From d819a25360ba38dfec31e37413963adf5688db80 Mon Sep 17 00:00:00 2001
From: Jeff King <peff@peff.net>
Date: Mon, 24 Sep 2018 04:32:15 -0400
Subject: [PATCH 1/2] submodule--helper: use "--" to signal end of clone
options
commit 98afac7a7cefdca0d2c4917dd8066a59f7088265 upstream.
When we clone a submodule, we call "git clone $url $path".
But there's nothing to say that those components can't begin
with a dash themselves, confusing git-clone into thinking
they're options. Let's pass "--" to make it clear what we
expect.
There's no test here, because it's actually quite hard to
make these names work, even with "git clone" parsing them
correctly. And we're going to restrict these cases even
further in future commits. So we'll leave off testing until
then; this is just the minimal fix to prevent us from doing
something stupid with a badly formed entry.
[jn: backported to 2.1.y by applying to git-submodule.sh
instead of submodule--helper]
Reported-by: joernchen <joernchen@phenoelit.de>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
submodule-config: ban submodule urls that start with dash
commit f6adec4e329ef0e25e14c63b735a5956dc67b8bc upstream.
The previous commit taught the submodule code to invoke our
"git clone $url $path" with a "--" separator so that we
aren't confused by urls or paths that start with dashes.
However, that's just one code path. It's not clear if there
are others, and it would be an easy mistake to add one in
the future. Moreover, even with the fix in the previous
commit, it's quite hard to actually do anything useful with
such an entry. Any url starting with a dash must fall into
one of three categories:
- it's meant as a file url, like "-path". But then any
clone is not going to have the matching path, since it's
by definition relative inside the newly created clone. If
you spell it as "./-path", the submodule code sees the
"/" and translates this to an absolute path, so it at
least works (assuming the receiver has the same
filesystem layout as you). But that trick does not apply
for a bare "-path".
- it's meant as an ssh url, like "-host:path". But this
already doesn't work, as we explicitly disallow ssh
hostnames that begin with a dash (to avoid option
injection against ssh).
- it's a remote-helper scheme, like "-scheme::data". This
_could_ work if the receiver bends over backwards and
creates a funny-named helper like "git-remote--scheme".
But normally there would not be any helper that matches.
Since such a url does not work today and is not likely to do
anything useful in the future, let's simply disallow them
entirely. That protects the existing "git clone" path (in a
belt-and-suspenders way), along with any others that might
exist.
[jn: backported to 2.1.y by porting to shell]
[pc: backported to 1.8.3.1 by using $sm_path instead of $displayname
and split tests into a separate commit]
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
submodule-config: ban submodule paths that start with a dash
commit 273c61496f88c6495b886acb1041fe57965151da upstream.
We recently banned submodule urls that look like
command-line options. This is the matching change to ban
leading-dash paths.
As with the urls, this should not break any use cases that
currently work. Even with our "--" separator passed to
git-clone, git-submodule.sh gets confused. Without the code
portion of this patch, the clone of "-sub" added in t7417
would yield results like:
/path/to/git-submodule: 410: cd: Illegal option -s
/path/to/git-submodule: 417: cd: Illegal option -s
/path/to/git-submodule: 410: cd: Illegal option -s
/path/to/git-submodule: 417: cd: Illegal option -s
Fetched in submodule path '-sub', but it did not contain b56243f8f4eb91b2f1f8109452e659f14dd3fbe4. D
irect fetching of that commit failed.
Moreover, naively adding such a submodule doesn't work:
$ git submodule add $url -sub
The following path is ignored by one of your .gitignore files:
-sub
even though there is no such ignore pattern (the test script
hacks around this with a well-placed "git mv").
Unlike leading-dash urls, though, it's possible that such a
path _could_ be useful if we eventually made it work. So
this commit should be seen not as recommending a particular
policy, but rather temporarily closing off a broken and
possibly dangerous code-path. We may revisit this decision
later.
[jn: ported to git-submodule.sh
pc: split the test into a separate commit ]
fsck: detect submodule urls starting with dash
commit a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46 upstream.
Urls with leading dashes can cause mischief on older
versions of Git. We should detect them so that they can be
rejected by receive.fsckObjects, preventing modern versions
of git from being a vector by which attacks can spread.
[jn: backported to 2.1.y: using error_func instead of report
to report fsck errors]
[pc: split tests into a separate commit]
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
fsck: detect submodule paths starting with dash
commit 1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404 upstream.
