1
0
mirror of https://github.com/git/git.git synced 2024-11-20 17:55:52 +01:00
Commit Graph

17 Commits

Author SHA1 Message Date
Nicolas Pitre
8685da4256 don't ever allow SHA1 collisions to exist by fetching a pack
Waaaaaaay back Git was considered to be secure as it never overwrote
an object it already had.  This was ensured by always unpacking the
packfile received over the network (both in fetch and receive-pack)
and our already existing logic to not create a loose object for an
object we already have.

Lately however we keep "large-ish" packfiles on both fetch and push
by running them through index-pack instead of unpack-objects.  This
would let an attacker perform a birthday attack.

How?  Assume the attacker knows a SHA-1 that has two different
data streams.  He knows the client is likely to have the "good"
one.  So he sends the "evil" variant to the other end as part of
a "large-ish" packfile.  The recipient keeps that packfile, and
indexes it.  Now since this is a birthday attack there is a SHA-1
collision; two objects exist in the repository with the same SHA-1.
They have *very* different data streams.  One of them is "evil".

Currently the poor recipient cannot tell the two objects apart,
short of by examining the timestamp of the packfiles.  But lets
say the recipient repacks before he realizes he's been attacked.
We may wind up packing the "evil" version of the object, and deleting
the "good" one.  This is made *even more likely* by Junio's recent
rearrange_packed_git patch (b867092f).

It is extremely unlikely for a SHA1 collisions to occur, but if it
ever happens with a remote (hence untrusted) object we simply must
not let the fetch succeed.

Normally received packs should not contain objects we already have.
But when they do we must ensure duplicated objects with the same SHA1
actually contain the same data.

Signed-off-by: Nicolas Pitre <nico@cam.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-03-20 22:08:25 -07:00
Nicolas Pitre
ac527b0b7c [PATCH] add test for OFS_DELTA objects
Make sure pack-objects with --delta-base-offset works fine, and that
it actually produces smaller packs as expected.

Signed-off-by: Nicolas Pitre <nico@cam.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-03-16 21:27:36 -07:00
Nicolas Pitre
82868f72b5 [PATCH] fix t5300-pack-object.sh
The 'use packed deltified objects' test was flawed as it failed to
remove the pack and index from the previous test, effectively preventing
the desired pack from being exercised as objects could be found in that
other pack instead.

Signed-off-by: Nicolas Pitre <nico@cam.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-03-16 21:27:35 -07:00
Nicolas Pitre
5c94f87e6b use 'init' instead of 'init-db' for shipped docs and tools
While 'init-db' still is and probably will always remain a valid git
command for obvious backward compatibility reasons, it would be a good
idea to move shipped tools and docs to using 'init' instead.

Signed-off-by: Nicolas Pitre <nico@cam.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-12 13:36:16 -08:00
Junio C Hamano
8eafa3da62 Guard a test against wc that pads its output with whitespace
Spotted by Johannes.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-27 11:08:57 -08:00
Junio C Hamano
c97451ce09 t5300: avoid false failures.
Johannes found that the test has 1/256 chance of falsely
producing an uncorrupted idx file, causing the check to detect
corruption fail.  Now we have 1/2^160 chance of false failure
;-).

Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-26 18:23:41 -08:00
Junio C Hamano
c5ced64578 check_packed_git_idx(): check integrity of the idx file itself.
Although pack-check.c had routine to verify the checksum for the
pack index file itself, the core did not check it before using
it.

This is stolen from the patch to tighten packname requirements.

Signed-off-by: Junio C Hamano <junkio@cox.net>
(cherry picked from 797bd6f490c91c07986382b9f268e0df712cb246 commit)
2005-12-23 14:14:28 -08:00
Pavel Roskin
f07a524195 fix testsuite to tolerate spaces in path
This patch allows the testsuite to run properly when the full path to
the git sources contains spaces or other symbols that need to be quoted.

Signed-off-by: Pavel Roskin <proski@gnu.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-10-28 02:59:01 -07:00
Sergey Vlasov
9cf6d3357a Add git-index-pack utility
git-index-pack builds a pack index file for an existing packed
archive.  With this utility a packed archive which was transferred
without the corresponding pack index can be added to objects/pack/
without repacking.

Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-10-12 18:32:02 -07:00
Junio C Hamano
215a7ad1ef Big tool rename.
As promised, this is the "big tool rename" patch.  The primary differences
since 0.99.6 are:

  (1) git-*-script are no more.  The commands installed do not
      have any such suffix so users do not have to remember if
      something is implemented as a shell script or not.

