2015-08-18 02:21:57 +02:00
|
|
|
#include "cache.h"
|
2017-06-22 20:43:44 +02:00
|
|
|
#include "repository.h"
|
2017-06-14 20:07:36 +02:00
|
|
|
#include "config.h"
|
2015-08-18 02:21:57 +02:00
|
|
|
#include "submodule-config.h"
|
|
|
|
|
#include "submodule.h"
|
|
|
|
|
#include "strbuf.h"
|
2017-06-23 21:13:00 +02:00
|
|
|
#include "parse-options.h"
|
2015-08-18 02:21:57 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* submodule cache lookup structure
|
|
|
|
|
* There is one shared set of 'struct submodule' entries which can be
|
|
|
|
|
* looked up by their sha1 blob id of the .gitmodule file and either
|
|
|
|
|
* using path or name as key.
|
|
|
|
|
* for_path stores submodule entries with path as key
|
|
|
|
|
* for_name stores submodule entries with name as key
|
|
|
|
|
*/
|
|
|
|
|
struct submodule_cache {
|
|
|
|
|
struct hashmap for_path;
|
|
|
|
|
struct hashmap for_name;
|
2017-06-22 20:43:44 +02:00
|
|
|
unsigned initialized:1;
|
2015-08-18 02:21:57 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* thin wrapper struct needed to insert 'struct submodule' entries to
|
|
|
|
|
* the hashmap
|
|
|
|
|
*/
|
|
|
|
|
struct submodule_entry {
|
|
|
|
|
struct hashmap_entry ent;
|
|
|
|
|
struct submodule *config;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
enum lookup_type {
|
|
|
|
|
lookup_name,
|
|
|
|
|
lookup_path
|
|
|
|
|
};
|
|
|
|
|
|
2017-06-30 21:14:05 +02:00
|
|
|
static int config_path_cmp(const void *unused_cmp_data,
|
|
|
|
|
const struct submodule_entry *a,
|
2015-08-18 02:21:57 +02:00
|
|
|
const struct submodule_entry *b,
|
2017-06-30 21:14:05 +02:00
|
|
|
const void *unused_keydata)
|
2015-08-18 02:21:57 +02:00
|
|
|
{
|
|
|
|
|
return strcmp(a->config->path, b->config->path) ||
|
|
|
|
|
hashcmp(a->config->gitmodules_sha1, b->config->gitmodules_sha1);
|
|
|
|
|
}
|
|
|
|
|
|
2017-06-30 21:14:05 +02:00
|
|
|
static int config_name_cmp(const void *unused_cmp_data,
|
|
|
|
|
const struct submodule_entry *a,
|
2015-08-18 02:21:57 +02:00
|
|
|
const struct submodule_entry *b,
|
2017-06-30 21:14:05 +02:00
|
|
|
const void *unused_keydata)
|
2015-08-18 02:21:57 +02:00
|
|
|
{
|
|
|
|
|
return strcmp(a->config->name, b->config->name) ||
|
|
|
|
|
hashcmp(a->config->gitmodules_sha1, b->config->gitmodules_sha1);
|
|
|
|
|
}
|
|
|
|
|
|
2017-06-22 20:43:44 +02:00
|
|
|
static struct submodule_cache *submodule_cache_alloc(void)
|
|
|
|
|
{
|
|
|
|
|
return xcalloc(1, sizeof(struct submodule_cache));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void submodule_cache_init(struct submodule_cache *cache)
|
2015-08-18 02:21:57 +02:00
|
|
|
{
|
2017-06-30 21:14:05 +02:00
|
|
|
hashmap_init(&cache->for_path, (hashmap_cmp_fn) config_path_cmp, NULL, 0);
|
|
|
|
|
hashmap_init(&cache->for_name, (hashmap_cmp_fn) config_name_cmp, NULL, 0);
|
2017-06-22 20:43:44 +02:00
|
|
|
cache->initialized = 1;
|
2015-08-18 02:21:57 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void free_one_config(struct submodule_entry *entry)
|
|
|
|
|
{
|
|
|
|
|
free((void *) entry->config->path);
|
|
|
|
|
free((void *) entry->config->name);
|
2016-07-29 02:44:07 +02:00
|
|
|
free((void *) entry->config->branch);
|
2016-03-01 03:07:11 +01:00
|
|
|
free((void *) entry->config->update_strategy.command);
|
2015-08-18 02:21:57 +02:00
|
|
|
free(entry->config);
|
|
|
|
|
}
|
|
|
|
|
|
2017-06-22 20:43:44 +02:00
|
|
|
static void submodule_cache_clear(struct submodule_cache *cache)
|
2015-08-18 02:21:57 +02:00
|
|
|
{
|
|
|
|
|
struct hashmap_iter iter;
|
|
|
|
|
struct submodule_entry *entry;
|
|
|
|
|
|
2017-06-22 20:43:44 +02:00
|
|
|
if (!cache->initialized)
|
|
|
|
|
return;
|
|
|
|
|
|
2015-08-18 02:21:57 +02:00
|
|
|
/*
|
|
|
|
|
* We iterate over the name hash here to be symmetric with the
|
|
|
|
|
* allocation of struct submodule entries. Each is allocated by
|
|
|
|
|
* their .gitmodule blob sha1 and submodule name.