As with urls, submodule paths with dashes are ignored by
git, but may end up confusing older versions. Detecting them
via fsck lets us prevent modern versions of git from being a
vector to spread broken .gitmodules to older versions.
Compared to blocking leading-dash urls, though, this
detection may be less of a good idea:
1. While such paths provide confusing and broken results,
they don't seem to actually work as option injections
against anything except "cd". In particular, the
submodule code seems to canonicalize to an absolute
path before running "git clone" (so it passes
/your/clone/-sub).
2. It's more likely that we may one day make such names
actually work correctly. Even after we revert this fsck
check, it will continue to be a hassle until hosting
servers are all updated.
On the other hand, it's not entirely clear that the behavior
in older versions is safe. And if we do want to eventually
allow this, we may end up doing so with a special syntax
anyway (e.g., writing "./-sub" in the .gitmodules file, and
teaching the submodule code to canonicalize it when
comparing).
So on balance, this is probably a good protection.
[jn: backported to 2.1.y: using error_func instead of report
to report fsck errors]
[pc: split test to a separate commit]
---
fsck.c | 10 ++++++++++
git-submodule.sh | 20 +++++++++++++++-----
2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/fsck.c b/fsck.c
index 811724125..90d641066 100644
--- a/fsck.c
+++ b/fsck.c
@@ -442,6 +442,16 @@ static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata)
data->ret += data->error_func(data->obj, FSCK_ERROR,
"disallowed submodule name: %s",
name);
+ if (!strcmp(key, "url") && value &&
+ looks_like_command_line_option(value))
+ data->ret += data->error_func(data->obj, FSCK_ERROR,
+ "disallowed submodule url: %s",
+ value);
+ if (!strcmp(key, "path") && value &&
+ looks_like_command_line_option(value))
+ data->ret += data->error_func(data->obj, FSCK_ERROR,
+ "disallowed submodule path: %s",
+ value);
free(name);
return 0;
diff --git a/git-submodule.sh b/git-submodule.sh
index e958ce840..b5176ecc3 100755
--- a/git-submodule.sh
+++ b/git-submodule.sh
@@ -205,6 +205,11 @@ module_name()
re=$(printf '%s\n' "$1" | sed -e 's/[].[^$\\*]/\\&/g')
name=$( git config -f .gitmodules --get-regexp '^submodule\..*\.path$' |
sed -n -e 's|^submodule\.\(.*\)\.path '"$re"'$|\1|p' )
+ case "$sm_path" in
+ -*)
+ die "$(eval_gettext "Submodule path '\$sm_path' may be interpreted as a command-line option")"
+ ;;
+ esac
test -z "$name" &&
die "$(eval_gettext "No submodule mapping found in .gitmodules for path '\$sm_path'")"
check_module_name "$name"
@@ -248,7 +253,7 @@ module_clone()
(
clear_local_git_env
git clone $quiet -n ${reference:+"$reference"} \
- --separate-git-dir "$gitdir" "$url" "$sm_path"
+ --separate-git-dir "$gitdir" -- "$url" "$sm_path"
) ||
die "$(eval_gettext "Clone of '\$url' into submodule path '\$sm_path' failed")"
fi
@@ -547,11 +552,13 @@ cmd_init()
if test -z "$(git config "submodule.$name.url")"
then
url=$(git config -f .gitmodules submodule."$name".url)
- test -z "$url" &&
- die "$(eval_gettext "No url found for submodule path '\$sm_path' in .gitmodules")"
-
- # Possibly a url relative to parent
case "$url" in
+ "")
+ die "$(eval_gettext "No url found for submodule path '\$sm_path' in .gitmodules")"
+ ;;
+ -*)
+ die "$(eval_gettext "Submodule at path '\$sm_path' has url '\$url' which may be interpreted as a command-line option")"
+ ;;
./*|../*)
url=$(resolve_relative_url "$url") || exit
;;
@@ -1213,6 +1220,9 @@ cmd_sync()
# Possibly a url relative to parent
case "$url" in
+ -*)
+ die "$(eval_gettext "Submodule at path '\$sm_path' has url '\$url' which may be interpreted as a command-line option")"
+ ;;
./*|../*)
# rewrite foo/bar as ../.. to find path from
# submodule work tree to superproject work tree
--
2.14.4