diff options
author | Johannes Schindelin <johannes.schindelin@gmx.de> | 2019-09-16 14:26:40 +0300 |
---|---|---|
committer | Johannes Schindelin <johannes.schindelin@gmx.de> | 2019-12-05 17:37:07 +0300 |
commit | 7f3551dd686e2237490c17946335a675c4f59881 (patch) | |
tree | 00b0bb3ed0584501a3638e7eaaf28d29bc792cf6 /fsck.c | |
parent | 4778452597027f6033db9f3ba6709913eadc3c8c (diff) | |
parent | 91bd46588e6959e6903e275f78b10bd07830d547 (diff) |
Merge branch 'disallow-dotgit-via-ntfs-alternate-data-streams'
This patch series plugs an attack vector we had overlooked in our
December 2014 work on `core.protectNTFS`.
Essentially, the path `.git::$INDEX_ALLOCATION/config` is interpreted as
`.git/config` when NTFS Alternate Data Streams are available (which they
are on Windows, and at least on network shares that are SMB-mounted on
macOS).
Needless to say: we don't want that.
In fact, we want to stay on the very safe side and not even special-case
the `$INDEX_ALLOCATION` stream type: let's just prevent Git from
touching _any_ explicitly specified Alternate Data Stream of `.git`.
In essence, we'll prevent Git from tracking, or writing to, any path
with a segment of the form `.git:<anything>`.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Diffstat (limited to 'fsck.c')
-rw-r--r-- | fsck.c | 11 |
1 files changed, 10 insertions, 1 deletions
@@ -551,7 +551,7 @@ static int fsck_tree(struct tree *item, struct fsck_options *options) while (desc.size) { unsigned mode; - const char *name; + const char *name, *backslash; const struct object_id *oid; oid = tree_entry_extract(&desc, &name, &mode); @@ -565,6 +565,15 @@ static int fsck_tree(struct tree *item, struct fsck_options *options) is_hfs_dotgit(name) || is_ntfs_dotgit(name)); has_zero_pad |= *(char *)desc.buffer == '0'; + + if ((backslash = strchr(name, '\\'))) { + while (backslash) { + backslash++; + has_dotgit |= is_ntfs_dotgit(backslash); + backslash = strchr(backslash, '\\'); + } + } + if (update_tree_entry_gently(&desc)) { retval += report(options, &item->object, FSCK_MSG_BAD_TREE, "cannot be parsed as a tree"); break; |