|
|
|
|
|
*/
|
|
|
|
|
hashmap_iter_init(&cache->for_name, &iter);
|
|
|
|
|
while ((entry = hashmap_iter_next(&iter)))
|
|
|
|
|
free_one_config(entry);
|
|
|
|
|
|
|
|
|
|
hashmap_free(&cache->for_path, 1);
|
|
|
|
|
hashmap_free(&cache->for_name, 1);
|
2017-06-22 20:43:44 +02:00
|
|
|
cache->initialized = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void submodule_cache_free(struct submodule_cache *cache)
|
|
|
|
|
{
|
|
|
|
|
submodule_cache_clear(cache);
|
|
|
|
|
free(cache);
|
2015-08-18 02:21:57 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static unsigned int hash_sha1_string(const unsigned char *sha1,
|
|
|
|
|
const char *string)
|
|
|
|
|
{
|
|
|
|
|
return memhash(sha1, 20) + strhash(string);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void cache_put_path(struct submodule_cache *cache,
|
|
|
|
|
struct submodule *submodule)
|
|
|
|
|
{
|
|
|
|
|
unsigned int hash = hash_sha1_string(submodule->gitmodules_sha1,
|
|
|
|
|
submodule->path);
|
|
|
|
|
struct submodule_entry *e = xmalloc(sizeof(*e));
|
|
|
|
|
hashmap_entry_init(e, hash);
|
|
|
|
|
e->config = submodule;
|
|
|
|
|
hashmap_put(&cache->for_path, e);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void cache_remove_path(struct submodule_cache *cache,
|
|
|
|
|
struct submodule *submodule)
|
|
|
|
|
{
|
|
|
|
|
unsigned int hash = hash_sha1_string(submodule->gitmodules_sha1,
|
|
|
|
|
submodule->path);
|
|
|
|
|
struct submodule_entry e;
|
|
|
|
|
struct submodule_entry *removed;
|
|
|
|
|
hashmap_entry_init(&e, hash);
|
|
|
|
|
e.config = submodule;
|
|
|
|
|
removed = hashmap_remove(&cache->for_path, &e, NULL);
|
|
|
|
|
free(removed);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void cache_add(struct submodule_cache *cache,
|
|
|
|
|
struct submodule *submodule)
|
|
|
|
|
{
|
|
|
|
|
unsigned int hash = hash_sha1_string(submodule->gitmodules_sha1,
|
|
|
|
|
submodule->name);
|
|
|
|
|
struct submodule_entry *e = xmalloc(sizeof(*e));
|
|
|
|
|
hashmap_entry_init(e, hash);
|
|
|
|
|
e->config = submodule;
|
|
|
|
|
hashmap_add(&cache->for_name, e);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static const struct submodule *cache_lookup_path(struct submodule_cache *cache,
|
|
|
|
|
const unsigned char *gitmodules_sha1, const char *path)
|
|
|
|
|
{
|
|
|
|
|
struct submodule_entry *entry;
|
|
|
|
|
unsigned int hash = hash_sha1_string(gitmodules_sha1, path);
|
|
|
|
|
struct submodule_entry key;
|
|
|
|
|
struct submodule key_config;
|
|
|
|
|
|
|
|
|
|
hashcpy(key_config.gitmodules_sha1, gitmodules_sha1);
|
|
|
|
|
key_config.path = path;
|
|
|
|
|
|
|
|
|
|
hashmap_entry_init(&key, hash);
|
|
|
|
|
key.config = &key_config;
|
|
|
|
|
|
|
|
|
|
entry = hashmap_get(&cache->for_path, &key, NULL);
|
|
|
|
|
if (entry)
|
|
|
|
|
return entry->config;
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct submodule *cache_lookup_name(struct submodule_cache *cache,
|
|
|
|
|
const unsigned char *gitmodules_sha1, const char *name)
|
|
|
|
|
{
|
|
|
|
|
struct submodule_entry *entry;
|
|
|
|
|
unsigned int hash = hash_sha1_string(gitmodules_sha1, name);
|
|
|
|
|
struct submodule_entry key;
|
|
|
|
|
struct submodule key_config;
|
|
|
|
|
|
|
|
|
|
hashcpy(key_config.gitmodules_sha1, gitmodules_sha1);
|
|
|
|
|
key_config.name = name;
|
|
|
|
|
|
|
|
|
|
hashmap_entry_init(&key, hash);
|
|
|
|
|
key.config = &key_config;
|
|
|
|
|
|
|
|
|
|
entry = hashmap_get(&cache->for_name, &key, NULL);
|
|
|
|
|
if (entry)
|
|
|
|
|
return entry->config;
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
submodule-config: verify submodule names as paths
Submodule "names" come from the untrusted .gitmodules file,
but we blindly append them to $GIT_DIR/modules to create our
on-disk repo paths. This means you can do bad things by
putting "../" into the name (among other things).
Let's sanity-check these names to avoid building a path that
can be exploited. There are two main decisions:
1. What should the allowed syntax be?
It's tempting to reuse verify_path(), since submodule
names typically come from in-repo paths. But there are
two reasons not to:
a. It's technically more strict than what we need, as
we really care only about breaking out of the
$GIT_DIR/modules/ hierarchy. E.g., having a
submodule named "foo/.git" isn't actually
dangerous, and it's possible that somebody has
manually given such a funny name.
b. Since we'll eventually use this checking logic in
fsck to prevent downstream repositories, it should
be consistent across platforms. Because
verify_path() relies on is_dir_sep(), it wouldn't
block "foo\..\bar" on a non-Windows machine.
2. Where should we enforce it? These days most of the
.gitmodules reads go through submodule-config.c, so
I've put it there in the reading step. That should
cover all of the C code.
We also construct the name for "git submodule add"
inside the git-submodule.sh script. This is probably
not a big deal for security since the name is coming
from the user anyway, but it would be polite to remind
them if the name they pick is invalid (and we need to
expose the name-checker to the shell anyway for our
test scripts).
This patch issues a warning when reading .gitmodules
and just ignores the related config entry completely.
This will generally end up producing a sensible error,
as it works the same as a .gitmodules file which is
missing a submodule entry (so "submodule update" will
barf, but "git clone --recurse-submodules" will print
an error but not abort the clone.
There is one minor oddity, which is that we print the
warning once per malformed config key (since that's how
the config subsystem gives us the entries). So in the
new test, for example, the user would see three
warnings. That's OK, since the intent is that this case
should never come up outside of malicious repositories
(and then it might even benefit the user to see the
message multiple times).
