gitweb.git
Merge branch 'rs/qsort-s' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:14 +0000 (14:19 +0900)

Merge branch 'rs/qsort-s' into maint

* rs/qsort-s:
test-stringlist: avoid buffer underrun when sorting nothing

Merge branch 'jn/strbuf-doc-re-reuse' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:13 +0000 (14:19 +0900)

Merge branch 'jn/strbuf-doc-re-reuse' into maint

* jn/strbuf-doc-re-reuse:
strbuf doc: reuse after strbuf_release is fine

Merge branch 'rs/run-command-use-alloc-array' into... Junio C Hamano Wed, 18 Oct 2017 05:19:13 +0000 (14:19 +0900)

Merge branch 'rs/run-command-use-alloc-array' into maint

Code clean-up.

* rs/run-command-use-alloc-array:
run-command: use ALLOC_ARRAY

Merge branch 'rs/tag-null-pointer-arith-fix' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:12 +0000 (14:19 +0900)

Merge branch 'rs/tag-null-pointer-arith-fix' into maint

Code clean-up.

* rs/tag-null-pointer-arith-fix:
tag: avoid NULL pointer arithmetic

Merge branch 'rs/cocci-de-paren-call-params' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:12 +0000 (14:19 +0900)

Merge branch 'rs/cocci-de-paren-call-params' into maint

Code clean-up.

* rs/cocci-de-paren-call-params:
coccinelle: remove parentheses that become unnecessary

Merge branch 'ad/doc-markup-fix' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:12 +0000 (14:19 +0900)

Merge branch 'ad/doc-markup-fix' into maint

Docfix.

* ad/doc-markup-fix:
doc: correct command formatting

Merge branch 'mr/doc-negative-pathspec' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:12 +0000 (14:19 +0900)

Merge branch 'mr/doc-negative-pathspec' into maint

Doc updates.

* mr/doc-negative-pathspec:
docs: improve discoverability of exclude pathspec

Merge branch 'jk/validate-headref-fix' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:12 +0000 (14:19 +0900)

Merge branch 'jk/validate-headref-fix' into maint

Code clean-up.

* jk/validate-headref-fix:
validate_headref: use get_oid_hex for detached HEADs
validate_headref: use skip_prefix for symref parsing
validate_headref: NUL-terminate HEAD buffer

Merge branch 'ks/doc-use-camelcase-for-config-name... Junio C Hamano Wed, 18 Oct 2017 05:19:12 +0000 (14:19 +0900)

Merge branch 'ks/doc-use-camelcase-for-config-name' into maint

Doc update.

* ks/doc-use-camelcase-for-config-name:
doc: camelCase the config variables to improve readability

Merge branch 'jk/doc-read-tree-table-asciidoctor-fix... Junio C Hamano Wed, 18 Oct 2017 05:19:11 +0000 (14:19 +0900)

Merge branch 'jk/doc-read-tree-table-asciidoctor-fix' into maint

A docfix.

* jk/doc-read-tree-table-asciidoctor-fix:
doc: put literal block delimiter around table

Merge branch 'hn/typofix' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:11 +0000 (14:19 +0900)

Merge branch 'hn/typofix' into maint

* hn/typofix:
submodule.h: typofix

Merge branch 'ks/test-readme-phrasofix' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:10 +0000 (14:19 +0900)

Merge branch 'ks/test-readme-phrasofix' into maint

Doc updates.

* ks/test-readme-phrasofix:
t/README: fix typo and grammatically improve a sentence

Merge branch 'ez/doc-duplicated-words-fix' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:10 +0000 (14:19 +0900)

Merge branch 'ez/doc-duplicated-words-fix' into maint

Typofix.

* ez/doc-duplicated-words-fix:
doc: fix minor typos (extra/duplicated words)

Merge branch 'kd/doc-for-each-ref' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:10 +0000 (14:19 +0900)

Merge branch 'kd/doc-for-each-ref' into maint

Doc update.

* kd/doc-for-each-ref:
doc/for-each-ref: explicitly specify option names
doc/for-each-ref: consistently use '=' to between argument names and values

Merge branch 'cc/subprocess-handshake-missing-capabilit... Junio C Hamano Wed, 18 Oct 2017 05:19:10 +0000 (14:19 +0900)

Merge branch 'cc/subprocess-handshake-missing-capabilities' into maint

Finishing touches to a topic already in 'master'.

* cc/subprocess-handshake-missing-capabilities:
subprocess: loudly die when subprocess asks for an unsupported capability

Merge branch 'jk/system-path-cleanup' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:10 +0000 (14:19 +0900)

Merge branch 'jk/system-path-cleanup' into maint

Code clean-up.

* jk/system-path-cleanup:
git_extract_argv0_path: do nothing without RUNTIME_PREFIX
system_path: move RUNTIME_PREFIX to a sub-function

Merge branch 'bb/doc-eol-dirty' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:09 +0000 (14:19 +0900)

Merge branch 'bb/doc-eol-dirty' into maint

Doc update.

* bb/doc-eol-dirty:
Documentation: mention that `eol` can change the dirty status of paths

Merge branch 'mg/timestamp-t-fix' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:09 +0000 (14:19 +0900)

Merge branch 'mg/timestamp-t-fix' into maint

A mismerge fix.

* mg/timestamp-t-fix:
name-rev: change ULONG_MAX to TIME_MAX

Merge branch 'ma/pkt-line-leakfix' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:08 +0000 (14:19 +0900)

Merge branch 'ma/pkt-line-leakfix' into maint

A leakfix.

* ma/pkt-line-leakfix:
pkt-line: re-'static'-ify buffer in packet_write_fmt_1()

Merge branch 'jk/config-lockfile-leak-fix' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:07 +0000 (14:19 +0900)

Merge branch 'jk/config-lockfile-leak-fix' into maint

A leakfix.

* jk/config-lockfile-leak-fix:
config: use a static lock_file struct

Merge branch 'dw/diff-highlight-makefile-fix' into... Junio C Hamano Wed, 18 Oct 2017 05:19:07 +0000 (14:19 +0900)

Merge branch 'dw/diff-highlight-makefile-fix' into maint

Build clean-up.

* dw/diff-highlight-makefile-fix:
diff-highlight: add clean target to Makefile

Merge branch 'jk/drop-sha1-entry-pos' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:06 +0000 (14:19 +0900)

Merge branch 'jk/drop-sha1-entry-pos' into maint

Code clean-up.

