git.vger.kernel.org archive mirror
From: Patrick Steinhardt <ps@pks.im>
To: Adrian Ratiu <adrian.ratiu@collabora.com>
Cc: git@vger.kernel.org, Emily Shaffer <emilyshaffer@google.com>,
	Rodrigo Damazio Bovendorp <rdamazio@google.com>,
	Jeff King <peff@peff.net>, Junio C Hamano <gitster@pobox.com>,
	Aaron Schrab <aaron@schrab.com>,
	Jonathan Nieder <jrnieder@gmail.com>,
	Josh Steadmon <steadmon@google.com>,
	Ben Knoble <ben.knoble@gmail.com>,
	Phillip Wood <phillip.wood123@gmail.com>
Subject: Re: [PATCH v5 3/7] submodule: always validate gitdirs inside submodule_name_to_gitdir
Date: Fri, 5 Dec 2025 13:17:00 +0100
Message-ID: <aTLNPKlDnsNzyZkC@pks.im>
In-Reply-To: <20251119211030.2008441-4-adrian.ratiu@collabora.com>

On Wed, Nov 19, 2025 at 11:10:26PM +0200, Adrian Ratiu wrote:
> diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
> index 2873b2780e..9914ca0786 100644
> --- a/builtin/submodule--helper.c
> +++ b/builtin/submodule--helper.c
> @@ -1780,23 +1776,6 @@ static int clone_submodule(const struct module_clone_data *clone_data,
>  		free(path);
>  	}
>  
> -	/*
> -	 * We already performed this check at the beginning of this function,
> -	 * before cloning the objects. This tries to detect racy behavior e.g.
> -	 * in parallel clones, where another process could easily have made the
> -	 * gitdir nested _after_ it was created.
> -	 *
> -	 * To prevent further harm coming from this unintentionally-nested
> -	 * gitdir, let's disable it by deleting the `HEAD` file.
> -	 */
> -	if (validate_submodule_git_dir(sm_gitdir, clone_data->name) < 0) {
> -		char *head = xstrfmt("%s/HEAD", sm_gitdir);
> -		unlink(head);
> -		free(head);
> -		die(_("refusing to create/use '%s' in another submodule's "
> -		      "git dir"), sm_gitdir);
> -	}
> -
>  	connect_work_tree_and_git_dir(clone_data_path, sm_gitdir, 0);
>  
>  	p = repo_submodule_path(the_repository, clone_data_path, "config");
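
Review bot: The block removed just before `connect_work_tree_and_git_dir()` was the only re-validation after the clone, and its own comment says it exists to catch a gitdir that another process nested after the initial check; nothing in the lines shown replaces it. The removal also drops the `unlink(head)` that disabled a gitdir found to be nested. Either keep a post-clone `validate_submodule_git_dir(sm_gitdir, clone_data->name)` call at this point, or explain in the commit message why the parallel-clone race described in the deleted comment no longer needs a second check.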

Hm. This one is a bit puzzling to me. This seems to explicitly be a
check about a TOCTOU-style race, where a concurrent process might have
created the parent repository after our initial validation of the path.
We don't call `submodule_name_to_gitdir()` in between those two calls
though, so why is this not a concern anymore with the unified API?

> diff --git a/submodule.c b/submodule.c
> index 35c55155f7..8ef028f26b 100644
> --- a/submodule.c
> +++ b/submodule.c
> @@ -2153,30 +2153,11 @@ int submodule_move_head(const char *path, const char *super_prefix,
>  
>  	if (!(flags & SUBMODULE_MOVE_HEAD_DRY_RUN)) {
>  		if (old_head) {
> -			if (!submodule_uses_gitfile(path))
> -				absorb_git_dir_into_superproject(path,
> -								 super_prefix);
> -			else {
> -				char *dotgit = xstrfmt("%s/.git", path);
> -				char *git_dir = xstrdup(read_gitfile(dotgit));
> -
> -				free(dotgit);
> -				if (validate_submodule_git_dir(git_dir,
> -							       sub->name) < 0)
> -					die(_("refusing to create/use '%s' in "
> -					      "another submodule's git dir"),
> -					    git_dir);
> -				free(git_dir);
> -			}
> +			absorb_git_dir_into_superproject(path, super_prefix);
>  		} else {
>  			struct strbuf gitdir = STRBUF_INIT;
>  			submodule_name_to_gitdir(&gitdir, the_repository,
>  						 sub->name);
> -			if (validate_submodule_git_dir(gitdir.buf,
> -						       sub->name) < 0)
> -				die(_("refusing to create/use '%s' in another "
> -				      "submodule's git dir"),
> -				    gitdir.buf);
>  			connect_work_tree_and_git_dir(path, gitdir.buf, 0);
>  			strbuf_release(&gitdir);
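
Review bot: In the `old_head` branch, a submodule that already uses a gitfile used to have the target returned by `read_gitfile(dotgit)` checked with `validate_submodule_git_dir()`; after this change the branch only calls `absorb_git_dir_into_superproject(path, super_prefix)`, now also for gitfile submodules, and no validation of the gitfile target is visible in this hunk. If the absorb call performs that validation internally, say so in the commit message; otherwise keep the check for the gitfile case. The `else` branch is safe only as long as `submodule_name_to_gitdir()` does the validation itself, which the subject line states but these lines do not show, so a short comment above that call would help the next reader.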

The second case here makes sense to me, as we do call
`submodule_name_to_gitdir()`. But in the first branch of the condition
we retrieve the path directly, so we're not guarded by the validation
anymore, are we?

Patrick
