this patch fixes a 1-byte overflow in update-cache.c (probably not
exploitable). A specially crafted db object might trigger this overflow.
the bug is that normally the 'type' field is parsed by read_sha1_file(),
via:
if (sscanf(buffer, "%10s %lu", type, size) != 2)
i.e. 0-10 long strings, which take 1-11 bytes of space. Normally the
type strings are stored in char [20] arrays, but in update-cache.c that
is char [10], so a 1 byte overflow might occur.
This should not happen with a 'friendly' DB, as the longest type string
("commit") is 7 bytes long. The fix is to use the customary char [20].
(someone might want to clean those open-coded constants up with a
TYPE_LEN define, they do tend to cause problems like this. I'm not
against open-coded constants (they make code much more readable), but
for fields that get filled in from possibly hostile objects this is
playing with fire.)
hey, this might be the first true security fix for GIT? ;-)
Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Petr Baudis <pasky@ucw.cz>
git-merge-cache -o does all the automerges in a single shot
When you pass git-merge-cache the -o option, it tries to do all the
automatic merges and possibly return error if any of them failed, instead
of the default behaviour of failing immediately after the first failed
automatic merge.
Ported from the Cogito branch - Cogito needs this behaviour.
Mark the variable declarations in .h files as extern
This allows git to be built even with linkers which are not smart enough
to join those symbols, and makes this correct C. Pointed out by several
people.
Link with -lcrypto instead of -lssl when using openssl libraries.
Mark Allen had trouble with building GIT on his Darwin and
posted a patch to link with -lcrypto instead of -lssl on Darwin.
Later Daniel Barkalow suggested to change it for everybody who
uses openssl, because the relevant functionality is in -lcrypto
not in -lssl, and the current linking happens to work only
because -lssl pulls in -lcrypto.
Do not report size of the object that cannot be written in local-pull.c
Reporting st.st_size with %ld is simply wrong, as H Peter Anvin
says. No other pull drivers report the failure with size
anyway, so yank it out. This is a cop-out patch but should be
good enough.
During the mailing list discussion on renaming GIT_ environment
variables, people felt that having one environment that lets the
user (or Porcelain) specify both SHA1_FILE_DIRECTORY (now
GIT_OBJECT_DIRECTORY) and GIT_INDEX_FILE for the default layout
would be handy. This change introduces GIT_DIR environment
variable, from which the defaults for GIT_INDEX_FILE and
GIT_OBJECT_DIRECTORY are derived. When GIT_DIR is not defined,
it defaults to ".git". GIT_INDEX_FILE defaults to
"$GIT_DIR/index" and GIT_OBJECT_DIRECTORY defaults to
"$GIT_DIR/objects".
Special thanks for ideas and discussions go to Petr Baudis and
Daniel Barkalow. Bugs are mine ;-)
H. Peter Anvin mentioned that using SHA1_whatever as an
environment variable name is not nice and we should instead use
names starting with "GIT_" prefix to avoid conflicts. Here is
what this patch does:
* Introduces a compatibility macro, gitenv(), which does an
getenv() and if it fails calls gitenv_bc(), which in turn
picks up the value from old name while giving a warning about
using an old name.
* Changes all users of the environment variable to fetch
environment variable with the new name using gitenv().
* Updates the documentation and scripts shipped with Linus GIT
distribution.
The transition plan is as follows:
* We will keep the backward compatibility list used by gitenv()
for now, so the current scripts and user environments
continue to work as before. The users will get warnings when
they have old name but not new name in their environment to
the stderr.
* The Porcelain layers should start using new names. However,
just in case it ends up calling old Plumbing layer
implementation, they should also export old names, taking
values from the corresponding new names, during the
transition period.
* After a transition period, we would drop the compatibility
support and drop gitenv(). Revert the callers to directly
call getenv() but keep using the new names.
The last part is probably optional and the transition
duration needs to be set to a reasonable value.
Reformat core-git.txt to asciidoc format.
Includes split-docs.pl to create individual txt, html and man pages.
<JC> Editorial note. I've updated to add git-diff-cache -m and
git-update-cache --replace description on top of the version
David posted to the GIT list and got his OK.
Signed-off-by: David Greaves <david@dgreaves.com> Signed-off-by: Junio C Hamano <junkio@cox.net>
This fixes stylistic problems and one unused variable spotted by
Petr Baudis. The buf variable unused in prepare_alt_odb() is
gone and the "creepy" function is more heavily documented.
A deflate loop in sha1_file.c would have /* nothing */ as its
body, but the semicolon was missing, so the next command was run.
Fortunately the loop went through exactly once so it didn't trigger
an actual bug so far.
Signed-Off-by: Thomas Glanzmann <sithglan@stud.uni-erlangen.de> Signed-off-by: Petr Baudis <pasky@ucw.cz>
When we used to have "path" as a file or a symlink, but now we
have "path/file" (or in general, have "path" as a directory), we
would want to remove "path" before adding "path/file". The
logic in add_file_to_cache() only runs lstat() and does not
detect this case and fails to allow removing it in this case.