* jk/drop-sha1-entry-pos:
sha1-lookup: remove sha1_entry_pos() from header file
sha1_file: drop experimental GIT_USE_LOOKUP search

Merge branch 'tb/ref-filter-empty-modifier' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:06 +0000 (14:19 +0900)

Merge branch 'tb/ref-filter-empty-modifier' into maint

In the "--format=..." option of the "git for-each-ref" command (and
its friends, i.e. the listing mode of "git branch/tag"), "%(atom:)"
(e.g. "%(refname:)", "%(body:)" used to error out. Instead, treat
them as if the colon and an empty string that follows it were not
there.

* tb/ref-filter-empty-modifier:
ref-filter.c: pass empty-string as NULL to atom parsers

Merge branch 'rb/compat-poll-fix' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:05 +0000 (14:19 +0900)

Merge branch 'rb/compat-poll-fix' into maint

Backports a moral equivalent of 2015 fix to the poll emulation from
the upstream gnulib to fix occasional breakages on HPE NonStop.

* rb/compat-poll-fix:
poll.c: always set revents, even if to zero

Merge branch 'tg/memfixes' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:04 +0000 (14:19 +0900)

Merge branch 'tg/memfixes' into maint

Fixes for a handful memory access issues identified by valgrind.

* tg/memfixes:
sub-process: use child_process.args instead of child_process.argv
http-push: fix construction of hex value from path
path.c: fix uninitialized memory access

Merge branch 'ar/request-pull-phrasofix' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:04 +0000 (14:19 +0900)

Merge branch 'ar/request-pull-phrasofix' into maint

Spell the name of our system as "Git" in the output from
request-pull script.

* ar/request-pull-phrasofix:
request-pull: capitalise "Git" to make it a proper noun

Merge branch 'jc/merge-x-theirs-docfix' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:03 +0000 (14:19 +0900)

Merge branch 'jc/merge-x-theirs-docfix' into maint

The documentation for '-X<option>' for merges was misleadingly
written to suggest that "-s theirs" exists, which is not the case.

* jc/merge-x-theirs-docfix:
merge-strategies: avoid implying that "-s theirs" exists

Merge branch 'rs/mailinfo-qp-decode-fix' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:03 +0000 (14:19 +0900)

Merge branch 'rs/mailinfo-qp-decode-fix' into maint

"git mailinfo" was loose in decoding quoted printable and produced
garbage when the two letters after the equal sign are not
hexadecimal. This has been fixed.

* rs/mailinfo-qp-decode-fix:
mailinfo: don't decode invalid =XY quoted-printable sequences

Merge branch 'ik/userdiff-html-h-element-fix' into... Junio C Hamano Wed, 18 Oct 2017 05:19:02 +0000 (14:19 +0900)

Merge branch 'ik/userdiff-html-h-element-fix' into maint

The built-in pattern to detect the "function header" for HTML did
not match <H1>..<H6> elements without any attributes, which has
been fixed.

* ik/userdiff-html-h-element-fix:
userdiff: fix HTML hunk header regexp

Merge branch 'jk/diff-blob' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:01 +0000 (14:19 +0900)

Merge branch 'jk/diff-blob' into maint

"git cat-file --textconv" started segfaulting recently, which
has been corrected.

* jk/diff-blob:
cat-file: handle NULL object_context.path

Merge branch 'jk/describe-omit-some-refs' into maintJunio C Hamano Wed, 18 Oct 2017 05:19:01 +0000 (14:19 +0900)

Merge branch 'jk/describe-omit-some-refs' into maint

"git describe --match" learned to take multiple patterns in v2.13
series, but the feature ignored the patterns after the first one
and did not work at all. This has been fixed.

* jk/describe-omit-some-refs:
describe: fix matching to actually match all patterns

Merge branch 'mh/for-each-string-list-item-empty-fix... Junio C Hamano Wed, 18 Oct 2017 05:19:00 +0000 (14:19 +0900)

Merge branch 'mh/for-each-string-list-item-empty-fix' into maint

Code cmp.std.c nitpick.

* mh/for-each-string-list-item-empty-fix:
for_each_string_list_item: avoid undefined behavior for empty list

Merge branch 'tb/test-lint-echo-e' into maintJunio C Hamano Wed, 18 Oct 2017 05:18:59 +0000 (14:18 +0900)

Merge branch 'tb/test-lint-echo-e' into maint

The test linter has been taught that we do not like "echo -e".

* tb/test-lint-echo-e:
test-lint: echo -e (or -E) is not portable

Merge branch 'aw/gc-lockfile-fscanf-fix' into maintJunio C Hamano Wed, 18 Oct 2017 05:18:59 +0000 (14:18 +0900)

Merge branch 'aw/gc-lockfile-fscanf-fix' into maint

"git gc" tries to avoid running two instances at the same time by
reading and writing pid/host from and to a lock file; it used to
use an incorrect fscanf() format when reading, which has been
corrected.

* aw/gc-lockfile-fscanf-fix:
gc: call fscanf() with %<len>s, not %<len>c, when reading hostname

Merge branch 'tg/refs-allowed-flags' into maintJunio C Hamano Wed, 18 Oct 2017 05:18:58 +0000 (14:18 +0900)

Merge branch 'tg/refs-allowed-flags' into maint

API error-proofing which happens to also squelch warnings from GCC.

* tg/refs-allowed-flags:
refs: strip out not allowed flags from ref_transaction_update

Merge branch 'rs/archive-excluded-directory' into maintJunio C Hamano Wed, 18 Oct 2017 05:18:58 +0000 (14:18 +0900)

Merge branch 'rs/archive-excluded-directory' into maint

"git archive", especially when used with pathspec, stored an empty
directory in its output, even though Git itself never does so.
This has been fixed.

* rs/archive-excluded-directory:
archive: don't add empty directories to archives

Merge branch 'rk/commit-tree-make-F-verbatim' into... Junio C Hamano Wed, 18 Oct 2017 05:18:58 +0000 (14:18 +0900)

Merge branch 'rk/commit-tree-make-F-verbatim' into maint

Unlike "git commit-tree < file", "git commit-tree -F file" did not
pass the contents of the file verbatim and instead completed an
incomplete line at the end, if exists. The latter has been updated
to match the behaviour of the former.