Credit for finding this vulnerability and the proof of
concept from which the test script was adapted goes to
Etienne Stalmans.
Signed-off-by: Jeff King <peff@peff.net>
2018-04-30 09:25:25 +02:00
|
|
|
int check_submodule_name(const char *name)
|
|
|
|
|
{
|
|
|
|
|
/* Disallow empty names */
|
|
|
|
|
if (!*name)
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Look for '..' as a path component. Check both '/' and '\\' as
|
|
|
|
|
* separators rather than is_dir_sep(), because we want the name rules
|
|
|
|
|
* to be consistent across platforms.
|
|
|
|
|
*/
|
|
|
|
|
goto in_component; /* always start inside component */
|
|
|
|
|
while (*name) {
|
|
|
|
|
char c = *name++;
|
|
|
|
|
if (c == '/' || c == '\\') {
|
|
|
|
|
in_component:
|
|
|
|
|
if (name[0] == '.' && name[1] == '.' &&
|
|
|
|
|
(!name[2] || name[2] == '/' || name[2] == '\\'))
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2015-08-18 02:21:57 +02:00
|
|
|
static int name_and_item_from_var(const char *var, struct strbuf *name,
|
|
|
|
|
struct strbuf *item)
|
|
|
|
|
{
|
|
|
|
|
const char *subsection, *key;
|
|
|
|
|
int subsection_len, parse;
|
|
|
|
|
parse = parse_config_key(var, "submodule", &subsection,
|
|
|
|
|
&subsection_len, &key);
|
|
|
|
|
if (parse < 0 || !subsection)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
strbuf_add(name, subsection, subsection_len);
|
submodule-config: verify submodule names as paths
Submodule "names" come from the untrusted .gitmodules file,
but we blindly append them to $GIT_DIR/modules to create our
on-disk repo paths. This means you can do bad things by
putting "../" into the name (among other things).
Let's sanity-check these names to avoid building a path that
can be exploited. There are two main decisions:
1. What should the allowed syntax be?
It's tempting to reuse verify_path(), since submodule
names typically come from in-repo paths. But there are
two reasons not to:
a. It's technically more strict than what we need, as
we really care only about breaking out of the
$GIT_DIR/modules/ hierarchy. E.g., having a
submodule named "foo/.git" isn't actually
dangerous, and it's possible that somebody has
manually given such a funny name.
b. Since we'll eventually use this checking logic in
fsck to prevent downstream repositories, it should
be consistent across platforms. Because
verify_path() relies on is_dir_sep(), it wouldn't
block "foo\..\bar" on a non-Windows machine.
2. Where should we enforce it? These days most of the
.gitmodules reads go through submodule-config.c, so
I've put it there in the reading step. That should
cover all of the C code.
We also construct the name for "git submodule add"
inside the git-submodule.sh script. This is probably
not a big deal for security since the name is coming
from the user anyway, but it would be polite to remind
them if the name they pick is invalid (and we need to
expose the name-checker to the shell anyway for our
test scripts).
This patch issues a warning when reading .gitmodules
and just ignores the related config entry completely.
This will generally end up producing a sensible error,
as it works the same as a .gitmodules file which is
missing a submodule entry (so "submodule update" will
barf, but "git clone --recurse-submodules" will print
an error but not abort the clone.
There is one minor oddity, which is that we print the
warning once per malformed config key (since that's how
the config subsystem gives us the entries). So in the
new test, for example, the user would see three
warnings. That's OK, since the intent is that this case
should never come up outside of malicious repositories
(and then it might even benefit the user to see the
message multiple times).
Credit for finding this vulnerability and the proof of
concept from which the test script was adapted goes to
Etienne Stalmans.
Signed-off-by: Jeff King <peff@peff.net>
2018-04-30 09:25:25 +02:00
|
|
|
if (check_submodule_name(name->buf) < 0) {
|
|
|
|
|
warning(_("ignoring suspicious submodule name: %s"), name->buf);
|
|
|
|
|
strbuf_release(name);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2015-08-18 02:21:57 +02:00
|
|
|
strbuf_addstr(item, key);
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct submodule *lookup_or_create_by_name(struct submodule_cache *cache,
|
|
|
|
|
const unsigned char *gitmodules_sha1, const char *name)
|
|
|
|
|
{
|
|
|
|
|
struct submodule *submodule;
|
|
|
|
|
struct strbuf name_buf = STRBUF_INIT;
|
|
|
|
|
|
|
|
|
|
submodule = cache_lookup_name(cache, gitmodules_sha1, name);
|
|
|
|
|
if (submodule)
|
|
|
|
|
return submodule;
|
|
|
|
|
|
|
|
|
|
submodule = xmalloc(sizeof(*submodule));
|
|
|
|
|
|
|
