NTFS: Prevent problematic paths from being checked out

On Windows' default filesystems, FAT and NTFS, DOS-style 8.3 file names
are supported for backwards compatibility. That means that there are
multiple ways to reference the same file. For example, the file
credential-cache--daemon.c can also be accessed via CREDEN~1.C (unless
another file has already been mapped to that so-called "short name", i.e.
the exact short name is unpredictable).

Since this mapping is unpredictable, we need to disallow such file names
on Windows, and while at it, we also exclude other file names incompatible
with Windows' file systems (e.g. NUL, CON, etc).

We use the core.protectNTFS guard introduced in the previous commit to
make sure that we prevent such file names only when appropriate.

A big thank you goes to Ed Thomson and an unnamed Microsoft engineer for
the detailed analysis performed to come up with the corresponding fixes
for libgit2.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Author: dscho

cache.h

@@ -784,6 +784,8 @@ int longest_ancestor_length(const char *path, struct string_list *prefixes);
 char *strip_path_suffix(const char *path, const char *suffix);
 int daemon_avoid_alias(const char *path);
 int offset_1st_component(const char *path);
+extern int is_ntfs_reserved_character(char c);
+extern int is_ntfs_reserved(const char *path, size_t len);
 extern int is_ntfs_dotgit(const char *name);
 
 /* object replacement */

path.c

@@ -863,3 +863,87 @@ int is_ntfs_dotgit(const char *name)
 			len = -1;
 		}
 }
+
+/*
+ * This function detects characters incompatible with NT paths.
+ */
+int is_ntfs_reserved_character(char c)
+{
+	switch (c) {
+	case '\\':
+	case '<':
+	case '>':
+	case ':':
+	case '"':
+	case '|':
+	case '?':
+	case '*':
+		return 1;
+	}
+
+	if (c >= 0 && c < 32)
+		return 1;
+
+	return 0;
+}
+
+static int conflicts_with_ntfs_short_name(const char *path, size_t len)
+{
+	if (len < 3 || len > 8 + 1 + 3)
+		return 0;
+
+	/* strip extension, if any */
+	if (path[len - 1] == '.')
+		len--;
+	else if (path[len - 2] == '.')
+		len -= 2;
+	else if (path[len - 3] == '.')
+		len -= 3;
+	else if (len > 3 && path[len - 4] == '.')
+		len -= 4;
+
+	/* short names are in 8.3 format */
+	if (len < 3 || len > 8)
+		return 0;
+
+	if (!isdigit(path[len-1]))
+		return 0;
+
+	while (len && isdigit(path[len-1]))
+		len--;
+
+	return len > 0 && path[len-1] == '~';
+}
+
+/*
+ * This function rejects path components
+ * - with trailing ~<N>, i.e. paths conflicting with 8.3 DOS paths
+ * - ending in a dot, a space or a colon,
+ * - that are reserved on Windows (CON, PRN, etc)
+ */
+int is_ntfs_reserved(const char *path, size_t len)
+{
+	if (conflicts_with_ntfs_short_name(path, len))
+		return 1;
+
+	switch (path[len - 1]) {
+		case '.':
+		case ' ':
+		case ':':
+			return 1;
+	}
+
+	if (only_spaces_and_periods(path, len, 3)) {
+		if (!strncasecmp(path, "CON", 3) ||
+				!strncasecmp(path, "PRN", 3) ||
+				!strncasecmp(path, "AUX", 3) ||
+				!strncasecmp(path, "NUL", 3))
+			return 1;
+	}
+	else if (only_spaces_and_periods(path, len, 4) && isdigit(path[3]))
+		if (!strncasecmp(path, "COM", 3) ||
+				!strncasecmp(path, "LPT", 3))
+			return 1;
+
+	return 0;
+}

read-cache.c

@@ -769,6 +769,7 @@ static int verify_dotfile(const char *rest)
 
 int verify_path(const char *path)
 {
+	const char *start;
 	char c;
 
 	if (has_dos_drive_prefix(path))
@@ -777,18 +778,25 @@ int verify_path(const char *path)
 	goto inside;
 	for (;;) {
 		if (!c)
-			return 1;
+			return !protect_ntfs ||
+				!is_ntfs_reserved(start, path - 1 - start);
 		if (is_dir_sep(c)) {
+			if (protect_ntfs && is_ntfs_reserved(start,
+						path - 1 - start))
+				return 0;
 inside:
 			if (protect_hfs && is_hfs_dotgit(path))
 				return 0;
 			if (protect_ntfs && is_ntfs_dotgit(path))
 				return 0;
+			start = path;
 			c = *path++;
 			if ((c == '.' && !verify_dotfile(path)) ||
 			    is_dir_sep(c) || c == '\0')
 				return 0;
 		}
+		if (protect_ntfs && is_ntfs_reserved_character(c))
+			return 0;
 		c = *path++;
 	}
 }