* rk/commit-tree-make-F-verbatim:
commit-tree: do not complete line in -F input

Merge branch 'mh/packed-ref-store-prep' into maintJunio C Hamano Wed, 18 Oct 2017 05:18:58 +0000 (14:18 +0900)

Merge branch 'mh/packed-ref-store-prep' into maint

Fix regression to "gitk --bisect" by a recent update.

* mh/packed-ref-store-prep:
rev-parse: don't trim bisect refnames

Merge branch 'mm/send-email-cc-cruft' into maintJunio C Hamano Wed, 18 Oct 2017 05:18:58 +0000 (14:18 +0900)

Merge branch 'mm/send-email-cc-cruft' into maint

In addition to "cc: <a@dd.re.ss> # cruft", "cc: a@dd.re.ss # cruft"
was taught to "git send-email" as a valid way to tell it that it
needs to also send a carbon copy to <a@dd.re.ss> in the trailer
section.

* mm/send-email-cc-cruft:
send-email: don't use Mail::Address, even if available
send-email: fix garbage removal after address

Merge branch 'rs/strbuf-getwholeline-fix' into maintJunio C Hamano Wed, 18 Oct 2017 05:18:57 +0000 (14:18 +0900)

Merge branch 'rs/strbuf-getwholeline-fix' into maint

A helper function to read a single whole line into strbuf
mistakenly triggered OOM error at EOF under certain conditions,
which has been fixed.

* rs/strbuf-getwholeline-fix:
strbuf: clear errno before calling getdelim(3)

ref-filter.c: pass empty-string as NULL to atom parsersTaylor Blau Mon, 2 Oct 2017 16:10:34 +0000 (09:10 -0700)

ref-filter.c: pass empty-string as NULL to atom parsers

Peff points out that different atom parsers handle the empty
"sub-argument" list differently. An example of this is the format
"%(refname:)".

Since callers often use `string_list_split` (which splits the empty
string with any delimiter as a 1-ary string_list containing the empty
string), this makes handling empty sub-argument strings non-ergonomic.

Let's fix this by declaring that atom parser implementations must
not care about distinguishing between the empty string "%(refname:)"
and no sub-arguments "%(refname)". Current code aborts, either with
"unrecognised arg" (e.g. "refname:") or "does not take args"
(e.g. "body:") as an error message.

Signed-off-by: Taylor Blau <me@ttaylorr.com>
Reviewed-by: Jeff King <peff@peff.net>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

strbuf doc: reuse after strbuf_release is fineJonathan Nieder Wed, 4 Oct 2017 02:39:54 +0000 (19:39 -0700)

strbuf doc: reuse after strbuf_release is fine

strbuf_release leaves the strbuf in a valid, initialized state, so
there is no need to call strbuf_init after it.

Moreover, this is not likely to change in the future: strbuf_release
leaving the strbuf in a valid state has been easy to maintain and has
been very helpful for Git's robustness and simplicity (e.g.,
preventing use-after-free vulnerabilities).

Document the semantics so the next generation of Git developers can
become familiar with them without reading the implementation. It is
still not advisable to call strbuf_release too often because it is
wasteful, so add a note pointing to strbuf_reset for that.

The same semantics apply to strbuf_detach. Add a similar note to its
docstring to make that clear.

Improved-by: Jeff King <peff@peff.net>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

sub-process: use child_process.args instead of child_pr... Johannes Sixt Tue, 3 Oct 2017 20:24:57 +0000 (22:24 +0200)

sub-process: use child_process.args instead of child_process.argv

Currently the argv is only allocated on the stack, and then assigned to
process->argv. When the start_subprocess function goes out of scope,
the local argv variable is eliminated from the stack, but the pointer is
still kept around in process->argv.

Much later when we try to access the same process->argv in
finish_command, this leads us to access a memory location that no longer
contains what we want. As argv0 is only used for printing errors, this
is not easily noticed in normal git operations. However when running
t0021-conversion.sh through valgrind, valgrind rightfully complains:

==21024== Invalid read of size 8
==21024== at 0x2ACF64: finish_command (run-command.c:869)
==21024== by 0x2D6B18: subprocess_exit_handler (sub-process.c:72)
==21024== by 0x2AB41E: cleanup_children (run-command.c:45)
==21024== by 0x2AB526: cleanup_children_on_exit (run-command.c:81)
==21024== by 0x54AD487: __run_exit_handlers (in /usr/lib/libc-2.26.so)
==21024== by 0x54AD4D9: exit (in /usr/lib/libc-2.26.so)
==21024== by 0x11A9EF: handle_builtin (git.c:550)
==21024== by 0x11ABCC: run_argv (git.c:602)
==21024== by 0x11AD8E: cmd_main (git.c:679)
==21024== by 0x1BF125: main (common-main.c:43)
==21024== Address 0x1ffeffec00 is on thread 1's stack
==21024== 1504 bytes below stack pointer
==21024==

These days, the child_process structure has its own args array, and
the standard way to set up its argv[] is to use that one, instead of
assigning to process->argv to point at an array that is outside.
Use that facility automatically fixes this issue.

Reported-by: Thomas Gummerer <t.gummerer@gmail.com>
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

http-push: fix construction of hex value from pathThomas Gummerer Tue, 3 Oct 2017 19:57:12 +0000 (20:57 +0100)

http-push: fix construction of hex value from path

The get_oid_hex_from_objpath takes care of creating a oid from a
pathname. It does this by memcpy'ing the first two bytes of the path to
the "hex" string, then skipping the '/', and then copying the rest of the
path to the "hex" string. Currently it fails to increase the pointer to
the hex string, so the second memcpy invocation just mashes over what
was copied in the first one, and leaves the last two bytes in the string
uninitialized.

This breaks valgrind in t5540, although the test passes without
valgrind:

==5490== Use of uninitialised value of size 8
==5490== at 0x13C6B5: hexval (cache.h:1238)
==5490== by 0x13C6DB: hex2chr (cache.h:1247)
==5490== by 0x13C734: get_sha1_hex (hex.c:42)
==5490== by 0x13C78E: get_oid_hex (hex.c:53)
==5490== by 0x118BDA: get_oid_hex_from_objpath (http-push.c:1023)
==5490== by 0x118C92: process_ls_object (http-push.c:1038)
==5490== by 0x118E5B: handle_remote_ls_ctx (http-push.c:1077)
==5490== by 0x118227: xml_end_tag (http-push.c:815)
==5490== by 0x50C1448: ??? (in /usr/lib/libexpat.so.1.6.6)
==5490== by 0x50C221B: ??? (in /usr/lib/libexpat.so.1.6.6)
==5490== by 0x50BFBF2: ??? (in /usr/lib/libexpat.so.1.6.6)
==5490== by 0x50C0B24: ??? (in /usr/lib/libexpat.so.1.6.6)
==5490== Uninitialised value was created by a stack allocation
==5490== at 0x118B63: get_oid_hex_from_objpath (http-push.c:1012)
==5490==

Fix this by correctly incrementing the pointer to the "hex" variable, so
the first two bytes are left untouched by the memcpy call, and the last
two bytes are correctly initialized.

Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

path.c: fix uninitialized memory accessJeff King Tue, 3 Oct 2017 23:30:40 +0000 (19:30 -0400)

path.c: fix uninitialized memory access

In cleanup_path we're passing in a char array, run a memcmp on it, and
run through it without ever checking if something is in the array in the
first place. This can lead us to access uninitialized memory, for
example in t5541-http-push-smart.sh test 7, when run under valgrind:

==4423== Conditional jump or move depends on uninitialised value(s)
==4423== at 0x242FA9: cleanup_path (path.c:35)
==4423== by 0x242FA9: mkpath (path.c:456)
==4423== by 0x256CC7: refname_match (refs.c:364)
==4423== by 0x26C181: count_refspec_match (remote.c:1015)
==4423== by 0x26C181: match_explicit_lhs (remote.c:1126)
==4423== by 0x26C181: check_push_refs (remote.c:1409)
==4423== by 0x2ABB4D: transport_push (transport.c:870)
==4423== by 0x186703: push_with_options (push.c:332)
==4423== by 0x18746D: do_push (push.c:409)
==4423== by 0x18746D: cmd_push (push.c:566)
==4423== by 0x1183E0: run_builtin (git.c:352)
==4423== by 0x11973E: handle_builtin (git.c:539)
==4423== by 0x11973E: run_argv (git.c:593)
==4423== by 0x11973E: main (git.c:698)
==4423== Uninitialised value was created by a heap allocation
==4423== at 0x4C2CD8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4423== by 0x4C2F195: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4423== by 0x2C196B: xrealloc (wrapper.c:137)
==4423== by 0x29A30B: strbuf_grow (strbuf.c:66)
==4423== by 0x29A30B: strbuf_vaddf (strbuf.c:277)
==4423== by 0x242F9F: mkpath (path.c:454)
==4423== by 0x256CC7: refname_match (refs.c:364)
==4423== by 0x26C181: count_refspec_match (remote.c:1015)
==4423== by 0x26C181: match_explicit_lhs (remote.c:1126)
==4423== by 0x26C181: check_push_refs (remote.c:1409)
==4423== by 0x2ABB4D: transport_push (transport.c:870)
==4423== by 0x186703: push_with_options (push.c:332)
==4423== by 0x18746D: do_push (push.c:409)
==4423== by 0x18746D: cmd_push (push.c:566)
==4423== by 0x1183E0: run_builtin (git.c:352)
==4423== by 0x11973E: handle_builtin (git.c:539)
==4423== by 0x11973E: run_argv (git.c:593)
==4423== by 0x11973E: main (git.c:698)
==4423==

Avoid this by using skip_prefix(), which knows not to go beyond the
end of the string.

Reported-by: Thomas Gummerer <t.gummerer@gmail.com>
Signed-off-by: Jeff King <peff@peff.net>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

test-stringlist: avoid buffer underrun when sorting... René Scharfe Tue, 3 Oct 2017 14:36:40 +0000 (16:36 +0200)

test-stringlist: avoid buffer underrun when sorting nothing

Check if the strbuf containing data to sort is empty before attempting
to trim a trailing newline character.

Signed-off-by: Rene Scharfe <l.s.r@web.de>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

request-pull: capitalise "Git" to make it a proper... Ann T Ropea Tue, 3 Oct 2017 00:08:38 +0000 (00:08 +0000)

request-pull: capitalise "Git" to make it a proper noun

Of the many ways to spell the three-letter word, the variant "Git"
should be used when referring to a repository in a description; or, in
general, when it is used as a proper noun.

We thus change the pull-request template message so that it reads

"...in the Git repository at:"

Besides, this brings us in line with the documentation, see
Documentation/howto/using-signed-tag-in-pull-request.txt

Signed-off-by: Ann T Ropea <bedhanger@gmx.de>
Acked-by: Jonathan Nieder <jrnieder@gmail.com>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

run-command: use ALLOC_ARRAYRené Scharfe Sun, 1 Oct 2017 15:14:31 +0000 (17:14 +0200)

run-command: use ALLOC_ARRAY

Use the macro ALLOC_ARRAY to allocate an array. This is shorter and
easier, as it automatically infers the size of elements.

Patch generated with Coccinelle and contrib/coccinelle/array.cocci.

Signeg-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

tag: avoid NULL pointer arithmeticRené Scharfe Sun, 1 Oct 2017 14:45:13 +0000 (16:45 +0200)

tag: avoid NULL pointer arithmetic

lookup_blob() etc. can return NULL if the referenced object isn't of the
expected type. In theory it's wrong to reference the object member in
that case. In practice it's OK because it's located at offset 0 for all
types, so the pointer arithmetic (NULL + 0) is optimized out by the
compiler. The issue is reported by Clang's AddressSanitizer, though.

Avoid the ASan error by casting the results of the lookup functions to
struct object pointers. That works fine with NULL pointers as well. We
already rely on the object member being first in all object types in
other places in the code.

Signed-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

coccinelle: remove parentheses that become unnecessaryRené Scharfe Sun, 1 Oct 2017 15:12:08 +0000 (17:12 +0200)

coccinelle: remove parentheses that become unnecessary

Transformations that hide multiplications can end up with an pair of
parentheses that is no longer needed. E.g. with a rule like this:

@@
expression E;
@@
- E * 2
+ double(E)

... we might get a patch like this:

- x = (a + b) * 2;
+ x = double((a + b));

Add a pair of parentheses to the preimage side of such rules.
Coccinelle will generate patches that remove them if they are present,
and it will still match expressions that lack them.

