diff --git a/Documentation/RelNotes/2.30.6.txt b/Documentation/RelNotes/2.30.6.txt new file mode 100644 index 0000000000..d649071b79 --- /dev/null +++ b/Documentation/RelNotes/2.30.6.txt @@ -0,0 +1,60 @@ +Git v2.30.6 Release Notes +========================= + +This release addresses the security issues CVE-2022-39253 and +CVE-2022-39260. + +Fixes since v2.30.5 +------------------- + + * CVE-2022-39253: + When relying on the `--local` clone optimization, Git dereferences + symbolic links in the source repository before creating hardlinks + (or copies) of the dereferenced link in the destination repository. + This can lead to surprising behavior where arbitrary files are + present in a repository's `$GIT_DIR` when cloning from a malicious + repository. + + Git will no longer dereference symbolic links via the `--local` + clone mechanism, and will instead refuse to clone repositories that + have symbolic links present in the `$GIT_DIR/objects` directory. + + Additionally, the value of `protocol.file.allow` is changed to be + "user" by default. + + * CVE-2022-39260: + An overly-long command string given to `git shell` can result in + overflow in `split_cmdline()`, leading to arbitrary heap writes and + remote code execution when `git shell` is exposed and the directory + `$HOME/git-shell-commands` exists. + + `git shell` is taught to refuse interactive commands that are + longer than 4MiB in size. `split_cmdline()` is hardened to reject + inputs larger than 2GiB. + +Credit for finding CVE-2022-39253 goes to Cory Snider of Mirantis. The +fix was authored by Taylor Blau, with help from Johannes Schindelin. + +Credit for finding CVE-2022-39260 goes to Kevin Backhouse of GitHub. +The fix was authored by Kevin Backhouse, Jeff King, and Taylor Blau. + + +Jeff King (2): + shell: add basic tests + shell: limit size of interactive commands + +Kevin Backhouse (1): + alias.c: reject too-long cmdline strings in split_cmdline() + +Taylor Blau (11): + builtin/clone.c: disallow `--local` clones with symlinks + t/lib-submodule-update.sh: allow local submodules + t/t1NNN: allow local submodules + t/2NNNN: allow local submodules + t/t3NNN: allow local submodules + t/t4NNN: allow local submodules + t/t5NNN: allow local submodules + t/t6NNN: allow local submodules + t/t7NNN: allow local submodules + t/t9NNN: allow local submodules + transport: make `protocol.file.allow` be "user" by default diff --git a/Documentation/RelNotes/2.31.5.txt b/Documentation/RelNotes/2.31.5.txt new file mode 100644 index 0000000000..0d87e6e03f --- /dev/null +++ b/Documentation/RelNotes/2.31.5.txt @@ -0,0 +1,5 @@ +Git v2.31.5 Release Notes +========================= + +This release merges the security fix that appears in v2.30.6; see +the release notes for that version for details. diff --git a/Documentation/RelNotes/2.32.4.txt b/Documentation/RelNotes/2.32.4.txt new file mode 100644 index 0000000000..76c67b209e --- /dev/null +++ b/Documentation/RelNotes/2.32.4.txt @@ -0,0 +1,5 @@ +Git v2.32.4 Release Notes +========================= + +This release merges the security fix that appears in v2.30.6; see +the release notes for that version for details. diff --git a/Documentation/config/protocol.txt b/Documentation/config/protocol.txt index 756591d77b..799389132f 100644 --- a/Documentation/config/protocol.txt +++ b/Documentation/config/protocol.txt @@ -1,10 +1,10 @@ protocol.allow:: If set, provide a user defined default policy for all protocols which don't explicitly have a policy (`protocol..allow`). By default, - if unset, known-safe protocols (http, https, git, ssh, file) have a + if unset, known-safe protocols (http, https, git, ssh) have a default policy of `always`, known-dangerous protocols (ext) have a - default policy of `never`, and all other protocols have a default - policy of `user`. Supported policies: + default policy of `never`, and all other protocols (including file) + have a default policy of `user`. Supported policies: + -- diff --git a/alias.c b/alias.c index c471538020..00abde0817 100644 --- a/alias.c +++ b/alias.c @@ -46,14 +46,16 @@ void list_aliases(struct string_list *list) #define SPLIT_CMDLINE_BAD_ENDING 1 #define SPLIT_CMDLINE_UNCLOSED_QUOTE 2 +#define SPLIT_CMDLINE_ARGC_OVERFLOW 3 static const char *split_cmdline_errors[] = { N_("cmdline ends with \\"), - N_("unclosed quote") + N_("unclosed quote"), + N_("too many arguments"), }; int split_cmdline(char *cmdline, const char ***argv) { - int src, dst, count = 0, size = 16; + size_t src, dst, count = 0, size = 16; char quoted = 0; ALLOC_ARRAY(*argv, size); @@ -96,6 +98,11 @@ int split_cmdline(char *cmdline, const char ***argv) return -SPLIT_CMDLINE_UNCLOSED_QUOTE; } + if (count >= INT_MAX) { + FREE_AND_NULL(*argv); + return -SPLIT_CMDLINE_ARGC_OVERFLOW; + } + ALLOC_GROW(*argv, count + 1, size); (*argv)[count] = NULL; diff --git a/builtin/clone.c b/builtin/clone.c index 7743dc07d2..4c5f35f6c1 100644 --- a/builtin/clone.c +++ b/builtin/clone.c @@ -424,13 +424,11 @@ static void copy_or_link_directory(struct strbuf *src, struct strbuf *dest, int src_len, dest_len; struct dir_iterator *iter; int iter_status; - unsigned int