bug: git submodule add in of nested submodule handles relative path wrong

bug: git submodule add in of nested submodule handles relative path wrong

[Joey Hess]

[-- Attachment #1: Type: text/plain, Size: 1390 bytes --]

joey@darkstar:/tmp/empty>git init sub1
Initialized empty Git repository in /tmp/empty/sub1/.git/
joey@darkstar:/tmp/empty>git init sub2
Initialized empty Git repository in /tmp/empty/sub2/.git/
joey@darkstar:/tmp/empty>cd sub1
joey@darkstar:/tmp/empty/sub1>date > f1 ; git add f1; git commit -m add -q
joey@darkstar:/tmp/empty/sub1>cd ..
joey@darkstar:/tmp/empty>cd sub2
joey@darkstar:/tmp/empty/sub2>date > f2 ; git add f2; git commit -m add -q
joey@darkstar:/tmp/empty/sub2>cd ..
joey@darkstar:/tmp/empty>git init repo
Initialized empty Git repository in /tmp/empty/repo/.git/
joey@darkstar:/tmp/empty>cd repo
joey@darkstar:/tmp/empty/repo>git submodule add ../sub1 1
Cloning into '1'...
done.
joey@darkstar:/tmp/empty/repo>cd 1
joey@darkstar:/tmp/empty/repo/1>ls
f1
joey@darkstar:/tmp/empty/repo/1>git submodule add ../../sub2 2
fatal: repository '/tmp/sub2' does not exist
fatal: clone of '/tmp/sub2' into submodule path '2' failed

Like the bug I filed yesterday, this is caused by git submodule add's
chdir into .git/modules.

Workaround is to pass absolute paths to git submodule add.

Note that this could be an exploitable security hole under some unusual
circumstances. In the example above, any other local user could create a
/tmp/sub2 containing something nasty, and git would check it out
accidentially.

git version 2.7.0

-- 
see shy jo

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 811 bytes --]

Re: bug: git submodule add in of nested submodule handles relative path wrong

[Stefan Beller]

I'll add Jens, who has deep knowledge of submodules.

On Wed, Mar 2, 2016 at 8:52 AM, Joey Hess <id@joeyh.name> wrote:
> joey@darkstar:/tmp/empty>git init sub1
> Initialized empty Git repository in /tmp/empty/sub1/.git/
> joey@darkstar:/tmp/empty>git init sub2
> Initialized empty Git repository in /tmp/empty/sub2/.git/
> joey@darkstar:/tmp/empty>cd sub1
> joey@darkstar:/tmp/empty/sub1>date > f1 ; git add f1; git commit -m add -q
> joey@darkstar:/tmp/empty/sub1>cd ..
> joey@darkstar:/tmp/empty>cd sub2
> joey@darkstar:/tmp/empty/sub2>date > f2 ; git add f2; git commit -m add -q
> joey@darkstar:/tmp/empty/sub2>cd ..
> joey@darkstar:/tmp/empty>git init repo
> Initialized empty Git repository in /tmp/empty/repo/.git/
> joey@darkstar:/tmp/empty>cd repo
> joey@darkstar:/tmp/empty/repo>git submodule add ../sub1 1
> Cloning into '1'...
> done.
> joey@darkstar:/tmp/empty/repo>cd 1
> joey@darkstar:/tmp/empty/repo/1>ls
> f1
> joey@darkstar:/tmp/empty/repo/1>git submodule add ../../sub2 2
> fatal: repository '/tmp/sub2' does not exist
> fatal: clone of '/tmp/sub2' into submodule path '2' failed

This happens because inside "git submodule add" as in
any git submodule command you cd to the top level of the superproject
and then there is no proper way to describe where you came from.

Compare to [1], where I poke around with submodules as well.

[1] http://thread.gmane.org/gmane.comp.version-control.git/287620

>
> Like the bug I filed yesterday, this is caused by git submodule add's
> chdir into .git/modules.

I wonder if we want to take note of "these small annoyances"
in the submodule wiki[2].

[2] https://github.com/jlehmann/git-submod-enhancements/wiki#submodule-related-bugs-to-fix
  I consider Jens wiki one of the best sources for a high level overview
  of what needs to be done, and what is already solved for submodules.
  I linked to this thread from there. (I did not know I had write permission)

Thanks,
Stefan

>
> Workaround is to pass absolute paths to git submodule add.
>
> Note that this could be an exploitable security hole under some unusual
> circumstances. In the example above, any other local user could create a
> /tmp/sub2 containing something nasty, and git would check it out
> accidentially.
>
> git version 2.7.0
>
> --
> see shy jo