Signed-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

poll.c: always set revents, even if to zeroRandall S. Becker Thu, 28 Sep 2017 22:47:17 +0000 (07:47 +0900)

poll.c: always set revents, even if to zero

Match what is done to pfd[i].revents when compute_revents() returns
0 to the upstream gnulib's commit d42461c3 ("poll: fixes for large
fds", 2015-02-20). The revents field is set to 0, without
incrementing the value rc to be returned from the function. The
original code left the field to whatever random value the field was
initialized to.

This fixes occasional hangs in git-upload-pack on HPE NonStop.

Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

doc: correct command formattingAdam Dinwoodie Thu, 28 Sep 2017 14:06:48 +0000 (15:06 +0100)

doc: correct command formatting

Leaving spaces around the `-delimeters for commands means asciidoc fails
to parse them as the start of a literal string. Remove an extraneous
space that is causing a literal to not be formatted as such.

Signed-off-by: Adam Dinwoodie <adam@dinwoodie.org>
Acked-by: Andreas Heiduk <asheiduk@gmail.com>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

validate_headref: use get_oid_hex for detached HEADsJeff King Wed, 27 Sep 2017 06:17:36 +0000 (02:17 -0400)

validate_headref: use get_oid_hex for detached HEADs

If a candidate HEAD isn't a symref, we check that it
contains a viable sha1. But in a post-sha1 world, we should
be checking whether it has any plausible object-id.

We can do that by switching to get_oid_hex().

Note that both before and after this patch, we only check
for a plausible object id at the start of the file, and then
call that good enough. We ignore any content _after_ the
hex, so a string like:

0123456789012345678901234567890123456789 foo

is accepted. Though we do put extra bytes like this into
some pseudorefs (e.g., FETCH_HEAD), we don't typically do so
with HEAD. We could tighten this up by using parse_oid_hex(),
like:

if (!parse_oid_hex(buffer, &oid, &end) &&
*end++ == '\n' && *end == '\0')
return 0;

But we're probably better to remain on the loose side. We're
just checking here for a plausible-looking repository
directory, so heuristics are acceptable (if we really want
to be meticulous, we should use the actual ref code to parse
HEAD).

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

validate_headref: use skip_prefix for symref parsingJeff King Wed, 27 Sep 2017 06:17:26 +0000 (02:17 -0400)

validate_headref: use skip_prefix for symref parsing

Since the previous commit guarantees that our symref buffer
is NUL-terminated, we can just use skip_prefix() and friends
to parse it. This is shorter and saves us having to deal
with magic numbers and keeping the "len" counter up to date.

While we're at it, let's name the rather obscure "buf" to
"refname", since that is the thing we are parsing with it.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

validate_headref: NUL-terminate HEAD bufferJeff King Wed, 27 Sep 2017 06:17:23 +0000 (02:17 -0400)

validate_headref: NUL-terminate HEAD buffer

When we are checking to see if we have a git repo, we peek
into the HEAD file and see if it's a plausible symlink,
symref, or detached HEAD.

For the latter two, we read the contents with read_in_full(),
which means they aren't NUL-terminated. The symref check is
careful to respect the length we got, but the sha1 check
will happily parse up to 40 bytes, even if we read fewer.

E.g.,:

echo 1234 >.git/HEAD
git rev-parse

will parse 36 uninitialized bytes from our stack buffer.

This isn't a big deal in practice. Our buffer is 256 bytes,
so we know we'll never read outside of it. The worst case is
that the uninitialized bytes look like valid hex, and we
claim a bogus HEAD file is valid. The chances of this
happening randomly are quite slim, but let's be careful.

One option would be to check that "len == 41" before feeding
the buffer to get_sha1_hex(). But we'd like to eventually
prepare for a world with variable-length hashes. Let's
NUL-terminate as soon as we've read the buffer (we already
even leave a spare byte to do so!). That fixes this problem
without depending on the size of an object id.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

docs: improve discoverability of exclude pathspecManav Rathi Mon, 25 Sep 2017 08:09:00 +0000 (13:39 +0530)

docs: improve discoverability of exclude pathspec

The ability to exclude paths with a negative pathspec is not mentioned
in the man pages for git grep and other commands where it might be
useful.

Add an example and a pointer to the pathspec glossary entry in the man
page for git grep to help the user to discover this ability.

Add similar pointers from the git-add and git-status man pages.

Additionally,

- Add a test for the behaviour when multiple exclusions are present.
- Add a test for the ^ alias.
- Improve name of existing test.
- Improve grammar in glossary description of the exclude pathspec.

Helped-by: Junio C Hamano <gitster@pobox.com>
Signed-off-by: Manav Rathi <mnvrth@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

doc: camelCase the config variables to improve readabilityKaartic Sivaraam Sat, 23 Sep 2017 04:56:17 +0000 (10:26 +0530)

doc: camelCase the config variables to improve readability

References to multi-word configuration variable names in our
documentation must consistently use camelCase to highlight where
the word boundaries are, even though these are treated case
insensitively.

Fix a few places that spell them in all lowercase, which makes
them harder to read.

Signed-off-by: Kaartic Sivaraam <kaarticsivaraam91196@gmail.com>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

merge-strategies: avoid implying that "-s theirs" existsJunio C Hamano Mon, 25 Sep 2017 05:34:23 +0000 (14:34 +0900)

merge-strategies: avoid implying that "-s theirs" exists

The description of `-Xours` merge option has a parenthetical note
that tells the readers that it is very different from `-s ours`,
which is correct, but the description of `-Xtheirs` that follows it
carelessly says "this is the opposite of `ours`", giving a false
impression that the readers also need to be warned that it is very
different from `-s theirs`, which in reality does not even exist.

Clarify it a bit to avoid misleading readers.

Signed-off-by: Junio C Hamano <gitster@pobox.com>

mailinfo: don't decode invalid =XY quoted-printable... René Scharfe Sat, 23 Sep 2017 18:04:40 +0000 (20:04 +0200)

mailinfo: don't decode invalid =XY quoted-printable sequences

Decode =XY in quoted-printable segments only if X and Y are hexadecimal
digits, otherwise just copy them. That's at least better than
interpreting negative results from hexval() as a character.

Reported-by: Jeff King <peff@peff.net>
Signed-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

userdiff: fix HTML hunk header regexpIlya Kantor Sat, 23 Sep 2017 07:53:47 +0000 (10:53 +0300)

userdiff: fix HTML hunk header regexp

Current HTML header regexp doesn't match headers without attributes.

So it fails to match <h1>...</h1>, while <h1 class="smth">...</h1> matches.