flags; struct strbuf realpath = STRBUF_INIT; mkdir_if_missing(dest->buf, 0777); - flags = DIR_ITERATOR_PEDANTIC | DIR_ITERATOR_FOLLOW_SYMLINKS; - iter = dir_iterator_begin(src->buf, flags); + iter = dir_iterator_begin(src->buf, DIR_ITERATOR_PEDANTIC); if (!iter) die_errno(_("failed to start iterator over '%s'"), src->buf); @@ -446,6 +444,10 @@ static void copy_or_link_directory(struct strbuf *src, struct strbuf *dest, strbuf_setlen(dest, dest_len); strbuf_addstr(dest, iter->relative_path); + if (S_ISLNK(iter->st.st_mode)) + die(_("symlink '%s' exists, refusing to clone with --local"), + iter->relative_path); + if (S_ISDIR(iter->st.st_mode)) { mkdir_if_missing(dest->buf, 0777); continue; diff --git a/shell.c b/shell.c index 811e13b9c9..7ff4109db7 100644 --- a/shell.c +++ b/shell.c @@ -47,6 +47,8 @@ static void cd_to_homedir(void) die("could not chdir to user's home directory"); } +#define MAX_INTERACTIVE_COMMAND (4*1024*1024) + static void run_shell(void) { int done = 0; @@ -67,22 +69,46 @@ static void run_shell(void) run_command_v_opt(help_argv, RUN_SILENT_EXEC_FAILURE); do { - struct strbuf line = STRBUF_INIT; const char *prog; char *full_cmd; char *rawargs; + size_t len; char *split_args; const char **argv; int code; int count; fprintf(stderr, "git> "); - if (git_read_line_interactively(&line) == EOF) { + + /* + * Avoid using a strbuf or git_read_line_interactively() here. + * We don't want to allocate arbitrary amounts of memory on + * behalf of a possibly untrusted client, and we're subject to + * OS limits on command length anyway. + */ + fflush(stdout); + rawargs = xmalloc(MAX_INTERACTIVE_COMMAND); + if (!fgets(rawargs, MAX_INTERACTIVE_COMMAND, stdin)) { fprintf(stderr, "\n"); - strbuf_release(&line); + free(rawargs); break; } - rawargs = strbuf_detach(&line, NULL); + len = strlen(rawargs); + + /* + * If we truncated due to our input buffer size, reject the + * command. That's better than running bogus input, and + * there's a good chance it's just malicious garbage anyway. + */ + if (len >= MAX_INTERACTIVE_COMMAND - 1) + die("invalid command format: input too long"); + + if (len > 0 && rawargs[len - 1] == '\n') { + if (--len > 0 && rawargs[len - 1] == '\r') + --len; + rawargs[len] = '\0'; + } + split_args = xstrdup(rawargs); count = split_cmdline(split_args, &argv); if (count < 0) { diff --git a/t/lib-submodule-update.sh b/t/lib-submodule-update.sh index f7c7df0ca4..25a5f3016f 100644 --- a/t/lib-submodule-update.sh +++ b/t/lib-submodule-update.sh @@ -197,6 +197,7 @@ test_git_directory_exists () { # the submodule repo if it doesn't exist and configures the most problematic # settings for diff.ignoreSubmodules. prolog () { + test_config_global protocol.file.allow always && (test -d submodule_update_repo || create_lib_submodule_repo) && test_config_global diff.ignoreSubmodules all && test_config diff.ignoreSubmodules all diff --git a/t/t1091-sparse-checkout-builtin.sh b/t/t1091-sparse-checkout-builtin.sh index 38fc8340f5..ab7b604998 100755 --- a/t/t1091-sparse-checkout-builtin.sh +++ b/t/t1091-sparse-checkout-builtin.sh @@ -465,7 +465,8 @@ test_expect_success 'interaction with submodules' ' ( cd super && mkdir modules && - git submodule add ../repo modules/child && + git -c protocol.file.allow=always \ + submodule add ../repo modules/child && git add . && git commit -m "add submodule" && git sparse-checkout init --cone && diff --git a/t/t1092-sparse-checkout-compatibility.sh b/t/t1092-sparse-checkout-compatibility.sh index 91e30d6ec2..51fd377a8e 100755 --- a/t/t1092-sparse-checkout-compatibility.sh +++ b/t/t1092-sparse-checkout-compatibility.sh @@ -554,6 +554,8 @@ test_expect_success 'submodule handling' ' test_all_match git add modules && test_all_match git commit -m "add modules directory" && + test_config_global protocol.file.allow always && + run_on_all git submodule add "$(pwd)/initial-repo" modules/sub && test_all_match git commit -m "add submodule" && diff --git a/t/t1500-rev-parse.sh b/t/t1500-rev-parse.sh index 1c2df08333..2c429f9635 100755 --- a/t/t1500-rev-parse.sh +++ b/t/t1500-rev-parse.sh @@ -225,7 +225,8 @@ test_expect_success 'showing the superproject correctly' ' test_commit -C super test_commit && test_create_repo sub && test_commit -C sub test_commit && - git -C super submodule add ../sub dir/sub && + git -c protocol.file.allow=always \ + -C super submodule add ../sub dir/sub && echo $(pwd)/super >expect && git -C super/dir/sub rev-parse --show-superproject-working-tree >out && test_cmp expect out && diff --git a/t/t2080-parallel-checkout-basics.sh b/t/t2080-parallel-checkout-basics.sh index 3e0f8c675f..393ba3545e 100755 --- a/t/t2080-parallel-checkout-basics.sh +++ b/t/t2080-parallel-checkout-basics.sh @@ -41,6 +41,8 @@ TEST_NO_CREATE_REPO=1 # - m/m (file) # test_expect_success 'setup repo for checkout with various types of changes' ' + test_config_global protocol.file.allow always && + git init sub && ( cd sub && @@ -140,6 +142,7 @@ do esac test_expect_success "$mode checkout on clone" ' + test_config_global protocol.file.allow always && repo=various_${mode}_clone && set_checkout_config $workers $threshold && test_checkout_workers $expected_workers \ diff --git a/t/t2400-worktree-add.sh b/t/t2400-worktree-add.sh index 37ad79470f..54b0eb6dce 100755 --- a/t/t2400-worktree-add.sh +++ b/t/t2400-worktree-add.sh @@ -614,6 +614,7 @@ test_expect_success '"add" should not fail because of another bad worktree' ' ' test_expect_success '"add" with uninitialized submodule, with submodule.recurse unset' ' + test_config_global protocol.file.allow always && test_create_repo submodule && test_commit -C submodule first && test_create_repo project && @@ -629,6 +630,7 @@ test_expect_success '"add" with uninitialized submodule, with submodule.recurse ' test_expect_success '"add" with initialized submodule, with submodule.recurse unset' ' + test_config_global protocol.file.allow always && git -C project-clone submodule update --init && git -C project-clone worktree add ../project-4 ' diff --git a/t/t2403-worktree-move.sh b/t/t2403-worktree-move.sh index a4e1a178e0..e8246eed9c 100755 --- a/t/t2403-worktree-move.sh +++ b/t/t2403-worktree-move.sh @@ -138,7 +138,8 @@ test_expect_success 'move a repo with uninitialized submodule' ' ( cd withsub && test_commit initial && - git submodule add "$PWD"/.git sub && + git -c protocol.file.allow=always \ + submodule add "$PWD"/.git sub && git commit -m withsub && git worktree add second HEAD && git worktree move second third @@ -148,7 +149,7 @@ test_expect_success 'move a repo with uninitialized submodule' ' test_expect_success 'not move a repo with initialized submodule' ' ( cd withsub && - git -C third submodule update && + git -c protocol.file.allow=always -C third submodule update && test_must_fail git worktree move third forth ) ' @@ -227,6 +228,7 @@ test_expect_success 'remove cleans up .git/worktrees when empty' ' ' test_expect_success 'remove a repo with uninitialized submodule' ' + test_config_global protocol.file.allow always && ( cd withsub && git worktree add to-remove HEAD && @@ -235,6 +237,7 @@ test_expect_success 'remove a repo with uninitialized submodule' ' ' test_expect_success 'not remove a repo with initialized submodule' ' + test_config_global protocol.file.allow always && ( cd withsub && git worktree add to-remove HEAD && diff --git a/t/t2405-worktree-submodule.sh b/t/t2405-worktree-submodule.sh index b172c26ca4..11018f37c7 100755 --- a/t/t2405-worktree-submodule.sh +++ b/t/t2405-worktree-submodule.sh @@ -10,6 +10,7 @@ export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME base_path=$(pwd -P) test_expect_success 'setup: create origin repos' ' + git config --global protocol.file.allow always && git init origin/sub && test_commit -C origin/sub file1 && git init origin/main && diff --git a/t/t3200-branch.sh b/t/t3200-branch.sh index e575ffb4ff..354e625fbd 100755 --- a/t/t3200-branch.sh +++ b/t/t3200-branch.sh @@ -282,6 +282,7 @@ test_expect_success 'deleting checked-out branch from repo that is a submodule' git init repo1 && git init repo1/sub && test_commit -C repo1/sub x && + test_config_global protocol.file.allow always && git -C repo1 submodule add ./sub && git -C repo1 commit -m "adding sub" && diff --git a/t/t3420-rebase-autostash.sh b/t/t3420-rebase-autostash.sh index 43fcb68f27..693934ee8b 100755 --- a/t/t3420-rebase-autostash.sh +++ b/t/t3420-rebase-autostash.sh @@ -310,7 +310,7 @@ test_expect_success 'autostash is saved on editor failure with conflict' ' test_expect_success 'autostash with dirty submodules' ' test_when_finished "git reset --hard && git checkout main" && git checkout -b with-submodule && - git submodule add ./ sub && + git -c protocol.file.allow=always submodule add ./ sub && test_tick && git commit -m add-submodule && echo changed >sub/file0 && diff --git a/t/t3426-rebase-submodule.sh b/t/t3426-rebase-submodule.sh index 0ad3a07bf4..fb21f675bb 100755 --- a/t/t3426-rebase-submodule.sh +++ b/t/t3426-rebase-submodule.sh @@ -47,7 +47,8 @@ test_expect_success 'rebase interactive ignores modified submodules' ' git init sub && git -C sub commit --allow-empty -m "Initial commit" && git init super && - git -C super submodule add ../sub && + git -c protocol.file.allow=always \ + -C super submodule add ../sub && git -C super config submodule.sub.ignore dirty && >super/foo && git -C super add foo && diff --git a/t/t3512-cherry-pick-submodule.sh b/t/t3512-cherry-pick-submodule.sh index c657840db3..f22d1ddead 100755 --- a/t/t3512-cherry-pick-submodule.sh +++ b/t/t3512-cherry-pick-submodule.sh @@ -16,6 +16,8 @@ fi test_submodule_switch "cherry-pick" test_expect_success 'unrelated submodule/file conflict is ignored' ' + test_config_global protocol.file.allow always && + test_create_repo sub && touch sub/file && diff --git a/t/t3600-rm.sh b/t/t3600-rm.sh index bb9ef35dac..a0eda54cde 100755 --- a/t/t3600-rm.sh +++ b/t/t3600-rm.sh @@ -336,7 +336,7 @@ test_expect_success 'rm removes empty submodules from work tree' ' test_expect_success 'rm removes removed submodule from index and .gitmodules' ' git reset --hard && - git submodule update && + git -c protocol.file.allow=always submodule update && rm -rf submod && git rm submod && git status -s -uno --ignore-submodules=none >actual && @@ -642,6 +642,7 @@ cat >expect.deepmodified <actual && cat >expected <<-EOF && diff --git a/t/t4060-diff-submodule-option-diff-format.sh b/t/t4060-diff-submodule-option-diff-format.sh index dc7b242697..a90add57f7 100755 --- a/t/t4060-diff-submodule-option-diff-format.sh +++ b/t/t4060-diff-submodule-option-diff-format.sh @@ -759,9 +759,9 @@ test_expect_success 'diff --submodule=diff with .git file' ' ' test_expect_success 'setup nested submodule' ' - git submodule add -f ./sm2 && + git -c protocol.file.allow=always submodule add -f ./sm2 && git commit -a -m "add sm2" && - git -C sm2 submodule add ../sm2 nested && + git -c protocol.file.allow=always -C sm2 submodule add ../sm2 nested && git -C sm2 commit -a -m "nested sub" && head10=$(git -C sm2 rev-parse --short --verify HEAD) ' diff --git a/t/t4067-diff-partial-clone.sh b/t/t4067-diff-partial-clone.sh index 804f2a82e8..28f42a4046 100755 --- a/t/t4067-diff-partial-clone.sh +++ b/t/t4067-diff-partial-clone.sh @@ -77,6 +77,7 @@ test_expect_success 'diff skips same-OID blobs' ' test_expect_success 'when fetching missing objects, diff skips GITLINKs' ' test_when_finished "rm -rf sub server client trace" && + test_config_global protocol.file.allow always && test_create_repo sub && test_commit -C sub first && diff --git a/t/t4208-log-magic-pathspec.sh b/t/t4208-log-magic-pathspec.sh index 7f0c1dcc0f..2e8f5ad7b8 100755 --- a/t/t4208-log-magic-pathspec.sh +++ b/t/t4208-log-magic-pathspec.sh @@ -124,6 +124,7 @@ test_expect_success 'command line pathspec parsing for "git log"' ' test_expect_success 'tree_entry_interesting does not match past submodule boundaries' ' test_when_finished "rm -rf repo submodule" && + test_config_global protocol.file.allow always && git init submodule && test_commit -C submodule initial && git init repo && diff --git a/t/t5510-fetch.sh b/t/t5510-fetch.sh index a0faf0dd94..96b839d598 100755 --- a/t/t5510-fetch.sh +++ b/t/t5510-fetch.sh @@ -782,6 +782,7 @@ test_expect_success 'fetch.writeCommitGraph' ' ' test_expect_success 'fetch.writeCommitGraph with submodules' ' + test_config_global protocol.file.allow always && git clone dups super && ( cd super && diff --git a/t/t5526-fetch-submodules.sh b/t/t5526-fetch-submodules.sh index ed11569d8d..bca679590b 100755 --- a/t/t5526-fetch-submodules.sh +++ b/t/t5526-fetch-submodules.sh @@ -38,6 +38,7 @@ add_upstream_commit() { } test_expect_success setup ' + git config --global protocol.file.allow always && mkdir deepsubmodule && ( cd deepsubmodule && diff --git a/t/t5545-push-options.sh b/t/t5545-push-options.sh index 58c7add7ee..210302b20f 100755 --- a/t/t5545-push-options.sh +++ b/t/t5545-push-options.sh @@ -116,6 +116,7 @@ test_expect_success 'push options and submodules' ' test_commit -C parent one && git -C parent push --mirror up && + test_config_global protocol.file.allow always && git -C parent submodule add ../upstream workbench && git -C parent/workbench remote add up ../../upstream && git -C parent commit -m "add submodule" && diff --git a/t/t5572-pull-submodule.sh b/t/t5572-pull-submodule.sh index 4f92a116e1..3fd4151030 100755 --- a/t/t5572-pull-submodule.sh +++ b/t/t5572-pull-submodule.sh @@ -49,6 +49,10 @@ then fi test_submodule_switch_func "git_pull_noff" +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'pull --recurse-submodule setup' ' test_create_repo child && test_commit -C child bar && diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh index 83c24fc97a..20aef0018c 100755 --- a/t/t5601-clone.sh +++ b/t/t5601-clone.sh @@ -742,6 +742,7 @@ test_expect_success 'batch missing blob request does not inadvertently try to fe echo aa >server/a && echo bb >server/b && # Also add a gitlink pointing to an arbitrary repository + test_config_global protocol.file.allow always && git -C server submodule add "$(pwd)/repo_for_submodule" c && git -C server add a b c && git -C server commit -m x && diff --git a/t/t5604-clone-reference.sh b/t/t5604-clone-reference.sh index 24340e6d56..2734e37e88 100755 --- a/t/t5604-clone-reference.sh +++ b/t/t5604-clone-reference.sh @@ -303,8 +303,6 @@ test_expect_success SYMLINKS 'setup repo with manually symlinked or unknown file ln -s ../an-object $obj && cd ../ && - find . -type f | sort >../../../T.objects-files.raw && - find . -type l | sort >../../../T.objects-symlinks.raw && echo unknown_content >unknown_file ) && git -C T fsck && @@ -313,19 +311,27 @@ test_expect_success SYMLINKS 'setup repo with manually symlinked or unknown file test_expect_success SYMLINKS 'clone repo with symlinked or unknown files at objects/' ' - for option in --local --no-hardlinks --shared --dissociate + # None of these options work when cloning locally, since T has + # symlinks in its `$GIT_DIR/objects` directory + for option in --local --no-hardlinks --dissociate do - git clone $option T T$option || return 1 && - git -C T$option fsck || return 1 && - git -C T$option rev-list --all --objects >T$option.objects && - test_cmp T.objects T$option.objects && - ( - cd T$option/.git/objects && - find . -type f | sort >../../../T$option.objects-files.raw && - find . -type l | sort >../../../T$option.objects-symlinks.raw - ) + test_must_fail git clone $option T T$option 2>err || return 1 && + test_i18ngrep "symlink.