Merge branch 'disallow-dotgit-via-ntfs-alternate-data-streams'

This patch series plugs an attack vector we had overlooked in our
December 2014 work on `core.protectNTFS`.

Essentially, the path `.git::$INDEX_ALLOCATION/config` is interpreted as
`.git/config` when NTFS Alternate Data Streams are available (which they
are on Windows, and at least on network shares that are SMB-mounted on
macOS).

Needless to say: we don't want that.

In fact, we want to stay on the very safe side and not even special-case
the `$INDEX_ALLOCATION` stream type: let's just prevent Git from
touching _any_ explicitly specified Alternate Data Stream of `.git`.

In essence, we'll prevent Git from tracking, or writing to, any path
with a segment of the form `.git:<anything>`.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

1 files changed, 10 insertions, 1 deletions

diff --git a/fsck.c b/fsck.c
index b1579c7e28..d80a96f4be 100644
--- a/fsck.c
+++ b/fsck.c
@@ -551,7 +551,7 @@ static int fsck_tree(struct tree *item, struct fsck_options *options)
 
 	while (desc.size) {
 		unsigned mode;
-		const char *name;
+		const char *name, *backslash;
 		const struct object_id *oid;
 
 		oid = tree_entry_extract(&desc, &name, &mode);
@@ -565,6 +565,15 @@ static int fsck_tree(struct tree *item, struct fsck_options *options)
 			       is_hfs_dotgit(name) ||
 			       is_ntfs_dotgit(name));
 		has_zero_pad |= *(char *)desc.buffer == '0';
+
+		if ((backslash = strchr(name, '\\'))) {
+			while (backslash) {
+				backslash++;
+				has_dotgit |= is_ntfs_dotgit(backslash);
+				backslash = strchr(backslash, '\\');
+			}
+		}
+
 		if (update_tree_entry_gently(&desc)) {
 			retval += report(options, &item->object, FSCK_MSG_BAD_TREE, "cannot be parsed as a tree");
 			break;