Make attributes optional to fix this. The regexp is still far from
perfect, but now it at least handles the common case.

Signed-off-by: Ilya Kantor <iliakan@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

doc: put literal block delimiter around tableJeff King Sat, 23 Sep 2017 05:55:26 +0000 (01:55 -0400)

doc: put literal block delimiter around table

The git-read-tree manpage has a table that is meant to
be shown with its spacing exactly as it is in the source. We
mark it as a "literal paragraph" by indenting each line by
at least one space. This renders OK with asciidoc for both
the HTML and manpage versions.

But there are two problems when we render it with
asciidoctor.

The first is that some lines mix tabs and spaces. Even if
asciidoctor is correctly configured for 8-space tabs, it
seems to handle this case differently, soaking up some of
the initial literal-paragraph spaces and mis-aligning the
table text.

The second problem is that the table uses blank lines to
group rows. But as blank lines separate paragraphs in
asciidoc, this actually means that each chunk of the table
is rendered in its own pre-formatted <div> block. This
happens even with vanilla asciidoc, but there's no visible
result because the literal paragraphs aren't styled in any
special way. But with asciidoctor (or at least the styles
used on git-scm.com), literal paragraphs are styled with a
different background. This breaks the table into a visually
distracting sequence of chunks.

We can fix both by adding a literal-paragraph block
delimiter. That turns the whole table into a single block
(for both implementations) and causes asciidoctor to render
the indentation as it is in the source.

Reported-at: https://github.com/git/git-scm.com/issues/1023
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

Git 2.14.2 v2.14.2Junio C Hamano Fri, 22 Sep 2017 05:51:37 +0000 (14:51 +0900)

Git 2.14.2

Signed-off-by: Junio C Hamano <gitster@pobox.com>

Sync with 2.13.6Junio C Hamano Fri, 22 Sep 2017 05:50:02 +0000 (14:50 +0900)

Sync with 2.13.6

Signed-off-by: Junio C Hamano <gitster@pobox.com>

Git 2.13.6 v2.13.6Junio C Hamano Fri, 22 Sep 2017 05:49:24 +0000 (14:49 +0900)

Git 2.13.6

Signed-off-by: Junio C Hamano <gitster@pobox.com>

Sync with 2.12.5Junio C Hamano Fri, 22 Sep 2017 05:48:08 +0000 (14:48 +0900)

Sync with 2.12.5

Signed-off-by: Junio C Hamano <gitster@pobox.com>

Git 2.12.5 v2.12.5Junio C Hamano Fri, 22 Sep 2017 05:47:41 +0000 (14:47 +0900)

Git 2.12.5

Signed-off-by: Junio C Hamano <gitster@pobox.com>

Sync with 2.11.4Junio C Hamano Fri, 22 Sep 2017 05:45:30 +0000 (14:45 +0900)

Sync with 2.11.4

Signed-off-by: Junio C Hamano <gitster@pobox.com>

Git 2.11.4 v2.11.4Junio C Hamano Fri, 22 Sep 2017 05:44:45 +0000 (14:44 +0900)

Git 2.11.4

Signed-off-by: Junio C Hamano <gitster@pobox.com>

Sync with 2.10.5Junio C Hamano Fri, 22 Sep 2017 05:43:13 +0000 (14:43 +0900)

Sync with 2.10.5

Signed-off-by: Junio C Hamano <gitster@pobox.com>

Git 2.10.5 v2.10.5Junio C Hamano Fri, 22 Sep 2017 05:42:22 +0000 (14:42 +0900)

Git 2.10.5

Signed-off-by: Junio C Hamano <gitster@pobox.com>

Merge branch 'jk/safe-pipe-capture' into maint-2.10Junio C Hamano Fri, 22 Sep 2017 05:34:34 +0000 (14:34 +0900)

Merge branch 'jk/safe-pipe-capture' into maint-2.10

Merge branch 'jk/cvsimport-quoting' into maint-2.10Junio C Hamano Fri, 22 Sep 2017 05:34:34 +0000 (14:34 +0900)

Merge branch 'jk/cvsimport-quoting' into maint-2.10

Merge branch 'jc/cvsserver' into maint-2.10Junio C Hamano Fri, 22 Sep 2017 05:34:34 +0000 (14:34 +0900)

Merge branch 'jc/cvsserver' into maint-2.10

Merge branch 'jk/git-shell-drop-cvsserver' into maint... Junio C Hamano Fri, 22 Sep 2017 05:34:34 +0000 (14:34 +0900)

Merge branch 'jk/git-shell-drop-cvsserver' into maint-2.10

cat-file: handle NULL object_context.pathJeff King Thu, 21 Sep 2017 06:21:40 +0000 (02:21 -0400)

cat-file: handle NULL object_context.path

Commit dc944b65f1 (get_sha1_with_context: dynamically
allocate oc->path, 2017-05-19) changed the rules that
callers must follow for seeing if we parsed a path in the
object name. The rules switched from "check if the oc.path
buffer is empty" to "check if the oc.path pointer is NULL".
But that commit forgot to update some sites in
cat_one_file(), meaning we might dereference a NULL pointer.

You can see this by making a path-aware request like
--textconv without specifying --path, and giving an object
name that doesn't have a path in it. Like:

git cat-file --textconv HEAD

which will reliably segfault.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

submodule.h: typofixHan-Wen Nienhuys Thu, 21 Sep 2017 12:43:37 +0000 (14:43 +0200)

submodule.h: typofix

Signed-off-by: Han-Wen Nienhuys <hanwen@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

test-lint: echo -e (or -E) is not portableTorsten Bögershausen Sun, 17 Sep 2017 05:43:18 +0000 (07:43 +0200)

test-lint: echo -e (or -E) is not portable

Some implementations of `echo` support the '-e' option to enable
backslash interpretation of the following string.
As an addition, they support '-E' to turn it off.

However, none of these are portable, POSIX doesn't even mention them,
and many implementations don't support them.

A check for '-n' is already done in check-non-portable-shell.pl,
extend it to cover '-n', '-e' or '-E'.

