failures.sh
- name: Upload failed tests' directories
if: failure() && env.FAILED_TEST_ARTIFACTS != ''
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
with:
name: failed-tests-${{matrix.vector.jobname}}
path: ${{env.FAILED_TEST_ARTIFACTS}}
@@@ -326,12 -325,11 +326,12 @@@ if: matrix.vector.jobname == 'linux32'
- run: ci/install-docker-dependencies.sh
- run: ci/run-build-and-tests.sh
- - run: ci/print-test-failures.sh
+ - name: print test failures
if: failure() && env.FAILED_TEST_ARTIFACTS != ''
+ run: ci/print-test-failures.sh
- name: Upload failed tests' directories
if: failure() && env.FAILED_TEST_ARTIFACTS != '' && matrix.vector.jobname != 'linux32'
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
with:
name: failed-tests-${{matrix.vector.jobname}}
path: ${{env.FAILED_TEST_ARTIFACTS}}
diff --cc builtin/clone.c
index 65b5b7db6d,e7721f5c22..5fa2901400
--- a/builtin/clone.c
+++ b/builtin/clone.c
@@@ -1418,7 -1430,8 +1456,8 @@@ int cmd_clone(int argc, const char **ar
free(unborn_head);
free(dir);
free(path);
+ free(repo_to_free);
+ free(template_dir_dup);
- UNLEAK(repo);
junk_mode = JUNK_LEAVE_ALL;
transport_ls_refs_options_release(&transport_ls_refs_options);
diff --cc builtin/submodule--helper.c
index 4c173d8b37,941afe1568..74a23759f7
--- a/builtin/submodule--helper.c
+++ b/builtin/submodule--helper.c
@@@ -294,8 -294,10 +294,11 @@@ static void 
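Review bot: `uses: actions/checkout@v4` and `uses: actions/upload-artifact@v4` pin the third-party actions by a mutable tag, so whoever controls or compromises those repositories can change the code this job checks out with and uploads artifacts through without any change appearing here. The usual hardening is to pin the full commit SHA and keep the tag as a comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, and let Dependabot or Renovate bump the pins. The same applies to the second main.yml hunk, which bumps the same two actions.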
runcommand_in_submodule_cb(
struct child_process cp = CHILD_PROCESS_INIT;
char *displaypath;
+ if (validate_submodule_path(path) < 0)
+ exit(128);
+
- displaypath = get_submodule_displaypath(path, info->prefix);
+ displaypath = get_submodule_displaypath(path, info->prefix,
+ info->super_prefix);
sub = submodule_from_path(the_repository, null_oid(), path);
diff --cc ci/lib.sh
index db7105e8a8,b6bbb0222e..e4677845ec
--- a/ci/lib.sh
+++ b/ci/lib.sh
@@@ -253,12 -253,11 +253,10 @@@ ubuntu-*
export PATH="$GIT_LFS_PATH:$P4_PATH:$PATH"
;;
macos-*)
- if [ "$jobname" = osx-gcc ]
+ MAKEFLAGS="$MAKEFLAGS PYTHON_PATH=$(which python3)"
+ if [ "$jobname" != osx-gcc ]
then
- MAKEFLAGS="$MAKEFLAGS PYTHON_PATH=$(which python3)"
- else
- MAKEFLAGS="$MAKEFLAGS PYTHON_PATH=$(which python2)"
- MAKEFLAGS="$MAKEFLAGS NO_APPLE_COMMON_CRYPTO=NoThanks"
- MAKEFLAGS="$MAKEFLAGS NO_OPENSSL=NoThanks"
+ MAKEFLAGS="$MAKEFLAGS APPLE_COMMON_CRYPTO_SHA1=Yes"
fi
;;
esac
diff --cc submodule.c
index 3a0dfc417c,0b87ae6340..397e41304c
--- a/submodule.c
+++ b/submodule.c
@@@ -2072,9 -2107,13 +2099,13 @@@ static int submodule_has_dirty_index(co
return finish_command(&cp);
}
-static void submodule_reset_index(const char *path)
+static void submodule_reset_index(const char *path, const char *super_prefix)
{
struct child_process cp = CHILD_PROCESS_INIT;
+
+ if (validate_submodule_path(path) < 0)
+ exit(128);
+
prepare_submodule_repo_env(&cp.env);
cp.git_cmd = 1;
@@@ -2136,8 -2176,19 +2167,20 @@@ int submodule_move_head(const char *pat
if (!(flags & SUBMODULE_MOVE_HEAD_DRY_RUN)) {
if (old_head) {
if (!submodule_uses_gitfile(path))
- absorb_git_dir_into_superproject(path);
+ absorb_git_dir_into_superproject(path,
+ super_prefix);
+ else {
+ char *dotgit = xstrfmt("%s/.git", path);
+ char *git_dir = xstrdup(read_gitfile(dotgit));
+
+ free(dotgit);
+ if (validate_submodule_git_dir(git_dir,
+ sub->name) < 0)
+ die(_("refusing to create/use '%s' in " "another submodule's git dir"),
+ git_dir);
+ free(git_dir);
+ } 
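Review bot: The new `if (validate_submodule_path(path) < 0) exit(128);` aborts without a message of its own, so unless validate_submodule_path() prints one (its body is not in this diff; the comment on its prototype only says it checks for symlinks) a refused submodule leaves the user with a bare exit status 128. The refusal added to submodule_move_head in this same merge uses `die(_("refusing to create/use '%s' in another submodule's git dir"), git_dir)`; `die(_("refusing to run in submodule path '%s'"), path);` here would give the same kind of diagnostic and keep the error style consistent. The placement itself is right: the check runs before the display path is computed and before the child process is prepared. runcommand_in_submodule_cb's signature and the remainder of its body are outside the hunk.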
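Review bot: `MAKEFLAGS="$MAKEFLAGS PYTHON_PATH=$(which python3)"` yields an empty PYTHON_PATH without complaint when python3 is not installed, and `which` is not POSIX; `PYTHON_PATH=$(command -v python3) || { echo >&2 "python3 not found"; exit 1; }` fails at the point of the problem instead of somewhere later in the build. Separately, `APPLE_COMMON_CRYPTO_SHA1=Yes` is now set for every macOS job except osx-gcc; if that replaces the default collision-detecting SHA-1 with CommonCrypto (the Makefile is not in this diff), the clang macOS jobs stop exercising the shipping hash configuration. That is a defensible CI speed trade-off, but it should be stated next to the assignment, e.g. `# CI-only: CommonCrypto SHA-1 for build speed, not the default hash implementation`, so nobody reads it as a recommended setting. The `case` statement this `macos-*)` arm belongs to starts before the hunk.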
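Review bot: `submodule_reset_index()` now terminates the whole process with `exit(128)` from library code in submodule.c, with no message of its own unless validate_submodule_path() prints one (not visible here), and with no chance for its callers, which are outside the hunk, to report or clean up. Since the function is static, the fail-closed behaviour could instead be kept by making it return `int` and replacing `exit(128);` with `return -1;` so that callers propagate the failure; if aborting is the intent, `die(_("refusing to reset index of submodule at '%s'"), path);` at least says why. The new `super_prefix` parameter is not used in the visible lines; its use presumably follows later in the function, which continues past the hunk.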
} else {
struct strbuf gitdir = STRBUF_INIT;
submodule_name_to_gitdir(&gitdir, the_repository,
diff --cc submodule.h
index c55a25ca37,fb770f1687..b50d29eba4
--- a/submodule.h
+++ b/submodule.h
@@@ -148,10 -148,16 +148,15 @@@ void submodule_name_to_gitdir(struct st
*/
int validate_submodule_git_dir(char *git_dir, const char *submodule_name);
+ /*
+ * Make sure that the given submodule path does not follow symlinks.
+ */
+ int validate_submodule_path(const char *path);
+
#define SUBMODULE_MOVE_HEAD_DRY_RUN (1<<0)
#define SUBMODULE_MOVE_HEAD_FORCE (1<<1)
-int submodule_move_head(const char *path,
- const char *old,
- const char *new_head,
+int submodule_move_head(const char *path, const char *super_prefix,
+ const char *old_head, const char *new_head,
unsigned flags);
void submodule_unset_core_worktree(const struct submodule *sub);
diff --cc t/t1800-hook.sh
index 3506f627b6,7ee12e6f48..0f0c706d07
--- a/t/t1800-hook.sh
+++ b/t/t1800-hook.sh
@@@ -177,22 -177,19 +177,37 @@@ test_expect_success 'git hook run a hoo
test_cmp expect actual
'
+test_expect_success 'stdin to hooks' '
+ write_script .git/hooks/test-hook <<-\EOF &&
+ echo BEGIN stdin
+ cat
+ echo END stdin
+ EOF
+
+ cat >expect <<-EOF &&
+ BEGIN stdin
+ hello
+ END stdin
+ EOF
+
+ echo hello >input &&
+ git hook run --to-stdin=input test-hook 2>actual &&
+ test_cmp expect actual
+'
+
+ test_expect_success 'clone protections' '
+ test_config core.hooksPath "$(pwd)/my-hooks" &&
+ mkdir -p my-hooks &&
+ write_script my-hooks/test-hook <<-\EOF &&
+ echo Hook ran $1
+ EOF
+
+ git hook run test-hook 2>err &&
+ grep "Hook ran" err &&
+ test_must_fail env GIT_CLONE_PROTECTION_ACTIVE=true \
+ git hook run test-hook 2>err &&
+ grep "active .core.hooksPath" err &&
+ ! grep "Hook ran" err
+ '
+
test_done
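Review bot: `char *git_dir = xstrdup(read_gitfile(dotgit));` dereferences NULL when read_gitfile() fails, and the only thing making success likely is the `submodule_uses_gitfile(path)` test just above, which read the same `.git` file in a separate call; if `.git` is removed or replaced between the two reads the new branch crashes rather than refusing (this assumes read_gitfile() returns NULL instead of dying for a missing or non-regular file, which is my reading of it; its body is not in this diff). Check the result before copying it: `const char *gf = read_gitfile(dotgit);` / `if (!gf) die(_("'%s' is not a gitfile"), dotgit);` / `char *git_dir = xstrdup(gf);`. The non-const copy is otherwise needed because the `validate_submodule_git_dir(char *git_dir, ...)` prototype in submodule.h takes a writable pointer. submodule_move_head starts before the hunk and continues past it.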
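Review bot: The new comment on `validate_submodule_path()` says what is checked but not how the result is reported, while every caller added in this merge tests `< 0` and then calls `exit(128)` without printing anything, so the header has to state whether the function itself emits the diagnostic and what the return values mean. Suggested wording for the three-line block: keep the purpose sentence, then add that the function returns 0 when the path is acceptable and a negative value when it must be refused, and say whether an error message has already been printed in that case — confirmed against the implementation, which is not in this diff. If the check is a filesystem (lstat-style) check, saying so also tells readers that the verdict is only as good as the working tree at the moment of the call.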
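Review bot: The 'clone protections' test pins only the `core.hooksPath` refusal: the positive control `git hook run test-hook` runs without `GIT_CLONE_PROTECTION_ACTIVE`, so the test cannot tell whether a hook found in the default `.git/hooks` directory is refused, or still allowed, while the protection is active — the other half of "clone: prevent hooks from running during a clone" in this merge's subject list. A second case with `test_unconfig core.hooksPath &&` and `env GIT_CLONE_PROTECTION_ACTIVE=true git hook run test-hook 2>err` (wrapped in `test_must_fail` if the default directory is meant to be refused too) would pin that branch; note that `.git/hooks/test-hook` already exists at that point, left behind by the 'stdin to hooks' test above. Also add `test_when_finished "rm -rf my-hooks" &&` before `mkdir -p my-hooks`, because `test_config` only undoes the config value and the directory otherwise leaks into later tests in the same trash directory.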