From: Patrick Steinhardt <ps@pks.im>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: Karsten Blees via GitGitGadget <gitgitgadget@gmail.com>,
	git@vger.kernel.org, Karsten Blees <karsten.blees@gmail.com>
Subject: Re: [PATCH 4/5] strbuf_readlink(): support link targets that exceed PATH_MAX
Date: Fri, 19 Dec 2025 12:51:23 +0100
Message-ID: <aUU8O6ltrNj-FmjZ@pks.im>
In-Reply-To: <5778a03b-2e33-9224-e051-664c2d530fc3@gmx.de>

On Fri, Dec 19, 2025 at 09:50:15AM +0100, Johannes Schindelin wrote:
> Hi Patrick,
> 
> On Wed, 17 Dec 2025, Patrick Steinhardt wrote:
> 
> > On Tue, Dec 16, 2025 at 03:33:48PM +0000, Karsten Blees via GitGitGadget wrote:
> > > diff --git a/strbuf.c b/strbuf.c
> > > index 44a8f6a554..fa4e30f112 100644
> > > --- a/strbuf.c
> > > +++ b/strbuf.c
> > > @@ -566,8 +566,6 @@ ssize_t strbuf_write(struct strbuf *sb, FILE *f)
> > >  	return sb->len ? fwrite(sb->buf, 1, sb->len, f) : 0;
> > >  }
> > >  
> > > -#define STRBUF_MAXLINK (2*PATH_MAX)
> > > -
> > >  int strbuf_readlink(struct strbuf *sb, const char *path, size_t hint)
> > >  {
> > >  	size_t oldalloc = sb->alloc;
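Review bot: Deleting `#define STRBUF_MAXLINK (2*PATH_MAX)` outright removes the named limit on link target size that sat directly above `strbuf_readlink()`. Consider keeping the macro and raising its value to the new intended maximum, with a comment saying where that number comes from, so the limit stays visible and reviewable instead of disappearing.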
> > > @@ -575,7 +573,7 @@ int strbuf_readlink(struct strbuf *sb, const char *path, size_t hint)
> > >  	if (hint < 32)
> > >  		hint = 32;
> > >  
> > > -	while (hint < STRBUF_MAXLINK) {
> > > +	for (;;) {
> > >  		ssize_t len;
> > >  
> > >  		strbuf_grow(sb, hint + 1);
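Review bot: With `for (;;)` in place of `while (hint < STRBUF_MAXLINK)`, nothing in the loop header limits `hint` any more, so the size requested by `strbuf_grow(sb, hint + 1)` is governed only by what the link target makes the loop body do. Keep the loop bounded against a larger cap and fail with an error once the cap is reached, and make sure `hint + 1` cannot wrap on the way there.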
> > 
> > This makes me wonder whether we have a better way to figure out the
> > actual size of the buffer that we ultimately need to allocate. But
> > reading through readlink(3p) doesn't indicate anything, and I'm not sure
> > whether we can always rely on lstat(3p) to return the correct size for
> > symlink contents on all platforms.
> > 
> > One thing that _is_ noted though is that calling the function with a
> > buffer size larger than SSIZE_MAX is implementation-defined. It does
> > make me a bit uneasy in that light to grow indefinitely.
> > 
> > Which makes me wonder whether Windows has a limit for the symlink
> > contents that we could enforce in theory so that we can reasonably turn
> > this into a bounded loop again?
> 
> https://learn.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation
> suggests that the maximum permissible target path should be 32,768. But
> that's not _quite_ correct, as
> `../t/../Documentation/RelNotes/../../README.md` is a perfectly valid (if
> awkward) symlink target.
> 
> Still, I would say that 32,768 would make for a fine (still insanely high,
> but not so high as to allow malicious symlinks to cause memory problems)
> limit.
> 
> Sound good?
> Johannes

Sounds good to me, thanks!

Patrick
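
Added example, not code from this thread or from Git: a growing-buffer `readlink()` loop that stays bounded by the 32,768 limit suggested above and never passes a size above `SSIZE_MAX`. `readlink_bounded()` and `LINK_TARGET_CAP` are hypothetical names, and plain `realloc()` stands in for Git's `strbuf` API.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define LINK_TARGET_CAP 32768 /* limit suggested in the thread */

/* Hypothetical helper: returns the malloc'd, NUL-terminated target of `path`,
 * or NULL with errno set (ENAMETOOLONG if it needs `cap` bytes or more). */
char *readlink_bounded(const char *path, size_t hint, size_t cap)
{
	char *buf = NULL;

	if (cap > (size_t)SSIZE_MAX)	/* beyond that is implementation-defined */
		cap = SSIZE_MAX;
	hint = hint < 32 ? 32 : hint;
	hint = hint > cap ? cap : hint;
	for (;;) {
		char *tmp = realloc(buf, hint + 1);
		ssize_t len = tmp ? readlink(path, tmp, hint) : -1;
		int err = tmp ? errno : ENOMEM;	/* used only when len < 0 */
		buf = tmp ? tmp : buf;
		if (len >= 0 && (size_t)len < hint) {
			buf[len] = '\0';	/* readlink() does not terminate */
			return buf;
		}
		if (len >= 0 && hint < cap) {	/* buffer filled: maybe truncated */
			hint = hint > cap / 2 ? cap : hint * 2;
			continue;
		}
		free(buf);
		errno = len < 0 ? err : ENAMETOOLONG;
		return NULL;
	}
}

int main(int argc, char **argv)
{
	char *target = argc == 2 ? readlink_bounded(argv[1], 0, LINK_TARGET_CAP) : NULL;

	if (!target) {
		fprintf(stderr, "usage: %s <symlink> (or the read failed)\n", argv[0]);
		return 1;
	}
	puts(target);
	free(target);
	return 0;
}
```

A target that exactly fills the largest permitted buffer is rejected as well, because `readlink()` gives no way to tell a full buffer from a truncated one.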

Thread overview: 13+ messages
2025-12-16 15:33 [PATCH 0/5] Last preparations before upstreaming Git for Windows' symlink support Johannes Schindelin via GitGitGadget
2025-12-16 15:33 ` [PATCH 1/5] mingw: do resolve symlinks in `getcwd()` Johannes Schindelin via GitGitGadget
2025-12-17 14:44   ` Patrick Steinhardt
2025-12-16 15:33 ` [PATCH 2/5] init: do parse _all_ core.* settings early Johannes Schindelin via GitGitGadget
2025-12-17 14:44   ` Patrick Steinhardt
2025-12-16 15:33 ` [PATCH 3/5] strbuf_readlink(): avoid calling `readlink()` twice in corner-cases Karsten Blees via GitGitGadget
2025-12-16 15:33 ` [PATCH 4/5] strbuf_readlink(): support link targets that exceed PATH_MAX Karsten Blees via GitGitGadget
2025-12-17 14:44   ` Patrick Steinhardt
2025-12-19  8:50     ` Johannes Schindelin
2025-12-19 11:51       ` Patrick Steinhardt [this message]
2025-12-30  5:00         ` Junio C Hamano
2025-12-17 23:39   ` Junio C Hamano
2025-12-16 15:33 ` [PATCH 5/5] trim_last_path_component(): avoid hard-coding the directory separator Karsten Blees via GitGitGadget