Look for the `GIT_SSH_COMMAND` environment variable and prefer it to
`GIT_SSH`. The `GIT_SSH_COMMAND` will execute via the shell, which is
useful to provide additional arguments.
When sending paths to the remote server, escape them properly.
Escape them with a single quote, followed by the escaped character,
followed by another single quote. This prevents misparsing on the
remote side and potential command injection.
Allow `git_str_puts_escaped` to take an escaping prefix and an escaping
suffix; this allows for more options, including the ability to better
support escaping executed paths.
Construct the arguments for the ssh exec as an explicit array, instead
of trying to create a command-line for sh. The latter may use user input
(the remote path) so this may be vulnerable to command injection.
When using `git_process_new` on win32, resolve the path to the
application in the same way that we do on POSIX.
Search `PATH` for command to execute (unless the given executable is
fully qualified). In addition, better match Windows executable lookup
behavior itself (allowing the command to be `foo`, and looking for a
matching `foo.exe` or `foo.cmd`.)
By default, `git_process_new` will no longer try to prepare a single
string to execute with the shell. Instead, by default, arguments remain
parameterized and the command to execute is located within the `PATH`.
The shell can also still optionally be used (so that additional
arguments can be included and variables handled appropriately) but this
is done by keeping arguments parameterized for safety.
This new behavior prevents accidental misuse and potential command-line
injection.
Ensure that when we look for an executable on Windows that we add
executable suffixes (`.exe`, `.cmd`). Without this, we would not support
looking for (eg) `ssh`, since we actually need to identify a file named
`ssh.exe` (or `ssh.cmd`) in `PATH`.
* Do not search `PATH` for fully- or partially-qualified filenames
(eg, `foo/bar`)
* Ensure that a file in the `PATH` is executable before returning it
The `ssh_custom_free()` function calls `strlen()` on the `publickey`
field, which stores binary data, not a null-terminated string. This
causes a heap buffer overflow when the public key data is not
null-terminated or contains embedded null bytes.
The `publickey` field stores binary data, as required by the underlying
`libssh2_userauth_publickey()` function, which accepts a public key
parameter of the type `const unsigned char*`.
Use the stored `publickey_len` instead of `strlen()` to determine the
correct buffer size.
Fixes a bug likely introduced in
d396819101 (in 1.8.1) whereby
‘proxy_settings.on_status’ would be left uninitialized when using the
‘http-parser’ backend, eventually leading to a segfault in
‘http_parser_execute’. Valgrind would report use of the uninitialized
value like so:
Conditional jump or move depends on uninitialised value(s)
at 0x50CD533: http_parser_execute (http_parser.c:910)
by 0x4928504: git_http_parser_execute (httpparser.c:82)
by 0x4925C42: client_read_and_parse (httpclient.c:1178)
by 0x4926F27: git_http_client_read_response (httpclient.c:1458)
by 0x49255FE: http_stream_read (http.c:427)
by 0x4929B90: git_smart__recv (smart.c:29)
by 0x492C147: git_smart__store_refs (smart_protocol.c:58)
by 0x4929F6C: git_smart__connect (smart.c:171)
by 0x4904DCE: git_remote_connect_ext (remote.c:963)
by 0x48A15D2: clone_into (clone.c:449)
by 0x48A15D2: git__clone (clone.c:546)
by 0x4010E9: main (libgit2-proxy.c:20)
Description: In an older version of libgit2 in git_object_lookup_prefix was a check that repo is valid, but now there is repo->oid_type in the git_object_lookup and must be checked as well
realpath(3) _may_ allocate strings (if the second param is NULL) using
the system allocator. However, callers need an assurance that they can
free memory using git__free. If we made realpath do an allocation, then
make sure that we strdup it into our allocator's memory.
More importantly, avoid this behavior by always providing a buffer to
p_realpath invocations.
Instead of tweaking the `stdalloc` allocator when
`GIT_DEBUG_STRICT_ALLOC` is defined, actually create a debugging
allocator. This allows us to ensure that we are strict about things like
not expecting `malloc(0)` to do something useful, but we can also
introduce an excessively pedantic `realloc` implementation that _always_
creates a new buffer, throws away its original `ptr`, and overwrites the
data that's there with garbage. This may be helpful to identify places
that make assumptions about realloc.
Avoid sloppy aliasing in our (re-)allocation, which is undefined
behavior. This has been problematic before and was helped by `volatile`
(see b62a6a13b2) but that is not
technically correct, and some compilers / architectures do not
understand that `ptr` is changing due to its aliasing.
Just make `git_array_alloc` behave like `realloc`, taking a `void *` and
returning a `void *`.
In attempting to make a clever change that added fetch options as flags,
while keeping ABI and API compatibility, we screwed up. Bitfields in
structs are implementation-specific and are not necessarily ABI
compatible across compilers.
Make `update_fetchhead` a flags value which is weirdly named, but
that's a future problem. This removes the `report_unchanged` option from
API.
Since 3618a2a, `git_error_last` does not return NULL when there was no
error. Adapt to this when testing for a user cancelling a callback but
not setting an error message, testing for `klass` of `GIT_ERROR_NONE`.
Users can now override the "product" portion of the user-agent (via
GIT_OPT_SET_USER_AGENT_PRODUCT). This continues to default to "git/2.0",
but users may define their own string, or may opt out of sending a
user-agent entirely (by passing an empty string). Similarly, users may
now also opt-out of sending any additional "comment" information by
setting the GIT_OPT_SET_USER_AGENT value to an empty string.
The Microsoft C runtime (MSVCRT) may take a heavy lock on the
locale in order to figure out how the `ctype` functions work.
This is deeply slow. Provide our own to avoid that.
On POSIX, provide emulation for that functionality using the ctype
functions, but compress the return value into a `bool`, and cast the
value to an `unsigned char`.
Update `git_fetch_options` to break out the fetch options into
individual options. This prevents creating an API breaking change from
v1.7.0. `git_remote_update_tips` retains the `update_flags` to also
avoid an API breaking change.