*exists" err || return 1 done && + # But `--shared` clones should still work, even when specifying + # a local path *and* that repository has symlinks present in its + # `$GIT_DIR/objects` directory. + git clone --shared T T--shared && + git -C T--shared fsck && + git -C T--shared rev-list --all --objects >T--shared.objects && + test_cmp T.objects T--shared.objects && + ( + cd T--shared/.git/objects && + find . -type f | sort >../../../T--shared.objects-files.raw && + find . -type l | sort >../../../T--shared.objects-symlinks.raw + ) && + for raw in $(ls T*.raw) do sed -e "s!/../!/Y/!; s![0-9a-f]\{38,\}!Z!" -e "/commit-graph/d" \ @@ -333,26 +339,6 @@ test_expect_success SYMLINKS 'clone repo with symlinked or unknown files at obje sort $raw.de-sha-1 >$raw.de-sha || return 1 done && - cat >expected-files <<-EOF && - ./Y/Z - ./Y/Z - ./Y/Z - ./a-loose-dir/Z - ./an-object - ./info/packs - ./pack/pack-Z.idx - ./pack/pack-Z.pack - ./packs/pack-Z.idx - ./packs/pack-Z.pack - ./unknown_file - EOF - - for option in --local --no-hardlinks --dissociate - do - test_cmp expected-files T$option.objects-files.raw.de-sha || return 1 && - test_must_be_empty T$option.objects-symlinks.raw.de-sha || return 1 - done && - echo ./info/alternates >expected-files && test_cmp expected-files T--shared.objects-files.raw && test_must_be_empty T--shared.objects-symlinks.raw diff --git a/t/t5614-clone-submodules-shallow.sh b/t/t5614-clone-submodules-shallow.sh index 5504b519c7..0c85ef834a 100755 --- a/t/t5614-clone-submodules-shallow.sh +++ b/t/t5614-clone-submodules-shallow.sh @@ -24,6 +24,7 @@ test_expect_success 'setup' ' test_expect_success 'nonshallow clone implies nonshallow submodule' ' test_when_finished "rm -rf super_clone" && + test_config_global protocol.file.allow always && git clone --recurse-submodules "file://$pwd/." super_clone && git -C super_clone log --oneline >lines && test_line_count = 3 lines && @@ -33,6 +34,7 @@ test_expect_success 'nonshallow clone implies nonshallow submodule' ' test_expect_success 'shallow clone with shallow submodule' ' test_when_finished "rm -rf super_clone" && + test_config_global protocol.file.allow always && git clone --recurse-submodules --depth 2 --shallow-submodules "file://$pwd/." super_clone && git -C super_clone log --oneline >lines && test_line_count = 2 lines && @@ -42,6 +44,7 @@ test_expect_success 'shallow clone with shallow submodule' ' test_expect_success 'shallow clone does not imply shallow submodule' ' test_when_finished "rm -rf super_clone" && + test_config_global protocol.file.allow always && git clone --recurse-submodules --depth 2 "file://$pwd/." super_clone && git -C super_clone log --oneline >lines && test_line_count = 2 lines && @@ -51,6 +54,7 @@ test_expect_success 'shallow clone does not imply shallow submodule' ' test_expect_success 'shallow clone with non shallow submodule' ' test_when_finished "rm -rf super_clone" && + test_config_global protocol.file.allow always && git clone --recurse-submodules --depth 2 --no-shallow-submodules "file://$pwd/." super_clone && git -C super_clone log --oneline >lines && test_line_count = 2 lines && @@ -60,6 +64,7 @@ test_expect_success 'shallow clone with non shallow submodule' ' test_expect_success 'non shallow clone with shallow submodule' ' test_when_finished "rm -rf super_clone" && + test_config_global protocol.file.allow always && git clone --recurse-submodules --no-local --shallow-submodules "file://$pwd/." super_clone && git -C super_clone log --oneline >lines && test_line_count = 3 lines && @@ -69,6 +74,7 @@ test_expect_success 'non shallow clone with shallow submodule' ' test_expect_success 'clone follows shallow recommendation' ' test_when_finished "rm -rf super_clone" && + test_config_global protocol.file.allow always && git config -f .gitmodules submodule.sub.shallow true && git add .gitmodules && git commit -m "recommend shallow for sub" && @@ -87,6 +93,7 @@ test_expect_success 'clone follows shallow recommendation' ' test_expect_success 'get unshallow recommended shallow submodule' ' test_when_finished "rm -rf super_clone" && + test_config_global protocol.file.allow always && git clone --no-local "file://$pwd/." super_clone && ( cd super_clone && @@ -103,6 +110,7 @@ test_expect_success 'get unshallow recommended shallow submodule' ' test_expect_success 'clone follows non shallow recommendation' ' test_when_finished "rm -rf super_clone" && + test_config_global protocol.file.allow always && git config -f .gitmodules submodule.sub.shallow false && git add .gitmodules && git commit -m "recommend non shallow for sub" && diff --git a/t/t5616-partial-clone.sh b/t/t5616-partial-clone.sh index cf3e82bdf5..8b2605b55f 100755 --- a/t/t5616-partial-clone.sh +++ b/t/t5616-partial-clone.sh @@ -174,6 +174,8 @@ test_expect_success 'partial clone with transfer.fsckobjects=1 works with submod test_config -C src_with_sub uploadpack.allowfilter 1 && test_config -C src_with_sub uploadpack.allowanysha1inwant 1 && + test_config_global protocol.file.allow always && + git -C src_with_sub submodule add "file://$(pwd)/submodule" mysub && git -C src_with_sub commit -m "commit with submodule" && diff --git a/t/t5617-clone-submodules-remote.sh b/t/t5617-clone-submodules-remote.sh index e2dbb4eaba..5691f27405 100755 --- a/t/t5617-clone-submodules-remote.sh +++ b/t/t5617-clone-submodules-remote.sh @@ -10,6 +10,7 @@ export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME pwd=$(pwd) test_expect_success 'setup' ' + git config --global protocol.file.allow always && git checkout -b main && test_commit commit1 && mkdir sub && diff --git a/t/t6008-rev-list-submodule.sh b/t/t6008-rev-list-submodule.sh index 3153a0d891..a0a070b404 100755 --- a/t/t6008-rev-list-submodule.sh +++ b/t/t6008-rev-list-submodule.sh @@ -26,7 +26,7 @@ test_expect_success 'setup' ' : > super-file && git add super-file && - git submodule add "$(pwd)" sub && + git -c protocol.file.allow=always submodule add "$(pwd)" sub && git symbolic-ref HEAD refs/heads/super && test_tick && git commit -m super-initial && diff --git a/t/t6134-pathspec-in-submodule.sh b/t/t6134-pathspec-in-submodule.sh index 0f1cb49ced..7a8c9e3247 100755 --- a/t/t6134-pathspec-in-submodule.sh +++ b/t/t6134-pathspec-in-submodule.sh @@ -9,7 +9,7 @@ test_expect_success 'setup a submodule' ' : >pretzel/a && git -C pretzel add a && git -C pretzel commit -m "add a file" -- a && - git submodule add ./pretzel sub && + git -c protocol.file.allow=always submodule add ./pretzel sub && git commit -a -m "add submodule" && git submodule deinit --all ' diff --git a/t/t7001-mv.sh b/t/t7001-mv.sh index 25bb9bbb89..ef505aeff6 100755 --- a/t/t7001-mv.sh +++ b/t/t7001-mv.sh @@ -304,6 +304,7 @@ test_expect_success SYMLINKS 'check moved symlink' ' rm -f moved symlink test_expect_success 'setup submodule' ' + test_config_global protocol.file.allow always && git commit -m initial && git reset --hard && git submodule add ./. sub && @@ -489,6 +490,7 @@ test_expect_success 'moving a submodule in nested directories' ' ' test_expect_success 'moving nested submodules' ' + test_config_global protocol.file.allow always && git commit -am "cleanup commit" && mkdir sub_nested_nested && ( diff --git a/t/t7064-wtstatus-pv2.sh b/t/t7064-wtstatus-pv2.sh index 4613882caf..95a9b47083 100755 --- a/t/t7064-wtstatus-pv2.sh +++ b/t/t7064-wtstatus-pv2.sh @@ -465,6 +465,7 @@ test_expect_success 'create and add submodule, submodule appears clean (A. S...) git checkout initial-branch && git clone . sub_repo && git clone . super_repo && + test_config_global protocol.file.allow always && ( cd super_repo && git submodule add ../sub_repo sub1 && diff --git a/t/t7300-clean.sh b/t/t7300-clean.sh index 0399701e62..c975eb54d2 100755 --- a/t/t7300-clean.sh +++ b/t/t7300-clean.sh @@ -480,6 +480,7 @@ test_expect_success 'should not clean submodules' ' git init && test_commit msg hello.world ) && + test_config_global protocol.file.allow always && git submodule add ./repo/.git sub1 && git commit -m "sub1" && git branch before_sub2 && diff --git a/t/t7400-submodule-basic.sh b/t/t7400-submodule-basic.sh index cb1b8e35db..ae3fc0143f 100755 --- a/t/t7400-submodule-basic.sh +++ b/t/t7400-submodule-basic.sh @@ -14,6 +14,10 @@ export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME . ./test-lib.sh +test_expect_success 'setup - enable local submodules' ' + git config --global protocol.file.allow always +' + test_expect_success 'submodule deinit works on empty repository' ' git submodule deinit --all ' diff --git a/t/t7403-submodule-sync.sh b/t/t7403-submodule-sync.sh index 7d2ac3322b..ea92ef52a5 100755 --- a/t/t7403-submodule-sync.sh +++ b/t/t7403-submodule-sync.sh @@ -14,6 +14,8 @@ export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME . ./test-lib.sh test_expect_success setup ' + git config --global protocol.file.allow always && + echo file >file && git add file && test_tick && diff --git a/t/t7406-submodule-update.sh b/t/t7406-submodule-update.sh index 11cccbb333..53d419c0ed 100755 --- a/t/t7406-submodule-update.sh +++ b/t/t7406-submodule-update.sh @@ -25,6 +25,7 @@ compare_head() test_expect_success 'setup a submodule tree' ' + git config --global protocol.file.allow always && echo file > file && git add file && test_tick && diff --git a/t/t7407-submodule-foreach.sh b/t/t7407-submodule-foreach.sh index e2f110b786..59bd150166 100755 --- a/t/t7407-submodule-foreach.sh +++ b/t/t7407-submodule-foreach.sh @@ -16,6 +16,7 @@ export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME test_expect_success 'setup a submodule tree' ' + git config --global protocol.file.allow always && echo file > file && git add file && test_tick && diff --git a/t/t7408-submodule-reference.sh b/t/t7408-submodule-reference.sh index a3892f494b..02feb85779 100755 --- a/t/t7408-submodule-reference.sh +++ b/t/t7408-submodule-reference.sh @@ -17,6 +17,10 @@ test_alternate_is_used () { test_cmp expect actual } +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'preparing first repository' ' test_create_repo A && ( diff --git a/t/t7409-submodule-detached-work-tree.sh b/t/t7409-submodule-detached-work-tree.sh index e17ac81a89..374ed481e9 100755 --- a/t/t7409-submodule-detached-work-tree.sh +++ b/t/t7409-submodule-detached-work-tree.sh @@ -15,6 +15,10 @@ export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME . ./test-lib.