|
|
|
strbuf_addstr(&name_buf, name);
|
|
|
|
|
submodule->name = strbuf_detach(&name_buf, NULL);
|
|
|
|
|
|
|
|
|
|
submodule->path = NULL;
|
|
|
|
|
submodule->url = NULL;
|
2016-03-01 03:07:11 +01:00
|
|
|
submodule->update_strategy.type = SM_UPDATE_UNSPECIFIED;
|
|
|
|
|
submodule->update_strategy.command = NULL;
|
2015-08-18 02:21:57 +02:00
|
|
|
submodule->fetch_recurse = RECURSE_SUBMODULES_NONE;
|
|
|
|
|
submodule->ignore = NULL;
|
2016-07-29 02:44:07 +02:00
|
|
|
submodule->branch = NULL;
|
2016-05-26 23:59:42 +02:00
|
|
|
submodule->recommend_shallow = -1;
|
2015-08-18 02:21:57 +02:00
|
|
|
|
|
|
|
|
hashcpy(submodule->gitmodules_sha1, gitmodules_sha1);
|
|
|
|
|
|
|
|
|
|
cache_add(cache, submodule);
|
|
|
|
|
|
|
|
|
|
return submodule;
|
|
|
|
|
}
|
|
|
|
|
|
2015-08-18 02:22:00 +02:00
|
|
|
static int parse_fetch_recurse(const char *opt, const char *arg,
|
|
|
|
|
int die_on_error)
|
|
|
|
|
{
|
|
|
|
|
switch (git_config_maybe_bool(opt, arg)) {
|
|
|
|
|
case 1:
|
|
|
|
|
return RECURSE_SUBMODULES_ON;
|
|
|
|
|
case 0:
|
|
|
|
|
return RECURSE_SUBMODULES_OFF;
|
|
|
|
|
default:
|
|
|
|
|
if (!strcmp(arg, "on-demand"))
|
|
|
|
|
return RECURSE_SUBMODULES_ON_DEMAND;
|
|
|
|
|
|
|
|
|
|
if (die_on_error)
|
|
|
|
|
die("bad %s argument: %s", opt, arg);
|
|
|
|
|
else
|
|
|
|
|
return RECURSE_SUBMODULES_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int parse_fetch_recurse_submodules_arg(const char *opt, const char *arg)
|
|
|
|
|
{
|
|
|
|
|
return parse_fetch_recurse(opt, arg, 1);
|
|
|
|
|
}
|
|
|
|
|
|
2017-06-23 21:13:00 +02:00
|
|
|
int option_fetch_parse_recurse_submodules(const struct option *opt,
|
|
|
|
|
const char *arg, int unset)
|
|
|
|
|
{
|
|
|
|
|
int *v;
|
|
|
|
|
|
|
|
|
|
if (!opt->value)
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
v = opt->value;
|
|
|
|
|
|
|
|
|
|
if (unset) {
|
|
|
|
|
*v = RECURSE_SUBMODULES_OFF;
|
|
|
|
|
} else {
|
|
|
|
|
if (arg)
|
|
|
|
|
*v = parse_fetch_recurse_submodules_arg(opt->long_name, arg);
|
|
|
|
|
else
|
|
|
|
|
*v = RECURSE_SUBMODULES_ON;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-14 22:46:32 +01:00
|
|
|
static int parse_update_recurse(const char *opt, const char *arg,
|
|
|
|
|
int die_on_error)
|
|
|
|
|
{
|
|
|
|
|
switch (git_config_maybe_bool(opt, arg)) {
|
|
|
|
|
case 1:
|
|
|
|
|
return RECURSE_SUBMODULES_ON;
|
|
|
|
|
case 0:
|
|
|
|
|
return RECURSE_SUBMODULES_OFF;
|
|
|
|
|
default:
|
|
|
|
|
if (die_on_error)
|
|
|
|
|
die("bad %s argument: %s", opt, arg);
|
|
|
|
|
return RECURSE_SUBMODULES_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int parse_update_recurse_submodules_arg(const char *opt, const char *arg)
|
|
|
|
|
{
|
|
|
|
|
return parse_update_recurse(opt, arg, 1);
|
|
|
|
|
}
|
|
|
|
|
|
2015-11-17 12:05:56 +01:00
|
|
|
static int parse_push_recurse(const char *opt, const char *arg,
|
|
|
|
|
int die_on_error)
|
|
|
|
|
{
|
|
|
|
|
switch (git_config_maybe_bool(opt, arg)) {
|
|
|
|
|
case 1:
|
|
|
|
|
/* There's no simple "on" value when pushing */
|
|
|
|
|
if (die_on_error)
|
|
|
|
|
die("bad %s argument: %s", opt, arg);
|
|
|
|
|
else
|
|
|
|
|
return RECURSE_SUBMODULES_ERROR;
|
|
|
|
|
case 0:
|
|
|
|
|
return RECURSE_SUBMODULES_OFF;
|
|
|
|
|
default:
|
|
|
|
|
if (!strcmp(arg, "on-demand"))
|
|
|
|
|
return RECURSE_SUBMODULES_ON_DEMAND;
|
|
|
|
|
else if (!strcmp(arg, "check"))
|
|
|
|
|
return RECURSE_SUBMODULES_CHECK;
|
2016-12-19 19:25:32 +01:00
|
|
|
else if (!strcmp(arg, "only"))
|
|
|
|
|
return RECURSE_SUBMODULES_ONLY;
|
2015-11-17 12:05:56 +01:00
|
|
|
else if (die_on_error)
|
|
|
|
|
die("bad %s argument: %s", opt, arg);
|
|
|
|
|
else
|
|
|
|
|
return RECURSE_SUBMODULES_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int parse_push_recurse_submodules_arg(const char *opt, const char *arg)
|
|
|
|
|
{
|
|
|
|
|
return parse_push_recurse(opt, arg, 1);
|
|
|
|
|
}
|
|
|
|
|
|
2016-11-22 21:14:37 +01:00
|
|
|
static void warn_multiple_config(const unsigned char *treeish_name,
|
2015-08-18 02:21:57 +02:00
|
|
|
const char *name, const char *option)
|
|
|
|
|
{
|
|
|
|
|
const char *commit_string = "WORKTREE";
|
2016-11-22 21:14:37 +01:00
|
|
|
if (treeish_name)
|
|
|
|
|
commit_string = sha1_to_hex(treeish_name);
|
2015-08-18 02:21:57 +02:00
|
|
|
warning("%s:.gitmodules, multiple configurations found for "
|
|
|
|
|
"'submodule.%s.%s'. Skipping second one!",
|
|
|
|
|
commit_string, name, option);
|
|
|
|
|
}
|
|
|
|
|
|
submodule-config: ban submodule urls that start with dash
The previous commit taught the submodule code to invoke our
"git clone $url $path" with a "--" separator so that we
aren't confused by urls or paths that start with dashes.