In the opposite case of having "path/file" in the index and
having "path" on the filesystem as a file or a symlink we do
allow removal of "path/file", so to be symmetric we should allow
it as well, without forcing the user to say --force-remove.
When "path" exists as a file or a symlink in the index, an
attempt to add "path/file" is refused because it results in file
vs directory conflict. Similarly when "path/file1",
"path/file2", etc. exist, an attempt to add "path" as a file or
a symlink is refused. With git-update-cache --replace, these
existing entries that conflict with the entry being added are
automatically removed from the cache, with warning messages.
This is a follow-up fix to the earlier "Notice index that has
path and path/file and refuse to write such a tree" patch.
With this fix, git-fsck-cache complains if a tree object stores
more than one entries with the same name.
[PATCH] make INSTALL binary in Makefile configurable via make variable
On Solaris machines gnu install called ginstall
<JC> Editorial notes. I've also changed it to use $(COPTS), $(prefix),
and $(bin) because I always get confused without compiling it with -O1
when I single step in gdb. The default is left as Linus shipped.
Date: Sat, 7 May 2005 10:41:54 +0200 Signed-off-by: Thomas Glanzmann <sithglan@stud.uni-erlangen.de> Signed-off-by: Junio C Hamano <junkio@cox.net>
[PATCH] Add #include <limits.h> so that git compiles under Solaris
<JC> Editorial Note. We may want to include standard headers in one
of those headers everybody includes, e.g. cache.h, to reduce clutters,
but this commit is as Thomas posted to the GIT list.
Date: Sat, 7 May 2005 10:41:41 +0200 Signed-off-by: Thomas Glanzmann <sithglan@stud.uni-erlangen.de> Signed-off-by: Junio C Hamano <junkio@cox.net>
Use backticks in git-merge-one-file-script instead of $(command).
Thomas Glanzmann says that shell he uses on Solaris cannot grok
$(command) but the script does not use nested $(command) and
works happily just by using backticks instead.
Notice index that has path and path/file and refuse to write such a tree.
Kay Sievers noticed that you can have both path and path/file in
the cache and write-tree happily creates a tree object from such
a state. Since a merge can result in such situation and the
user should be able to see the situation by looking at the
cache, rather than forbidding add_cache_entry() to create such
conflicts, fix it by making write-tree refuse to write such an
nonsensical tree. Here is a test case.
Make merge-cache not fail immediatelly when the merge program
fails, but go on and return error code at the end. It makes sense
to try to merge everything, then let the user solve the commits
at once.
Free compressed buffer after write_sha1_file() is done.
This does not matter for commands that write just a handful SHA1 files,
but is noticeable in git-convert-cache which essentially traverses the
entire object database.
Introduce SHA1_FILE_DIRECTORIES to support multiple object databases.
SHA1_FILE_DIRECTORIES environment variable is a colon separated paths
used when looking for SHA1 files not found in the usual place for
reading. Creating a new SHA1 file does not use this alternate object
database location mechanism. This is useful to archive older, rarely
used objects into separate directories.
Revert bogus optimization that avoids index file writes
It didn't properly mark all cache updates as being dirty, and
causes merge errors due to that. In particular, it didn't notice
when a file was force-removed.
Besides, it was ugly as hell. I've put in place a slightly cleaner
version, but I've not enabled the optimization because I don't
want to be burned again.
[PATCH] git-tar-tree: make file contents accessible to write_header()
Pass pointer to filecontents to write_header() and pass pointer
to filecontents, its size and some flags to write_exntended_header().
These parameters are not used, yet. They are added in preparation
to symlink support.
Introduce append_extended_header_prefix(), extended_header_len()
and append_extended_header(). These are helper functions that
make it easier to handle multiple entries in a pax extended
header. append_log() is no longer needed and can go away.
[PATCH] don't load and decompress objects twice with parse_object()
It turns out that parse_object() is loading and decompressing given
object to free it just before calling the specific object parsing
function which does mmap and decompress the same object again. This
patch introduces the ability to parse specific objects directly from a
memory buffer.
Without this patch, running git-fsck-cache on the kernel repositorytake:
real 0m13.006s
user 0m11.421s
sys 0m1.218s
With this patch applied:
real 0m8.060s
user 0m7.071s
sys 0m0.710s
The performance increase is significant, and this is kind of a
prerequisite for sane delta object support with fsck.
Signed-off-by: Nicolas Pitre <nico@cam.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This only shows the tree headers when something actually changed. Also,
add a "silent" mode, which doesn't actually show the changes at all,
just the commit information.
gitweb.cgi's default view is the log of the last day and git-rev-list
can stop crawling the whole repo if we have all our data to display in the
browser. Also the rss-feed query needs only the last 20 items. This
will speeds up these queries dramatically.
Implement -v (verbose) option for pull methods other than local transport.
This moves the private "say()" function to pull.c, renames it to
"pull_say()", and introduces a global variable "get_verbosely" that
makes the pull backends report what they fetch. The -v option is
added to git-rpull and git-http-pull to match git-local-pull.
The documentation is updated to describe these pull commands.
The tree object parsing used to get the executable bit wrong,
and didn't know about symlinks. Also, fsck really wants the
full mode value so that it can verify the other bits for sanity,
so save it all in struct tree_entry.
