New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mingw: safeguard better against backslashes in file names #690
Conversation
In 224c7d7 (mingw: only test index entries for backslashes, not tree entries, 2019-12-31), we relaxed the check for backslashes in tree entries to check only index entries. However, the code change was incorrect: it was added to `add_index_entry_with_check()`, not to `add_index_entry()`, so under certain circumstances it was possible to side-step the protection. Besides, the description of that commit purported that all index entries would be checked when in fact they were only checked when being added to the index (there are code paths that do not do that, constructing "transient" index entries). In any case, it was pointed out in one insightful review at git-for-windows#2437 (comment) that it would be a much better idea to teach `verify_path()` to perform the check for a backslash. This is safer, even if it comes with two notable drawbacks: - `verify_path()` cannot say _what_ is wrong with the path, therefore the user will no longer be told that there was a backslash in the path, only that the path was invalid. - The `git apply` command also calls the `verify_path()` function, and might have been able to handle Windows-style paths (i.e. with backslashes instead of forward slashes). This will no longer be possible unless the user (temporarily) sets `core.protectNTFS=false`. Note that `git add <windows-path>` will _still_ work because `normalize_path_copy_len()` will convert the backslashes to forward slashes before hitting the code path that creates an index entry. The clear advantage is that `verify_path()`'s purpose is to check the validity of the file name, therefore we naturally tap into all the code paths that need safeguarding, also implicitly into future code paths. The benefits of that approach outweigh the downsides, so let's move the check from `add_index_entry_with_check()` to `verify_path()`. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
/submit |
On the Git mailing list, Johannes Schindelin wrote (reply to this):
|
This branch is now known as |
This patch series was integrated into pu via 132d982. |
This patch series was integrated into pu via f56e7dc. |
This patch series was integrated into next via f43f0fe. |
This patch series was integrated into pu via 1cf4836. |
This patch series was integrated into next via f6adca8. |
This patch series was integrated into master via 1cf4836. |
Closed via 1cf4836. |
I investigated again, and I think that there are code paths involving
make_transient_cache_entry()
that might be vulnerable again after my recent change in 224c7d7 (mingw: only test index entries for backslashes, not tree entries, 2019-12-31).This version should help with keeping Git for Windows' users safe.