Signed-off-by: Torsten Bögershausen <tboegi@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

for_each_string_list_item: avoid undefined behavior... Michael Haggerty Wed, 20 Sep 2017 05:27:05 +0000 (22:27 -0700)

for_each_string_list_item: avoid undefined behavior for empty list

If you pass a newly initialized or newly cleared `string_list` to
`for_each_string_list_item()`, then the latter does

for (
item = (list)->items; /* NULL */
item < (list)->items + (list)->nr; /* NULL + 0 */
++item)

Even though this probably works almost everywhere, it is undefined
behavior, and it could plausibly cause highly-optimizing compilers to
misbehave. C99 section 6.5.6 paragraph 8 explains:

If both the pointer operand and the result point to elements
of the same array object, or one past the last element of the
array object, the evaluation shall not produce an overflow;
otherwise, the behavior is undefined.

and (6.3.2.3.3) a null pointer does not point to anything.

Guard the loop with a NULL check to make the intent crystal clear to
even the most pedantic compiler. A suitably clever compiler could let
the NULL check only run in the first iteration, but regardless, this
overhead is likely to be dwarfed by the work to be done on each item.

This problem was noticed by Coverity.

[jn: using a NULL check instead of a placeholder empty list;
fleshed out the commit message based on mailing list discussion]

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

t/README: fix typo and grammatically improve a sentenceKaartic Sivaraam Sun, 17 Sep 2017 10:18:15 +0000 (10:18 +0000)

t/README: fix typo and grammatically improve a sentence

Signed-off-by: Kaartic Sivaraam <kaarticsivaraam91196@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

gc: call fscanf() with %<len>s, not %<len>c, when readi... Junio C Hamano Sun, 17 Sep 2017 03:16:55 +0000 (12:16 +0900)

gc: call fscanf() with %<len>s, not %<len>c, when reading hostname

Earlier in this codepath, we (ab)used "%<len>c" to read the hostname
recorded in the lockfile into locking_host[HOST_NAME_MAX + 1] while
substituting <len> with the actual value of HOST_NAME_MAX.

This turns out to be incorrect, as it is an instruction to read
exactly the specified number of bytes. Because we are trying to
read at most that many bytes, we should be using "%<len>s" instead.

Helped-by: A. Wilcox <awilfox@adelielinux.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

describe: fix matching to actually match all patternsMax Kirillov Sat, 16 Sep 2017 05:53:44 +0000 (08:53 +0300)

describe: fix matching to actually match all patterns

`git describe --match` with multiple patterns matches only first pattern.
If it fails, next patterns are not tried.

Fix it, add test cases and update existing test which has wrong
expectation.

Signed-off-by: Max Kirillov <max@max630.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

doc: fix minor typos (extra/duplicated words)Evan Zacks Tue, 12 Sep 2017 22:58:39 +0000 (15:58 -0700)

doc: fix minor typos (extra/duplicated words)

Following are several fixes for duplicated words ("of of") and one
case where an extra article ("a") slipped in.

Signed-off-by: Evan Zacks <zackse@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

archive: don't add empty directories to archivesRené Scharfe Tue, 12 Sep 2017 22:43:57 +0000 (00:43 +0200)

archive: don't add empty directories to archives

While git doesn't track empty directories, git archive can be tricked
into putting some into archives. One way is to construct an empty tree
object, as t5004 does. While that is supported by the object database,
it can't be represented in the index and thus it's unlikely to occur in
the wild.

Another way is using the literal name of a directory in an exclude
pathspec -- its contents are are excluded, but the directory stub is
included. That's inconsistent: exclude pathspecs containing wildcards
don't leave empty directories in the archive.

Yet another way is have a few levels of nested subdirectories (e.g.
d1/d2/d3/file1) and ignoring the entries at the leaves (e.g. file1).
The directories with the ignored content are ignored as well (e.g. d3),
but their empty parents are included (e.g. d2).

As empty directories are not supported by git, they should also not be
written into archives. If an empty directory is really needed then it
can be tracked and archived by placing an empty .gitignore file in it.

There already is a mechanism in place for suppressing empty directories.
When read_tree_recursive() encounters a directory excluded by a pathspec
then it enters it anyway because it might contain included entries. It
calls the callback function before it is able to decide if the directory
is actually needed. For that reason git archive adds directories to a
queue and writes entries for them only when it encounters the first
child item -- but currently only if pathspecs with wildcards are used.

Queue *all* directories, no matter if there even are pathspecs present.
This prevents git archive from writing entries for empty directories in
all cases.

Suggested-by: Jeff King <peff@peff.net>
Signed-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

refs: strip out not allowed flags from ref_transaction_... Thomas Gummerer Tue, 12 Sep 2017 22:59:21 +0000 (23:59 +0100)

refs: strip out not allowed flags from ref_transaction_update

Callers are only allowed to pass certain flags into
ref_transaction_update, other flags are internal to it. To prevent
mistakes from the callers, strip the internal only flags out before
continuing.

This was noticed because of a compiler warning gcc 7.1.1 issued about
passing a NULL parameter as second parameter to memcpy (through
hashcpy):

In file included from refs.c:5:0:
refs.c: In function ‘ref_transaction_verify’:
cache.h:948:2: error: argument 2 null where non-null expected [-Werror=nonnull]
memcpy(sha_dst, sha_src, GIT_SHA1_RAWSZ);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from git-compat-util.h:165:0,
from cache.h:4,
from refs.c:5:
/usr/include/string.h:43:14: note: in a call to function ‘memcpy’ declared here
extern void *memcpy (void *__restrict __dest, const void *__restrict __src,
^~~~~~

The call to hascpy in ref_transaction_add_update is protected by the
passed in flags, but as we only add flags there, gcc notices
REF_HAVE_NEW or REF_HAVE_OLD flags could be passed in from the outside,
which would potentially result in passing in NULL as second parameter to
memcpy.

Fix both the compiler warning, and make the interface safer for its
users by stripping the internal flags out.

Suggested-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

doc/for-each-ref: explicitly specify option namesKevin Daudt Mon, 11 Sep 2017 19:33:38 +0000 (21:33 +0200)

doc/for-each-ref: explicitly specify option names

For count, sort and format, only the argument names were listed under
OPTIONS, not the option names.

Add the option names to make it clear the options exist

Signed-off-by: Kevin Daudt <me@ikke.info>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

doc/for-each-ref: consistently use '=' to between argum... Kevin Daudt Mon, 11 Sep 2017 19:33:37 +0000 (21:33 +0200)

doc/for-each-ref: consistently use '=' to between argument names and values

The synopsis and description inconsistently add a '=' between the
argument name and it's value. Make this consistent.