  (2) Many command names with 'cache' in them are renamed with
      'index' if that is what they mean.

There are backward compatibility symblic links so that you and
Porcelains can keep using the old names, but the backward
compatibility support  is expected to be removed in the near
future.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-09-07 17:45:20 -07:00
Pavel Roskin
4d9d62fa7c [PATCH] Trapping exit in tests, using return for errors
I have noticed that "make test" fails without any explanations when the
"merge" utility is missing.  I don't think tests should be silent in
case of failure.

It turned out that the particular test was using "exit" to interrupt the
test in case of an error.  This caused the whole test script to exit.
No further tests would be run even if "--immediate" wasn't specified.
No error message was printed.

This patch does following:

All instances of "exit", "exit 1" and "(exit 1)" in tests have been
replaced with "return 1".  In fact, "(exit 1)" had no effect.

File descriptor 5 is duplicated from file descriptor 1.  This is needed
to print important error messages from tests.

New function test_run_() has been introduced.  Any "return" in the test
would merely cause that function to return without skipping calls to
test_failure_() and test_ok_().  The new function also traps "exit" and
treats it like a fatal error (in case somebody reintroduces "exit" in
the tests).

test_expect_failure() and test_expect_success() check both the result of
eval and the return value of test_run_().  If the later is not 0, it's
always a failure because it indicates the the test didn't complete.

Signed-off-by: Pavel Roskin <proski@gnu.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-08-11 18:26:16 -07:00
Jon Seymour
a61eea6abd [PATCH] Fixup t/t5300 unit tests broken by 5f3de58ff85c49620ae2a1722d8d4d37c881a054
This patch fixes up the t/t5300 unit tests which were broken by the changes in:

	Make the name of a pack-file depend on the objects packed there-in.

Signed-off-by: Jon Seymour <jon.seymour@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-07-04 08:22:32 -07:00
Junio C Hamano
e06eb4c6f5 [PATCH] Adjust t5300 test for unpack-objects change
It now always read from standard input and rejects non-flag
arguments.

Signed-off-by: Junio C Hamano <junkio@cox.net>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-06-29 09:53:57 -07:00
Junio C Hamano
f9253394a2 [PATCH] Add git-verify-pack command.
Given a list of <pack>.idx files, this command validates the
index file and the corresponding .pack file for consistency.

This patch also uses the same validation mechanism in fsck-cache
when the --full flag is used.

During normal operation, sha1_file.c verifies that a given .idx
file matches the .pack file by comparing the SHA1 checksum
stored in .idx file and .pack file as a minimum sanity check.
We may further want to check the pack signature and version when
we map the pack, but that would be a separate patch.

Earlier, errors to map a pack file was not flagged fatal but led
to a random fatal error later.  This version explicitly die()s
when such an error is detected.

Signed-off-by: Junio C Hamano <junkio@cox.net>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-06-29 09:11:39 -07:00
Linus Torvalds
d6771bd060 Fix another test that broke with the recent git-init-db update
t5300-pack-object.sh test 8 expected to have to create the "pack"
directory itself, and was unhappy when it already existed.
2005-06-27 19:48:02 -07:00
Junio C Hamano
1f688557c0 [PATCH] Teach read_sha1_file() and friends about packed git object store.
GIT_OBJECT_DIRECTORY and GIT_ALTERNATE_OBJECT_DIRECTORIES can
have the "pack" subdirectory that houses "packed GIT" files
produced by git-pack-objects (e.g. .git/objects/pack/foo.pack
and .git/objects/pack/foo.idx; always store them as pairs).  The
following functions in sha1_file.c can then read object contents
from such packed file:

 - sha1_object_info()
 - has_sha1_file()
 - read_sha1_file()

Signed-off-by: Junio C Hamano <junkio@cox.net>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-06-27 15:27:51 -07:00
Junio C Hamano
8ee378a0f0 [PATCH] Finish initial cut of git-pack-object/git-unpack-object pair.
This finishes the initial round of git-pack-object /
git-unpack-object pair.  They are now good enough to be used as
a transport medium:

 - Fix delta direction in pack-objects; the original was
   computing delta to create the base object from the object to
   be squashed, which was quite unfriendly for unpacker ;-).

 - Add a script to test the very basics.

 - Implement unpacker for both regular and deltified objects.

Signed-off-by: Junio C Hamano <junkio@cox.net>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-06-26 07:33:23 -07:00