Update git-apply-patch-script for symbolic links.
Make git-prune-script executable again.
Do not write out new index if nothing has changed.
diff-cache shows differences for unmerged paths without --cache.
Update diff engine for symlinks stored in the cache.
This patch updates the git-apply-patch-script for the symbolic links
in the cache, recently added by Kay Sievers.
It currently is very anal about symbolic link changes. It refuses to
change between a regular file and a symbolic link, and only allows
symbolic link changes if the patch is based on the same original.
Update diff engine for symlinks stored in the cache.
This patch updates the external diff interface engine for the change
to store the symbolic links in the cache, recently done by Kay
Sievers.
The main thing it does is when comparing with the work tree, it
prepares the counterpart to the blob being compared by doing a
readlink followed by sending that result to a temporary file to
be diffed.
diff-cache shows differences for unmerged paths without --cache.
While manually resolving a merge conflict, being able to run
diff-cache without --cache option between files in the work tree
and either of the ancestor trees is helpful to verify the hand
merged result. However, diff-cache refuses to handle unmerged
paths, even when run without --cache option.
This changes the behaviour so that the above use case will
report the differences between the compared tree and the magic
0{40} SHA1 (i.e. "look at the work tree"). When there is no
corresponding file in the work tree, or when the command is run
with "--cache" option, it continues to report "unmerged".
Separate out the merge resolve from the actual getting of the
data. Also, update the resolve phase to take advantage of the
fact that we don't need to do the commit->tree object lookup
by hand, since all the actors involved happily just act on a
commit object these days.
Allow to store and track symlink in the repository. A symlink is stored
the same way as a regular file, only with the appropriate mode bits set.
The symlink target is therefore stored in a blob object.
This will hopefully make our udev repository fully functional. :)
Signed-off-by: Kay Sievers <kay.sievers@vrfy.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Following up from my fix to rpull, please also apply this, which fixes
rpush.c to call git-rpull rather than rpull which no longer exists after
the Big Rename(TM)...
Signed-off-by: Anton Altaparmakov <aia21@cantab.net> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
When the patch tries to create a new file and the file exists, abort.
This fixes an error introduced to git-apply-patch-script in the previous
round. We do not invoke patch for create/delete case, so we need to
be a bit careful about detecting conflicts like this.
This patch optimizes "diff-cache -p --cached" by avoiding to
inflate blobs into temporary files when the blob recorded in the
cache matches the corresponding file in the work tree. The file
in the work tree is passed as the comparison source in such a
case instead.
This optimization kicks in only when we have already read the
cache this optimization and this is deliberate. Especially,
diff-tree does not use this code, because changes are contained
in small number of files relative to the project size most of
the time, and reading cache is so expensive for a large project
that the cost of reading it outweighs the savings by not
inflating blobs.
Also this patch cleans up the structure passed from diff clients
by removing one unused structure member.
Terminate diff-* on non-zero exit from GIT_EXTERNAL_DIFF
(slightly updated from the version posted to the GIT mailing list
with small bugfixes).
This patch changes the git-apply-patch-script to exit non-zero when
the patch cannot be applied. Previously, the external diff driver
deliberately ignored the exit status of GIT_EXTERNAL_DIFF command,
which was a design mistake. It now stops the processing when
GIT_EXTERNAL_DIFF exits non-zero, so the damages from running
git-diff-* with git-apply-patch-script between two wrong trees can be
contained.
The "diff" command line generated by the built-in driver is changed to
always exit 0 in order to match this new behaviour. I know Pasky does
not use GIT_EXTERNAL_DIFF yet, so this change should not break Cogito,
either.
Git-prune-script loses blobs referenced from an uncommitted cache.
(updated from the version posted to GIT mailing list).
When a new blob is registered with update-cache, and before the cache
is written as a tree and committed, git-fsck-cache will find the blob
unreachable. This patch adds a new flag, "--cache" to git-fsck-cache,
with which it keeps such blobs from considered "unreachable".
The git-prune-script is updated to use this new flag. At the same time
it adds .git/refs/*/* to the set of default locations to look for heads,
which should be consistent with expectations from Cogito users.
Without this fix, "diff-cache -p --cached" after git-prune-script has
pruned the blob object will fail mysteriously and git-write-tree would
also fail.
When git-local-pull with -l option gets ENOENT attempting to create
a hard link, there is no point falling back to other copy methods.
With this patch, git-local-pull detects such a case and gives up
copying the file early.
Make git-*-pull say who wants them for missing objects.
This patch updates pull.c, the engine that decides which objects are
needed, given a commit to traverse from, to report which commit was
calling for the object that cannot be retrieved from the remote side.
This complements git-fsck-cache in that it checks the consistency of
the remote repository for reachability.
Make it much safer: we write to a temporary file, and then link that
temporary file to the final destination. This avoids all the nasty
races if several people write the same object at the same time.
It should also result in nicer on-disk layout, since it means that
objects all get created in the same subdirectory. That makes a lot
of block allocation algorithms happier, since the objects will now
be allocated from the same zone.