[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
There is no setenv() in Solaris 5.8. The trivial calls to
setenv() were replaced by putenv() in a much earlier patch,
but setenv() was used again in git.c. This patch just adds
a compat/setenv.c.
The rule for building git$(X) also needs to include compat.
objects and compiler flags. Those are now in makefile vars
COMPAT_OBJS and COMPAT_CFLAGS.
Signed-off-by: E. Jason Riedy <ejr@cs.berkeley.edu> Signed-off-by: Junio C Hamano <junkio@cox.net>
Use the same trick Josef used to introduce line breaks for
git-mv documentation for now, to help HTML rendering. This
breaks manpages and we need to come up with a better solution.
git-merge documentation: conflicting merge leaves higher stages in index
This hopefully concludes the latest updates that changes the
behaviour of the merge on an unsuccessful automerge. Instead of
collapsing the conflicted path in the index to show HEAD, we
leave it unmerged, now that diff-files can compare working tree
files with higher stages.
merge-one-file: make sure we create the merged file.
The "update-index followed by checkout-index" chain served two
purposes -- to collapse the index to "our" version, and make
sure that file exists in the working tree. In the recent update
to leave the index unmerged on conflicting path, we wanted to
stop doing the former, but we still need to do the latter (we
allow merging to work in an un-checked-out working tree).
merge-recursive: adjust git-ls-tree use for the latest.
You need to pass -t flag if you want to see tree objects in
"git-ls-tree -r" output these days. This change broke the tree
structure reading code in git-merge-recursive used to detect D/F
conflicts.
- Use stderr for error output
- Build git_command more careful
- ENOENT is good enough for check of failed exec to show usage, no
access() check needed
[jc: Originally from Alex Riesen with inputs from Sven
Verdoolaege mixed in.]
Fingers of some "git diff" users are trained to do --name-only
which git-ls-tree unfortunately does not take. With this,
cd sub/directory && git-ls-tree -r --name-only ..
would show only the names not object names nor modes. I threw
in another synonym --name-status only for usability, but
obviously ls-tree does not do any comparison so what it does is
the same as --name-only.
git-ls-tree: add "-t" option to always show the tree entries
The old (new) behaviour was that it only shows trees if the object is
specified exactly, and recursive is not set. That makes sense, because
there is obviously nothing else it can show for that case.
However, with the new "-t" option, it will show the tree even with "-r",
as it traverses down into it.
NOTE! This also means that it will show all trees leading up to that tree.
For example, if you do a
git-ls-tree -t HEAD -- drivers/char/this/file/does/not/exist
it will show the trees that lead up to the files that do not exist:
and note how this is true even though I didn't specify "-r": the fact that
I supplied a pathspec automatically implies "enough recursion" for that
particular pathspec.
I think the code is cleaner and easier to understand too: the patch looks
bigger, but it's really just splitting up the "should we recurse into this
tree" into a function of its own.
Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Junio C Hamano <junkio@cox.net>
Alex Riesen wants to keep extra makefile targets in config.mak, but
the file is included before any of our real targets. Having this
at the beginning allows you to do so.
Tutorial: adjust merge example to recursive strategy.
Current default, merge-recursive, gives slightly different
message while working from merge-resolve which was used to
prepare the illustration in the tutorial.
merge-recursive: match the unmerged index entry behaviour with merge-resolve
This minimally changes merge-recursive to match what happens
when O->A, O->B, A!=B 3-way filelevel merge leaves conflicts to
the new merge-resolve behaviour.
diff-files: show diffs with stage0 and unmerged stage at the same time.
After thinking about it more, I realized that much of the change
I did on top of Linus' version does not make much sense. This
commit reverts it so that it by default shows diffs with stage0
paths or stage2 paths with working tree; the unmerged stage to
use can be overridden with -1/-2/-3 option (-2 is the default so
essentially is a no-op).
When the index file is unmerged, we are by definition in the
middle of a conflicting merge, and we should show the diff with
stage 2 by default. More importantly, paths without conflicts
are updated in the working tree and collapsed to stage0 in the
index, so showing diff with stage0 at the same time does not
hurt. In normal cases, stage0 entries should be in sync with
the working tree files and does not clutter the output. It even
helps the user to realize that the working tree has local
changes unrelated to the merge and remember to be careful not to
do a "git-commit -a" after resolving the conflicts.
When there is no unmerged entries, giving diff_unmerged_stage a
default value of 2 does not cause any harm, because it would not
be used anyway. So in all, always showing diff between stage0
paths and unmerged entries from a stage (defaulting to 2) is the
right thing to do, as Linus originally did.
merge-one-file: leave unmerged index entries upon automerge failure.
When automerge fails, we used to collapse the path to stage0
from "our" branch, to help "diff-files" users to view the
half-merged state against the current HEAD. Now diff-files has
been taught how to compare with unmerged stage2,leaving them
unmerged is a better thing to do, especially this prevents the
unresolved conflicts to be committed by mistake.
diff-files: -1/-2/-3 to diff against unmerged stage.