However, that's just one code path. It's not clear if there
are others, and it would be an easy mistake to add one in
the future. Moreover, even with the fix in the previous
commit, it's quite hard to actually do anything useful with
such an entry. Any url starting with a dash must fall into
one of three categories:
- it's meant as a file url, like "-path". But then any
clone is not going to have the matching path, since it's
by definition relative inside the newly created clone. If
you spell it as "./-path", the submodule code sees the
"/" and translates this to an absolute path, so it at
least works (assuming the receiver has the same
filesystem layout as you). But that trick does not apply
for a bare "-path".
- it's meant as an ssh url, like "-host:path". But this
already doesn't work, as we explicitly disallow ssh
hostnames that begin with a dash (to avoid option
injection against ssh).
- it's a remote-helper scheme, like "-scheme::data". This
_could_ work if the receiver bends over backwards and
creates a funny-named helper like "git-remote--scheme".
But normally there would not be any helper that matches.
Since such a url does not work today and is not likely to do
anything useful in the future, let's simply disallow them
entirely. That protects the existing "git clone" path (in a
belt-and-suspenders way), along with any others that might
exist.
Our tests cover two cases:
1. A file url with "./" continues to work, showing that
there's an escape hatch for people with truly silly
repo names.
2. A url starting with "-" is rejected.
Note that we expect case (2) to fail, but it would have done
so even without this commit, for the reasons given above.
So instead of just expecting failure, let's also check for
the magic word "ignoring" on stderr. That lets us know that
we failed for the right reason.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-24 10:36:30 +02:00
|
|
|
static void warn_command_line_option(const char *var, const char *value)
|
|
|
|
|
{
|
|
|
|
|
warning(_("ignoring '%s' which may be interpreted as"
|
|
|
|
|
" a command-line option: %s"), var, value);
|
|
|
|
|
}
|
|
|
|
|
|
2015-08-18 02:21:57 +02:00
|
|
|
struct parse_config_parameter {
|
|
|
|
|
struct submodule_cache *cache;
|
2016-11-22 21:14:37 +01:00
|
|
|
const unsigned char *treeish_name;
|
2015-08-18 02:21:57 +02:00
|
|
|
const unsigned char *gitmodules_sha1;
|
|
|
|
|
int overwrite;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int parse_config(const char *var, const char *value, void *data)
|
|
|
|
|
{
|
|
|
|
|
struct parse_config_parameter *me = data;
|
|
|
|
|
struct submodule *submodule;
|
|
|
|
|
struct strbuf name = STRBUF_INIT, item = STRBUF_INIT;
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
|
|
/* this also ensures that we only parse submodule entries */
|
|
|
|
|
if (!name_and_item_from_var(var, &name, &item))
|
|
|
|
|
return 0;
|
|
|
|
|
|
2015-10-12 19:58:58 +02:00
|
|
|
submodule = lookup_or_create_by_name(me->cache,
|
|
|
|
|
me->gitmodules_sha1,
|
|
|
|
|
name.buf);
|
2015-08-18 02:21:57 +02:00
|
|
|
|
|
|
|
|
if (!strcmp(item.buf, "path")) {
|
2015-10-12 19:58:58 +02:00
|
|
|
if (!value)
|
2015-08-18 02:21:57 +02:00
|
|
|
ret = config_error_nonbool(var);
|
submodule-config: ban submodule paths that start with a dash
We recently banned submodule urls that look like
command-line options. This is the matching change to ban
leading-dash paths.
As with the urls, this should not break any use cases that
currently work. Even with our "--" separator passed to
git-clone, git-submodule.sh gets confused. Without the code
portion of this patch, the clone of "-sub" added in t7417
would yield results like:
/path/to/git-submodule: 410: cd: Illegal option -s
/path/to/git-submodule: 417: cd: Illegal option -s
/path/to/git-submodule: 410: cd: Illegal option -s
/path/to/git-submodule: 417: cd: Illegal option -s
Fetched in submodule path '-sub', but it did not contain b56243f8f4eb91b2f1f8109452e659f14dd3fbe4. Direct fetching of that commit failed.
Moreover, naively adding such a submodule doesn't work:
$ git submodule add $url -sub
The following path is ignored by one of your .gitignore files:
-sub
even though there is no such ignore pattern (the test script
hacks around this with a well-placed "git mv").
Unlike leading-dash urls, though, it's possible that such a
path _could_ be useful if we eventually made it work. So
this commit should be seen not as recommending a particular
policy, but rather temporarily closing off a broken and
possibly dangerous code-path. We may revisit this decision
later.
There are two minor differences to the tests in t7416 (that
covered urls):
1. We don't have a "./-sub" escape hatch to make this
work, since the submodule code expects to be able to
match canonical index names to the path field (so you
are free to add submodule config with that path, but we
would never actually use it, since an index entry would
never start with "./").