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'submodule on detached working tree' ' git init --bare remote && test_create_repo bundle1 && diff --git a/t/t7411-submodule-config.sh b/t/t7411-submodule-config.sh index ad28e93880..c583c4e373 100755 --- a/t/t7411-submodule-config.sh +++ b/t/t7411-submodule-config.sh @@ -12,6 +12,9 @@ from the database and from the worktree works. TEST_NO_CREATE_REPO=1 . ./test-lib.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' test_expect_success 'submodule config cache setup' ' mkdir submodule && (cd submodule && diff --git a/t/t7413-submodule-is-active.sh b/t/t7413-submodule-is-active.sh index c8e7e98331..c8b5ac2928 100755 --- a/t/t7413-submodule-is-active.sh +++ b/t/t7413-submodule-is-active.sh @@ -9,6 +9,7 @@ submodules which are "active" and interesting to the user. . ./test-lib.sh test_expect_success 'setup' ' + git config --global protocol.file.allow always && git init sub && test_commit -C sub initial && git init super && diff --git a/t/t7414-submodule-mistakes.sh b/t/t7414-submodule-mistakes.sh index f2e7df59cf..cf95603d7d 100755 --- a/t/t7414-submodule-mistakes.sh +++ b/t/t7414-submodule-mistakes.sh @@ -30,7 +30,8 @@ test_expect_success 'no warning when updating entry' ' test_expect_success 'submodule add does not warn' ' test_when_finished "git rm -rf submodule .gitmodules" && - git submodule add ./embed submodule 2>stderr && + git -c protocol.file.allow=always \ + submodule add ./embed submodule 2>stderr && test_i18ngrep ! warning stderr ' diff --git a/t/t7416-submodule-dash-url.sh b/t/t7416-submodule-dash-url.sh index d21dc8b009..3ebd985981 100755 --- a/t/t7416-submodule-dash-url.sh +++ b/t/t7416-submodule-dash-url.sh @@ -3,6 +3,10 @@ test_description='check handling of disallowed .gitmodule urls' . ./test-lib.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'create submodule with protected dash in url' ' git init upstream && git -C upstream commit --allow-empty -m base && diff --git a/t/t7417-submodule-path-url.sh b/t/t7417-submodule-path-url.sh index f0f6b9fa9e..2f4b25dfd7 100755 --- a/t/t7417-submodule-path-url.sh +++ b/t/t7417-submodule-path-url.sh @@ -6,6 +6,10 @@ export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME . ./test-lib.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'create submodule with dash in path' ' git init upstream && git -C upstream commit --allow-empty -m base && diff --git a/t/t7418-submodule-sparse-gitmodules.sh b/t/t7418-submodule-sparse-gitmodules.sh index 3f7f271883..16331c34c4 100755 --- a/t/t7418-submodule-sparse-gitmodules.sh +++ b/t/t7418-submodule-sparse-gitmodules.sh @@ -14,6 +14,10 @@ also by committing .gitmodules and then just removing it from the filesystem. . ./test-lib.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'sparse checkout setup which hides .gitmodules' ' git init upstream && git init submodule && diff --git a/t/t7419-submodule-set-branch.sh b/t/t7419-submodule-set-branch.sh index 3b925c302f..5357093e98 100755 --- a/t/t7419-submodule-set-branch.sh +++ b/t/t7419-submodule-set-branch.sh @@ -12,6 +12,10 @@ as expected. TEST_NO_CREATE_REPO=1 . ./test-lib.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'submodule config cache setup' ' mkdir submodule && (cd submodule && diff --git a/t/t7420-submodule-set-url.sh b/t/t7420-submodule-set-url.sh index ef0cb6e8e1..d6bf62b3ac 100755 --- a/t/t7420-submodule-set-url.sh +++ b/t/t7420-submodule-set-url.sh @@ -12,6 +12,10 @@ as expected. TEST_NO_CREATE_REPO=1 . ./test-lib.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'submodule config cache setup' ' mkdir submodule && ( diff --git a/t/t7421-submodule-summary-add.sh b/t/t7421-submodule-summary-add.sh index b070f13714..ce64d8b137 100755 --- a/t/t7421-submodule-summary-add.sh +++ b/t/t7421-submodule-summary-add.sh @@ -12,6 +12,10 @@ while making sure to add submodules using `git submodule add` instead of . ./test-lib.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'summary test environment setup' ' git init sm && test_commit -C sm "add file" file file-content file-tag && diff --git a/t/t7450-bad-git-dotfiles.sh b/t/t7450-bad-git-dotfiles.sh index 41706c1c9f..c02008c375 100755 --- a/t/t7450-bad-git-dotfiles.sh +++ b/t/t7450-bad-git-dotfiles.sh @@ -15,6 +15,10 @@ Such as: . ./test-lib.sh . "$TEST_DIRECTORY"/lib-pack.