From: "Kristoffer Haugsbakk" <kristofferhaugsbakk@fastmail.com>
To: "Josh Soref" <gitgitgadget@gmail.com>, git@vger.kernel.org
Cc: "Eric Sunshine" <sunshine@sunshineco.com>,
"Elijah Newren" <newren@gmail.com>
Subject: Re: [PATCH v2] fast-import: disallow "." and ".." path components
Date: Wed, 27 Nov 2024 09:28:03 +0100
Message-ID: <79f6027b-123c-40a6-975b-1c6053b9391c@app.fastmail.com>
In-Reply-To: <pull.1831.v2.git.1732561248717.gitgitgadget@gmail.com>

Hi. I see that this is in `next` now so the following might
be irrelevant.

On Mon, Nov 25, 2024, at 20:00, Elijah Newren via GitGitGadget wrote:
> From: Elijah Newren <newren@gmail.com>
> [...]
> diff --git a/builtin/fast-import.c b/builtin/fast-import.c
> index 76d5c20f141..995ef76f9d6 100644
> --- a/builtin/fast-import.c
> +++ b/builtin/fast-import.c
> @@ -1466,6 +1466,8 @@ static int tree_content_set(
> root->tree = t = grow_tree_content(t, t->entry_count);
> e = new_tree_entry();
> e->name = to_atom(p, n);
> + if (is_dot_or_dotdot(e->name->str_dat))
> + die("path %s contains invalid component", p);

Nit: single-quoting the path seems more common:

    $ git grep "\"path '%s'" ':!po/' | wc -l
    17
    $ git grep "\"path %s" ':!po/' | wc -l
    4

> e->versions[0].mode = 0;
> oidclr(&e->versions[0].oid, the_repository->hash_algo);
> t->entries[t->entry_count++] = e;
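
Review bot: the die() message on the added line reports only `p`, while the test that fired was on `e->name->str_dat`, so for a long path the user cannot tell which component was rejected or whether it was "." or "..". Consider naming the component as well, for example `die("path '%s' contains invalid component '%s'", p, e->name->str_dat)`. The check also sits after `root->tree = t = grow_tree_content(...)`, `new_tree_entry()` and `to_atom(p, n)`; that is harmless because die() ends the process, but a short comment saying so would stop a later change to a non-fatal error from leaving a half-built entry behind.
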
> diff --git a/t/t9300-fast-import.sh b/t/t9300-fast-import.sh
> index 6224f54d4d2..caf3dc003a0 100755
> --- a/t/t9300-fast-import.sh
> +++ b/t/t9300-fast-import.sh
> @@ -522,6 +522,26 @@ test_expect_success 'B: fail on invalid committer (5)' '
> test_must_fail git fast-import <input
> '
>
> +test_expect_success 'B: fail on invalid file path' '
> + cat >input <<-INPUT_END &&
> + blob
> + mark :1
> + data <<EOF
> + File contents
> + EOF
> +
> + commit refs/heads/badpath
> + committer Name <email> $GIT_COMMITTER_DATE
> + data <<COMMIT
> + Commit Message
> + COMMIT
> + M 100644 :1 ../invalid-path
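
Review bot: the only path the quoted part of this test feeds in is `../invalid-path` on the `M 100644 :1` line, so the "." case named in the subject, and a dot component that is not the first one (such as `a/../b` or a trailing `..`), are not exercised here. The check in the first hunk tests a single entry name, so cover both names in leading, middle and trailing position to catch a regression in any one of them.
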
Maybe the test could be parameterized so that both `..` and `.` can
be tested? Like in `test_path_eol_success`.
--
Kristoffer Haugsbakk