2. After this patch, cloning actually succeeds. Since we
ignore the submodule.*.path value, we fail to find a
config stanza for our submodule at all, and simply
treat it as inactive. We still check for the "ignoring"
message.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-24 10:39:55 +02:00
|
|
|
else if (looks_like_command_line_option(value))
|
|
|
|
|
warn_command_line_option(var, value);
|
2016-03-01 03:07:12 +01:00
|
|
|
else if (!me->overwrite && submodule->path)
|
2016-11-22 21:14:37 +01:00
|
|
|
warn_multiple_config(me->treeish_name, submodule->name,
|
2015-08-18 02:21:57 +02:00
|
|
|
"path");
|
2015-10-12 19:58:58 +02:00
|
|
|
else {
|
|
|
|
|
if (submodule->path)
|
|
|
|
|
cache_remove_path(me->cache, submodule);
|
|
|
|
|
free((void *) submodule->path);
|
|
|
|
|
submodule->path = xstrdup(value);
|
|
|
|
|
cache_put_path(me->cache, submodule);
|
2015-08-18 02:21:57 +02:00
|
|
|
}
|
|
|
|
|
} else if (!strcmp(item.buf, "fetchrecursesubmodules")) {
|
2015-08-18 02:22:00 +02:00
|
|
|
/* when parsing worktree configurations we can die early */
|
|
|
|
|
int die_on_error = is_null_sha1(me->gitmodules_sha1);
|
2015-08-18 02:21:57 +02:00
|
|
|
if (!me->overwrite &&
|
2015-10-12 19:58:58 +02:00
|
|
|
submodule->fetch_recurse != RECURSE_SUBMODULES_NONE)
|
2016-11-22 21:14:37 +01:00
|
|
|
warn_multiple_config(me->treeish_name, submodule->name,
|
2015-08-18 02:21:57 +02:00
|
|
|
"fetchrecursesubmodules");
|
2015-10-12 19:58:58 +02:00
|
|
|
else
|
|
|
|
|
submodule->fetch_recurse = parse_fetch_recurse(
|
|
|
|
|
var, value,
|
2015-08-18 02:22:00 +02:00
|
|
|
die_on_error);
|
2015-08-18 02:21:57 +02:00
|
|
|
} else if (!strcmp(item.buf, "ignore")) {
|
2015-10-12 19:58:58 +02:00
|
|
|
if (!value)
|
|
|
|
|
ret = config_error_nonbool(var);
|
2016-03-01 03:07:12 +01:00
|
|
|
else if (!me->overwrite && submodule->ignore)
|
2016-11-22 21:14:37 +01:00
|
|
|
warn_multiple_config(me->treeish_name, submodule->name,
|
2015-08-18 02:21:57 +02:00
|
|
|
"ignore");
|
2015-10-12 19:58:58 +02:00
|
|
|
else if (strcmp(value, "untracked") &&
|
|
|
|
|
strcmp(value, "dirty") &&
|
|
|
|
|
strcmp(value, "all") &&
|
|
|
|
|
strcmp(value, "none"))
|
2015-08-18 02:21:57 +02:00
|
|
|
warning("Invalid parameter '%s' for config option "
|
2017-03-14 23:14:40 +01:00
|
|
|
"'submodule.%s.ignore'", value, name.buf);
|
2015-10-12 19:58:58 +02:00
|
|
|
else {
|
|
|
|
|
free((void *) submodule->ignore);
|
|
|
|
|
submodule->ignore = xstrdup(value);
|
2015-08-18 02:21:57 +02:00
|
|
|
}
|
|
|
|
|
} else if (!strcmp(item.buf, "url")) {
|
|
|
|
|
if (!value) {
|
|
|
|
|
ret = config_error_nonbool(var);
|
submodule-config: ban submodule urls that start with dash
The previous commit taught the submodule code to invoke our
"git clone $url $path" with a "--" separator so that we
aren't confused by urls or paths that start with dashes.
However, that's just one code path. It's not clear if there
are others, and it would be an easy mistake to add one in
the future. Moreover, even with the fix in the previous
commit, it's quite hard to actually do anything useful with
such an entry. Any url starting with a dash must fall into
one of three categories:
- it's meant as a file url, like "-path". But then any
clone is not going to have the matching path, since it's
by definition relative inside the newly created clone. If
you spell it as "./-path", the submodule code sees the
"/" and translates this to an absolute path, so it at
least works (assuming the receiver has the same
filesystem layout as you). But that trick does not apply
for a bare "-path".
- it's meant as an ssh url, like "-host:path". But this
already doesn't work, as we explicitly disallow ssh
hostnames that begin with a dash (to avoid option
injection against ssh).
- it's a remote-helper scheme, like "-scheme::data". This
_could_ work if the receiver bends over backwards and
creates a funny-named helper like "git-remote--scheme".
But normally there would not be any helper that matches.
Since such a url does not work today and is not likely to do
anything useful in the future, let's simply disallow them
entirely. That protects the existing "git clone" path (in a
belt-and-suspenders way), along with any others that might
exist.
Our tests cover two cases:
1. A file url with "./" continues to work, showing that
there's an escape hatch for people with truly silly
repo names.
2. A url starting with "-" is rejected.
Note that we expect case (2) to fail, but it would have done
so even without this commit, for the reasons given above.