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'check names' ' cat >expect <<-\EOF && valid diff --git a/t/t7506-status-submodule.sh b/t/t7506-status-submodule.sh index 3fcb44767f..459300c40b 100755 --- a/t/t7506-status-submodule.sh +++ b/t/t7506-status-submodule.sh @@ -251,6 +251,7 @@ test_expect_success 'status with merge conflict in .gitmodules' ' test_create_repo_with_commit sub1 && test_tick && test_create_repo_with_commit sub2 && + test_config_global protocol.file.allow always && ( cd super && prev=$(git rev-parse HEAD) && @@ -326,6 +327,7 @@ test_expect_success 'diff --submodule with merge conflict in .gitmodules' ' # sub2 will have an untracked file # sub3 will have an untracked repository test_expect_success 'setup superproject with untracked file in nested submodule' ' + test_config_global protocol.file.allow always && ( cd super && git clean -dfx && diff --git a/t/t7507-commit-verbose.sh b/t/t7507-commit-verbose.sh index ed2653d46f..bd0ae4b1ea 100755 --- a/t/t7507-commit-verbose.sh +++ b/t/t7507-commit-verbose.sh @@ -74,6 +74,7 @@ test_expect_success 'diff in message is retained with -v' ' test_expect_success 'submodule log is stripped out too with -v' ' git config diff.submodule log && + test_config_global protocol.file.allow always && git submodule add ./. sub && git commit -m "sub added" && ( diff --git a/t/t7800-difftool.sh b/t/t7800-difftool.sh index 528e0dabf0..a264ffc0a7 100755 --- a/t/t7800-difftool.sh +++ b/t/t7800-difftool.sh @@ -629,6 +629,7 @@ test_expect_success 'difftool --no-symlinks detects conflict ' ' test_expect_success 'difftool properly honors gitlink and core.worktree' ' test_when_finished rm -rf submod/ule && + test_config_global protocol.file.allow always && git submodule add ./. submod/ule && test_config -C submod/ule diff.tool checktrees && test_config -C submod/ule difftool.checktrees.cmd '\'' diff --git a/t/t7814-grep-recurse-submodules.sh b/t/t7814-grep-recurse-submodules.sh index 828cb3ba58..f465c0d140 100755 --- a/t/t7814-grep-recurse-submodules.sh +++ b/t/t7814-grep-recurse-submodules.sh @@ -193,6 +193,7 @@ test_expect_success !MINGW 'grep recurse submodule colon in name' ' git -C "su:b" commit -m "add fi:le" && test_tick && + test_config_global protocol.file.allow always && git -C parent submodule add "../su:b" "su:b" && git -C parent commit -m "add submodule" && test_tick && @@ -227,6 +228,7 @@ test_expect_success 'grep history with moved submoules' ' git -C sub commit -m "add file" && test_tick && + test_config_global protocol.file.allow always && git -C parent submodule add ../sub dir/sub && git -C parent commit -m "add submodule" && test_tick && @@ -271,6 +273,7 @@ test_expect_success 'grep using relative path' ' mkdir parent/src && echo "(1|2)d(3|4)" >parent/src/file2 && git -C parent add src/file2 && + test_config_global protocol.file.allow always && git -C parent submodule add ../sub && git -C parent commit -m "add files and submodule" && test_tick && @@ -313,6 +316,7 @@ test_expect_success 'grep from a subdir' ' mkdir parent/src && echo "(1|2)d(3|4)" >parent/src/file && git -C parent add src/file && + test_config_global protocol.file.allow always && git -C parent submodule add ../sub src/sub && git -C parent submodule add ../sub sub && git -C parent commit -m "add files and submodules" && diff --git a/t/t9304-fast-import-marks.sh b/t/t9304-fast-import-marks.sh index d4359dba21..73f3ca2b11 100755 --- a/t/t9304-fast-import-marks.sh +++ b/t/t9304-fast-import-marks.sh @@ -25,6 +25,7 @@ test_expect_success 'import with large marks file' ' ' test_expect_success 'setup dump with submodule' ' + test_config_global protocol.file.allow always && git submodule add "$PWD" sub && git commit -m "add submodule" && git fast-export HEAD >dump diff --git a/t/t9350-fast-export.sh b/t/t9350-fast-export.sh index 409b48e244..3e0b0398cf 100755 --- a/t/t9350-fast-export.sh +++ b/t/t9350-fast-export.sh @@ -268,6 +268,7 @@ test_expect_success 'signed-tags=warn-strip' ' test_expect_success 'setup submodule' ' + test_config_global protocol.file.allow always && git checkout -f main && mkdir sub && ( @@ -293,6 +294,7 @@ test_expect_success 'setup submodule' ' test_expect_success 'submodule fast-export | fast-import' ' + test_config_global protocol.file.allow always && SUBENT1=$(git ls-tree main^ sub) && SUBENT2=$(git ls-tree main sub) && rm -rf new && diff --git a/t/t9850-shell.sh b/t/t9850-shell.sh new file mode 100755 index 0000000000..cfc71c3bd4 --- /dev/null +++ b/t/t9850-shell.sh @@ -0,0 +1,37 @@ +#!/bin/sh + +test_description='git shell tests' +. ./test-lib.sh + +test_expect_success 'shell allows upload-pack' ' + printf 0000 >input && + git upload-pack . expect && + git shell -c "git-upload-pack $SQ.$SQ" actual && + test_cmp expect actual +' + +test_expect_success 'shell forbids other commands' ' + test_must_fail git shell -c "git config foo.bar baz" +' + +test_expect_success 'shell forbids interactive use by default' ' + test_must_fail git shell +' + +test_expect_success 'shell allows interactive command' ' + mkdir git-shell-commands && + write_script git-shell-commands/ping <<-\EOF && + echo pong + EOF + echo pong >expect && + echo ping | git shell >actual && + test_cmp expect actual +' + +test_expect_success 'shell complains of overlong commands' ' + perl -e "print \"a\" x 2**12 for (0..2**19)" | + test_must_fail git shell 2>err && + grep "too long" err +' + +test_done diff --git a/transport.c b/transport.c index 17e9629710..eded823627 100644 --- a/transport.c +++ b/transport.c @@ -993,8 +993,7 @@ static enum protocol_allow_config get_protocol_config(const char *type) if (!strcmp(type, "http") || !strcmp(type, "https") || !strcmp(type, "git") || - !strcmp(type, "ssh") || - !strcmp(type, "file")) + !strcmp(type, "ssh")) return PROTOCOL_ALLOW_ALWAYS; /* known scary; err on the side of caution */