[PATCH v2 0/4] "git apply" safety

"git apply" has been fairly careless about letting the input follow
symbolic links, especially when used without the --index/--cached
options (which was more or less deliberate to mimic what "patch"
used to do).  When the input tells it to modify a/b/c, and lstat(2)
said that there is "a/b/c" that matches the preimage in the input,
we happily overwrote it, even when a/b is a symbolic link that
pointed somewhere, even outside the working tree.

This series tightens things a bit for safety.

 (1) By default, we reject patches to ".git/file", "../some/where",
     "./this/././that", etc., i.e. the names you cannot add to the
     index.  Those who use "git apply" (without --index/--cached) as
     a replacement for GNU patch can use --unsafe-paths option to
     override this safety.  This is what patch 1/4 does.

 (2) We do not allow a patch to depend on a location beyond a
     symbolic link (this includes "a patch to remove a path beyond a
     symbolic link").  This is patch 2/4 and 3/4.

 (3) We do not allow a patch to create result on a location beyond a
     symbolic link.  This is patch 4/4.

There is no knob to override the latter two points, as this is not a
safety but is a correctness issue.  Because Git keeps track of and
can express changes to symbolic links, a patch that expects a file
"a/b/c" to be tracked (either the patch adds it, or it modifies an
     existing file there) implicitly expects that there is no symbolic
link "a/b", so attempting to apply such a patch to a tree with a
symbolic link at "a/b", even when the link points at some directory,
must detect that the target tree does not match what the patch's
preimage expects and fail.

The previous attempt begins at around here:

  http://thread.gmane.org/gmane.linux.kernel/1874498/focus=1878385

Junio C Hamano (4):
  apply: reject input that touches outside $cwd
  apply: do not read from the filesystem under --index
  apply: do not read from beyond a symbolic link
  apply: do not touch a file beyond a symbolic link

 Documentation/git-apply.txt     |  14 +++-
 builtin/apply.c                 | 139 +++++++++++++++++++++++++++++++++++++++-
 t/t4122-apply-symlink-inside.sh |  89 +++++++++++++++++++++++++
 t/t4139-apply-escape.sh         | 137 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 377 insertions(+), 2 deletions(-)
 create mode 100755 t/t4139-apply-escape.sh

-- 
2.3.0-rc2-164-g799cdce
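The two classes of rejection described in the cover letter, written out as an added illustration (this is not code from the series or from git itself): a path-name check for the names that cannot be added to the index, which --unsafe-paths may override, and a check that no leading directory of the target is a symbolic link, which has no override. The worktree layout (a/b as a symlink to a directory outside the tree) is constructed by the demo itself.

```python
import os
import tempfile


def verify_path(name):
    """Reject the names the cover letter says cannot be added to the index:
    absolute paths, "." or ".." components, empty components and ".git"."""
    if not name or name.startswith("/"):
        return False
    for comp in name.split("/"):
        if comp in ("", ".", ".."):
            return False
        if comp.lower() == ".git":
            return False
    return True


def crosses_symlink(root, name):
    """True if any leading directory of root/name is a symbolic link,
    i.e. a patch touching a/b/c while a/b is a link (even to a directory)."""
    cur = root
    for comp in name.split("/")[:-1]:
        cur = os.path.join(cur, comp)
        if os.path.islink(cur):
            return True
    return False


def check_patch_path(root, name, unsafe_paths=False):
    """Return None if the path may be applied, else the reason it is rejected.
    Only the path-name check can be bypassed, mirroring --unsafe-paths."""
    if not unsafe_paths and not verify_path(name):
        return "invalid path"
    if crosses_symlink(root, name):
        return "beyond a symbolic link"
    return None


def demo():
    """Constructed worktree: a/b is a symlink to a directory outside it."""
    root = tempfile.mkdtemp()
    outside = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "a", "real"))
    os.symlink(outside, os.path.join(root, "a", "b"))
    return {
        "escape": check_patch_path(root, "../some/where"),
        "dotgit": check_patch_path(root, ".git/config"),
        "escape_unsafe": check_patch_path(root, "../some/where", unsafe_paths=True),
        "symlink": check_patch_path(root, "a/b/c"),
        "ok": check_patch_path(root, "a/real/c"),
    }
```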
