Merge branch 'safedir'

src/libgit2/repository.c

@@ -566,6 +566,18 @@ static int validate_ownership_cb(const git_config_entry *entry, void *payload)
 	} else {
 		const char *test_path = entry->value;
 
+		if (git_str_sets(&data->tmp, test_path) < 0 ||
+		    git_fs_path_to_dir(&data->tmp) < 0)
+			return -1;
+
+		/*
+		 * Ensure that `git_fs_path_to_dir` mutated the
+		 * input path by adding a trailing backslash.
+		 * A trailing backslash on the input is not allowed.
+		 */
+		if (strcmp(data->tmp.ptr, test_path) == 0)
+			return 0;
+
 #ifdef GIT_WIN32
 		/*
 		 * Git for Windows does some truly bizarre things with
@@ -596,8 +608,7 @@ static int validate_ownership_cb(const git_config_entry *entry, void *payload)
 			test_path++;
 #endif
 
-		if (git_fs_path_prettify_dir(&data->tmp, test_path, NULL) == 0 &&
-		    strcmp(data->tmp.ptr, data->repo_path) == 0)
+		if (strcmp(data->tmp.ptr, data->repo_path) == 0)
 			*data->is_safe = true;
 	}
 

tests/libgit2/repo/open.c

@@ -555,6 +555,25 @@ void test_repo_open__can_allowlist_dirs_with_problematic_ownership(void)
 
 	git_str_joinpath(&config_filename, config_path.ptr, ".gitconfig");
 
+	/* Test with incorrect exception (slash at the end) */
+	git_str_printf(&config_data,
+		"[foo]\n" \
+		"\tbar = Foobar\n" \
+		"\tbaz = Baz!\n" \
+		"[safe]\n" \
+		"\tdirectory = /non/existent/path\n" \
+		"\tdirectory = /\n" \
+		"\tdirectory = c:\\\\temp\n" \
+		"\tdirectory = %s/%s/\n" \
+		"\tdirectory = /tmp\n" \
+		"[bar]\n" \
+		"\tfoo = barfoo\n",
+		clar_sandbox_path(), "empty_standard_repo");
+	cl_git_rewritefile(config_filename.ptr, config_data.ptr);
+	cl_git_fail_with(GIT_EOWNER, git_repository_open(&repo, "empty_standard_repo"));
+
+	/* Test with correct exception */
+	git_str_clear(&config_data);
 	git_str_printf(&config_data,
 		"[foo]\n" \
 		"\tbar = Foobar\n" \