While resolving conflicted merge, it was not easy to compare the
working tree file with unmerged index entries. This commit
introduces new options -1/-2/-3 (with synonyms --base, --ours,
and --theirs) to compare working tree files with specified
stages.
When none of these options are given, the command defaults to -2
if the index file is unmerged, otherwise it acts as before.
[jc: majorly butchered from the version Linus originally posted.]
git-diff: do not turn off -p/-M with any diff options.
When the user gives a diff option (e.g. --cached) to "git diff",
we turned off the built-in default option -p, which is usually
not what user wants to see.
This commit makes lack of --name-status, --name-only nor -r to
add -p, and lack of -B*, -C* nor -M* to add -M to the flags
given to the underlying diff.
Before GIT version at the end of output we used a 3-dash marker;
but 3-dash marker is special and should not be overused.
Instead, use "-- " which is a standard practice in e-mails to
signal the beginning of trailing garbage.
The attempt to help 3-way fallback by recording the tree object
id for the entire pre-image was unnecessary, and we already have
an better alternative in the form of per-blob "index" lines.
One "svn log" (or its equivalent) per revision adds delay and server load.
Instead, open two SVN connections -- one for the log, and one for the files.
Positive side effect: Only those log entries which actually contain data
are committed => no more empty commits.
Also, change the "-l" option to set the maximum revision to be pulled,
not the number of revisions.
The malloc patch from Jan Andres fixed the problem that was causing a
segfault when freeing the lock token, and Johannes Schindelin found
and fixed a problem when no URL is specified on the command line.
Signed-off-by: Nick Hengeveld <nickh@reactrix.com> Signed-off-by: Junio C Hamano <junkio@cox.net>
The "--shared" option to git-clone is silently ignored if "--local" is
not specified. The manual doesn't mention such dependency. Make
"--shared" imply "--local".
Signed-off-by: Pavel Roskin <proski@gnu.org> Signed-off-by: Junio C Hamano <junkio@cox.net>
As a fallout from not using git-sh-setup in scripts that can
operate from a subdirectory, we lost definition of die() from
them. It might make sense to do some cleanup to consolidate
them back again, but this should suffice for now.
ls-remote: define die() now we do not use git-sh-setup
Another interesting "property" is that from inside a git managed
tree, "git-ls-remote ." names the current repository no matter
how deep a subdirectory you are in.
Make networking commands to work from a subdirectory.
These are whole-tree operations and there is not much point
making them operable from within a subdirectory, but it is easy
to do so, and using setup_git_directory() upfront helps git://
proxy specification picked up from the correct place.
This makes ls-tree to work from subdirectory. It defaults to
show the paths under the current subdirectory, and interprets
user-supplied paths as relative to the current subdirectory.
With this, git-checkout-index from a subdirectory works as
expected. Note that "git-checkout-index -a" checks out files
only in the current directory and under.
When applying a patch to index file, we need to know where GIT_DIR is;
use setup_git_directory() to find it out. This also allows us to work
from a subdirectory if we wanted to.
When git-apply is run from a subdirectory, it applies the given patch
only to the files under the current directory and below.
followed by all the normal "git bisect good/bad" stuff.
Almost totally untested, and I guarantee that if your pathnames have
spaces in them (or your GIT_DIR has spaces in it) this won't work. I don't
know how to fix that, my shell programming isn't good enough.
This involves small changes to make "git-rev-list --bisect" work in the
presense of a pathspec limiter, and then truly trivial (and that's the
broken part) changes to make "git bisect" save away and use the pathspec.
I tried one bisection, and a "git bisect visualize", and it all looked
correct. But hey, don't be surprised if it has problems.
ls-tree: Resurrect funny name quoting lost during rewrite.
The rewrite to match ls-files/diff-tree behaviour accidentally
lost the name quoting. I am not proud about this code, but this
would get the test going.
It modifies the selection a bit, so that a pathspec that is a superset of
a particular tree path will always cause it to recurse into that tree.
As an example, let's say that we do
git-ls-tree HEAD drivers/char
_without_ the "-r". What will happen is that it will start out doing all
the base tree, and for "drivers" it will notice that it's a proper subset
of "drivers/char", so it will always recurse into _that_ tree (but not
into other trees).
Then, it will not match anything else than "char" in that subdirectory,
and because that's not a proper superset (it's an exact match), it will
_not_ recurse into it, so you get:
which is what you got with the old git-ls-tree too.
But interestingly, if you add the slash, it will become a proper superset
and it will recurse into _that_ subdirectory (but no deeper: so if you
want all subdirectories _below_ drivers/char/, you still need to give
"-r"):
To get more a "git-ls-files" approach, this trivial patch (on top of my
previous one) enables recursion, and doesn't show partial trees.
[jc: after further discussion, this version enables recursion by default,
and you can disable it with "-d" flag.
git-ls-tree -d HEAD Documentation/no/such/directory
shows Documentation tree (without -d it shows nothing).
git-ls-tree HEAD
shows everything from the tree. Only to get the single level from the top
git-ls-tree -d HEAD
is needed. But there is no way to get the single level with pathspec.
