From: Junio C Hamano <gitster@pobox.com>
To: Adam Dinwoodie <adam@dinwoodie.org>
Cc: git@vger.kernel.org, RyotaK <security@ryotak.me>,
Johannes Schindelin <johannes.schindelin@gmx.de>
Subject: Re: [PATCH] cygwin: disallow backslashes in file names
Date: Fri, 30 Apr 2021 09:48:57 +0900 [thread overview]
Message-ID: <xmqqsg38egw6.fsf@gitster.g> (raw)
In-Reply-To: <20210429201144.8936-1-adam@dinwoodie.org> (Adam Dinwoodie's message of "Thu, 29 Apr 2021 21:11:44 +0100")
Adam Dinwoodie <adam@dinwoodie.org> writes:
> The backslash character is not a valid part of a file name on Windows.
> If, in Windows, Git attempts to write a file that has a backslash
> character in the filename, it will be incorrectly interpreted as a
> directory separator.
>
> This caused CVE-2019-1354 in MinGW, as this behaviour can be manipulated
> to cause the checkout to write to files it ought not write to, such as
> adding code to the .git/hooks directory. This was fixed by e1d911dd4c
> (mingw: disallow backslash characters in tree objects' file names,
> 2019-09-12). However, the vulnerability also exists in Cygwin: while
> Cygwin mostly provides a POSIX-like path system, it will still interpret
> a backslash as a directory separator.
>
> To avoid this vulnerability, CVE-2021-29468, extend the previous fix to
> also apply to Cygwin.
>
> Similarly, extend the test case added by the previous version of the
> commit. The test suite doesn't have an easy way to say "run this test
> if in MinGW or Cygwin", so add a new test prerequisite that covers both.
>
> As well as checking behaviour in the presence of paths containing
> backslashes, the existing test also checks behaviour in the presence of
> paths that differ only by the presence of a trailing ".". MinGW follows
> normal Windows application behaviour and treats them as the same path,
> but Cygwin more closely emulates *nix systems (at the expense of
> compatibility with native Windows applications) and will create and
> distinguish between such paths. Gate the relevant bit of that test
> accordingly.
>
> Reported-by: RyotaK <security@ryotak.me>
> Helped-by: Johannes Schindelin <johannes.schindelin@gmx.de>
> Signed-off-by: Adam Dinwoodie <adam@dinwoodie.org>
> ---
Thanks, all. Will queue.
> read-cache.c | 2 +-
> t/test-lib.sh | 2 ++
> t/t7415-submodule-names.sh | 13 ++++++++-----
> 3 files changed, 11 insertions(+), 6 deletions(-)
>
> diff --git a/read-cache.c b/read-cache.c
> index 5a907af2fb..b6c13bc04e 100644
> --- a/read-cache.c
> +++ b/read-cache.c
> @@ -985,7 +985,7 @@ int verify_path(const char *path, unsigned mode)
> }
> }
> if (protect_ntfs) {
> -#ifdef GIT_WINDOWS_NATIVE
> +#if defined GIT_WINDOWS_NATIVE || defined __CYGWIN__
> if (c == '\\')
> return 0;
> #endif
> diff --git a/t/test-lib.sh b/t/test-lib.sh
> index d3f6af6a65..e84b8c87f9 100644
> --- a/t/test-lib.sh
> +++ b/t/test-lib.sh
> @@ -1457,14 +1457,16 @@ case $uname_s in
> test_set_prereq NATIVE_CRLF
> test_set_prereq SED_STRIPS_CR
> test_set_prereq GREP_STRIPS_CR
> + test_set_prereq WINDOWS
> GIT_TEST_CMP=mingw_test_cmp
> ;;
> *CYGWIN*)
> test_set_prereq POSIXPERM
> test_set_prereq EXECKEEPSPID
> test_set_prereq CYGWIN
> test_set_prereq SED_STRIPS_CR
> test_set_prereq GREP_STRIPS_CR
> + test_set_prereq WINDOWS
> ;;
> *)
> test_set_prereq POSIXPERM
> diff --git a/t/t7415-submodule-names.sh b/t/t7415-submodule-names.sh
> index f70368bc2e..6bf098a6be 100755
> --- a/t/t7415-submodule-names.sh
> +++ b/t/t7415-submodule-names.sh
> @@ -191,7 +191,7 @@ test_expect_success 'fsck detects corrupt .gitmodules' '
> )
> '
>
> -test_expect_success MINGW 'prevent git~1 squatting on Windows' '
> +test_expect_success WINDOWS 'prevent git~1 squatting on Windows' '
> git init squatting &&
> (
> cd squatting &&
> @@ -219,10 +219,13 @@ test_expect_success MINGW 'prevent git~1 squatting on Windows' '
> test_tick &&
> git -c core.protectNTFS=false commit -m "module"
> ) &&
> - test_must_fail git -c core.protectNTFS=false \
> - clone --recurse-submodules squatting squatting-clone 2>err &&
> - test_i18ngrep -e "directory not empty" -e "not an empty directory" err &&
> - ! grep gitdir squatting-clone/d/a/git~2
> + if test_have_prereq MINGW
> + then
> + test_must_fail git -c core.protectNTFS=false \
> + clone --recurse-submodules squatting squatting-clone 2>err &&
> + test_i18ngrep -e "directory not empty" -e "not an empty directory" err &&
> + ! grep gitdir squatting-clone/d/a/git~2
> + fi
> '
>
> test_expect_success 'git dirs of sibling submodules must not be nested' '
prev parent reply other threads:[~2021-04-30 0:49 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-24 21:21 [RFC PATCH] cygwin: disallow backslashes in file names Adam Dinwoodie
2021-04-25 2:22 ` Johannes Schindelin
[not found] ` <CA+kUOan3vk1zJezpieRhKwZ8gsYrCxDBefkXJ1fUC61O+gb12A@mail.gmail.com>
2021-04-27 19:22 ` Adam Dinwoodie
2021-04-28 0:27 ` Johannes Schindelin
2021-04-29 20:11 ` [PATCH] " Adam Dinwoodie
2021-04-30 0:48 ` Junio C Hamano [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqsg38egw6.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=adam@dinwoodie.org \
--cc=git@vger.kernel.org \
--cc=johannes.schindelin@gmx.de \
--cc=security@ryotak.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.