So instead of just expecting failure, let's also check for
the magic word "ignoring" on stderr. That lets us know that
we failed for the right reason.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-09-24 10:36:30 +02:00
|
|
|
} else if (looks_like_command_line_option(value)) {
|
|
|
|
|
warn_command_line_option(var, value);
|
2016-03-01 03:07:12 +01:00
|
|
|
} else if (!me->overwrite && submodule->url) {
|
2016-11-22 21:14:37 +01:00
|
|
|
warn_multiple_config(me->treeish_name, submodule->name,
|
2015-08-18 02:21:57 +02:00
|
|
|
"url");
|
2015-10-12 19:58:58 +02:00
|
|
|
} else {
|
|
|
|
|
free((void *) submodule->url);
|
|
|
|
|
submodule->url = xstrdup(value);
|
2015-08-18 02:21:57 +02:00
|
|
|
}
|
2016-03-01 03:07:11 +01:00
|
|
|
} else if (!strcmp(item.buf, "update")) {
|
|
|
|
|
if (!value)
|
|
|
|
|
ret = config_error_nonbool(var);
|
|
|
|
|
else if (!me->overwrite &&
|
|
|
|
|
submodule->update_strategy.type != SM_UPDATE_UNSPECIFIED)
|
2016-11-22 21:14:37 +01:00
|
|
|
warn_multiple_config(me->treeish_name, submodule->name,
|
2016-03-01 03:07:11 +01:00
|
|
|
"update");
|
|
|
|
|
else if (parse_submodule_update_strategy(value,
|
|
|
|
|
&submodule->update_strategy) < 0)
|
|
|
|
|
die(_("invalid value for %s"), var);
|
2016-05-26 23:59:42 +02:00
|
|
|
} else if (!strcmp(item.buf, "shallow")) {
|
|
|
|
|
if (!me->overwrite && submodule->recommend_shallow != -1)
|
2016-11-22 21:14:37 +01:00
|
|
|
warn_multiple_config(me->treeish_name, submodule->name,
|
2016-05-26 23:59:42 +02:00
|
|
|
"shallow");
|
2016-07-29 02:44:07 +02:00
|
|
|
else
|
2016-05-26 23:59:42 +02:00
|
|
|
submodule->recommend_shallow =
|
|
|
|
|
git_config_bool(var, value);
|
2016-07-29 02:44:07 +02:00
|
|
|
} else if (!strcmp(item.buf, "branch")) {
|
|
|
|
|
if (!me->overwrite && submodule->branch)
|
2016-11-22 21:14:37 +01:00
|
|
|
warn_multiple_config(me->treeish_name, submodule->name,
|
2016-07-29 02:44:07 +02:00
|
|
|
"branch");
|
|
|
|
|
else {
|
|
|
|
|
free((void *)submodule->branch);
|
|
|
|
|
submodule->branch = xstrdup(value);
|
2016-05-26 23:59:42 +02:00
|
|
|
}
|
2015-08-18 02:21:57 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
strbuf_release(&name);
|
|
|
|
|
strbuf_release(&item);
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-19 00:12:11 +01:00
|
|
|
int gitmodule_sha1_from_commit(const unsigned char *treeish_name,
|
2016-07-28 14:49:11 +02:00
|
|
|
unsigned char *gitmodules_sha1,
|
|
|
|
|
struct strbuf *rev)
|
2015-08-18 02:21:57 +02:00
|
|
|
{
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
2016-11-22 21:14:37 +01:00
|
|
|
if (is_null_sha1(treeish_name)) {
|
2016-06-25 01:09:21 +02:00
|
|
|
hashclr(gitmodules_sha1);
|
2015-08-18 02:21:57 +02:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2016-11-22 21:14:37 +01:00
|
|
|
strbuf_addf(rev, "%s:.gitmodules", sha1_to_hex(treeish_name));
|
2016-07-28 14:49:11 +02:00
|
|
|
if (get_sha1(rev->buf, gitmodules_sha1) >= 0)
|
2015-08-18 02:21:57 +02:00
|
|
|
ret = 1;
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* This does a lookup of a submodule configuration by name or by path
|
|
|
|
|
* (key) with on-demand reading of the appropriate .gitmodules from
|
|
|
|
|
* revisions.
|
|
|
|
|
*/
|
|
|
|
|
static const struct submodule *config_from(struct submodule_cache *cache,
|
2016-11-22 21:14:37 +01:00
|
|
|
const unsigned char *treeish_name, const char *key,
|
2015-08-18 02:21:57 +02:00
|
|
|
enum lookup_type lookup_type)
|
|
|
|
|
{
|
|
|
|
|
struct strbuf rev = STRBUF_INIT;
|
|
|
|
|
unsigned long config_size;
|
2016-07-28 14:49:47 +02:00
|
|
|
char *config = NULL;
|
2015-08-18 02:21:57 +02:00
|
|
|
unsigned char sha1[20];
|
|
|
|
|
enum object_type type;
|
|
|
|
|
const struct submodule *submodule = NULL;
|
|
|
|
|
struct parse_config_parameter parameter;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If any parameter except the cache is a NULL pointer just
|
|
|
|
|
* return the first submodule. Can be used to check whether
|
|
|
|
|
* there are any submodules parsed.
|
|
|
|
|
*/
|
2016-11-22 21:14:37 +01:00
|
|
|
if (!treeish_name || !key) {
|
2015-08-18 02:21:57 +02:00
|
|
|
struct hashmap_iter iter;
|
|
|
|
|
struct submodule_entry *entry;
|
|
|
|
|
|
2016-03-16 08:46:31 +01:00
|
|
|
entry = hashmap_iter_first(&cache->for_name, &iter);
|
2015-08-18 02:21:57 +02:00
|
|
|
if (!entry)
|
|
|
|
|
return NULL;
|
|
|
|
|
return entry->config;
|
|
|
|
|
}
|
|
|
|
|
|
2016-11-22 21:14:37 +01:00
|
|
|
if (!gitmodule_sha1_from_commit(treeish_name, sha1, &rev))
|
2016-07-28 14:49:47 +02:00
|
|
|
goto out;
|
2015-08-18 02:21:57 +02:00
|
|
|
|
|
|
|
|
switch (lookup_type) {
|
|
|
|
|
case lookup_name:
|
|
|
|
|
submodule = cache_lookup_name(cache, sha1, key);
|
|
|
|
|
break;
|
|
|
|
|
case lookup_path:
|
|
|
|
|
submodule = cache_lookup_path(cache, sha1, key);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (submodule)
|
2016-07-28 14:49:47 +02:00
|
|
|
goto out;
|
2015-08-18 02:21:57 +02:00
|
|
|
|
|
|
|
|
config = read_sha1_file(sha1, &type, &config_size);
|
2016-07-28 14:49:47 +02:00
|
|
|
if (!config || type != OBJ_BLOB)
|
|
|
|
|
goto out;
|
2015-08-18 02:21:57 +02:00
|
|
|
|
|
|
|
|
/* fill the submodule config into the cache */
|
|
|
|
|
parameter.cache = cache;
|
2016-11-22 21:14:37 +01:00
|
|
|
parameter.treeish_name = treeish_name;
|
2015-08-18 02:21:57 +02:00
|
|
|
parameter.gitmodules_sha1 = sha1;
|
|
|
|
|
parameter.overwrite = 0;
|
i18n: config: unfold error messages marked for translation
Introduced in 473166b ("config: add 'origin_type' to config_source
struct", 2016-02-19), Git can inform the user about the origin of a
config error, but the implementation does not allow translators to
translate the keywords 'file', 'blob, 'standard input', and
'submodule-blob'. Moreover, for the second message, a reason for the
error is appended to the message, not allowing translators to translate
that reason either.
