Diffstat
-rw-r--r-- | debian/changelog | 12
-rw-r--r-- | debian/changelog.upstream | 1881
-rw-r--r-- | debian/copyright | 7
-rw-r--r-- | debian/patches/0001-hook-plug-a-new-memory-leak.diff | 34
-rw-r--r-- | debian/patches/0002-Revert-core.hooksPath-add-some-protection-while-cloni.diff | 82
-rw-r--r-- | debian/patches/0003-tests-verify-that-clone-c-core.hooksPath-dev-null-wor.diff | 48
-rw-r--r-- | debian/patches/0004-hook-clone-protections-add-escape-hatch.diff | 182
-rw-r--r-- | debian/patches/0005-hooks-clone-protections-special-case-current-Git-LFS-.diff | 82
-rw-r--r-- | debian/patches/0006-hooks-clone-protections-simplify-templates-hooks-vali.diff | 198
-rw-r--r-- | debian/patches/0007-Revert-Add-a-helper-function-to-compare-file-contents.diff | 185
-rw-r--r-- | debian/patches/series | 7
-rw-r--r-- | debian/versions.upstream | 17
12 files changed, 2716 insertions, 19 deletions
diff --git a/debian/changelog b/debian/changelog index 16c199d..0c60561 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +git (1:2.45.1-1) unstable; urgency=medium + + * new upstream release (see RelNotes/2.44.0.txt, RelNotes/2.45.0.txt). + * new upstream point release (see RelNotes/2.45.1.txt; addresses + CVE-2024-32002, CVE-2024-32004, CVE-2024-32020, CVE-2024-32021 and + CVE-2024-32465; closes: #1071160). + * debian/patches/0001..0007: new from upstream: followups intended + for v2.45.2 to avoid regressions from the fixes included in + v2.45.1 (thx Johannes Schindelin). + + -- Jonathan Nieder <jrnieder@gmail.com> Mon, 20 May 2024 03:36:58 +0000 + git (1:2.43.0-1~progress7.99u1) graograman-backports; urgency=low * Initial reupload to graograman-backports. diff --git a/debian/changelog.upstream b/debian/changelog.upstream index 69e5ac8..2342f06 100644 --- a/debian/changelog.upstream +++ b/debian/changelog.upstream 
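Review bot: the new changelog entry describes debian/patches/0001..0007 only as "followups ... to avoid regressions", but the diffstat shows that two of them revert commits that belong to the v2.45.1 security fix set (0002 reverts "core.hooksPath: add some protection while cloning", 0007 reverts "Add a helper function to compare file contents") and that 0004 adds an "escape hatch" to the clone protections; the entry should state this explicitly, because a reader tracing CVE-2024-32002, CVE-2024-32004, CVE-2024-32020, CVE-2024-32021 and CVE-2024-32465 from here will otherwise assume the upstream fixes ship unchanged. It would also help to record where the v2.45.2 followups were taken from, so they can be dropped cleanly once that release is packaged. Minor: the preceding entry targets graograman-backports with a ~progress7.99u1 version suffix while this one targets unstable with a plain 1:2.45.1-1 version; confirm the distribution and suffix are the intended ones for this branch.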
@@ -1,3 +1,1627 @@ +Version v2.45.1; changes since v2.45.0: +--------------------------------------- + +Filip Hejsek (4): + t0411: add tests for cloning from partial repo + has_dir_name(): do not get confused by characters < '/' + t7423: add tests for symlinked submodule directories + clone: prevent clashing git dirs when cloning submodule in parallel + +Jeff King (6): + http: reset POSTFIELDSIZE when clearing curl handle + INSTALL: bump libcurl version to 7.21.3 + remote-curl: add Transfer-Encoding header only for older curl + test-lib: ignore uninteresting LSan output + upload-pack: disable lazy-fetching by default + docs: document security issues around untrusted .git dirs + +Johannes Schindelin (26): + repository: avoid leaking `fsmonitor` data + ci: upgrade to using macos-13 + ci(linux-asan/linux-ubsan): let's save some time + ci: bump remaining outdated Actions versions + ci(linux32): add a note about Actions that must not be updated + fetch/clone: detect dubious ownership of local repositories + submodules: submodule paths must not contain symlinks + clone_submodule: avoid using `access()` on directories + submodule: require the submodule path to contain directories only + t5510: verify that D/F confusion cannot lead to an RCE + entry: report more colliding paths + clone: when symbolic links collide with directories, keep the latter + find_hook(): refactor the `STRIP_EXTENSION` logic + init: refactor the template directory discovery into its own function + Add a helper function to compare file contents + clone: prevent hooks from running during a clone + init.templateDir: consider this config setting protected + core.hooksPath: add some protection while cloning + fsck: warn about symlink pointing inside a gitdir + Git 2.39.4 + Git 2.40.2 + Git 2.41.1 + Git 2.42.2 + Git 2.43.4 + Git 2.44.1 + Git 2.45.1 + +Junio C Hamano (2): + GitHub Actions: update to checkout@v4 + GitHub Actions: update to github-script@v7 + +Patrick Steinhardt (4): + builtin/clone: stop 
resolving symlinks when copying files + builtin/clone: abort when hardlinked source and target file differ + setup.c: introduce `die_upon_dubious_ownership()` + builtin/clone: refuse local clones of unsafe repositories + + +Version v2.45.0; changes since v2.45.0-rc1: +------------------------------------------- + +Alexander Shopov (1): + l10n: bg.po: Updated Bulgarian translation (5652t) + +Arkadii Yakovets (1): + l10n: uk: v2.45 update + +Bagas Sanjaya (1): + l10n: po-id for 2.45 + +Emir SARI (1): + l10n: tr: Update Turkish translations + +Jean-Noël Avila (1): + l10n: fr: v2.45.0 + +Jiang Xin (1): + l10n: TEAMS: retire l10n teams no update in 1 year + +Junio C Hamano (1): + Git 2.45 + +Peter Krefting (1): + l10n: sv.po: Update Swedish translation + +Ralf Thielow (1): + l10n: Update German translation + +René Scharfe (1): + don't report vsnprintf(3) error as bug + +Rubén Justo (4): + apply: plug a leak in apply_data + add-interactive: plug a leak in get_untracked_files + add-patch: plug a leak handling the '/' command + add: plug a leak on interactive_add + +Taylor Blau (1): + Documentation/RelNotes/2.45.0.txt: fix typo + +Teng Long (1): + l10n: zh_CN: for git 2.45 rounds + +Vũ Tiến Hưng (2): + l10n: Update Vietnamese team contact + l10n: vi: Updated translation for 2.45 + +Yi-Jyun Pan (1): + l10n: zh-TW: Git 2.45 + + +Version v2.45.0-rc1; changes since v2.45.0-rc0: +----------------------------------------------- + +Junio C Hamano (2): + A bit more topics before -rc1 + Git 2.45-rc1 + +Linus Arver (5): + format_trailer_info(): use trailer_item objects + format_trailer_info(): drop redundant unfold_value() + format_trailer_info(): append newline for non-trailer lines + trailer: begin formatting unification + trailer: finish formatting unification + +Marcel Röthke (1): + rerere: fix crashes due to unmatched opening conflict markers + +Orgad Shaneh (1): + docs: remove duplicate entry and fix typo in 2.45 changelog + +Patrick Steinhardt (15): + reftable/block: rename 
`block_reader_start()` + reftable/block: merge `block_iter_seek()` and `block_reader_seek()` + reftable/block: better grouping of functions + reftable/block: introduce `block_reader_release()` + reftable/block: move ownership of block reader into `struct table_iter` + reftable/reader: iterate to next block in place + reftable/block: reuse uncompressed blocks + reftable/block: open-code call to `uncompress2()` + reftable/block: reuse `zstream` state on inflation + reftable/block: avoid copying block iterators on seek + pack-bitmap: gracefully handle missing BTMP chunks + run-command: introduce function to prepare auto-maintenance process + builtin/receive-pack: convert to use git-maintenance(1) + docs: improve changelog entry for `git pack-refs --auto` + docs: address typos in Git v2.45 changelog + +Peter Krefting (1): + bisect: report the found commit with "show" + +René Scharfe (3): + git-compat-util: fix NO_OPENSSL on current macOS + imap-send: increase command size limit + apply: avoid using fixed-size buffer in write_out_one_reject() + +Rubén Justo (1): + launch_editor: waiting message on error + +Thalia Archibald (8): + fast-import: tighten path unquoting + fast-import: directly use strbufs for paths + fast-import: allow unquoted empty path for root + fast-import: remove dead strbuf + fast-import: improve documentation for path quoting + fast-import: document C-style escapes for paths + fast-import: forbid escaped NUL in paths + fast-import: make comments more precise + +Xing Xin (1): + Documentation: fix typos describing date format + +Yehezkel Bernat (1): + Documentation: fix linkgit reference + +Đoàn Trần Công Danh (1): + t9604: Fix test for musl libc and new Debian + + +Version v2.45.0-rc0; changes since v2.44.1: +------------------------------------------- + +Ahelenia Ziemiańska (1): + grep: improve errors for unmatched ( and ) + +Alexander Shopov (4): + transport-helper.c: trivial fix of error message + builtin/remote.c: trivial fix of error message + 
builtin/clone.c: trivial fix of message + revision.c: trivial fix to message + +Aryan Gupta (1): + tests: modernize the test script t0010-racy-git.sh + +Beat Bolli (25): + completion: use awk for filtering the config entries + date: make "iso-strict" conforming for the UTC timezone + t0006: add more tests with a negative TZ offset + doc: avoid redundant use of cat + contrib/subtree/t: avoid redundant use of cat + t/lib-cvs.sh: avoid redundant use of cat + t/annotate-tests.sh: avoid redundant use of cat + t/perf: avoid redundant use of cat + t/t0*: avoid redundant uses of cat + t/t1*: avoid redundant uses of cat + t/t3*: avoid redundant uses of cat + t/t4*: avoid redundant uses of cat + t/t5*: avoid redundant uses of cat + t/t6*: avoid redundant uses of cat + t/t7*: avoid redundant use of cat + t/t8*: avoid redundant use of cat + t/t9*: avoid redundant uses of cat + t/t1*: merge a "grep | sed" pipeline + t/t3*: merge a "grep | awk" pipeline + t/t4*: merge a "grep | sed" pipeline + t/t5*: merge a "grep | sed" pipeline + t/t8*: merge "grep | sed" pipelines + t/t9*: merge "grep | sed" pipelines + contrib/coverage-diff: avoid redundant pipelines + git-quiltimport: avoid an unnecessary subshell + +Bo Anderson (5): + t/lib-credential: clean additional credential + osxkeychain: replace deprecated SecKeychain API + osxkeychain: erase all matching credentials + osxkeychain: erase matching passwords only + osxkeychain: store new attributes + +Brian C Tracy (1): + fuzz: add fuzzer for config parsing + +Brian Lyles (13): + docs: clarify file options in git-config `--edit` + docs: fix typo in git-config `--default` + docs: correct trailer `key_value_separator` description + docs: adjust trailer `separator` and `key_value_separator` language + pretty: update tests to use `test_config` + pretty: find pretty formats case-insensitively + docs: address inaccurate `--empty` default with `--exec` + docs: clean up `--empty` formatting in git-rebase(1) and git-am(1) + rebase: update 
`--empty=ask` to `--empty=stop` + sequencer: handle unborn branch with `--allow-empty` + sequencer: do not require `allow_empty` for redundant commit options + cherry-pick: enforce `--keep-redundant-commits` incompatibility + cherry-pick: add `--empty` for more robust redundant commit handling + +Chandra Pratap (2): + apply: ignore working tree filemode when !core.filemode + t9146: replace test -d/-e/-f with appropriate test_path_is_* function + +Christian Couder (5): + revision: clarify a 'return NULL' in get_reference() + oidset: refactor oidset_insert_from_set() + t6022: fix 'test' style and 'even though' typo + rev-list: allow missing tips with --missing=[print|allow*] + revision: fix --missing=[print|allow*] for annotated tags + +Derrick Stolee (1): + fetch: return when parsing submodule.recurse + +Dirk Gouders (6): + Documentation/user-manual.txt: example for generating object hashes + MyFirstObjectWalk: use additional arg in config_fn_t + MyFirstObjectWalk: fix misspelled "builtins/" + MyFirstObjectWalk: fix filtered object walk + MyFirstObjectWalk: fix description for counting omitted objects + MyFirstObjectWalk: add stderr to pipe processing + +Dragan Simic (8): + documentation: send-email: use camel case consistently + config: minor addition of whitespace + config: really keep value-internal whitespace verbatim + t1300: add more tests for whitespace and inline comments + config.txt: describe handling of whitespace further + grep docs: describe --recurse-submodules further and improve formatting a bit + grep docs: describe --no-index further and improve formatting a bit + config: fix some small capitalization issues, as spotted + +Eric Sunshine (2): + docs: sort configuration variable groupings alphabetically + test-lib: fix non-functioning GIT_TEST_MAINT_SCHEDULER fallback + +Eric W. 
Biederman (23): + object-file-convert: stubs for converting from one object format to another + oid-array: teach oid-array to handle multiple kinds of oids + object-names: support input of oids in any supported hash + repository: add a compatibility hash algorithm + loose: compatibilty short name support + object-file: update the loose object map when writing loose objects + object-file: add a compat_oid_in parameter to write_object_file_flags + commit: convert mergetag before computing the signature of a commit + commit: export add_header_signature to support handling signatures on tags + tag: sign both hashes + object: factor out parse_mode out of fast-import and tree-walk into in object.h + object-file-convert: don't leak when converting tag objects + object-file-convert: convert commits that embed signed tags + object-file: update object_info_extended to reencode objects + rev-parse: add an --output-object-format parameter + builtin/cat-file: let the oid determine the output algorithm + tree-walk: init_tree_desc take an oid to get the hash algorithm + object-file: handle compat objects in check_object_signature + builtin/ls-tree: let the oid determine the output algorithm + test-lib: compute the compatibility hash so tests may use it + t1006: rename sha1 to oid + t1006: test oid compatibility with cat-file + t1016-compatObjectFormat: add tests to verify the conversion between objects + +Eugenio Gigante (1): + add: use unsigned type for collection of bits + +Florian Schmidt (1): + wt-status: don't find scissors line beyond buf len + +Ghanshyam Thakkar (5): + add-patch: classify '@' as a synonym for 'HEAD' + add -p tests: remove PERL prerequisites + setup: remove unnecessary variable + builtin/commit: error out when passing untracked path with -i + builtin/add: error out when passing untracked path with -u + +Haritha D (1): + build: support z/OS (OS/390). 
+ +Harmen Stoppels (1): + rebase: make warning less passive aggressive + +Jakub Wilk (1): + git-remote.txt: fix typo + +Jean-Noël Avila (17): + doc: git-rev-parse: enforce command-line description syntax + doc: close unclosed angle-bracket of a placeholder in git-clone doc + doc: end sentences with full-stop + doc: clarify the format of placeholders + doc: git-init: format verbatim parts + doc: git-init: format placeholders + doc: git-init: rework definition lists + doc: git-init: rework config item init.templateDir + doc: git-clone: format verbatim words + doc: git-clone: format placeholders + doc: format alternatives in synopsis + doc: fix some placeholders formating + doc: rework CodingGuidelines with new formatting rules + doc: allow literal and emphasis format in doc vs help tests + doc: git-init: apply new documentation formatting guidelines + doc: git-clone: apply new documentation formatting guidelines + doc: git-clone: do not autoreference the manpage in itself + +Jeff Hostetler (17): + name-hash: add index_dir_find() + t7527: add case-insensitve test for FSMonitor + fsmonitor: refactor refresh callback on directory events + fsmonitor: clarify handling of directory events in callback helper + fsmonitor: refactor refresh callback for non-directory events + dir: create untracked_cache_invalidate_trimmed_path() + fsmonitor: refactor untracked-cache invalidation + fsmonitor: move untracked-cache invalidation into helper functions + fsmonitor: return invalidated cache-entry count on directory event + fsmonitor: remove custom loop from non-directory path handler + fsmonitor: return invalidated cache-entry count on non-directory event + fsmonitor: trace the new invalidated cache-entry count + fsmonitor: refactor bit invalidation in refresh callback + fsmonitor: support case-insensitive events + t0211: demonstrate missing 'def_param' events for certain commands + trace2: avoid emitting 'def_param' set more than once + trace2: emit 'def_param' set with 'cmd_name' 
event + +Jeff King (51): + t0303: check that helper_test_clean removes all credentials + userdiff: skip textconv caching when not in a repository + Revert "refs: allow @{n} to work with n-sized reflog" + get_oid_basic(): special-case ref@{n} for oldest reflog entry + read_ref_at(): special-case ref@{0} for an empty reflog + upload-pack: drop separate v2 "haves" array + upload-pack: switch deepen-not list to an oid_array + upload-pack: use oidset for deepen_not list + upload-pack: use a strmap for want-ref lines + upload-pack: accept only a single packfile-uri line + upload-pack: always turn off save_commit_buffer + upload-pack: use PARSE_OBJECT_SKIP_HASH_CHECK in more places + upload-pack: free tree buffers after parsing + upload-pack: use repository struct to get config + upload-pack: centralize setup of sideband-all config + upload-pack: use existing config mechanism for advertisement + upload-pack: only accept packfile-uris if we advertised it + doc/gitremote-helpers: fix missing single-quote + config: forbid newline as core.commentChar + strbuf: simplify comment-handling in add_lines() helper + strbuf: avoid static variables in strbuf_add_commented_lines() + commit: refactor base-case of adjust_comment_line_char() + strbuf: avoid shadowing global comment_line_char name + environment: store comment_line_char as a string + strbuf: accept a comment string for strbuf_stripspace() + strbuf: accept a comment string for strbuf_commented_addf() + strbuf: accept a comment string for strbuf_add_commented_lines() + prefer comment_line_str to comment_line_char for printing + find multi-byte comment chars in NUL-terminated strings + find multi-byte comment chars in unterminated buffers + sequencer: handle multi-byte comment characters when writing todo list + wt-status: drop custom comment-char stringification + environment: drop comment_line_char compatibility macro + config: allow multi-byte core.commentChar + shortlog: stop setting pp.print_email_subject + pretty: split 
oneline and email subject printing + pretty: drop print_email_subject flag + log: do not set up extra_headers for non-email formats + format-patch: return an allocated string from log_write_email_headers() + format-patch: simplify after-subject MIME header handling + doc/gitremote-helpers: fix more missing single-quotes + transport-helper: use write helpers more consistently + transport-helper: drop "object-format <algo>" option + transport-helper: send "true" value for object-format option + contrib: drop hg-to-git script + format-patch: fix leak of empty header string + rebase: use child_process_clear() to clean + config: add core.commentString + http: reset POSTFIELDSIZE when clearing curl handle + INSTALL: bump libcurl version to 7.21.3 + remote-curl: add Transfer-Encoding header only for older curl + +Jiamu Sun (1): + bugreport.c: fix a crash in `git bugreport` with `--no-suffix` option + +Johannes Schindelin (22): + merge-tree: accept 3 trees as arguments + merge-tree: fail with a non-zero exit code on missing tree objects + merge-ort: do check `parse_tree()`'s return value + t4301: verify that merge-tree fails on missing blob objects + Always check `parse_tree*()`'s return value + cache-tree: avoid an unnecessary check + fill_tree_descriptor(): mark error message for translation + neue: remove a bogus empty file + commit-reach(paint_down_to_common): plug two memory leaks + commit-reach(repo_in_merge_bases_many): optionally expect missing commits + commit-reach(repo_in_merge_bases_many): report missing commits + commit-reach(paint_down_to_common): prepare for handling shallow commits + commit-reach(paint_down_to_common): start reporting errors + commit-reach(merge_bases_many): pass on "missing commits" errors + commit-reach(get_merge_bases_many_0): pass on "missing commits" errors + commit-reach(repo_get_merge_bases): pass on "missing commits" errors + commit-reach(get_octopus_merge_bases): pass on "missing commits" errors + 
commit-reach(repo_get_merge_bases_many): pass on "missing commits" errors + commit-reach(repo_get_merge_bases_many_dirty): pass on errors + merge-recursive: prepare for `merge_submodule()` to report errors + merge-ort/merge-recursive: do report errors in `merge_submodule()` + merge-tree: fix argument type of the `--merge-base` option + +John Cai (1): + t5300: fix test_with_bad_commit() + +Jonas Wunderlich (1): + doc: status.showUntrackedFiles does not take "false" + +Josh Triplett (2): + commit: avoid redundant scissor line with --cleanup=scissors -v + commit: unify logic to avoid multiple scissors lines when merging + +Julio Bacellari (1): + doc: remove outdated information about interactive.singleKey + +Junio C Hamano (61): + apply: correctly reverse patch's pre- and post-image mode bits + apply: code simplification + t9210: do not rely on lazy fetching to fail + git: --no-lazy-fetch option + doc: add shortcut to "am --whitespace=<action>" + doc: apply the new placeholder rules to git-add documentation + compat: drop inclusion of <git-compat-util.h> + Start the 2.45 cycle + git: document GIT_NO_REPLACE_OBJECTS environment variable + doc: clarify the wording on <git-compat-util.h> requirement + git: extend --no-lazy-fetch to work across subprocesses + The second batch + The third batch + test_i18ngrep: hard deprecate and forbid its use + unpack: replace xwrite() loop with write_in_full() + sideband: avoid short write(2) + repack: check error writing to pack-objects subprocess + clean: further clean-up of implementation around "--force" + The fourth batch + The fifth batch + setup: notice more types of implicit bare repositories + The sixth batch + status: unify parsing of --untracked= and status.showUntrackedFiles + status: allow --untracked=false and friends + The seventh batch + The eighth batch + config: fix --comment formatting + config: allow tweaking whitespace between value and comment + diff.*Prefix: use camelCase in the doc and test titles + The ninth 
batch + apply: parse names out of "diff --git" more carefully + The tenth batch + The eleventh batch + SubmittingPatches: release-notes entry experiment + The twelfth batch + t4126: make sure a directory with SP at the end is usable + t4126: fix "funny directory name" test on Windows (again) + advice: omit trailing whitespace + checkout: omit "tracking" information on a detached HEAD + The thirteenth batch + t2104: style fixes + The fourteenth batch + revision: optionally record matches with pathspec elements + The fifteenth batch + CodingGuidelines: describe "export VAR=VAL" rule + CodingGuidelines: quote assigned value in 'local var=$val' + t: local VAR="VAL" (quote positional parameters) + t: local VAR="VAL" (quote command substitution) + t: local VAR="VAL" (quote ${magic-reference}) + t: teach lint that RHS of 'local VAR=VAL' needs to be quoted + t0610: local VAR="VAL" fix + t1016: local VAR="VAL" fix + config: do not leak excludes_file + Makefile(s): do not enforce "all indents must be done with tab" + The sixteenth batch + t2104: style fixes + The seventeenth batch + The eighteenth batch + The ninteenth batch + The twentieth batch + Git 2.45-rc0 + +Justin Tobler (3): + reftable/stack: expose option to disable auto-compaction + reftable/stack: add env to disable autocompaction + reftable/stack: use geometric table compaction + +Karthik Nayak (7): + refs: introduce `is_pseudoref()` and `is_headref()` + refs: extract out `loose_fill_ref_dir_regular_file()` + refs: introduce `refs_for_each_include_root_refs()` + ref-filter: rename 'FILTER_REFS_ALL' to 'FILTER_REFS_REGULAR' + for-each-ref: add new option to include root refs + update-ref: use {old,new}-oid instead of {old,new}value + githooks: use {old,new}-oid instead of {old,new}-value + +Kipras Melnikovas (1): + mergetools: vimdiff: use correct tool's name when reading mergetool config + +Kristoffer Haugsbakk (9): + column: disallow negative padding + column: guard against negative padding + gitcli: drop 
mention of “non-dashed form” + config: document `core.commentChar` as ASCII-only + t3200: improve test style + advice: make all entries stylistically consistent + advice: use backticks for verbatim + advice: use double quotes for regular quoting + branch: advise about ref syntax rules + +Linus Arver (10): + trailer: free trailer_info _after_ all related usage + shortlog: add test for de-duplicating folded trailers + trailer: rename functions to use 'trailer' + trailer: reorder format_trailers_from_commit() parameters + trailer: move interpret_trailers() to interpret-trailers.c + trailer_info_get(): reorder parameters + format_trailers(): use strbuf instead of FILE + format_trailer_info(): move "fast path" to caller + format_trailers_from_commit(): indirectly call trailer_info_get() + mailmap: change primary address for Linus Arver + +M Hickford (1): + libsecret: retrieve empty password + +Matthias Aßhauer (1): + Win32: detect unix socket support at runtime + +Max Gautier (1): + editorconfig: add Makefiles to "text files" + +Michael Lohmann (2): + revision: ensure MERGE_HEAD is a ref in prepare_show_merge + revision: implement `git log --merge` also for rebase/cherry-pick/revert + +Patrick Steinhardt (84): + refs: introduce reftable backend + ci: add jobs to test with the reftable backend + refs/reftable: fix leak when copying reflog fails + reftable/record: introduce function to compare records by key + reftable/merged: allocation-less dropping of shadowed records + reftable/merged: skip comparison for records of the same subiter + reftable/pq: allocation-less comparison of entry keys + reftable/block: swap buffers instead of copying + reftable/record: don't try to reallocate ref record name + reftable/reader: add comments to `table_iter_next()` + t: move tests exercising the "files" backend + t0410: convert tests to use DEFAULT_REPO_FORMAT prereq + t1400: exercise reflog with gaps with reftable backend + t1404: make D/F conflict tests compatible with reftable 
backend + t1405: remove unneeded cleanup step + t2011: exercise D/F conflicts with HEAD with the reftable backend + t7003: ensure filter-branch prunes reflogs with the reftable backend + git-difftool--helper: honor `--trust-exit-code` with `--dir-diff` + dir-iterator: pass name to `prepare_next_entry_data()` directly + dir-iterator: support iteration in sorted order + refs/files: sort reflogs returned by the reflog iterator + refs/files: sort merged worktree and common reflogs + refs: always treat iterators as ordered + refs: drop unused params from the reflog iterator callback + refs: stop resolving ref corresponding to reflogs + builtin/reflog: introduce subcommand to list reflogs + builtin/clone: allow remote helpers to detect repo + refs/reftable: don't fail empty transactions in repo without HEAD + reftable/pq: use `size_t` to track iterator index + reftable/merged: make `merged_iter` structure private + reftable/merged: advance subiter on subsequent iteration + reftable/merged: make subiters own their records + reftable/merged: remove unnecessary null check for subiters + reftable/merged: handle subiter cleanup on close only + reftable/merged: circumvent pqueue with single subiter + reftable/merged: avoid duplicate pqueue emptiness check + reftable/record: reuse refname when decoding + reftable/record: reuse refname when copying + reftable/record: decode keys in place + reftable: allow inlining of a few functions + refs/reftable: precompute prefix length + refs/reftable: reload correct stack when creating reflog iter + reftable/record: convert old and new object IDs to arrays + reftable/record: avoid copying author info + reftable/record: reuse refnames when decoding log records + reftable/record: reuse message when decoding log records + reftable/record: use scratch buffer when decoding records + refs/reftable: track last log record name via strbuf + t0610: remove unused variable assignment + lockfile: report when rollback fails + reftable/stack: register 
new tables as tempfiles + reftable/stack: register lockfiles during compaction + reftable/stack: register compacted tables as tempfiles + reftable/record: fix memory leak when decoding object records + reftable/block: fix binary search over restart counter + t5601: exercise clones with "includeIf.*.onbranch" + reftable: fix tests being broken by NFS' delete-after-close semantics + t7800: improve test descriptions with empty arguments + t7800: use single quotes for test bodies + t/README: document how to loop around test cases + reftable/stack: fix error handling in `reftable_stack_init_addition()` + reftable/error: discern locked/outdated errors + reftable/stack: use error codes when locking fails during compaction + reftable/stack: gracefully handle failed auto-compaction due to locks + refs/reftable: print errors on compaction failure + t/helper: drop pack-refs wrapper + refs: move `struct pack_refs_opts` to where it's used + refs: remove `PACK_REFS_ALL` flag + refs/reftable: expose auto compaction via new flag + builtin/pack-refs: release allocated memory + builtin/pack-refs: introduce new "--auto" flag + builtin/gc: move `struct maintenance_run_opts` + t6500: extract objects with "17" prefix + builtin/gc: forward git-gc(1)'s `--auto` flag when packing refs + builtin/gc: pack refs when using `git maintenance run --auto` + reftable/basics: fix return type of `binsearch()` to be `size_t` + reftable/basics: improve `binsearch()` test + reftable/refname: refactor binary search over refnames + reftable/block: refactor binary search over restart points + reftable/block: fix error handling when searching restart points + reftable/record: extract function to decode key lengths + reftable/block: avoid decoding keys when searching restart points + t0610: make `--shared=` tests reusable + t0610: execute git-pack-refs(1) with specified umask + +Peter Hutterer (1): + diff: add diff.srcPrefix and diff.dstPrefix configuration variables + +Philippe Blain (5): + merge-ort: turn 
submodule conflict suggestions into an advice + ci(github): make Windows test artifacts name unique + sequencer: allow disabling conflict advice + builtin/am: allow disabling conflict advice + t/README: mention test files are make targets + +Phillip Wood (9): + rebase -i: stop setting GIT_CHERRY_PICK_HELP + xdiff-interface: refactor parsing of merge.conflictstyle + merge-ll: introduce LL_MERGE_OPTIONS_INIT + merge options: add a conflict style member + checkout: cleanup --conflict=<style> parsing + checkout: fix interaction between --conflict and --merge + t3428: modernize test setup + t3428: use test_commit_message + t3428: restore coverage for "apply" backend + +Pi Fisher (1): + typo: replace 'commitish' with 'committish' + +Ralph Seichter (1): + config: add --comment option to add a comment + +René Scharfe (28): + use xstrncmpz() + fetch: convert strncmp() with strlen() to starts_with() + mem-pool: add mem_pool_strfmt() + name-rev: use mem_pool_strfmt() + submodule: use strvec_pushf() for --submodule-prefix + t-ctype: allow NUL anywhere in the specification string + t-ctype: simplify EOF check + t-ctype: align output of i + t-ctype: avoid duplicating class names + parse-options: recognize abbreviated negated option with arg + parse-options: set arg of abbreviated option lazily + parse-options: factor out register_abbrev() and struct parsed_option + parse-options: detect ambiguous self-negation + parse-options: normalize arg and long_name before comparison + parse-options: rearrange long_name matching code + t-prio-queue: shorten array index message + t-prio-queue: check result array bounds + factor out strbuf_expand_bad_format() + cat-file: use strbuf_expand_bad_format() + midx: use strvec_pushf() for pack-objects base name + mem-pool: use st_add() in mem_pool_strvfmt() + imap-send: use xsnprintf to format command + t-prio-queue: simplify using compound literals + apply: avoid fixed-size buffer in create_one_file() + path: remove mksnpath() + apply: don't leak 
fd on fdopen() error + usage: report vsnprintf(3) failure + date: make DATE_MODE thread-safe + +Richard Macklin (1): + rebase: fix typo in autosquash documentation + +Rubén Justo (13): + tag: error when git-column fails + completion: fix __git_complete_worktree_paths + completion: reflog with implicit "show" + completion: reflog show <log-options> + completion: introduce __git_find_subcommand + completion: factor out __git_resolve_builtins + completion: reflog subcommands and options + checkout: plug some leaks in git-restore + add-patch: introduce 'p' in interactive-patch + add-patch: do not print hunks repeatedly + add: use advise_if_enabled for ADVICE_ADD_IGNORED_FILE + add: use advise_if_enabled for ADVICE_ADD_EMPTY_PATHSPEC + add: use advise_if_enabled for ADVICE_ADD_EMBEDDED_REPO + +SZEDER Gábor (1): + upload-pack: don't send null character in abort message to the client + +Sergey Organov (1): + clean: improve -n and -f implementation and documentation + +Steven Jeuris (1): + userdiff: better method/property matching for C# + +Taylor Blau (8): + Documentation/config/pack.txt: fix broken AsciiDoc mark-up + upload-pack: disallow object-info capability by default + midx-write: move writing-related functions from midx.c + midx-write.c: factor out common want_included_pack() routine + midx-write.c: check count of packs to repack after grouping + midx-write.c: use `--stdin-packs` when repacking + t/t7700-repack.sh: fix test breakages with `GIT_TEST_MULTI_PACK_INDEX=1 ` + Makefile(s): avoid recipe prefix in conditional statements + +Ville Skyttä (2): + completion: fix prompt with unset SHOWCONFLICTSTATE in nounset mode + completion: protect prompt against unset SHOWUPSTREAM in nounset mode + +Vincenzo Mezzela (1): + t7301: use test_path_is_(missing|file) + +brian m. 
carlson (7): + loose: add a mapping between SHA-1 and SHA-256 for loose objects + commit: write commits for both hashes + cache: add a function to read an OID of a specific algorithm + object-file-convert: add a function to convert trees between algorithms + object-file-convert: convert tag objects when writing + object-file-convert: convert commit objects when writing + repository: implement extensions.compatObjectFormat + +shejialuo (1): + t9117: prefer test_path_* helper functions + + +Version v2.44.1; changes since v2.44.0: +--------------------------------------- + +Filip Hejsek (4): + t0411: add tests for cloning from partial repo + has_dir_name(): do not get confused by characters < '/' + t7423: add tests for symlinked submodule directories + clone: prevent clashing git dirs when cloning submodule in parallel + +Jeff King (6): + http: reset POSTFIELDSIZE when clearing curl handle + INSTALL: bump libcurl version to 7.21.3 + remote-curl: add Transfer-Encoding header only for older curl + test-lib: ignore uninteresting LSan output + upload-pack: disable lazy-fetching by default + docs: document security issues around untrusted .git dirs + +Johannes Schindelin (25): + repository: avoid leaking `fsmonitor` data + ci: upgrade to using macos-13 + ci(linux-asan/linux-ubsan): let's save some time + ci: bump remaining outdated Actions versions + ci(linux32): add a note about Actions that must not be updated + fetch/clone: detect dubious ownership of local repositories + submodules: submodule paths must not contain symlinks + clone_submodule: avoid using `access()` on directories + submodule: require the submodule path to contain directories only + t5510: verify that D/F confusion cannot lead to an RCE + entry: report more colliding paths + clone: when symbolic links collide with directories, keep the latter + find_hook(): refactor the `STRIP_EXTENSION` logic + init: refactor the template directory discovery into its own function + Add a helper function to compare file 
contents + clone: prevent hooks from running during a clone + init.templateDir: consider this config setting protected + core.hooksPath: add some protection while cloning + fsck: warn about symlink pointing inside a gitdir + Git 2.39.4 + Git 2.40.2 + Git 2.41.1 + Git 2.42.2 + Git 2.43.4 + Git 2.44.1 + +Junio C Hamano (2): + GitHub Actions: update to checkout@v4 + GitHub Actions: update to github-script@v7 + +Patrick Steinhardt (4): + builtin/clone: stop resolving symlinks when copying files + builtin/clone: abort when hardlinked source and target file differ + setup.c: introduce `die_upon_dubious_ownership()` + builtin/clone: refuse local clones of unsafe repositories + + +Version v2.44.0; changes since v2.44.0-rc2: +------------------------------------------- + +Junio C Hamano (1): + Git 2.43.3 + + +Version v2.44.0-rc2; changes since v2.44.0-rc1: +----------------------------------------------- + +Alexander Shopov (1): + l10n: bg.po: Updated Bulgarian translation (5610t) + +Arkadii Yakovets (3): + l10n: uk: v2.44 localization update + l10n: uk: v2.44 update (round 2) + l10n: uk: v2.44 update (round 3) + +Bagas Sanjaya (1): + l10n: po-id for 2.44 (round 1) + +Emir SARI (1): + l10n: tr: Update Turkish translations for 2.44 + +Jean-Noël Avila (1): + l10n: fr.po: v2.44.0 round 3 + +Jeff King (1): + trailer: fix comment/cut-line regression with opts->no_divider + +Jiang Xin (3): + diff: mark param1 and param2 as placeholders + l10n: ci: remove unused param for add-pr-comment@v2 + l10n: ci: disable cache for setup-go to suppress warnings + +Johannes Schindelin (2): + Always check the return value of `repo_read_object_file()` + l10n: bump Actions versions in l10n.yml + +Jordi Mas (1): + l10n: Update Catalan translation + +Junio C Hamano (2): + Hopefully the last batch of fixes before 2.44 final + Git 2.44-rc2 + +Peter Krefting (1): + l10n: sv.po: Update Swedish translation + +Philippe Blain (4): + completion: add space after config variable names also in Bash 3 + 
completion: complete 'submodule.*' config variables + completion: add and use __git_compute_first_level_config_vars_for_section + completion: add and use __git_compute_second_level_config_vars_for_section + +Phillip Wood (1): + prune: mark rebase autostash and orig-head as reachable + +Ralf Thielow (1): + l10n: Update German translation + +René Scharfe (2): + receive-pack: use find_commit_header() in check_cert_push_options() + receive-pack: use find_commit_header() in check_nonce() + +Teng Long (1): + l10n: zh_CN: for git 2.44 rounds + +Todd Zullinger (1): + RelNotes: minor typo fixes in 2.44.0 draft + +Vegard Nossum (1): + sequencer: unset GIT_CHERRY_PICK_HELP for 'exec' commands + +Yi-Jyun Pan (1): + l10n: zh_TW: Git 2.44 + + +Version v2.44.0-rc1; changes since v2.44.0-rc0: +----------------------------------------------- + +Britton Leo Kerin (7): + completion: tests: always use 'master' for default initial branch name + completion: bisect: complete bad, new, old, and help subcommands + completion: bisect: complete custom terms and related options + completion: bisect: complete missing --first-parent and - -no-checkout options + completion: new function __git_complete_log_opts + completion: bisect: complete log opts for visualize subcommand + completion: bisect: recognize but do not complete view subcommand + +Johannes Schindelin (2): + ci: bump remaining outdated Actions versions + ci(linux32): add a note about Actions that must not be updated + +Junio C Hamano (11): + GitHub Actions: update to checkout@v4 + GitHub Actions: update to github-script@v7 + tag: fix sign_buffer() call to create a signed tag + bisect: document "terms" subcommand more fully + bisect: document command line arguments for "bisect start" + ssh signing: signal an error with a negative return value + unit-tests: do show relative file paths on non-Windows, too + A few more topics before -rc1 + write-or-die: fix the polarity of GIT_FLUSH environment variable + A few more fixes before -rc1 + 
Git 2.43.2 + +Patrick Steinhardt (15): + reftable/reader: be more careful about errors in indexed seeks + reftable/writer: use correct type to iterate through index entries + reftable/writer: simplify writing index records + reftable/writer: fix writing multi-level indices + reftable: document reading and writing indices + builtin/stash: report failure to write to index + reftable: introduce macros to grow arrays + reftable: introduce macros to allocate arrays + reftable/stack: fix parameter validation when compacting range + reftable/stack: index segments with `size_t` + reftable/stack: use `size_t` to track stack slices during compaction + reftable/stack: use `size_t` to track stack length + reftable/merged: refactor seeking of records + reftable/merged: refactor initialization of iterators + reftable/record: improve semantics when initializing records + +Philippe Blain (1): + .github/PULL_REQUEST_TEMPLATE.md: add a note about single-commit PRs + +Phillip Wood (2): + show-ref --verify: accept pseudorefs + t1400: use show-ref to check pseudorefs + +Taylor Blau (2): + t5332-multi-pack-reuse.sh: extract pack-objects helper functions + pack-objects: enable multi-pack reuse via `feature.experimental` + +Victoria Dye (1): + ref-filter.c: sort formatted dates by byte value + + +Version v2.44.0-rc0; changes since v2.43.4: +------------------------------------------- + +Achu Luma (2): + unit-tests: rewrite t/helper/test-ctype.c as a unit test + t2400: avoid losing exit status to pipes + +Andy Koppe (3): + rebase: fully ignore rebase.autoSquash without -i + rebase: support --autosquash without -i + rebase: rewrite --(no-)autosquash documentation + +Antonin Delpeuch (2): + merge-file: add --diff-algorithm option + merge-ll: expose revision names to custom drivers + +Arthur Chan (1): + fuzz: add new oss-fuzz fuzzer for date.c / date.h + +Britton Leo Kerin (2): + doc: use singular form of repeatable path arg + doc: refer to pathspec instead of path + +Carlo Marcelo Arenas 
Belón (1): + ci: update FreeBSD cirrus job + +Chandra Pratap (2): + t4129: prevent loss of exit code due to the use of pipes + tests: move t0009-prio-queue.sh to the new unit testing framework + +Elijah Newren (19): + t6429: remove switching aspects of fast-rebase + replay: introduce new builtin + replay: start using parse_options API + replay: die() instead of failing assert() + replay: introduce pick_regular_commit() + replay: change rev walking options + replay: add an important FIXME comment about gpg signing + replay: remove progress and info output + replay: remove HEAD related sanity check + replay: make it a minimal server side command + replay: use standard revision ranges + replay: add --advance or 'cherry-pick' mode + replay: add --contained to rebase contained branches + replay: stop assuming replayed branches do not diverge + completion: squelch stray errors in sparse-checkout completion + completion: fix logic for determining whether cone mode is active + completion: avoid misleading completions in cone mode + completion: avoid user confusion in non-cone mode + sparse-checkout: be consistent with end of options markers + +Ghanshyam Thakkar (4): + t7501: add tests for --include and --only + t7501: add tests for --amend --signoff + t0024: avoid losing exit status to pipes + t0024: style fix + +Jean-Noël Avila (2): + doc: enforce dashes in placeholders + doc: enforce placeholders in documentation + +Jeff Hostetler (1): + sparse-index: pass string length to index_file_exists() + +Jeff King (13): + commit-graph: handle overflow in chunk_size checks + midx: check consistency of fanout table + commit-graph: drop redundant call to "lite" verification + commit-graph: clarify missing-chunk error messages + commit-graph: abort as soon as we see a bogus chunk + commit-graph: use fanout value for graph size + commit-graph: check order while reading fanout chunk + commit-graph: drop verify_commit_graph_lite() + commit-graph: mark chunk error messages for 
translation + transport-helper: re-examine object dir after fetching + Makefile: use mkdir_p_parent_template for UNIT_TEST_BIN + Makefile: remove UNIT_TEST_BIN directory with "make clean" + t/Makefile: get UNIT_TESTS list from C sources + +Jiang Xin (6): + transport-helper: no connection restriction in connect_helper + remote-curl: supports git-upload-archive service + transport-helper: protocol v2 supports upload-archive + http-backend: new rpc-service for git-upload-archive + transport-helper: call do_take_over() in connect_helper + transport-helper: call do_take_over() in process_connect + +Joanna Wang (2): + attr: enable attr pathspec magic for git-add and git-stash + attr: add builtin objectmode values support + +Johannes Schindelin (7): + cmake: also build unit tests + unit-tests: do not mistake `.pdb` files for being executable + unit-tests: do show relative file paths + artifacts-tar: when including `.dll` files, don't forget the unit-tests + cmake: fix typo in variable name + cmake: use test names instead of full paths + cmake: handle also unit tests + +John Cai (15): + t3210: move to t0601 + remove REFFILES prerequisite for some tests in t1405 and t2017 + t1414: convert test to use Git commands instead of writing refs manually + t1404: move reffiles specific tests to t0600 + t1405: move reffiles specific tests to t0601 + t1406: move reffiles specific tests to t0600 + t1410: move reffiles specific tests to t0600 + t1415: move reffiles specific tests to t0601 + t1503: move reffiles specific tests to t0600 + t3903: make drop stash test ref backend agnostic + t4202: move reffiles specific tests to t0600 + t5312: move reffiles specific tests to t0601 + reftable: honor core.fsync + index-pack: test and document --strict=<msg-id>=<severity>... 
+ index-pack: --fsck-objects to take an optional argument for fsck msgs + +Josh Steadmon (4): + unit tests: add a project plan document + ci: run unit tests in CI + fuzz: fix fuzz test build rules + ci: build and run minimal fuzzers in GitHub CI + +Junio C Hamano (26): + cache: add fake_lstat() + diff-lib: fix check_removed() when fsmonitor is active + checkout: refactor die_if_checked_out() caller + Start the 2.44 cycle + checkout: forbid "-B <branch>" from touching a branch used elsewhere + The second batch + The third batch + The fourth batch + The fifth batch + The sixth batch + messages: mark some strings with "up-to-date" not to touch + The seventh batch + The eighth batch + The ninth batch + ls-files: avoid the verb "deprecate" for individual options + The tenth batch + The eleventh batch + t0091: allow test in a repository without tags + The twelfth batch + Makefile: reduce repetitive library paths + Makefile: simplify output of the libpath_template + The thirteenth batch + t/Makefile: say the default target upfront + The fourteenth batch + The fifteenth batch + Git 2.44-rc0 + +Justin Tobler (2): + t1401: remove lockfile creation + t5541: remove lockfile creation + +Kristoffer Haugsbakk (5): + config: format newlines + config: rename global config function + config: factor out global config file retrieval + maintenance: use XDG config if it exists + config: add back code comment + +Kyle Lippincott (1): + setup: allow cwd=.git w/ bareRepository=explicit + +M Hickford (1): + credential/wincred: store oauth_refresh_token + +Marcelo Roberto Jimenez (1): + gitweb: die when a configuration file cannot be read + +Patrick Steinhardt (93): + t: allow skipping expected object ID in `ref-store update-ref` + t: convert tests to not write references via the filesystem + t: convert tests to not access symrefs via the filesystem + t: convert tests to not access reflog via the filesystem + t1450: convert tests to remove worktrees via git-worktree(1) + t4207: delete replace 
references via git-update-ref(1) + t7300: assert exact states of repo + t7900: assert the absence of refs via git-for-each-ref(1) + t: mark several tests that assume the files backend with REFFILES + t/lib-httpd: dynamically detect httpd and modules path + t/lib-httpd: stop using legacy crypt(3) for authentication + t9164: fix inability to find basename(1) in Subversion hooks + global: convert trivial usages of `test <expr> -a/-o <expr>` + contrib/subtree: stop using `-o` to test for number of args + contrib/subtree: convert subtree type check to use case statement + Makefile: stop using `test -o` when unlinking duplicate executables + t5510: ensure that the packed-refs file needs locking + refs/files: use transactions to delete references + refs: deduplicate code to delete references + refs: remove `delete_refs` callback from backends + setup: extract function to create the refdb + setup: allow skipping creation of the refdb + remote-curl: rediscover repository when fetching refs + builtin/clone: fix bundle URIs with mismatching object formats + builtin/clone: set up sparse checkout later + builtin/clone: skip reading HEAD when retrieving remote + builtin/clone: create the refdb with the correct object format + wt-status: read HEAD and ORIG_HEAD via the refdb + refs: propagate errno when reading special refs fails + refs: complete list of special refs + bisect: consistently write BISECT_EXPECTED_REV via the refdb + t: introduce DEFAULT_REPO_FORMAT prereq + worktree: skip reading HEAD when repairing worktrees + refs: refactor logic to look up storage backends + setup: start tracking ref storage format + setup: set repository's formats on init + setup: introduce "extensions.refStorage" extension + setup: introduce GIT_DEFAULT_REF_FORMAT envvar + t: introduce GIT_TEST_DEFAULT_REF_FORMAT envvar + builtin/rev-parse: introduce `--show-ref-format` flag + builtin/init: introduce `--ref-format=` value flag + builtin/clone: introduce `--ref-format=` value flag + t9500: 
write "extensions.refstorage" into config + reftable/stack: do not overwrite errors when compacting + reftable/stack: do not auto-compact twice in `reftable_stack_add()` + reftable/writer: fix index corruption when writing multiple indices + reftable/record: constify some parts of the interface + reftable/record: store "val1" hashes as static arrays + reftable/record: store "val2" hashes as static arrays + reftable/merged: really reuse buffers to compute record keys + reftable/merged: transfer ownership of records when iterating + git-prompt: stop manually parsing HEAD with unknown ref formats + ci: add job performing static analysis on GitLab CI + refs: prepare `refs_init_db()` for initializing worktree refs + setup: move creation of "refs/" into the files backend + refs/files: skip creation of "refs/{heads,tags}" for worktrees + builtin/worktree: move setup of commondir file earlier + worktree: expose interface to look up worktree by name + builtin/worktree: create refdb via ref backend + reftable/stack: refactor stack reloading to have common exit path + reftable/stack: refactor reloading to use file descriptor + reftable/stack: use stat info to avoid re-reading stack list + reftable/blocksource: refactor code to match our coding style + reftable/blocksource: use mmap to read tables + git-p4: stop reaching into the refdb + commit-graph: fix memory leak when not writing graph + completion: discover repo path in `__git_pseudoref_exists ()` + t9902: verify that completion does not print anything + completion: improve existence check for pseudo-refs + completion: silence pseudoref existence check + completion: treat dangling symrefs as existing pseudorefs + t7527: decrease likelihood of racing with fsmonitor daemon + Makefile: detect new Homebrew location for ARM-based Macs + ci: handle TEST_OUTPUT_DIRECTORY when printing test failures + ci: make p4 setup on macOS more robust + ci: add macOS jobs to GitLab CI + reftable/stack: unconditionally reload stack after 
commit + reftable/stack: fix race in up-to-date check + sequencer: clean up pseudo refs with REF_NO_DEREF + sequencer: delete REBASE_HEAD in correct repo when picking commits + refs: convert AUTO_MERGE to become a normal pseudo-ref + sequencer: introduce functions to handle autostashes via refs + refs: convert MERGE_AUTOSTASH to become a normal pseudo-ref + refs: redefine special refs + Documentation: add "special refs" to the glossary + reftable/stack: adjust permissions of compacted tables + t1300: make tests more robust with non-default ref backends + t1301: mark test for `core.sharedRepository` as reffiles specific + t1302: make tests more robust with new extensions + t1419: mark test suite as files-backend specific + t5526: break test submodule differently + t: mark tests regarding git-pack-refs(1) to be backend specific + reftable/stack: fsync "tables.list" during compaction + +Philippe Blain (5): + completion: complete missing rev-list options + completion: complete --patch-with-raw + completion: complete --encoding + completion: complete missing 'git log' options + ci(github): also skip logs of broken test cases + +Phillip Wood (1): + unit tests: add TAP unit test framework + +René Scharfe (3): + git-compat-util: convert skip_{prefix,suffix}{,_mem} to bool + mem-pool: fix big allocations + mem-pool: simplify alignment calculation + +Rubén Justo (9): + branch: clarify <oldbranch> term + advice: sort the advice related lists + advice: fix an unexpected leading space + branch: make the advice to force-deleting a conditional one + advice: allow disabling the automatic hint in advise_if_enabled() + t5332: mark as leak-free + t6113: mark as leak-free + test-lib: check for TEST_PASSES_SANITIZE_LEAK + t0080: mark as leak-free + +Simon Ser (1): + format-patch: fix ignored encode_email_headers for cover letter + +Sören Krecker (1): + mingw: give more details about unsafe directory's ownership + +Tamino Bauknecht (1): + fetch: add new config option fetch.all + +Taylor 
Blau (26): + pack-objects: free packing_data in more places + pack-bitmap-write: deep-clear the `bb_commit` slab + pack-bitmap: plug leak in find_objects() + midx: factor out `fill_pack_info()` + midx: implement `BTMP` chunk + midx: implement `midx_locate_pack()` + pack-bitmap: pass `bitmapped_pack` struct to pack-reuse functions + ewah: implement `bitmap_is_empty()` + pack-bitmap: simplify `reuse_partial_packfile_from_bitmap()` signature + pack-bitmap: return multiple packs via `reuse_partial_packfile_from_bitmap()` + pack-objects: parameterize pack-reuse routines over a single pack + pack-objects: keep track of `pack_start` for each reuse pack + pack-objects: pass `bitmapped_pack`'s to pack-reuse functions + pack-objects: prepare `write_reused_pack()` for multi-pack reuse + pack-objects: prepare `write_reused_pack_verbatim()` for multi-pack reuse + pack-objects: include number of packs reused in output + git-compat-util.h: implement checked size_t to uint32_t conversion + midx: implement `midx_preferred_pack()` + pack-revindex: factor out `midx_key_to_pack_pos()` helper + pack-revindex: implement `midx_pair_to_pack_pos()` + pack-bitmap: prepare to mark objects from multiple packs for reuse + pack-objects: add tracing for various packfile metrics + t/test-lib-functions.sh: implement `test_trace2_data` helper + pack-objects: allow setting `pack.allowPackReuse` to "single" + pack-bitmap: enable reuse from all bitmapped packs + t/perf: add performance tests for multi-pack reuse + +Victoria Dye (14): + ref-filter.c: really don't sort when using --no-sort + ref-filter.h: add max_count and omit_empty to ref_format + ref-filter.h: move contains caches into filter + ref-filter.h: add functions for filter/format & format-only + ref-filter.c: rename 'ref_filter_handler()' to 'filter_one()' + ref-filter.c: refactor to create common helper functions + ref-filter.c: filter & format refs in the same callback + for-each-ref: clean up documentation of --format + ref-filter.c: use 
peeled tag for '*' format fields + t/perf: add perf tests for for-each-ref + submodule-config.h: move check_submodule_url + test-submodule: remove command line handling for check-name + t7450: test submodule urls + submodule-config.c: strengthen URL fsck check + +Zach FettersMoore (1): + subtree: fix split processing with multiple subtrees present + + +Version v2.43.4; changes since v2.43.3: +--------------------------------------- + +Filip Hejsek (4): + t0411: add tests for cloning from partial repo + has_dir_name(): do not get confused by characters < '/' + t7423: add tests for symlinked submodule directories + clone: prevent clashing git dirs when cloning submodule in parallel + +Jeff King (6): + http: reset POSTFIELDSIZE when clearing curl handle + INSTALL: bump libcurl version to 7.21.3 + remote-curl: add Transfer-Encoding header only for older curl + test-lib: ignore uninteresting LSan output + upload-pack: disable lazy-fetching by default + docs: document security issues around untrusted .git dirs + +Johannes Schindelin (24): + repository: avoid leaking `fsmonitor` data + ci: upgrade to using macos-13 + ci(linux-asan/linux-ubsan): let's save some time + ci: bump remaining outdated Actions versions + ci(linux32): add a note about Actions that must not be updated + fetch/clone: detect dubious ownership of local repositories + submodules: submodule paths must not contain symlinks + clone_submodule: avoid using `access()` on directories + submodule: require the submodule path to contain directories only + t5510: verify that D/F confusion cannot lead to an RCE + entry: report more colliding paths + clone: when symbolic links collide with directories, keep the latter + find_hook(): refactor the `STRIP_EXTENSION` logic + init: refactor the template directory discovery into its own function + Add a helper function to compare file contents + clone: prevent hooks from running during a clone + init.templateDir: consider this config setting protected + core.hooksPath: 
add some protection while cloning + fsck: warn about symlink pointing inside a gitdir + Git 2.39.4 + Git 2.40.2 + Git 2.41.1 + Git 2.42.2 + Git 2.43.4 + +Junio C Hamano (2): + GitHub Actions: update to checkout@v4 + GitHub Actions: update to github-script@v7 + +Patrick Steinhardt (4): + builtin/clone: stop resolving symlinks when copying files + builtin/clone: abort when hardlinked source and target file differ + setup.c: introduce `die_upon_dubious_ownership()` + builtin/clone: refuse local clones of unsafe repositories + + +Version v2.43.3; changes since v2.43.2: +--------------------------------------- + +Jeff King (1): + trailer: fix comment/cut-line regression with opts->no_divider + +Junio C Hamano (1): + Git 2.43.3 + + +Version v2.43.2; changes since v2.43.1: +--------------------------------------- + +Elijah Newren (1): + diffcore-delta: avoid ignoring final 'line' of file + +James Touton (1): + git-p4: use raw string literals for regular expressions + +Jeff King (1): + diff: handle NULL meta-info when spawning external diff + +Johannes Schindelin (1): + win32: special-case `ENOSPC` when writing to a pipe + +Junio C Hamano (11): + Docs: majordomo@vger.kernel.org has been decomissioned + CoC: whitespace fix + builtin/worktree: comment style fixes + merge-ort.c: comment style fix + reftable/pq_test: comment style fix + tag: fix sign_buffer() call to create a signed tag + bisect: document "terms" subcommand more fully + bisect: document command line arguments for "bisect start" + ssh signing: signal an error with a negative return value + write-or-die: fix the polarity of GIT_FLUSH environment variable + Git 2.43.2 + +Linus Arver (1): + strvec: use correct member name in comments + +Nikolay Borisov (1): + rebase: fix documentation about used shell in -x + +Nikolay Edigaryev (1): + rev-list-options: fix off-by-one in '--filter=blob:limit=<n>' explainer + +Patrick Steinhardt (1): + builtin/stash: report failure to write to index + +Philippe Blain (2): + 
imap-send: add missing "strbuf.h" include under NO_CURL + .github/PULL_REQUEST_TEMPLATE.md: add a note about single-commit PRs + +René Scharfe (2): + parse-options: fully disable option abbreviation with PARSE_OPT_KEEP_UNKNOWN + parse-options: simplify positivation handling + +Sam Delmerico (1): + push: region_leave trace for negotiate_using_fetch + +Taylor Blau (1): + pack-bitmap: drop unused `reuse_objects` + +Toon Claes (1): + builtin/show-ref: treat directory as non-existing in --exists + + +Version v2.43.1; changes since v2.43.0: +--------------------------------------- + +Chandra Pratap (2): + sideband.c: remove redundant 'NEEDSWORK' tag + write-or-die: make GIT_FLUSH a Boolean environment variable + +Elijah Newren (12): + treewide: remove unnecessary includes from header files + treewide: remove unnecessary includes in source files + archive.h: remove unnecessary include + blame.h: remove unnecessary includes + fsmonitor--daemon.h: remove unnecessary includes + http.h: remove unnecessary include + line-log.h: remove unnecessary include + pkt-line.h: remove unnecessary include + submodule-config.h: remove unnecessary include + trace2/tr2_tls.h: remove unnecessary include + treewide: add direct includes currently only pulled in transitively + treewide: remove unnecessary includes in source files + +Eric Sunshine (1): + git-add.txt: add missing short option -A to synopsis + +Illia Bobyr (1): + rebase: clarify --reschedule-failed-exec default + +Jeff Hostetler (3): + trace2: fix signature of trace2_def_param() macro + t0211: test URL redacting in PERF format + t0212: test URL redacting in EVENT format + +Jeff King (24): + parse-options: decouple "--end-of-options" and "--" + bisect: always clean on reset + config: handle NULL value when parsing non-bools + setup: handle NULL value when parsing extensions + trace2: handle NULL values in tr2_sysenv config callback + help: handle NULL value for alias.* config + submodule: handle NULL value when parsing 
submodule.*.branch + trailer: handle NULL value when parsing trailer-specific config + fsck: handle NULL value when parsing message config + config: reject bogus values for core.checkstat + git_xmerge_config(): prefer error() to die() + imap-send: don't use git_die_config() inside callback + config: use config_error_nonbool() instead of custom messages + diff: give more detailed messages for bogus diff.* config + config: use git_config_string() for core.checkRoundTripEncoding + push: drop confusing configset/callback redundancy + gpg-interface: drop pointless config_error_nonbool() checks + sequencer: simplify away extra git_config_string() call + mailinfo: fix out-of-bounds memory reads in unquote_quoted_pair() + t5100: make rfc822 comment test more careful + mailinfo: avoid recursion when unquoting From headers + t1006: add tests for %(objectsize:disk) + commit-graph: retain commit slab when closing NULL commit_graph + index-pack: spawn threads atomically + +Jiang Xin (5): + t5574: test porcelain output of atomic fetch + fetch: no redundant error message for atomic fetch + test-pkt-line: add option parser for unpack-sideband + pkt-line: memorize sideband fragment in reader + pkt-line: do not chomp newlines for sideband messages + +Johannes Schindelin (3): + ci: avoid running the test suite _twice_ + packfile.c: fix a typo in `each_file_in_pack_dir_fn()`'s declaration + trace2: redact passwords from https:// URLs by default + +Josh Brobst (1): + builtin/reflog.c: fix dry-run option short name + +Josh Soref (13): + doc: update links to current pages + doc: switch links to https + doc: update links for andre-simon.de + doc: refer to internet archive + CodingGuidelines: move period inside parentheses + CodingGuidelines: write punctuation marks + SubmittingPatches: drop ref to "What's in git.git" + SubmittingPatches: discourage new trailers + SubmittingPatches: update extra tags list + SubmittingPatches: provide tag naming advice + SubmittingPatches: clarify GitHub 
visual + SubmittingPatches: clarify GitHub artifact format + SubmittingPatches: hyphenate non-ASCII + +Julian Prein (1): + hooks--pre-commit: detect non-ASCII when renaming + +Junio C Hamano (13): + orphan/unborn: add to the glossary and use them consistently + orphan/unborn: fix use of 'orphan' in end-user facing messages + revision: parse integer arguments to --max-count, --skip, etc., more carefully + git.txt: HEAD is not that special + git-bisect.txt: BISECT_HEAD is not that special + refs.h: HEAD is not that special + docs: AUTO_MERGE is not that special + docs: MERGE_AUTOSTASH is not that special + doc: format.notes specify a ref under refs/notes/ hierarchy + remote.h: retire CAS_OPT_NAME + archive: "--list" does not take further options + sparse-checkout: use default patterns for 'set' only !stdin + Git 2.43.1 + +Linus Arver (3): + commit: ignore_non_trailer computes number of bytes to ignore + trailer: find the end of the log message + trailer: use offsets for trailer_start/trailer_end + +Maarten van der Schrieck (1): + Documentation: fix statement about rebase.instructionFormat + +Marcel Krause (1): + doc: make the gitfile syntax easier to discover + +Michael Lohmann (2): + Documentation/git-merge.txt: fix reference to synopsis + Documentation/git-merge.txt: use backticks for command wrapping + +Patrick Steinhardt (31): + ci: reorder definitions for grouping functions + ci: make grouping setup more generic + ci: group installation of Docker dependencies + ci: split out logic to set up failed test artifacts + ci: unify setup of some environment variables + ci: squelch warnings when testing with unusable Git repo + ci: install test dependencies for linux-musl + ci: add support for GitLab CI + commit-graph: disable GIT_COMMIT_GRAPH_PARANOIA by default + t0410: mark tests to require the reffiles backend + t1400: split up generic reflog tests from the reffile-specific ones + t1401: stop treating FETCH_HEAD as real reference + t1410: use test-tool to create 
empty reflog + t1417: make `reflog --updateref` tests backend agnostic + t3310: stop checking for reference existence via `test -f` + t4013: simplify magic parsing and drop "failure" + t5401: speed up creation of many branches + t5551: stop writing packed-refs directly + t6301: write invalid object ID via `test-tool ref-store` + reftable: wrap EXPECT macros in do/while + reftable: handle interrupted reads + reftable: handle interrupted writes + reftable/stack: verify that `reftable_stack_add()` uses auto-compaction + reftable/stack: perform auto-compaction with transactional interface + reftable/stack: reuse buffers when reloading stack + reftable/stack: fix stale lock when dying + reftable/stack: fix use of unseeded randomness + reftable/merged: reuse buffer to compute record keys + reftable/block: introduce macro to initialize `struct block_iter` + reftable/block: reuse buffer to compute record keys + tests: adjust whitespace in chainlint expectations + +René Scharfe (14): + column: release strbuf and string_list after use + i18n: factorize even more 'incompatible options' messages + push: use die_for_incompatible_opt4() for - -delete/--tags/--all/--mirror + repack: use die_for_incompatible_opt3() for -A/-k/--cruft + revision: use die_for_incompatible_opt3() for - -graph/--reverse/--walk-reflogs + revision, rev-parse: factorize incompatibility messages about - -exclude-hidden + clean: factorize incompatibility message + worktree: standardize incompatibility messages + worktree: simplify incompatibility message for --orphan and commit-ish + show-ref: use die_for_incompatible_opt3() + t6300: avoid hard-coding object sizes + rebase: use strvec_pushf() for format-patch revisions + fast-import: use mem_pool_calloc() + t1006: prefer shell loop to awk for packed object sizes + +Rubén Justo (1): + status: fix branch shown when not only bisecting + +Shreyansh Paliwal (1): + test-lib-functions.sh: fix test_grep fail message wording + +Stan Hu (2): + completion: refactor 
existence checks for pseudorefs + completion: support pseudoref existence checks for reftables + +Todd Zullinger (2): + perl: bump the required Perl version to 5.8.1 from 5.8.0 + send-email: avoid duplicate specification warnings + + Version v2.43.0; changes since v2.43.0-rc2: ------------------------------------------- @@ -139,7 +1763,7 @@ brian m. carlson (1): merge-file: add an option to process object IDs -Version v2.43.0-rc0; changes since v2.42.1: +Version v2.43.0-rc0; changes since v2.42.2: ------------------------------------------- Alyssa Ross (1): 
@@ -535,6 +2159,59 @@ brian m. carlson (1): doc: correct the 50 characters soft limit (+) +Version v2.42.2; changes since v2.42.1: +--------------------------------------- + +Filip Hejsek (4): + t0411: add tests for cloning from partial repo + has_dir_name(): do not get confused by characters < '/' + t7423: add tests for symlinked submodule directories + clone: prevent clashing git dirs when cloning submodule in parallel + +Jeff King (6): + http: reset POSTFIELDSIZE when clearing curl handle + INSTALL: bump libcurl version to 7.21.3 + remote-curl: add Transfer-Encoding header only for older curl + test-lib: ignore uninteresting LSan output + upload-pack: disable lazy-fetching by default + docs: document security issues around untrusted .git dirs + +Johannes Schindelin (23): + repository: avoid leaking `fsmonitor` data + ci: upgrade to using macos-13 + ci(linux-asan/linux-ubsan): let's save some time + ci: bump remaining outdated Actions versions + ci(linux32): add a note about Actions that must not be updated + fetch/clone: detect dubious ownership of local repositories + submodules: submodule paths must not contain symlinks + clone_submodule: avoid using `access()` on directories + submodule: require the submodule path to contain directories only + t5510: verify that D/F confusion cannot lead to an RCE + entry: report more colliding paths + clone: when symbolic links collide with directories, keep the latter + find_hook(): refactor the `STRIP_EXTENSION` logic + init: refactor the template directory discovery into its own function + Add a helper function to compare file contents + clone: prevent hooks from running during a clone + init.templateDir: consider this config setting protected + core.hooksPath: add some protection while cloning + fsck: warn about symlink pointing inside a gitdir + Git 2.39.4 + Git 2.40.2 + Git 2.41.1 + Git 2.42.2 + +Junio C Hamano (2): + GitHub Actions: update to checkout@v4 + GitHub Actions: update to github-script@v7 + +Patrick 
Steinhardt (4): + builtin/clone: stop resolving symlinks when copying files + builtin/clone: abort when hardlinked source and target file differ + setup.c: introduce `die_upon_dubious_ownership()` + builtin/clone: refuse local clones of unsafe repositories + + Version v2.42.1; changes since v2.42.0: --------------------------------------- @@ -800,7 +2477,7 @@ brian m. carlson (2): gitignore: ignore clangd .cache directory -Version v2.42.0-rc0; changes since v2.41.0: +Version v2.42.0-rc0; changes since v2.41.1: ------------------------------------------- Alejandro R. Sedeño (1): @@ -921,7 +2598,7 @@ Jacob Keller (1): Jan Klötzke (1): ref-filter: handle nested tags in --points-at option -Jeff King (36): +Jeff King (35): format-patch: free rev.message_id when exiting format-patch: free elements of rev.ref_message_ids list pathspec: factor out magic-to-name function @@ -931,7 +2608,6 @@ Jeff King (36): ci: run ASan/UBSan in a single job ci: drop linux-clang job commit: pass --no-divider to interpret-trailers - http: handle both "h2" and "h2h3" in curl info lines var: mark unused parameters in git_var callbacks imap-send: use server conf argument in setup_curl() imap-send: drop unused parameter from imap_cmd_cb callback 
@@ -1289,6 +2965,61 @@ brian m. carlson (7): var: add config file locations +Version v2.41.1; changes since v2.41.0: +--------------------------------------- + +Filip Hejsek (4): + t0411: add tests for cloning from partial repo + has_dir_name(): do not get confused by characters < '/' + t7423: add tests for symlinked submodule directories + clone: prevent clashing git dirs when cloning submodule in parallel + +Jeff King (9): + http: handle both "h2" and "h2h3" in curl info lines + http: factor out matching of curl http/2 trace lines + http: update curl http/2 info matching for curl 8.3.0 + http: reset POSTFIELDSIZE when clearing curl handle + INSTALL: bump libcurl version to 7.21.3 + remote-curl: add Transfer-Encoding header only for older curl + test-lib: ignore uninteresting LSan output + upload-pack: disable lazy-fetching by default + docs: document security issues around untrusted .git dirs + +Johannes Schindelin (22): + repository: avoid leaking `fsmonitor` data + ci: upgrade to using macos-13 + ci(linux-asan/linux-ubsan): let's save some time + ci: bump remaining outdated Actions versions + ci(linux32): add a note about Actions that must not be updated + fetch/clone: detect dubious ownership of local repositories + submodules: submodule paths must not contain symlinks + clone_submodule: avoid using `access()` on directories + submodule: require the submodule path to contain directories only + t5510: verify that D/F confusion cannot lead to an RCE + entry: report more colliding paths + clone: when symbolic links collide with directories, keep the latter + find_hook(): refactor the `STRIP_EXTENSION` logic + init: refactor the template directory discovery into its own function + Add a helper function to compare file contents + clone: prevent hooks from running during a clone + init.templateDir: consider this config setting protected + core.hooksPath: add some protection while cloning + fsck: warn about symlink pointing inside a gitdir + Git 2.39.4 + Git 2.40.2 + 
Git 2.41.1 + +Junio C Hamano (2): + GitHub Actions: update to checkout@v4 + GitHub Actions: update to github-script@v7 + +Patrick Steinhardt (4): + builtin/clone: stop resolving symlinks when copying files + builtin/clone: abort when hardlinked source and target file differ + setup.c: introduce `die_upon_dubious_ownership()` + builtin/clone: refuse local clones of unsafe repositories + + Version v2.41.0; changes since v2.41.0-rc2: ------------------------------------------- @@ -1382,7 +3113,7 @@ brian m. carlson (1): upload-pack: advertise capabilities when cloning empty repos -Version v2.41.0-rc0; changes since v2.40.1: +Version v2.41.0-rc0; changes since v2.40.2: ------------------------------------------- Adam Johnson (1): 
@@ -1969,6 +3700,60 @@ ZheNing Hu (2): branch, for-each-ref, tag: add option to omit empty lines +Version v2.40.2; changes since v2.40.1: +--------------------------------------- + +Filip Hejsek (4): + t0411: add tests for cloning from partial repo + has_dir_name(): do not get confused by characters < '/' + t7423: add tests for symlinked submodule directories + clone: prevent clashing git dirs when cloning submodule in parallel + +Jeff King (9): + http: handle both "h2" and "h2h3" in curl info lines + http: factor out matching of curl http/2 trace lines + http: update curl http/2 info matching for curl 8.3.0 + http: reset POSTFIELDSIZE when clearing curl handle + INSTALL: bump libcurl version to 7.21.3 + remote-curl: add Transfer-Encoding header only for older curl + test-lib: ignore uninteresting LSan output + upload-pack: disable lazy-fetching by default + docs: document security issues around untrusted .git dirs + +Johannes Schindelin (21): + repository: avoid leaking `fsmonitor` data + ci: upgrade to using macos-13 + ci(linux-asan/linux-ubsan): let's save some time + ci: bump remaining outdated Actions versions + ci(linux32): add a note about Actions that must not be updated + fetch/clone: detect dubious ownership of local repositories + submodules: submodule paths must not contain symlinks + clone_submodule: avoid using `access()` on directories + submodule: require the submodule path to contain directories only + t5510: verify that D/F confusion cannot lead to an RCE + entry: report more colliding paths + clone: when symbolic links collide with directories, keep the latter + find_hook(): refactor the `STRIP_EXTENSION` logic + init: refactor the template directory discovery into its own function + Add a helper function to compare file contents + clone: prevent hooks from running during a clone + init.templateDir: consider this config setting protected + core.hooksPath: add some protection while cloning + fsck: warn about symlink pointing inside a gitdir + Git 
2.39.4 + Git 2.40.2 + +Junio C Hamano (2): + GitHub Actions: update to checkout@v4 + GitHub Actions: update to github-script@v7 + +Patrick Steinhardt (4): + builtin/clone: stop resolving symlinks when copying files + builtin/clone: abort when hardlinked source and target file differ + setup.c: introduce `die_upon_dubious_ownership()` + builtin/clone: refuse local clones of unsafe repositories + + Version v2.40.1; changes since v2.40.0: --------------------------------------- @@ -2144,7 +3929,7 @@ idriss fekir (1): trace.c, git.c: remove unnecessary parameter to trace_repo_setup() -Version v2.40.0-rc0; changes since v2.39.3: +Version v2.40.0-rc0; changes since v2.39.4: ------------------------------------------- Adam Szkoda (1): @@ -2248,11 +4033,10 @@ Harshil-Jani (2): mingw: remove duplicate `USE_NED_ALLOCATOR` directive mingw: remove msysGit/MSYS1 support -Jeff Hostetler (2): +Jeff Hostetler (1): fsmonitor: fix race seen in t7527 - fsmonitor: eliminate call to deprecated FSEventStream function -Jeff King (32): +Jeff King (28): git-jump: move valid-mode check earlier pack-bitmap.c: break out of the bitmap loop early if not tracing pack-bitmap.c: trace bitmap ignore logs when midx-bitmap is found @@ -2279,10 +4063,6 @@ Jeff King (32): hash-object: use fsck for object checks hash-object: fix descriptor leak with --literally fsck: do not assume NUL-termination of buffers - t/lib-httpd: bump required apache version to 2.2 - t/lib-httpd: bump required apache version to 2.4 - t/lib-httpd: drop SSLMutex config - t/lib-httpd: increase ssl key size to 2048 bits doc/ls-remote: cosmetic cleanups for examples doc/ls-remote: clarify pattern format 
@@ -2557,6 +4337,81 @@ ZheNing Hu (1): date.c: allow ISO 8601 reduced precision times +Version v2.39.4; changes since v2.39.3: +--------------------------------------- + +Filip Hejsek (4): + t0411: add tests for cloning from partial repo + has_dir_name(): do not get confused by characters < '/' + t7423: add tests for symlinked submodule directories + clone: prevent clashing git dirs when cloning submodule in parallel + +Jeff Hostetler (1): + fsmonitor: eliminate call to deprecated FSEventStream function + +Jeff King (29): + t/lib-httpd: bump required apache version to 2.2 + t/lib-httpd: bump required apache version to 2.4 + t/lib-httpd: drop SSLMutex config + t/lib-httpd: increase ssl key size to 2048 bits + t5541: run "used receive-pack service" test earlier + t5541: stop marking "used receive-pack service" test as v0 only + t5541: simplify and move "no empty path components" test + t5551: drop redundant grep for Accept-Language + t5551: lower-case headers in expected curl trace + t5551: handle HTTP/2 when checking curl trace + t5551: stop forcing clone to run with v0 protocol + t5551: handle v2 protocol when checking curl trace + t5551: handle v2 protocol in upload-pack service test + t5551: simplify expected cookie file + t5551: handle v2 protocol in cookie test + t5551: drop curl trace lines without headers + t/lib-httpd: respect $HTTPD_PROTO in expect_askpass() + t/lib-httpd: enable HTTP/2 "h2" protocol, not just h2c + t5559: fix test failures with LIB_HTTPD_SSL + t5559: make SSL/TLS the default + http: handle both "h2" and "h2h3" in curl info lines + http: factor out matching of curl http/2 trace lines + http: update curl http/2 info matching for curl 8.3.0 + http: reset POSTFIELDSIZE when clearing curl handle + INSTALL: bump libcurl version to 7.21.3 + remote-curl: add Transfer-Encoding header only for older curl + test-lib: ignore uninteresting LSan output + upload-pack: disable lazy-fetching by default + docs: document security issues around untrusted .git 
dirs + +Johannes Schindelin (19): + ci: upgrade to using macos-13 + ci(linux-asan/linux-ubsan): let's save some time + ci: bump remaining outdated Actions versions + ci(linux32): add a note about Actions that must not be updated + fetch/clone: detect dubious ownership of local repositories + submodules: submodule paths must not contain symlinks + clone_submodule: avoid using `access()` on directories + submodule: require the submodule path to contain directories only + t5510: verify that D/F confusion cannot lead to an RCE + entry: report more colliding paths + clone: when symbolic links collide with directories, keep the latter + find_hook(): refactor the `STRIP_EXTENSION` logic + init: refactor the template directory discovery into its own function + Add a helper function to compare file contents + clone: prevent hooks from running during a clone + init.templateDir: consider this config setting protected + core.hooksPath: add some protection while cloning + fsck: warn about symlink pointing inside a gitdir + Git 2.39.4 + +Junio C Hamano (2): + GitHub Actions: update to checkout@v4 + GitHub Actions: update to github-script@v7 + +Patrick Steinhardt (4): + builtin/clone: stop resolving symlinks when copying files + builtin/clone: abort when hardlinked source and target file differ + setup.c: introduce `die_upon_dubious_ownership()` + builtin/clone: refuse local clones of unsafe repositories + + Version v2.39.3; changes since v2.39.2: --------------------------------------- diff --git a/debian/copyright b/debian/copyright index 02ae6fa..13fb9b9 100644 --- a/debian/copyright +++ b/debian/copyright @@ -3,7 +3,7 @@ Upstream-Contact: git@vger.kernel.org Source: https://www.kernel.org/pub/software/scm/git/ Files: * -Copyright: © 2005-2023, Linus Torvalds and others. +Copyright: © 2005-2024, Linus Torvalds and others. License: GPL-2 Files: reftable/* t/t0032-reftable-unittest.sh 
@@ -218,11 +218,6 @@ Copyright: © 2011, John Szakmeister <john@szakmeister.net> © 2012, Philipp A. Hartmann <pah@qo.cx> License: GPL-2+ -Files: contrib/hg-to-git/hg-to-git.py -Copyright: © 2007, Stelian Pop <stelian@popies.net> -Name: hg-to-git.py - A Mercurial to GIT converter -License: GPL-2+ - Files: contrib/mw-to-git/git-*.perl contrib/mw-to-git/t/t* Copyright: © 2011 Jérémie Nikaes <jeremie.nikaes@ensimag.imag.fr> diff --git a/debian/patches/0001-hook-plug-a-new-memory-leak.diff b/debian/patches/0001-hook-plug-a-new-memory-leak.diff new file mode 100644 index 0000000..ab74831 --- /dev/null +++ b/debian/patches/0001-hook-plug-a-new-memory-leak.diff @@ -0,0 +1,34 @@ +From 94f95a123b10f3837e181ad93b81f1a4f53bb8fc Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin <johannes.schindelin@gmx.de> +Date: Sat, 18 May 2024 10:32:39 +0000 +Subject: hook: plug a new memory leak + +commit 2811ce3a79dc8a0105a6defb59718b35f5b397aa upstream. + +In 8db1e8743c0 (clone: prevent hooks from running during a clone, +2024-03-28), I introduced an inadvertent memory leak that was +unfortunately not caught before v2.45.1 was released. Here is a fix. + +Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> +Signed-off-by: Junio C Hamano <gitster@pobox.com> +Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> +--- + hook.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/hook.c b/hook.c +index eebc4d44734..8de469b134a 100644 +--- a/hook.c ++++ b/hook.c +@@ -26,8 +26,10 @@ static int identical_to_template_hook(const char *name, const char *path) + found_template_hook = access(template_path.buf, X_OK) >= 0; + } + #endif +- if (!found_template_hook) ++ if (!found_template_hook) { ++ strbuf_release(&template_path); + return 0; ++ } + + ret = do_files_match(template_path.buf, path); + 
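Review bot: The leak fix in hook.c is correct, but identical_to_template_hook() now has two separate strbuf_release(&template_path) sites (the new early return and the existing one after do_files_match()); a single exit such as `ret = 0; goto out;` with one release at the end would make it harder to reintroduce this class of leak the next time an early return is added to the function.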
diff --git a/debian/patches/0002-Revert-core.hooksPath-add-some-protection-while-cloni.diff b/debian/patches/0002-Revert-core.hooksPath-add-some-protection-while-cloni.diff new file mode 100644 index 0000000..8e1c975 --- /dev/null +++ b/debian/patches/0002-Revert-core.hooksPath-add-some-protection-while-cloni.diff 
@@ -0,0 +1,82 @@ +From 7db946419c29e185f1cc6e544cfb47b442019ac7 Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin <johannes.schindelin@gmx.de> +Date: Sat, 18 May 2024 10:32:41 +0000 +Subject: Revert "core.hooksPath: add some protection while cloning" + +commit f13e8e2ea56ceef593311b3cff1ba7ba1a493682 upstream. + +This defense-in-depth was intended to protect the clone operation +against future escalations where bugs in `git clone` would allow +attackers to write arbitrary files in the `.git/` directory would allow +for Remote Code Execution attacks via maliciously-placed hooks. + +However, it turns out that the `core.hooksPath` protection has +unintentional side effects so severe that they do not justify the +benefit of the protections. For example, it has been reported in +https://lore.kernel.org/git/FAFA34CB-9732-4A0A-87FB-BDB272E6AEE8@alchemists.io/ +that the following invocation, which is intended to make `git clone` +safer, is itself broken by that protective measure: + + git clone --config core.hooksPath=/dev/null <url> + +Since it turns out that the benefit does not justify the cost, let's revert +20f3588efc6 (core.hooksPath: add some protection while cloning, +2024-03-30). 
+ +Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> +Signed-off-by: Junio C Hamano <gitster@pobox.com> +Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> +--- + config.c | 13 +------------ + t/t1800-hook.sh | 15 --------------- + 2 files changed, 1 insertion(+), 27 deletions(-) + +diff --git a/config.c b/config.c +index 77a0fd2d80e..ae3652b08fa 100644 +--- a/config.c ++++ b/config.c +@@ -1416,19 +1416,8 @@ static int git_default_core_config(const char *var, const char *value, + if (!strcmp(var, "core.attributesfile")) + return git_config_pathname(&git_attributes_file, var, value); + +- if (!strcmp(var, "core.hookspath")) { +- if (ctx->kvi && ctx->kvi->scope == CONFIG_SCOPE_LOCAL && +- git_env_bool("GIT_CLONE_PROTECTION_ACTIVE", 0)) +- die(_("active `core.hooksPath` found in the local " +- "repository config:\n\t%s\nFor security " +- "reasons, this is disallowed by default.\nIf " +- "this is intentional and the hook should " +- "actually be run, please\nrun the command " +- "again with " +- "`GIT_CLONE_PROTECTION_ACTIVE=false`"), +- value); ++ if (!strcmp(var, "core.hookspath")) + return git_config_pathname(&git_hooks_path, var, value); +- } + + if (!strcmp(var, "core.bare")) { + is_bare_repository_cfg = git_config_bool(var, value); +diff --git a/t/t1800-hook.sh b/t/t1800-hook.sh +index 1894ebeb0e8..8b0234cf2d5 100755 +--- a/t/t1800-hook.sh ++++ b/t/t1800-hook.sh +@@ -185,19 +185,4 @@ test_expect_success 'stdin to hooks' ' + test_cmp expect actual + ' + +-test_expect_success 'clone protections' ' +- test_config core.hooksPath "$(pwd)/my-hooks" && +- mkdir -p my-hooks && +- write_script my-hooks/test-hook <<-\EOF && +- echo Hook ran $1 +- EOF +- +- git hook run test-hook 2>err && +- test_grep "Hook ran" err && +- test_must_fail env GIT_CLONE_PROTECTION_ACTIVE=true \ +- git hook run test-hook 2>err && +- test_grep "active .core.hooksPath" err && +- test_grep ! "Hook ran" err +-' +- + test_done 
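Review bot: The commit message should state explicitly what the config.c hunk gives up: with the core.hookspath branch reduced to a plain git_config_pathname(), a repository-local core.hooksPath is honored again during clone, and because find_hook() only applies the clone protection when `!git_hooks_path` (see the hook.c hunk in patch 0004 below), a local core.hooksPath pointing into the worktree would bypass the remaining hook check entirely if a future bug ever lets the remote write .git/config, which is exactly the escalation the original change was meant to blunt. A narrower alternative that keeps the reported `--config core.hooksPath=/dev/null` use case working would be to accept a local value of `/dev/null` (and `nul` on Windows, as t1350 in patch 0003 does) while still rejecting other local values under GIT_CLONE_PROTECTION_ACTIVE; if the decision is to drop the protection wholesale, that trade-off belongs in this message.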
diff --git a/debian/patches/0003-tests-verify-that-clone-c-core.hooksPath-dev-null-wor.diff b/debian/patches/0003-tests-verify-that-clone-c-core.hooksPath-dev-null-wor.diff new file mode 100644 index 0000000..9a494d9 --- /dev/null +++ b/debian/patches/0003-tests-verify-that-clone-c-core.hooksPath-dev-null-wor.diff 
@@ -0,0 +1,48 @@ +From ce34e1b7a072db221190446e79cb373c7f6010a5 Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin <johannes.schindelin@gmx.de> +Date: Sat, 18 May 2024 10:32:42 +0000 +Subject: tests: verify that `clone -c core.hooksPath=/dev/null` works again + +commit a25a15726f4d1bf1c8362f1b3146096d6a87f965 upstream. + +As part of the protections added in Git v2.45.1 and friends, +repository-local `core.hooksPath` settings are no longer allowed, as a +defense-in-depth mechanism to prevent future Git vulnerabilities to +raise to critical level if those vulnerabilities inadvertently allow the +repository-local config to be written. + +What the added protection did not anticipate is that such a +repository-local `core.hooksPath` can not only be used to point to +maliciously-placed scripts in the current worktree, but also to +_prevent_ hooks from being called altogether. + +We just reverted the `core.hooksPath` protections, based on the Git +maintainer's recommendation in +https://lore.kernel.org/git/xmqq4jaxvm8z.fsf@gitster.g/ to address this +concern as well as related ones. Let's make sure that we won't regress +while trying to protect the clone operation further. + +Reported-by: Brooke Kuhlmann <brooke@alchemists.io> +Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> +Signed-off-by: Junio C Hamano <gitster@pobox.com> +Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> +--- + t/t1350-config-hooks-path.sh | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/t/t1350-config-hooks-path.sh b/t/t1350-config-hooks-path.sh +index f6dc83e2aab..45a04929170 100755 +--- a/t/t1350-config-hooks-path.sh ++++ b/t/t1350-config-hooks-path.sh +@@ -41,4 +41,11 @@ test_expect_success 'git rev-parse --git-path hooks' ' + test .git/custom-hooks/abc = "$(cat actual)" + ' + ++test_expect_success 'core.hooksPath=/dev/null' ' ++ git clone -c core.hooksPath=/dev/null . 
no-templates && ++ value="$(git -C no-templates config --local core.hooksPath)" && ++ # The Bash used by Git for Windows rewrites `/dev/null` to `nul` ++ { test /dev/null = "$value" || test nul = "$value"; } ++' ++ + test_done diff --git a/debian/patches/0004-hook-clone-protections-add-escape-hatch.diff b/debian/patches/0004-hook-clone-protections-add-escape-hatch.diff new file mode 100644 index 0000000..b2aa135 --- /dev/null +++ b/debian/patches/0004-hook-clone-protections-add-escape-hatch.diff 
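Review bot: For the t1350 hunk in patch 0003, the test only asserts that the clone succeeds and that core.hooksPath is stored as /dev/null (or nul); it does not check the property the setting exists to provide, namely that no hook runs in the resulting clone. Consider giving the source a --template directory whose post-checkout hook writes a marker file and asserting that the marker is absent after `git clone -c core.hooksPath=/dev/null`. The target name `no-templates` is also misleading, since no --template option is involved; something like `hooks-disabled` would read better.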
@@ -0,0 +1,182 @@ +From 1f34eea689413fa10a664f4c154b097be7796b0a Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin <johannes.schindelin@gmx.de> +Date: Sat, 18 May 2024 10:32:43 +0000 +Subject: hook(clone protections): add escape hatch + +commit 85811d32aca9f0ba324a04bd8709c315d472efbe upstream. + +As defense-in-depth measures, v2.39.4 and friends leading up to v2.45.1 +introduced code that detects when hooks have been installed during a +`git clone`, which is indicative of a common attack vector with critical +severity that allows Remote Code Execution. + +There are legitimate use cases for such behavior, though, for example +when those hooks stem from Git's own templates, which system +administrators are at liberty to modify to enforce, say, commit message +conventions. The git clone protections specifically add exceptions to +allow for that. + +Another legitimate use case that has been identified too late to be +handled in these security bug-fix versions is Git LFS: It behaves +somewhat similar to common attack vectors by writing a few hooks while +running the `smudge` filter during a regular clone, which means that Git +has no chance to know that the hooks are benign and e.g. the +`post-checkout` hook can be safely executed as part of the clone +operation. + +To help Git LFS, and other tools behaving similarly (if there are any), +let's add a new, multi-valued `safe.hook.sha256` config setting. Like +the already-existing `safe.*` settings, it is ignored in +repository-local configs, and it is interpreted as a list of SHA-256 +checksums of hooks' contents that are safe to execute during a clone +operation. Future Git LFS versions will need to write those entries at +the same time they install the `smudge`/`clean` filters. 
+ +Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> +Signed-off-by: Junio C Hamano <gitster@pobox.com> +Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> +--- + Documentation/config/safe.txt | 6 +++ + hook.c | 69 ++++++++++++++++++++++++++++++++--- + t/t1800-hook.sh | 15 ++++++++ + 3 files changed, 85 insertions(+), 5 deletions(-) + +diff --git a/Documentation/config/safe.txt b/Documentation/config/safe.txt +index 577df40223a..e2eb4992bef 100644 +--- a/Documentation/config/safe.txt ++++ b/Documentation/config/safe.txt +@@ -59,3 +59,9 @@ which id the original user has. + If that is not what you would prefer and want git to only trust + repositories that are owned by root instead, then you can remove + the `SUDO_UID` variable from root's environment before invoking git. ++ ++safe.hook.sha256:: ++ The value is the SHA-256 of hooks that are considered to be safe ++ to run during a clone operation. +++ ++Multiple values can be added via `git config --global --add`. +diff --git a/hook.c b/hook.c +index 8de469b134a..9eca6c0103a 100644 +--- a/hook.c ++++ b/hook.c +@@ -10,6 +10,9 @@ + #include "environment.h" + #include "setup.h" + #include "copy.h" ++#include "strmap.h" ++#include "hash-ll.h" ++#include "hex.h" + + static int identical_to_template_hook(const char *name, const char *path) + { +@@ -37,11 +40,66 @@ static int identical_to_template_hook(const char *name, const char *path) + return ret; + } + ++static struct strset safe_hook_sha256s = STRSET_INIT; ++static int safe_hook_sha256s_initialized; ++ ++static int get_sha256_of_file_contents(const char *path, char *sha256) ++{ ++ struct strbuf sb = STRBUF_INIT; ++ int fd; ++ ssize_t res; ++ ++ git_hash_ctx ctx; ++ const struct git_hash_algo *algo = &hash_algos[GIT_HASH_SHA256]; ++ unsigned char hash[GIT_MAX_RAWSZ]; ++ ++ if ((fd = open(path, O_RDONLY)) < 0) ++ return -1; ++ res = strbuf_read(&sb, fd, 400); ++ close(fd); ++ if (res < 0) ++ return -1; ++ ++ algo->init_fn(&ctx); ++ algo->update_fn(&ctx, 
sb.buf, sb.len); ++ strbuf_release(&sb); ++ algo->final_fn(hash, &ctx); ++ ++ hash_to_hex_algop_r(sha256, hash, algo); ++ ++ return 0; ++} ++ ++static int safe_hook_cb(const char *key, const char *value, ++ const struct config_context *ctx UNUSED, void *d) ++{ ++ struct strset *set = d; ++ ++ if (value && !strcmp(key, "safe.hook.sha256")) ++ strset_add(set, value); ++ ++ return 0; ++} ++ ++static int is_hook_safe_during_clone(const char *name, const char *path, char *sha256) ++{ ++ if (get_sha256_of_file_contents(path, sha256) < 0) ++ return 0; ++ ++ if (!safe_hook_sha256s_initialized) { ++ safe_hook_sha256s_initialized = 1; ++ git_protected_config(safe_hook_cb, &safe_hook_sha256s); ++ } ++ ++ return strset_contains(&safe_hook_sha256s, sha256); ++} ++ + const char *find_hook(const char *name) + { + static struct strbuf path = STRBUF_INIT; + + int found_hook; ++ char sha256[GIT_SHA256_HEXSZ + 1] = { '\0' }; + + strbuf_reset(&path); + strbuf_git_path(&path, "hooks/%s", name); +@@ -73,13 +131,14 @@ const char *find_hook(const char *name) + return NULL; + } + if (!git_hooks_path && git_env_bool("GIT_CLONE_PROTECTION_ACTIVE", 0) && +- !identical_to_template_hook(name, path.buf)) ++ !identical_to_template_hook(name, path.buf) && ++ !is_hook_safe_during_clone(name, path.buf, sha256)) + die(_("active `%s` hook found during `git clone`:\n\t%s\n" + "For security reasons, this is disallowed by default.\n" +- "If this is intentional and the hook should actually " +- "be run, please\nrun the command again with " +- "`GIT_CLONE_PROTECTION_ACTIVE=false`"), +- name, path.buf); ++ "If this is intentional and the hook is safe to run, " ++ "please run the following command and try again:\n\n" ++ " git config --global --add safe.hook.sha256 %s"), ++ name, path.buf, sha256); + return path.buf; + } + +diff --git a/t/t1800-hook.sh b/t/t1800-hook.sh +index 8b0234cf2d5..cbdf60c451a 100755 +--- a/t/t1800-hook.sh ++++ b/t/t1800-hook.sh +@@ -185,4 +185,19 @@ test_expect_success 'stdin to 
hooks' ' + test_cmp expect actual + ' + ++test_expect_success '`safe.hook.sha256` and clone protections' ' ++ git init safe-hook && ++ write_script safe-hook/.git/hooks/pre-push <<-\EOF && ++ echo "called hook" >safe-hook.log ++ EOF ++ ++ test_must_fail env GIT_CLONE_PROTECTION_ACTIVE=true \ ++ git -C safe-hook hook run pre-push 2>err && ++ cmd="$(grep "git config --global --add safe.hook.sha256 [0-9a-f]" err)" && ++ eval "$cmd" && ++ GIT_CLONE_PROTECTION_ACTIVE=true \ ++ git -C safe-hook hook run pre-push && ++ test "called hook" = "$(cat safe-hook/safe-hook.log)" ++' ++ + test_done diff --git a/debian/patches/0005-hooks-clone-protections-special-case-current-Git-LFS-.diff b/debian/patches/0005-hooks-clone-protections-special-case-current-Git-LFS-.diff new file mode 100644 index 0000000..bad67cd --- /dev/null +++ b/debian/patches/0005-hooks-clone-protections-special-case-current-Git-LFS-.diff 
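Review bot: The Documentation/config/safe.txt hunk leaves out two things a user needs: how to obtain the value (the hex SHA-256 of the hook file's contents, which is what the die() message in hook.c prints and what `sha256sum .git/hooks/pre-push` would report) and that, like the other safe.* settings, it is only honored from protected configuration (system, global, command line) and ignored in the repository-local config, which the commit message states but the doc text does not. Without the second point a reader may add it with `git config --local` and wonder why it has no effect.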
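Review bot: In the hook.c hunk, `name` is accepted by is_hook_safe_during_clone() but never used; either drop it or mark it `UNUSED`, as safe_hook_cb() in the same hunk already does for its ctx argument. Two smaller points: get_sha256_of_file_contents() leaves `sha256` untouched on failure, so for a hook that exists but cannot be opened find_hook() will die with an empty hash in the suggested `git config --global --add safe.hook.sha256` command, which is confusing rather than helpful; and the digest is recomputed on every find_hook() call while the protection is active, which is fine for clone but deserves a comment since the same path is reached through `git hook run`, as the t1800 test relies on.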
@@ -0,0 +1,82 @@ +From 09595d6984b41cbb6f653643f826fe009c56b493 Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin <johannes.schindelin@gmx.de> +Date: Sat, 18 May 2024 10:32:44 +0000 +Subject: hooks(clone protections): special-case current Git LFS hooks + +commit c65d0f9ee6894cdf7feeb51639870bfaf826c905 upstream. + +A notable regression in v2.45.1 and friends (all the way down to +v2.39.4) has been that Git LFS-enabled clones error out with a message +indicating that the `post-checkout` hook has been tampered with while +cloning, and as a safety measure it is not executed. + +A generic fix for benign third-party applications wishing to write hooks +during clone operations has been implemented in the parent of this +commit: said applications are expected to add `safe.hook.sha256` values +to a protected config. + +However, the current version of Git LFS, v3.5.1, cannot be adapted +retroactively; Therefore, let's just hard-code the SHA-256 values for +this version. That way, Git LFS usage will no longer be broken, and the +next Git LFS version can be taught to add those `safe.hook.sha256` +entries. 
+ +Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> +Signed-off-by: Junio C Hamano <gitster@pobox.com> +Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> +--- + hook.c | 11 +++++++++++ + t/t1800-hook.sh | 20 ++++++++++++++++++++ + 2 files changed, 31 insertions(+) + +diff --git a/hook.c b/hook.c +index 9eca6c0103a..fc0548edb66 100644 +--- a/hook.c ++++ b/hook.c +@@ -88,6 +88,17 @@ static int is_hook_safe_during_clone(const char *name, const char *path, char *s + + if (!safe_hook_sha256s_initialized) { + safe_hook_sha256s_initialized = 1; ++ ++ /* Hard-code known-safe values for Git LFS v3.4.0..v3.5.1 */ ++ /* pre-push */ ++ strset_add(&safe_hook_sha256s, "df5417b2daa3aa144c19681d1e997df7ebfe144fb7e3e05138bd80ae998008e4"); ++ /* post-checkout */ ++ strset_add(&safe_hook_sha256s, "791471b4ff472aab844a4fceaa48bbb0a12193616f971e8e940625498b4938a6"); ++ /* post-commit */ ++ strset_add(&safe_hook_sha256s, "21e961572bb3f43a5f2fbafc1cc764d86046cc2e5f0bbecebfe9684a0b73b664"); ++ /* post-merge */ ++ strset_add(&safe_hook_sha256s, "75da0da66a803b4b030ad50801ba57062c6196105eb1d2251590d100edb9390b"); ++ + git_protected_config(safe_hook_cb, &safe_hook_sha256s); + } + +diff --git a/t/t1800-hook.sh b/t/t1800-hook.sh +index cbdf60c451a..c51be5f7a06 100755 +--- a/t/t1800-hook.sh ++++ b/t/t1800-hook.sh +@@ -200,4 +200,24 @@ test_expect_success '`safe.hook.sha256` and clone protections' ' + test "called hook" = "$(cat safe-hook/safe-hook.log)" + ' + ++write_lfs_pre_push_hook () { ++ write_script "$1" <<-\EOF ++ command -v git-lfs >/dev/null 2>&1 || { echo >&2 "\nThis repository is configured for Git LFS but 'git-lfs' was not found on your path. 
If you no longer wish to use Git LFS, remove this hook by deleting the 'pre-push' file in the hooks directory (set by 'core.hookspath'; usually '.git/hooks').\n"; exit 2; } ++ git lfs pre-push "$@" ++ EOF ++} ++ ++test_expect_success 'Git LFS special-handling in clone protections' ' ++ git init lfs-hooks && ++ write_lfs_pre_push_hook lfs-hooks/.git/hooks/pre-push && ++ write_script git-lfs <<-\EOF && ++ echo "called $*" >fake-git-lfs.log ++ EOF ++ ++ PATH="$PWD:$PATH" GIT_CLONE_PROTECTION_ACTIVE=true \ ++ git -C lfs-hooks hook run pre-push && ++ test_write_lines "called pre-push" >expect && ++ test_cmp lfs-hooks/fake-git-lfs.log expect ++' ++ + test_done diff --git a/debian/patches/0006-hooks-clone-protections-simplify-templates-hooks-vali.diff b/debian/patches/0006-hooks-clone-protections-simplify-templates-hooks-vali.diff new file mode 100644 index 0000000..a0642e3 --- /dev/null +++ b/debian/patches/0006-hooks-clone-protections-simplify-templates-hooks-vali.diff 
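Review bot: The comment in the hook.c hunk says the hard-coded hashes cover Git LFS v3.4.0..v3.5.1 while the commit message only speaks of v3.5.1; the two should agree, and the commit message should say how the four checksums were produced (which git-lfs release, installed how) so that anyone auditing the allowlist can reproduce them. Since the hook text embeds the human-readable "was not found on your path" message, any future wording change in Git LFS will change the digest and reintroduce the clone failure until the next Git release, which argues for keeping this block small and clearly marked as temporary.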
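Review bot: The t1800 hunk exercises only pre-push, although the commit message names post-checkout as the hook that broke LFS clones and post-checkout is the one a plain `git clone` actually runs; a second case with the LFS post-checkout hook text would cover the reported regression directly. Also, write_lfs_pre_push_hook() has to reproduce the LFS hook byte for byte for its digest to match the hard-coded value, so a comment naming the expected digest (df5417b2...) next to the script would make a future mismatch easy to diagnose.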
@@ -0,0 +1,198 @@ +From 8813bb5f4109991b88c98584a4abbb2d06cfbc28 Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin <johannes.schindelin@gmx.de> +Date: Sat, 18 May 2024 10:32:45 +0000 +Subject: hooks(clone protections): simplify templates hooks validation + +commit eff37e9b1dec25a3e1297eb89a36d8e68fe01b40 upstream. + +When an active hook is encountered during a clone operation, to protect +against Remote Code Execution attack vectors, Git checks whether the +hook was copied over from the templates directory. + +When that logic was introduced, there was no other way to check this +than to add a function to compare files. + +In the meantime, we've added code to compute the SHA-256 checksum of a +given hook and compare that checksum against a list of known-safe ones. + +Let's simplify the logic by adding to said list when copying the +templates' hooks. + +We need to be careful to support multi-process operations such as +recursive submodule clones: In such a scenario, the list of SHA-256 +checksums that is kept in memory is not enough, we also have to pass the +information down to child processes via `GIT_CONFIG_PARAMETERS`. + +Extend the regression test in t5601 to ensure that recursive clones are +handled as expected. + +Note: Technically there is no way that the checksums computed while +initializing the submodules' gitdirs can be passed to the process that +performs the checkout: For historical reasons, these operations are +performed in processes spawned in separate loops from the +super-project's `git clone` process. But since the templates from which +the submodules are initialized are the very same as the ones from which +the super-project is initialized, we can get away with using the list of +SHA-256 checksums that is computed when initializing the super-project +and passing that down to the `submodule--helper` processes that perform +the recursive checkout. 
+ +Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> +Signed-off-by: Junio C Hamano <gitster@pobox.com> +Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> +--- + hook.c | 43 ++++++++++++++++--------------------------- + hook.h | 10 ++++++++++ + setup.c | 7 +++++++ + t/t5601-clone.sh | 19 +++++++++++++++++++ + 4 files changed, 52 insertions(+), 27 deletions(-) + +diff --git a/hook.c b/hook.c +index fc0548edb66..8ac51c9912b 100644 +--- a/hook.c ++++ b/hook.c +@@ -14,32 +14,6 @@ + #include "hash-ll.h" + #include "hex.h" + +-static int identical_to_template_hook(const char *name, const char *path) +-{ +- const char *env = getenv("GIT_CLONE_TEMPLATE_DIR"); +- const char *template_dir = get_template_dir(env && *env ? env : NULL); +- struct strbuf template_path = STRBUF_INIT; +- int found_template_hook, ret; +- +- strbuf_addf(&template_path, "%s/hooks/%s", template_dir, name); +- found_template_hook = access(template_path.buf, X_OK) >= 0; +-#ifdef STRIP_EXTENSION +- if (!found_template_hook) { +- strbuf_addstr(&template_path, STRIP_EXTENSION); +- found_template_hook = access(template_path.buf, X_OK) >= 0; +- } +-#endif +- if (!found_template_hook) { +- strbuf_release(&template_path); +- return 0; +- } +- +- ret = do_files_match(template_path.buf, path); +- +- strbuf_release(&template_path); +- return ret; +-} +- + static struct strset safe_hook_sha256s = STRSET_INIT; + static int safe_hook_sha256s_initialized; + +@@ -70,6 +44,22 @@ static int get_sha256_of_file_contents(const char *path, char *sha256) + return 0; + } + ++void add_safe_hook(const char *path) ++{ ++ char sha256[GIT_SHA256_HEXSZ + 1] = { '\0' }; ++ ++ if (!get_sha256_of_file_contents(path, sha256)) { ++ char *p; ++ ++ strset_add(&safe_hook_sha256s, sha256); ++ ++ /* support multi-process operations e.g. 
recursive clones */ ++ p = xstrfmt("safe.hook.sha256=%s", sha256); ++ git_config_push_parameter(p); ++ free(p); ++ } ++} ++ + static int safe_hook_cb(const char *key, const char *value, + const struct config_context *ctx UNUSED, void *d) + { +@@ -142,7 +132,6 @@ const char *find_hook(const char *name) + return NULL; + } + if (!git_hooks_path && git_env_bool("GIT_CLONE_PROTECTION_ACTIVE", 0) && +- !identical_to_template_hook(name, path.buf) && + !is_hook_safe_during_clone(name, path.buf, sha256)) + die(_("active `%s` hook found during `git clone`:\n\t%s\n" + "For security reasons, this is disallowed by default.\n" +diff --git a/hook.h b/hook.h +index 19ab9a5806e..b4770d9bd88 100644 +--- a/hook.h ++++ b/hook.h +@@ -87,4 +87,14 @@ int run_hooks(const char *hook_name); + * hook. This function behaves like the old run_hook_le() API. + */ + int run_hooks_l(const char *hook_name, ...); ++ ++/** ++ * Mark the contents of the provided path as safe to run during a clone ++ * operation. ++ * ++ * This function is mainly used when copying templates to mark the ++ * just-copied hooks as benign. 
++ */ ++void add_safe_hook(const char *path); ++ + #endif +diff --git a/setup.c b/setup.c +index 30f243fc32d..25828a85ec3 100644 +--- a/setup.c ++++ b/setup.c +@@ -17,6 +17,8 @@ + #include "trace2.h" + #include "worktree.h" + #include "exec-cmd.h" ++#include "run-command.h" ++#include "hook.h" + + static int inside_git_dir = -1; + static int inside_work_tree = -1; +@@ -1868,6 +1870,7 @@ static void copy_templates_1(struct strbuf *path, struct strbuf *template_path, + size_t path_baselen = path->len; + size_t template_baselen = template_path->len; + struct dirent *de; ++ int is_hooks_dir = ends_with(template_path->buf, "/hooks/"); + + /* Note: if ".git/hooks" file exists in the repository being + * re-initialized, /etc/core-git/templates/hooks/update would +@@ -1920,6 +1923,10 @@ static void copy_templates_1(struct strbuf *path, struct strbuf *template_path, + strbuf_release(&lnk); + } + else if (S_ISREG(st_template.st_mode)) { ++ if (is_hooks_dir && ++ is_executable(template_path->buf)) ++ add_safe_hook(template_path->buf); ++ + if (copy_file(path->buf, template_path->buf, st_template.st_mode)) + die_errno(_("cannot copy '%s' to '%s'"), + template_path->buf, path->buf); +diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh +index deb1c282c71..ca3a8d1ebed 100755 +--- a/t/t5601-clone.sh ++++ b/t/t5601-clone.sh +@@ -836,6 +836,25 @@ test_expect_success 'clone with init.templatedir runs hooks' ' + git config --unset init.templateDir && + test_grep ! 
"active .* hook found" err && + test_path_is_missing hook-run-local-config/hook.run ++ ) && ++ ++ test_config_global protocol.file.allow always && ++ git -C tmpl/hooks submodule add "$(pwd)/tmpl/hooks" sub && ++ test_tick && ++ git -C tmpl/hooks add .gitmodules sub && ++ git -C tmpl/hooks commit -m submodule && ++ ++ ( ++ sane_unset GIT_TEMPLATE_DIR && ++ NO_SET_GIT_TEMPLATE_DIR=t && ++ export NO_SET_GIT_TEMPLATE_DIR && ++ ++ git -c init.templateDir="$(pwd)/tmpl" \ ++ clone --recurse-submodules \ ++ tmpl/hooks hook-run-submodule 2>err && ++ test_grep ! "active .* hook found" err && ++ test_path_is_file hook-run-submodule/hook.run && ++ test_path_is_file hook-run-submodule/sub/hook.run + ) + ' + diff --git a/debian/patches/0007-Revert-Add-a-helper-function-to-compare-file-contents.diff b/debian/patches/0007-Revert-Add-a-helper-function-to-compare-file-contents.diff new file mode 100644 index 0000000..6cf2874 --- /dev/null +++ b/debian/patches/0007-Revert-Add-a-helper-function-to-compare-file-contents.diff 
@@ -0,0 +1,185 @@ +From 13b17dea6c851b21ceb9ce163cdd7338f1ec4ecf Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin <johannes.schindelin@gmx.de> +Date: Sat, 18 May 2024 10:32:46 +0000 +Subject: Revert "Add a helper function to compare file contents" + +commit 851218a8af645b0abd64882d2b88bc984aa762e9 upstream. + +Now that during a `git clone`, the hooks' contents are no longer +compared to the templates' files', the caller for which the +`do_files_match()` function was introduced is gone, and therefore this +function can be retired, too. + +This reverts commit 584de0b4c23 (Add a helper function to compare file +contents, 2024-03-30). + +Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> +Signed-off-by: Junio C Hamano <gitster@pobox.com> +Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> +--- + copy.c | 58 -------------------------------------- + copy.h | 14 --------- + t/helper/test-path-utils.c | 10 ------- + t/t0060-path-utils.sh | 41 --------------------------- + 4 files changed, 123 deletions(-) + +diff --git a/copy.c b/copy.c +index 3df156f6cea..d9d20920126 100644 +--- a/copy.c ++++ b/copy.c +@@ -70,61 +70,3 @@ int copy_file_with_time(const char *dst, const char *src, int mode) + return copy_times(dst, src); + return status; + } +- +-static int do_symlinks_match(const char *path1, const char *path2) +-{ +- struct strbuf buf1 = STRBUF_INIT, buf2 = STRBUF_INIT; +- int ret = 0; +- +- if (!strbuf_readlink(&buf1, path1, 0) && +- !strbuf_readlink(&buf2, path2, 0)) +- ret = !strcmp(buf1.buf, buf2.buf); +- +- strbuf_release(&buf1); +- strbuf_release(&buf2); +- return ret; +-} +- +-int do_files_match(const char *path1, const char *path2) +-{ +- struct stat st1, st2; +- int fd1 = -1, fd2 = -1, ret = 1; +- char buf1[8192], buf2[8192]; +- +- if ((fd1 = open_nofollow(path1, O_RDONLY)) < 0 || +- fstat(fd1, &st1) || !S_ISREG(st1.st_mode)) { +- if (fd1 < 0 && errno == ELOOP) +- /* maybe this is a symbolic link? 
*/ +- return do_symlinks_match(path1, path2); +- ret = 0; +- } else if ((fd2 = open_nofollow(path2, O_RDONLY)) < 0 || +- fstat(fd2, &st2) || !S_ISREG(st2.st_mode)) { +- ret = 0; +- } +- +- if (ret) +- /* to match, neither must be executable, or both */ +- ret = !(st1.st_mode & 0111) == !(st2.st_mode & 0111); +- +- if (ret) +- ret = st1.st_size == st2.st_size; +- +- while (ret) { +- ssize_t len1 = read_in_full(fd1, buf1, sizeof(buf1)); +- ssize_t len2 = read_in_full(fd2, buf2, sizeof(buf2)); +- +- if (len1 < 0 || len2 < 0 || len1 != len2) +- ret = 0; /* read error or different file size */ +- else if (!len1) /* len2 is also 0; hit EOF on both */ +- break; /* ret is still true */ +- else +- ret = !memcmp(buf1, buf2, len1); +- } +- +- if (fd1 >= 0) +- close(fd1); +- if (fd2 >= 0) +- close(fd2); +- +- return ret; +-} +diff --git a/copy.h b/copy.h +index 057259a3a7a..2af77cba864 100644 +--- a/copy.h ++++ b/copy.h +@@ -7,18 +7,4 @@ int copy_fd(int ifd, int ofd); + int copy_file(const char *dst, const char *src, int mode); + int copy_file_with_time(const char *dst, const char *src, int mode); + +-/* +- * Compare the file mode and contents of two given files. +- * +- * If both files are actually symbolic links, the function returns 1 if the link +- * targets are identical or 0 if they are not. +- * +- * If any of the two files cannot be accessed or in case of read failures, this +- * function returns 0. +- * +- * If the file modes and contents are identical, the function returns 1, +- * otherwise it returns 0. 
+- */ +-int do_files_match(const char *path1, const char *path2); +- + #endif /* COPY_H */ +diff --git a/t/helper/test-path-utils.c b/t/helper/test-path-utils.c +index 023ed2e1a78..bf0e23ed505 100644 +--- a/t/helper/test-path-utils.c ++++ b/t/helper/test-path-utils.c +@@ -501,16 +501,6 @@ int cmd__path_utils(int argc, const char **argv) + return !!res; + } + +- if (argc == 4 && !strcmp(argv[1], "do_files_match")) { +- int ret = do_files_match(argv[2], argv[3]); +- +- if (ret) +- printf("equal\n"); +- else +- printf("different\n"); +- return !ret; +- } +- + fprintf(stderr, "%s: unknown function name: %s\n", argv[0], + argv[1] ? argv[1] : "(there was none)"); + return 1; +diff --git a/t/t0060-path-utils.sh b/t/t0060-path-utils.sh +index 85686ee15da..0afa3d0d312 100755 +--- a/t/t0060-path-utils.sh ++++ b/t/t0060-path-utils.sh +@@ -610,45 +610,4 @@ test_expect_success !VALGRIND,RUNTIME_PREFIX,CAN_EXEC_IN_PWD '%(prefix)/ works' + test_cmp expect actual + ' + +-test_expect_success 'do_files_match()' ' +- test_seq 0 10 >0-10.txt && +- test_seq -1 10 >-1-10.txt && +- test_seq 1 10 >1-10.txt && +- test_seq 1 9 >1-9.txt && +- test_seq 0 8 >0-8.txt && +- +- test-tool path-utils do_files_match 0-10.txt 0-10.txt >out && +- +- assert_fails() { +- test_must_fail \ +- test-tool path-utils do_files_match "$1" "$2" >out && +- grep different out +- } && +- +- assert_fails 0-8.txt 1-9.txt && +- assert_fails -1-10.txt 0-10.txt && +- assert_fails 1-10.txt 1-9.txt && +- assert_fails 1-10.txt .git && +- assert_fails does-not-exist 1-10.txt && +- +- if test_have_prereq FILEMODE +- then +- cp 0-10.txt 0-10.x && +- chmod a+x 0-10.x && +- assert_fails 0-10.txt 0-10.x +- fi && +- +- if test_have_prereq SYMLINKS +- then +- ln -sf 0-10.txt symlink && +- ln -s 0-10.txt another-symlink && +- ln -s over-the-ocean yet-another-symlink && +- ln -s "$PWD/0-10.txt" absolute-symlink && +- assert_fails 0-10.txt symlink && +- test-tool path-utils do_files_match symlink another-symlink && +- assert_fails 
symlink yet-another-symlink && +- assert_fails symlink absolute-symlink +- fi +-' +- + test_done diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..7ff1f37 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,7 @@ +0001-hook-plug-a-new-memory-leak.diff +0002-Revert-core.hooksPath-add-some-protection-while-cloni.diff +0003-tests-verify-that-clone-c-core.hooksPath-dev-null-wor.diff +0004-hook-clone-protections-add-escape-hatch.diff +0005-hooks-clone-protections-special-case-current-Git-LFS-.diff +0006-hooks-clone-protections-simplify-templates-hooks-vali.diff +0007-Revert-Add-a-helper-function-to-compare-file-contents.diff diff --git a/debian/versions.upstream b/debian/versions.upstream index 0562272..7af7478 100644 --- a/debian/versions.upstream +++ b/debian/versions.upstream @@ -831,21 +831,38 @@ v2.39.0 v2.39.1 v2.39.2 v2.39.3 +v2.39.4 v2.40.0-rc0 v2.40.0-rc1 v2.40.0-rc2 v2.40.0 v2.40.1 +v2.40.2 v2.41.0-rc0 v2.41.0-rc1 v2.41.0-rc2 v2.41.0 +v2.41.1 v2.42.0-rc0 v2.42.0-rc1 v2.42.0-rc2 v2.42.0 v2.42.1 +v2.42.2 v2.43.0-rc0 v2.43.0-rc1 v2.43.0-rc2 v2.43.0 +v2.43.1 +v2.43.2 +v2.43.3 +v2.43.4 +v2.44.0-rc0 +v2.44.0-rc1 +v2.44.0-rc2 +v2.44.0 +v2.44.1 +v2.45.0-rc0 +v2.45.0-rc1 +v2.45.0 +v2.45.1 |
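Review bot: the four hard-coded Git LFS checksums in the `is_hook_safe_during_clone()` hunk of patch 0005 (`/* Hard-code known-safe values for Git LFS v3.4.0..v3.5.1 */`) will silently stop matching the moment Git LFS changes a single byte of its hook text, and nothing in the hunk records how they were produced. Suggest the comment name the exact hook file each value was computed from and the command used (a plain SHA-256 over the hook body), so the next Git LFS bump can regenerate them instead of copying them by hand; a small static table of `{ "pre-push", "df5417..." }` entries with the version range alongside would also read better than four bare `strset_add()` calls.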
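Review bot: the new test 'Git LFS special-handling in clone protections' in the t1800 hunk exercises only the `pre-push` checksum; the `post-checkout`, `post-commit` and `post-merge` values added in the same patch have no coverage, so a transcription error in any of those three would ship unnoticed. Suggest generalising `write_lfs_pre_push_hook ()` to take the hook name, then looping over all four hooks with `git -C lfs-hooks hook run <name>` under `GIT_CLONE_PROTECTION_ACTIVE=true` and checking `fake-git-lfs.log` each time.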
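Review bot: in the `add_safe_hook()` hunk of patch 0006, a failure of `get_sha256_of_file_contents()` is silently ignored, so a template hook that cannot be read at copy time is still copied and will later abort the clone with the `active `%s` hook found during `git clone`` message and no hint as to why. Suggest at least a `warning()` or a trace2 event in that case. The hunk also ignores the return value of `strset_add()`; skipping the `git_config_push_parameter()` call when the checksum was already in the set would avoid pushing duplicate `safe.hook.sha256=` entries into `GIT_CONFIG_PARAMETERS` for child processes.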
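Review bot: `is_hooks_dir = ends_with(template_path->buf, "/hooks/")` in the `copy_templates_1()` hunk relies on the buffer ending in a slash when the function is entered and only marks direct children of `hooks/`; both are true for the standard template layout, but neither assumption is documented next to the check. Suggest a one-line comment, and a note that the `is_executable()` test deliberately mirrors `find_hook()` (a non-executable template hook is not an active hook, so it is not added to the safe list even though `copy_file()` preserves its mode).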
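Review bot: the new recursive-clone block in the t5601 hunk runs `git -C tmpl/hooks submodule add ...` and a commit outside the subshell, which permanently changes the shared `tmpl/hooks` fixture for every test that follows in the file. Suggest either cloning the fixture to a throwaway repository before adding the submodule, or stating in the test that later tests tolerate the extra `sub` entry. A short comment explaining that `test_config_global protocol.file.allow always` is required only because the submodule URL is a local path would also help the next reader.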
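Review bot: the revert in patch 0007 removes `do_files_match()`, `do_symlinks_match()` and the `test-tool path-utils do_files_match` entry point, but the commit message only accounts for the hook.c caller that patch 0006 dropped. Worth confirming with a tree-wide grep that no other caller or `copy.h` consumer remains, and checking whether any headers `copy.c` pulled in solely for the symlink comparison (the `strbuf_readlink()` / `open_nofollow()` path) are now unused, since the hunk does not touch the include list.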