git.ipfire.org Git - thirdparty/git.git/commit

mingw: disallow backslash characters in tree objects' file names

The backslash character is not a valid part of a file name on Windows.
Hence it is dangerous to allow writing files that were unpacked from
tree objects, when the stored file name contains a backslash character:
it will be misinterpreted as directory separator.

This not only causes ambiguity when a tree contains a blob `a\b` and a
tree `a` that contains a blob `b`, but it also can be used as part of an
attack vector to side-step the careful protections against writing into
the `.git/` directory during a clone of a maliciously-crafted
repository.

Let's prevent that, addressing CVE-2019-1354.

Note: we guard against backslash characters in tree objects' file names
_only_ on Windows (because on other platforms, even on those where NTFS
volumes can be mounted, the backslash character is _not_ a directory
separator), and _only_ when `core.protectNTFS = true` (because users
might need to generate tree objects for other platforms, of course
without touching the worktree, e.g. using `git update-index
--cacheinfo`).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

author	Johannes Schindelin <johannes.schindelin@gmx.de>
	Thu, 12 Sep 2019 12:54:05 +0000 (14:54 +0200)
committer	Johannes Schindelin <johannes.schindelin@gmx.de>
	Wed, 4 Dec 2019 12:20:05 +0000 (13:20 +0100)
commit	e1d911dd4c7b76a5a8cec0f5c8de15981e34da83
tree	c3e36cceeadde0713a1f154b075ca1176f1b4a8b	tree \| snapshot
parent	0060fd1511b94c918928fa3708f69a3f33895a4a	commit \| diff

t/t1450-fsck.sh		diff \| blob \| blame \| history
t/t7415-submodule-names.sh		diff \| blob \| blame \| history
t/t9350-fast-export.sh		diff \| blob \| blame \| history
tree-walk.c		diff \| blob \| blame \| history