Blame SOURCES/git-cve-2018-17456.patch

From d819a25360ba38dfec31e37413963adf5688db80 Mon Sep 17 00:00:00 2001
From: Jeff King <peff@peff.net>
Date: Mon, 24 Sep 2018 04:32:15 -0400
Subject: [PATCH 1/2] submodule--helper: use "--" to signal end of clone
 options

commit 98afac7a7cefdca0d2c4917dd8066a59f7088265 upstream.

When we clone a submodule, we call "git clone $url $path".
But there's nothing to say that those components can't begin
with a dash themselves, confusing git-clone into thinking
they're options. Let's pass "--" to make it clear what we
expect.

There's no test here, because it's actually quite hard to
make these names work, even with "git clone" parsing them
correctly. And we're going to restrict these cases even
further in future commits. So we'll leave off testing until
then; this is just the minimal fix to prevent us from doing
something stupid with a badly formed entry.

[jn: backported to 2.1.y by applying to git-submodule.sh
 instead of submodule--helper]

Reported-by: joernchen <joernchen@phenoelit.de>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>

submodule-config: ban submodule urls that start with dash

commit f6adec4e329ef0e25e14c63b735a5956dc67b8bc upstream.

The previous commit taught the submodule code to invoke our
"git clone $url $path" with a "--" separator so that we
aren't confused by urls or paths that start with dashes.

However, that's just one code path. It's not clear if there
are others, and it would be an easy mistake to add one in
the future. Moreover, even with the fix in the previous
commit, it's quite hard to actually do anything useful with
such an entry. Any url starting with a dash must fall into
one of three categories:

 - it's meant as a file url, like "-path". But then any
   clone is not going to have the matching path, since it's
   by definition relative inside the newly created clone. If
   you spell it as "./-path", the submodule code sees the
   "/" and translates this to an absolute path, so it at
   least works (assuming the receiver has the same
   filesystem layout as you). But that trick does not apply
   for a bare "-path".

 - it's meant as an ssh url, like "-host:path". But this
   already doesn't work, as we explicitly disallow ssh
   hostnames that begin with a dash (to avoid option
   injection against ssh).

 - it's a remote-helper scheme, like "-scheme::data". This
   _could_ work if the receiver bends over backwards and
   creates a funny-named helper like "git-remote--scheme".
   But normally there would not be any helper that matches.

Since such a url does not work today and is not likely to do
anything useful in the future, let's simply disallow them
entirely. That protects the existing "git clone" path (in a
belt-and-suspenders way), along with any others that might
exist.

[jn: backported to 2.1.y by porting to shell]
[pc: backported to 1.8.3.1 by using $sm_path instead of $displayname
 and split tests into a separate commit]

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>

submodule-config: ban submodule paths that start with a dash

commit 273c61496f88c6495b886acb1041fe57965151da upstream.

We recently banned submodule urls that look like
command-line options. This is the matching change to ban
leading-dash paths.

As with the urls, this should not break any use cases that
currently work. Even with our "--" separator passed to
git-clone, git-submodule.sh gets confused. Without the code
portion of this patch, the clone of "-sub" added in t7417
would yield results like:

    /path/to/git-submodule: 410: cd: Illegal option -s
    /path/to/git-submodule: 417: cd: Illegal option -s
    /path/to/git-submodule: 410: cd: Illegal option -s
    /path/to/git-submodule: 417: cd: Illegal option -s
    Fetched in submodule path '-sub', but it did not contain b56243f8f4eb91b2f1f8109452e659f14dd3fbe4. Direct fetching of that commit failed.

Moreover, naively adding such a submodule doesn't work:

  $ git submodule add $url -sub
  The following path is ignored by one of your .gitignore files:
  -sub

even though there is no such ignore pattern (the test script
hacks around this with a well-placed "git mv").

Unlike leading-dash urls, though, it's possible that such a
path _could_ be useful if we eventually made it work. So
this commit should be seen not as recommending a particular
policy, but rather temporarily closing off a broken and
possibly dangerous code-path. We may revisit this decision
later.

[jn: ported to git-submodule.sh
 pc: split the test into a separate commit ]

fsck: detect submodule urls starting with dash

commit a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46 upstream.

Urls with leading dashes can cause mischief on older
versions of Git. We should detect them so that they can be
rejected by receive.fsckObjects, preventing modern versions
of git from being a vector by which attacks can spread.

[jn: backported to 2.1.y: using error_func instead of report
 to report fsck errors]

[pc: split tests into a separate commit]

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>

fsck: detect submodule paths starting with dash

commit 1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404 upstream.

As with urls, submodule paths with dashes are ignored by
git, but may end up confusing older versions. Detecting them
via fsck lets us prevent modern versions of git from being a
vector to spread broken .gitmodules to older versions.

Compared to blocking leading-dash urls, though, this
detection may be less of a good idea:

  1. While such paths provide confusing and broken results,
     they don't seem to actually work as option injections
     against anything except "cd". In particular, the
     submodule code seems to canonicalize to an absolute
     path before running "git clone" (so it passes
     /your/clone/-sub).

  2. It's more likely that we may one day make such names
     actually work correctly. Even after we revert this fsck
     check, it will continue to be a hassle until hosting
     servers are all updated.

On the other hand, it's not entirely clear that the behavior
in older versions is safe. And if we do want to eventually
allow this, we may end up doing so with a special syntax
anyway (e.g., writing "./-sub" in the .gitmodules file, and
teaching the submodule code to canonicalize it when
comparing).

So on balance, this is probably a good protection.

[jn: backported to 2.1.y: using error_func instead of report
 to report fsck errors]

[pc: split test to a separate commit]
---
 fsck.c           | 10 ++++++++++
 git-submodule.sh | 20 +++++++++++++++-----
 2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/fsck.c b/fsck.c
index 811724125..90d641066 100644
--- a/fsck.c
+++ b/fsck.c
@@ -442,6 +442,16 @@ static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata)
 		data->ret += data->error_func(data->obj, FSCK_ERROR,
 					      "disallowed submodule name: %s",
 					      name);
+	if (!strcmp(key, "url") && value &&
+	    looks_like_command_line_option(value))
+		data->ret += data->error_func(data->obj, FSCK_ERROR,
+					      "disallowed submodule url: %s",
+					      value);
+	if (!strcmp(key, "path") && value &&
+	    looks_like_command_line_option(value))
+		data->ret += data->error_func(data->obj, FSCK_ERROR,
+					      "disallowed submodule path: %s",
+					      value);
 	free(name);
 
 	return 0;
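Review bot: looks_like_command_line_option() is called in both new conditions, but the diffstat lists only fsck.c and git-submodule.sh and all ten lines added to fsck.c are in this hunk, so nothing in this patch declares the helper or adds an include for it. Please confirm the backport target already provides it and that fsck.c sees its prototype; otherwise this needs a companion change. The url and path blocks are also identical apart from the key and the message text, so a small shared helper would keep the two from drifting.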
diff --git a/git-submodule.sh b/git-submodule.sh
index e958ce840..b5176ecc3 100755
--- a/git-submodule.sh
+++ b/git-submodule.sh
@@ -205,6 +205,11 @@ module_name()
 	re=$(printf '%s\n' "$1" | sed -e 's/[].[^$\\*]/\\&/g')
 	name=$( git config -f .gitmodules --get-regexp '^submodule\..*\.path$' |
 		sed -n -e 's|^submodule\.\(.*\)\.path '"$re"'$|\1|p' )
+	case "$sm_path" in
+	-*)
+		die "$(eval_gettext "Submodule path '\$sm_path' may be interpreted as a command-line option")"
+		;;
+	esac
 	test -z "$name" &&
 	die "$(eval_gettext "No submodule mapping found in .gitmodules for path '\$sm_path'")"
 	check_module_name "$name"
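Review bot: the new case statement tests "$sm_path", but module_name builds its lookup from "$1" (the re= line at the top of the hunk), so the check only covers callers that have already set sm_path to the same value they pass in. Testing "$1" directly would make the function self-contained. The check could also move above the "git config -f .gitmodules" call so a leading-dash path is rejected before the lookup runs.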
@@ -248,7 +253,7 @@ module_clone()
 		(
 			clear_local_git_env
 			git clone $quiet -n ${reference:+"$reference"} \
-				--separate-git-dir "$gitdir" "$url" "$sm_path"
+				--separate-git-dir "$gitdir" -- "$url" "$sm_path"
 		) ||
 		die "$(eval_gettext "Clone of '\$url' into submodule path '\$sm_path' failed")"
 	fi
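Review bot: the "--" added on the git clone line carries no comment explaining why it is there, and it is easy to lose in a later refactor of this argument list. A one-line comment above the call stating that $url and $sm_path come from .gitmodules and must never be parsed as options would document the intent.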
@@ -547,11 +552,13 @@ cmd_init()
 		if test -z "$(git config "submodule.$name.url")"
 		then
 			url=$(git config -f .gitmodules submodule."$name".url)
-			test -z "$url" &&
-			die "$(eval_gettext "No url found for submodule path '\$sm_path' in .gitmodules")"
-
-			# Possibly a url relative to parent
 			case "$url" in
+			"")
+				die "$(eval_gettext "No url found for submodule path '\$sm_path' in .gitmodules")"
+				;;
+			-*)
+				die "$(eval_gettext "Submodule at path '\$sm_path' has url '\$url' which may be interpreted as a command-line option")"
+				;;
 			./*|../*)
 				url=$(resolve_relative_url "$url") || exit
 				;;
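Review bot: the new -*) arm sits inside the 'if test -z "$(git config "submodule.$name.url")"' branch, so it only validates a url that is being read from .gitmodules for the first time; a value already stored in the local config never reaches this case. If that is intentional because module_clone now passes "--", a comment saying so would help. The refactor also drops the "# Possibly a url relative to parent" comment that the cmd_sync hunk keeps; consider restoring it above the ./*|../*) arm.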
@@ -1213,6 +1220,9 @@ cmd_sync()
 
 		# Possibly a url relative to parent
 		case "$url" in
+		-*)
+			die "$(eval_gettext "Submodule at path '\$sm_path' has url '\$url' which may be interpreted as a command-line option")"
+			;;
 		./*|../*)
 			# rewrite foo/bar as ../.. to find path from
 			# submodule work tree to superproject work tree
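Review bot: the -*) arm in cmd_sync repeats the cmd_init die message word for word; a shared helper that dies on a leading-dash url would keep the two checks and their translated strings in sync. Unlike the cmd_init hunk, the visible context here shows no "" arm, so it is worth confirming that an empty $url is handled earlier in cmd_sync.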
-- 
2.14.4
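
The condition the fsck.c hunk reports (a submodule url or path whose value begins with a dash), written as a stand-alone audit check; this is an added example, not part of the patch or of git. The function names scan_gitmodules and sample_gitmodules and the sample input are constructed for illustration, and the parser assumes one key per line with no continuation lines.

```shell
#!/bin/sh
# scan_gitmodules: read .gitmodules-style text on stdin and print one line per
# finding as "<key> <submodule name> <value>". Section and key names are
# matched case-insensitively, as git config does.
scan_gitmodules() {
	awk '
	{ low = tolower($0) }
	low ~ /^[ \t]*\[submodule[ \t]+"/ {
		name = $0
		sub(/^[ \t]*\[[A-Za-z]+[ \t]+"/, "", name)
		sub(/"[ \t]*\].*$/, "", name)
		next
	}
	low ~ /^[ \t]*\[/ { name = ""; next }   # any other section: stop matching
	name != "" && low ~ /^[ \t]*(url|path)[ \t]*=/ {
		key = low
		sub(/^[ \t]*/, "", key)
		sub(/[ \t]*=.*$/, "", key)
		val = $0
		sub(/^[^=]*=[ \t]*/, "", val)
		sub(/[ \t]+$/, "", val)
		first = val
		sub(/^"/, "", first)            # a quoted value still starts with "-"
		if (substr(first, 1, 1) == "-")
			printf "%s %s %s\n", key, name, val
	}'
}

# Constructed sample: one clean entry, one leading-dash url, one leading-dash
# path whose url uses the "./-path" spelling the commit message says is fine.
sample_gitmodules() {
	cat <<'EOF'
[submodule "ok"]
	path = lib/ok
	url = https://example.com/ok.git
[submodule "dash-url"]
	path = lib/a
	URL = -placeholder-option
[submodule "dash-path"]
	path = -sub
	url = ./-path
EOF
}

sample_gitmodules | scan_gitmodules
```
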