Signed-off-by: Kevin Daudt <me@ikke.info>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

cvsimport: shell-quote variable used in backticksJeff King Mon, 11 Sep 2017 14:24:26 +0000 (10:24 -0400)

cvsimport: shell-quote variable used in backticks

We run `git rev-parse` though the shell, and quote its
argument only with single-quotes. This prevents most
metacharacters from being a problem, but misses the obvious
case when $name itself has single-quotes in it. We can fix
this by applying the usual shell-quoting formula.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

archimport: use safe_pipe_capture for user inputJeff King Mon, 11 Sep 2017 14:24:11 +0000 (10:24 -0400)

archimport: use safe_pipe_capture for user input

Refnames can contain shell metacharacters which need to be
passed verbatim to sub-processes. Using safe_pipe_capture
skips the shell entirely.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

shell: drop git-cvsserver support by defaultJeff King Mon, 11 Sep 2017 15:27:51 +0000 (11:27 -0400)

shell: drop git-cvsserver support by default

The git-cvsserver script is old and largely unmaintained
these days. But git-shell allows untrusted users to run it
out of the box, significantly increasing its attack surface.

Let's drop it from git-shell's list of internal handlers so
that it cannot be run by default. This is not backwards
compatible. But given the age and development activity on
CVS-related parts of Git, this is likely to impact very few
users, while helping many more (i.e., anybody who runs
git-shell and had no intention of supporting CVS).

There's no configuration mechanism in git-shell for us to
add a boolean and flip it to "off". But there is a mechanism
for adding custom commands, and adding CVS support here is
fairly trivial. Let's document it to give guidance to
anybody who really is still running cvsserver.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

cvsserver: use safe_pipe_capture for `constant commands... Junio C Hamano Mon, 11 Sep 2017 05:45:54 +0000 (14:45 +0900)

cvsserver: use safe_pipe_capture for `constant commands` as well

This is not strictly necessary, but it is a good code hygiene.

Signed-off-by: Junio C Hamano <gitster@pobox.com>

cvsserver: use safe_pipe_capture instead of backticksjoernchen Mon, 11 Sep 2017 05:45:09 +0000 (14:45 +0900)

cvsserver: use safe_pipe_capture instead of backticks

This makes the script pass arguments that are derived from end-user
input in safer way when invoking subcommands.

Reported-by: joernchen <joernchen@phenoelit.de>
Signed-off-by: joernchen <joernchen@phenoelit.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

cvsserver: move safe_pipe_capture() to the main packageJunio C Hamano Mon, 11 Sep 2017 05:44:24 +0000 (14:44 +0900)

cvsserver: move safe_pipe_capture() to the main package

As a preparation for replacing `command` with a call to this
function from outside GITCVS::updater package, move it to the main
package.

Signed-off-by: Junio C Hamano <gitster@pobox.com>

subprocess: loudly die when subprocess asks for an... Junio C Hamano Mon, 11 Sep 2017 03:21:29 +0000 (12:21 +0900)

subprocess: loudly die when subprocess asks for an unsupported capability

The handshake_capabilities() function first advertises the set of
capabilities it supports, so that the other side can pick and choose
which ones to use and ask us to enable in its response. Then we
read the response that tells us what choice the other side made. If
we saw something that we never advertised, that indicates one of two
things. The other side, i.e. the "upgraded" filter, is not paying
attention of the capabilities advertisement, and asking something
its correct operation relies on, but we are not capable of giving
that unknown feature and operate without it, so after that point the
exchange of data is a garbage-in-garbage-out. Or the other side
wanted to ask for one of the capabilities we advertised, but the
code has typo and their wish to enable a capability that its correct
operation relies on is not understood on this end. The result is
the same garbage-in-garbage-out.

Instead of sweeping such a potential bug under the rug, die loudly
when we see a request for an unsupported capability in order to
force sloppily-written filter scripts to get corrected.

Signed-off-by: Junio C Hamano <gitster@pobox.com>

RelNotes: further fixes for 2.14.2 from the master... Junio C Hamano Sun, 10 Sep 2017 08:06:09 +0000 (17:06 +0900)

RelNotes: further fixes for 2.14.2 from the master front

Signed-off-by: Junio C Hamano <gitster@pobox.com>

Merge branch 'jt/doc-pack-objects-fix' into maintJunio C Hamano Sun, 10 Sep 2017 08:03:10 +0000 (17:03 +0900)

Merge branch 'jt/doc-pack-objects-fix' into maint

Doc updates.

* jt/doc-pack-objects-fix:
Doc: clarify that pack-objects makes packs, plural

Merge branch 'jn/vcs-svn-cleanup' into maintJunio C Hamano Sun, 10 Sep 2017 08:03:09 +0000 (17:03 +0900)

Merge branch 'jn/vcs-svn-cleanup' into maint

Code clean-up.

* jn/vcs-svn-cleanup:
vcs-svn: move remaining repo_tree functions to fast_export.h
vcs-svn: remove repo_delete wrapper function
vcs-svn: remove custom mode constants
vcs-svn: remove more unused prototypes and declarations

Merge branch 'bc/vcs-svn-cleanup' into maintJunio C Hamano Sun, 10 Sep 2017 08:03:08 +0000 (17:03 +0900)

Merge branch 'bc/vcs-svn-cleanup' into maint

Code clean-up.

* bc/vcs-svn-cleanup:
vcs-svn: rename repo functions to "svn_repo"
vcs-svn: remove unused prototypes

Merge branch 'jk/doc-the-this' into maintJunio C Hamano Sun, 10 Sep 2017 08:03:07 +0000 (17:03 +0900)

Merge branch 'jk/doc-the-this' into maint

Doc clean-up.

* jk/doc-the-this:
doc: fix typo in sendemail.identity

Merge branch 'rs/commit-h-single-parent-cleanup' into... Junio C Hamano Sun, 10 Sep 2017 08:03:07 +0000 (17:03 +0900)

Merge branch 'rs/commit-h-single-parent-cleanup' into maint

Code clean-up.

* rs/commit-h-single-parent-cleanup:
commit: remove unused inline function single_parent()

Merge branch 'mg/format-ref-doc-fix' into maintJunio C Hamano Sun, 10 Sep 2017 08:03:06 +0000 (17:03 +0900)

Merge branch 'mg/format-ref-doc-fix' into maint

Doc fix.

* mg/format-ref-doc-fix:
Documentation/git-for-each-ref: clarify peeling of tags for --format
Documentation: use proper wording for ref format strings