Unfold the message into several templates for each known origin_type.
That would result in better translation at the expense of code
verbosity.
Add enum config_oringin_type to ease management of the various
configuration origin types (blob, file, etc). Previously origin type
was considered from command line if cf->origin_type == NULL, i.e.,
uninitialized. Now we set origin_type to CONFIG_ORIGIN_CMDLINE in
git_config_from_parameters() and configset_add_value().
For error message in git_parse_source(), use xstrfmt() function to
prepare the message string, instead of doing something like it's done
for die_bad_number(), because intelligibility and code conciseness are
improved for that instance.
Signed-off-by: Vasco Almeida <vascomalmeida@sapo.pt>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-07-28 15:14:03 +02:00
|
|
|
git_config_from_mem(parse_config, CONFIG_ORIGIN_SUBMODULE_BLOB, rev.buf,
|
2016-02-19 10:16:01 +01:00
|
|
|
config, config_size, ¶meter);
|
2016-07-28 14:49:11 +02:00
|
|
|
strbuf_release(&rev);
|
2015-08-18 02:21:57 +02:00
|
|
|
free(config);
|
|
|
|
|
|
|
|
|
|
switch (lookup_type) {
|
|
|
|
|
case lookup_name:
|
|
|
|
|
return cache_lookup_name(cache, sha1, key);
|
|
|
|
|
case lookup_path:
|
|
|
|
|
return cache_lookup_path(cache, sha1, key);
|
|
|
|
|
default:
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2016-07-28 14:49:47 +02:00
|
|
|
|
|
|
|
|
out:
|
|
|
|
|
strbuf_release(&rev);
|
|
|
|
|
free(config);
|
|
|
|
|
return submodule;
|
2015-08-18 02:21:57 +02:00
|
|
|
}
|
|
|
|
|
|
2017-06-22 20:43:44 +02:00
|
|
|
static void submodule_cache_check_init(struct repository *repo)
|
2015-08-18 02:21:57 +02:00
|
|
|
{
|
2017-06-22 20:43:44 +02:00
|
|
|
if (repo->submodule_cache && repo->submodule_cache->initialized)
|
2015-08-18 02:21:57 +02:00
|
|
|
return;
|
|
|
|
|
|
2017-06-22 20:43:44 +02:00
|
|
|
if (!repo->submodule_cache)
|
|
|
|
|
repo->submodule_cache = submodule_cache_alloc();
|
|
|
|
|
|
|
|
|
|
submodule_cache_init(repo->submodule_cache);
|
2015-08-18 02:21:57 +02:00
|
|
|
}
|
|
|
|
|
|
2017-06-22 20:43:44 +02:00
|
|
|
int submodule_config_option(struct repository *repo,
|
|
|
|
|
const char *var, const char *value)
|
2015-08-18 02:21:59 +02:00
|
|
|
{
|
|
|
|
|
struct parse_config_parameter parameter;
|
2017-06-22 20:43:44 +02:00
|
|
|
|
|
|
|
|
submodule_cache_check_init(repo);
|
|
|
|
|
|
|
|
|
|
parameter.cache = repo->submodule_cache;
|
2016-11-22 21:14:37 +01:00
|
|
|
parameter.treeish_name = NULL;
|
2015-08-18 02:21:59 +02:00
|
|
|
parameter.gitmodules_sha1 = null_sha1;
|
|
|
|
|
parameter.overwrite = 1;
|
|
|
|
|
|
|
|
|
|
return parse_config(var, value, ¶meter);
|
|
|
|
|
}
|
|
|
|
|
|
2017-06-22 20:43:44 +02:00
|
|
|
int parse_submodule_config_option(const char *var, const char *value)
|
|
|
|
|
{
|
|
|
|
|
return submodule_config_option(the_repository, var, value);
|
|
|
|
|
}
|
|
|
|
|
|
2016-11-22 21:14:37 +01:00
|
|
|
const struct submodule *submodule_from_name(const unsigned char *treeish_name,
|
2015-08-18 02:21:57 +02:00
|
|
|
const char *name)
|
|
|
|
|
{
|
2017-06-22 20:43:44 +02:00
|
|
|
submodule_cache_check_init(the_repository);
|
|
|
|
|
return config_from(the_repository->submodule_cache, treeish_name, name, lookup_name);
|
2015-08-18 02:21:57 +02:00
|
|
|
}
|
|
|
|
|
|
2016-11-22 21:14:37 +01:00
|
|
|
const struct submodule *submodule_from_path(const unsigned char *treeish_name,
|
2015-08-18 02:21:57 +02:00
|
|
|
const char *path)
|
|
|
|
|
{
|
2017-06-22 20:43:44 +02:00
|
|
|
submodule_cache_check_init(the_repository);
|
|
|
|
|
return config_from(the_repository->submodule_cache, treeish_name, path, lookup_path);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const struct submodule *submodule_from_cache(struct repository *repo,
|
|
|
|
|
const unsigned char *treeish_name,
|
|
|
|
|
const char *key)
|
|
|
|
|
{
|
|
|
|
|
submodule_cache_check_init(repo);
|
|
|
|
|
return config_from(repo->submodule_cache, treeish_name,
|
|
|
|
|
key, lookup_path);
|
2015-08-18 02:21:57 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void submodule_free(void)
|
|
|
|
|
{
|
2017-06-22 20:43:44 +02:00
|
|
|
if (the_repository->submodule_cache)
|
|
|
|
|
submodule_cache_clear(the_repository->submodule_cache);
|
2015-08-18 02:21:57 +02:00
|
|
|
}
|