Blame SOURCES/git-cve-2019-1387.patch

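diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
index cc79d059f2..29adde60bd 100644
--- a/builtin/submodule--helper.c
+++ b/builtin/submodule--helper.c
@@ -25,11 +25,32 @@ static int check_name(int argc, const char **argv, const char *prefix)
 	return 0;
 }
 
+/*
+ * Exit non-zero if the proposed submodule repository path is inside
+ * another submodules' git dir.
+ */
+static int validate_git_dir(int argc, const char **argv, const char *prefix)
+{
+	char *sm_gitdir;
+
+	if (argc != 3)
+		usage("git submodule--helper validate-git-dir <path> <name>");
+	sm_gitdir = xstrdup(argv[1]);
+	if (validate_submodule_git_dir(sm_gitdir, argv[2]) < 0) {
+		free(sm_gitdir);
+		return 1;
+	}
+	free(sm_gitdir);
+	return 0;
+}
+
 int cmd_submodule__helper(int argc, const char **argv, const char *prefix)
 {
 	if (argc < 2)
 		usage("git submodule--helper <command>");
 	if (!strcmp(argv[1], "check-name"))
 		return check_name(argc - 1, argv + 1, prefix);
+	if (!strcmp(argv[1], "validate-git-dir"))
+		return validate_git_dir(argc - 1, argv + 1, prefix);
 	die(_("'%s' is not a valid submodule--helper subcommand"), argv[1]);
 }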
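Review bot: `validate_git_dir()` passes its two command-line arguments straight to `validate_submodule_git_dir()`, which in the submodule.c part of this patch calls `die("BUG: ...")` when the name is not the trailing component of the path, so a mistyped invocation of the helper is reported as an internal bug rather than as a usage error. The comment above the function should state that precondition, for example `* <name> must be the trailing path component of <path>.` The duplicated `free(sm_gitdir)` could also be folded by keeping the result first: `ret = validate_submodule_git_dir(sm_gitdir, argv[2]) < 0;` followed by `free(sm_gitdir); return ret;`.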
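diff -ruNp a/git-submodule.sh b/git-submodule.sh
--- a/git-submodule.sh	2020-01-09 20:01:48.885647299 +0100
+++ b/git-submodule.sh	2020-01-10 08:42:05.107514269 +0100
@@ -253,6 +253,11 @@ module_clone()
 	gitdir_base="$gitdir/modules/$base_name"
 	gitdir="$gitdir/modules/$name"
 
+        if ! git submodule--helper validate-git-dir "$gitdir" "$name"
+        then
+	        die "$(eval_gettextln "refusing to create/use '\$gitdir' in another submodule's git dir")"
+        fi
+
 	if test -d "$gitdir"
 	then
 		mkdir -p "$sm_path"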
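Review bot: The block added to `module_clone()` is indented with eight spaces (and a tab followed by spaces on the `die` line), while the surrounding context lines use tabs. Re-indenting it with tabs, starting with `	if ! git submodule--helper validate-git-dir "$gitdir" "$name"`, keeps the security check consistent with the file and avoids whitespace-only noise in later backports. The placement is sound: the check runs before `test -d "$gitdir"`, so it applies whichever branch of that `if` is taken. module_clone's body continues outside the hunk.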
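diff --git a/git-submodule.sh b/git-submodule.sh
index ca16579c3c..bf5ffdb1f6 100755
--- a/git-submodule.sh
+++ b/git-submodule.sh
@@ -419,6 +419,11 @@ Use -f if you really want to add it." >&2
 		fi
 
 	else
+		sm_gitdir=".git/modules/$sm_name"
+		if ! git submodule--helper validate-git-dir "$sm_gitdir" "$sm_name"
+		then
+			die "$(eval_gettextln "refusing to create/use '\$sm_gitdir' in another submodule's git dir")"
+		fi
 		if test -d ".git/modules/$sm_name"
 		then
 			if test -z "$force"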
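Review bot: `sm_gitdir` is assigned just above, but the following context line still tests the literal `.git/modules/$sm_name`, so the path that was validated and the path that is used are spelled twice and can drift apart. Writing the existence check as `if test -d "$sm_gitdir"` would tie it to the validated value. The enclosing function starts and ends outside the hunk, so any further uses of the literal below cannot be seen from here.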
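diff --git a/submodule.c b/submodule.c
index 6337cab091..9927f56a33 100644
--- a/submodule.c
+++ b/submodule.c
@@ -1034,3 +1034,43 @@ int merge_submodule(unsigned char result[20], const char *path,
 	free(merges.objects);
 	return 0;
 }
+int validate_submodule_git_dir(char *git_dir, const char *submodule_name)
+{
+	size_t len = strlen(git_dir), suffix_len = strlen(submodule_name);
+	char *p;
+	int ret = 0;
+
+	if (len <= suffix_len || (p = git_dir + len - suffix_len)[-1] != '/' ||
+	    strcmp(p, submodule_name))
+		die("BUG: submodule name '%s' not a suffix of git dir '%s'",
+		    submodule_name, git_dir);
+
+	/*
+	 * We prevent the contents of sibling submodules' git directories to
+	 * clash.
+	 *
+	 * Example: having a submodule named `hippo` and another one named
+	 * `hippo/hooks` would result in the git directories
+	 * `.git/modules/hippo/` and `.git/modules/hippo/hooks/`, respectively,
+	 * but the latter directory is already designated to contain the hooks
+	 * of the former.
+	 */
+	for (; *p; p++) {
+		if (is_dir_sep(*p)) {
+			char c = *p;
+
+			*p = '\0';
+			if (is_git_directory(git_dir))
+				ret = -1;
+			*p = c;
+
+			if (ret < 0)
+				return error(_("submodule git dir '%s' is "
+					       "inside git dir '%.*s'"),
+					     git_dir,
+					     (int)(p - git_dir), git_dir);
+		}
+	}
+
+	return 0;
+}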
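Review bot: The loop in `validate_submodule_git_dir()` tests only the ancestors of the proposed directory (each prefix ending at a separator inside the name), so it rejects `hippo/hooks` once `hippo` exists, but as far as this hunk shows it has nothing to check when the shorter name is validated after the deeper one. Whether that ordering is handled elsewhere is not visible here; a sentence in the block comment stating which direction is covered, plus a test with the `.gitmodules` entries reversed, would make the guarantee explicit. The function also truncates `git_dir` in place and restores it, which is why the parameter is non-const; a short comment at `*p = '\0';` such as `/* test this ancestor in place; restored below */` would save the next reader from working that out. A blank line is missing between the closing brace of `merge_submodule()` and the new function.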
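diff --git a/submodule.h b/submodule.h
index 59dbdfbd17..9c99457a3f 100644
--- a/submodule.h
+++ b/submodule.h
@@ -37,6 +37,11 @@ int find_unpushed_submodules(unsigned char new_sha1[20], const char *remotes_nam
 		struct string_list *needs_pushing);
 int push_unpushed_submodules(unsigned char new_sha1[20], const char *remotes_name);
 
+/*
+ * Make sure that no submodule's git dir is nested in a sibling submodule's.
+ */
+int validate_submodule_git_dir(char *git_dir, const char *submodule_name);
+
 /*
  * Returns 0 if the name is syntactically acceptable as a submodule "name"
  * (e.g., that may be found in the subsection of a .gitmodules file) and -1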
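Review bot: The comment on `validate_submodule_git_dir()` omits the contract a caller needs. Going by the definition in submodule.c, it returns 0 when no ancestor of `git_dir` is a git directory, returns the result of `error()` after printing a message otherwise, and dies when `submodule_name` is not the trailing path component of `git_dir`. The comment should also say that `git_dir` is modified in place during the check and restored before returning, since that is the reason the parameter is `char *` rather than `const char *`. The comment that follows in the header already documents its function's return values in this form.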
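diff --git a/t/t7415-submodule-names.sh b/t/t7415-submodule-names.sh
index 6456d5ae43..29393de617 100755
--- a/t/t7415-submodule-names.sh
+++ b/t/t7415-submodule-names.sh
@@ -151,4 +151,27 @@ test_expect_success 'fsck detects symlinked .gitmodules file' '
 	)
 '
 
+test_expect_success 'git dirs of sibling submodules must not be nested' '
+	git init nested &&
+	(
+		cd nested &&
+		test_commit nested &&
+		cat >.gitmodules <<-EOF &&
+		[submodule "hippo"]
+			url = .
+			path = thing1
+		[submodule "hippo/hooks"]
+			url = .
+			path = thing2
+		EOF
+		git clone . thing1 &&
+		git clone . thing2 &&
+		git add .gitmodules thing1 thing2 &&
+		test_tick &&
+		git commit -m nested
+	) &&
+	test_must_fail git clone --recurse-submodules nested clone 2>err &&
+	test_i18ngrep "is inside git dir" err
+'
+
 test_done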
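Review bot: The new test exercises only `git clone --recurse-submodules`, which reaches the check added to `module_clone()`. The second check this patch adds to git-submodule.sh (the `sm_gitdir=".git/modules/$sm_name"` block, apparently on the add path judging by its hunk header) has no test. A companion case that adds a submodule whose name is nested under an existing submodule's git dir, and expects the same `is inside git dir` message, would keep that second call site from regressing unnoticed.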