You need to extract the object name of Documentation tree from the parent
tree and run
git-ls-tree -d $tree_id_of_Documentation_tree
to get something similar to what you can get from the current
git-ls-tree should be rewritten to use a pathspec the same way everybody
else does. Right now it's the odd man out: if you do
git-ls-tree HEAD divers/char drivers/
it will show the same files _twice_, which is not how pathspecs in general
work.
How about this patch? It breaks some of the git-ls-tree tests, but it
makes git-ls-tree work a lot more like other git pathspec commands, and it
removes more than 150 lines by re-using the recursive tree traversal (but
the "-d" flag is gone for good, so I'm not pushing this too hard).
Documentation: Describe merge operation a bit better.
In git-merge documentation, add a section to describe what happens to
the index and working tree during merge, and what their cleanliness
requirements are before the merge.
rebase: one safety net, one bugfix and one optimization.
When a .dotest from a previously failed rebase or patch
application exists, rebase got confused and tried to apply
mixture of what was already there and what is being rebased.
Check the existence of the directory and barf.
It failed with an mysterious "fatal: cannot read mbox" message
if the branch being rebased is fully in sync with the base.
Also if the branch is a proper descendant of the base, there is
no need to run rebase logic. Prevent these from happening by
checking where the merge-base is.
gitk: Fix diff this->selected and selected->this functions
The change in 8b7e5d76e836396a097bb6f61cf930ea872a7bd3, which makes
a couple of git-diff-tree calls supply only one id rather than two,
fixes the display when showing what a single commit did with dense
revlists, but broke the diff this->selected and diff selected->this
right-click menu functions.
Yann Dirson pointed this out and had a patch that fixed the diff
menu functions by passing a "singlecommit" flag around. This fixes
it a bit differently, by making the ids and diffids variables be
either a single id, in the case of showing what a commit did, or
{oldid newid}, in the case of the diff menu functions. That way
we can just pass $ids to git-diff-tree as is. Most of the changes
in fact are just reversing the order of ids in $ids and $diffids,
because they used to be {child parent}, but git-diff-tree requires
old id before new id.
mailinfo: Do not use -u=<encoding>; say --encoding=<encoding>
Specifying the value for a single letter, single dash option
parameter with equal sign looked funny, and more importantly
calling the flag to override encoding from utf-8 to something
else "-u" (obviously abbreviated from "utf-8") did not make any
sense. So spell it out.
This uses i18n.commitencoding configuration item to pick up the
default commit encoding for the repository when converting form
e-mail encoding to commit encoding (the default is utf8).
mailinfo: allow -u to fall back on latin1 to utf8 conversion.
When the message body does not identify what encoding it is in,
-u assumes it is in latin-1 and converts it to utf8, which is
the recommended encoding for git commit log messages.
With -u=<encoding>, the conversion is made into the specified
one, instead of utf8, to allow project-local policies.
The change made in 8b7e5d76e836396a097bb6f61cf930ea872a7bd3 to
accomodate dense revlists in single-commit diffs has broken computing
of diffs between arbitrary trees, which does need to consider two
commit ids.
This patch changes the two git-diff-tree calls to get the necessary
two ids in this case. It does so by propagating a "singlecommit" flag
through all functions involved via an additional argument.
Signed-off-by: Yann Dirson <ydirson@altern.org> Signed-off-by: Junio C Hamano <junkio@cox.net>
git-mv: fully detect 'directory moved into itself'
This gives a better error message when trying to move a directory
into some subdirectory of itself; ie. no real bug fix: renaming
already failed before, but with a strange "invalid argument".
Signed-off-by: Josef Weidendorfer <Josef.Weidendorfer@gmx.de> Signed-off-by: Junio C Hamano <junkio@cox.net>
git-mv: keep git index consistent with file system on failed rename
When doing multiple renames, and a rename in the middle fails,
git-mv did not store the successful renames in the git index;
this is fixed by delaying the error message on a failed rename
to after the git updating.
Signed-off-by: Josef Weidendorfer <Josef.Weidendorfer@gmx.de> Signed-off-by: Junio C Hamano <junkio@cox.net>
It checks if an existing config file says the repository being
reinitialized is of a wrong version and aborts before doing
further harm.
When copying the templates, it makes sure the they are of the
right repository format version. Otherwise the templates are
ignored with an warning message.
It copies the templates before creating the HEAD, and if the
config file is copied from the template directory, reads it,
primarily to pick up the value of core.symrefsonly.
It changes the way the result of the filemode reliability test
is written to the configuration file using git_config_set().
The test is done even if the config file was copied from the
templates.
And finally, our own repository format version is written to the
config file.
After daemon, upload-pack and receive-pack find out where the
git directory is and chdir() there, make sure that repository is
in a format we understand, after putenv("GIT_DIR=.") so that it
knows to pick up the configuration file from there.