Git 2.23.3

This merges up the security fix from v2.17.5. Signed-off-by: Jonathan Nieder <[email protected]>
Elimuhub-Consultants-Kenya · Apr 19, 2020 · f2771ef · f2771ef
2 parents 17a0278 c9808fa
commit f2771ef
Show file tree

Hide file tree

Showing 15 changed files with 489 additions and 42 deletions.
diff --git a/Documentation/RelNotes/2.17.5.txt b/Documentation/RelNotes/2.17.5.txt
@@ -0,0  1,22 @@
 Git v2.17.5 Release Notes
 =========================
 
 This release is to address a security issue: CVE-2020-11008
 
 Fixes since v2.17.4
 -------------------
 
  * With a crafted URL that contains a newline or empty host, or lacks
    a scheme, the credential helper machinery can be fooled into
    providing credential information that is not appropriate for the
    protocol in use and host being contacted.
 
    Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
    credentials are not for a host of the attacker's choosing; instead,
    they are for some unspecified host (based on how the configured
    credential helper handles an absent "host" parameter).
 
    The attack has been made impossible by refusing to work with
    under-specified credential patterns.
 
 Credit for finding the vulnerability goes to Carlo Arenas.
diff --git a/Documentation/RelNotes/2.18.4.txt b/Documentation/RelNotes/2.18.4.txt
@@ -0,0  1,5 @@
 Git v2.18.4 Release Notes
 =========================
 
 This release merges the security fix that appears in v2.17.5; see
 the release notes for that version for details.
diff --git a/Documentation/RelNotes/2.19.5.txt b/Documentation/RelNotes/2.19.5.txt
@@ -0,0  1,5 @@
 Git v2.19.5 Release Notes
 =========================
 
 This release merges the security fix that appears in v2.17.5; see
 the release notes for that version for details.
diff --git a/Documentation/RelNotes/2.20.4.txt b/Documentation/RelNotes/2.20.4.txt
@@ -0,0  1,5 @@
 Git v2.20.4 Release Notes
 =========================
 
 This release merges the security fix that appears in v2.17.5; see
 the release notes for that version for details.
diff --git a/Documentation/RelNotes/2.21.3.txt b/Documentation/RelNotes/2.21.3.txt
@@ -0,0  1,5 @@
 Git v2.21.3 Release Notes
 =========================
 
 This release merges the security fix that appears in v2.17.5; see
 the release notes for that version for details.
diff --git a/Documentation/RelNotes/2.22.4.txt b/Documentation/RelNotes/2.22.4.txt
@@ -0,0  1,5 @@
 Git v2.22.4 Release Notes
 =========================
 
 This release merges the security fix that appears in v2.17.5; see
 the release notes for that version for details.
diff --git a/Documentation/RelNotes/2.23.3.txt b/Documentation/RelNotes/2.23.3.txt
@@ -0,0  1,5 @@
 Git v2.23.3 Release Notes
 =========================
 
 This release merges the security fix that appears in v2.17.5; see
 the release notes for that version for details.
diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN
@@ -1,7  1,7 @@
 #!/bin/sh
 
 GVF=GIT-VERSION-FILE
-DEF_VER=v2.23.2
 DEF_VER=v2.23.3
 
 LF='
 '

diff --git a/RelNotes b/RelNotes
@@ -1  1 @@
-Documentation/RelNotes/2.23.2.txt
 Documentation/RelNotes/2.23.3.txt
diff --git a/credential.c b/credential.c
@@ -89,6  89,11 @@ static int proto_is_http(const char *s)
 
 static void credential_apply_config(struct credential *c)
 {
 	if (!c->host)
 		die(_("refusing to work with credential missing host field"));
 	if (!c->protocol)
 		die(_("refusing to work with credential missing protocol field"));
 
 	if (c->configured)
 		return;
 	git_config(credential_config_callback, c);
@@ -191,8  196,11 @@ int credential_read(struct credential *c, FILE *fp)
 	return 0;
 }
 
-static void credential_write_item(FILE *fp, const char *key, const char *value)
 static void credential_write_item(FILE *fp, const char *key, const char *value,
 				  int required)
 {
 	if (!value && required)
 		BUG("credential value for %s is missing", key);
 	if (!value)
 		return;
 	if (strchr(value, '\n'))
@@ -202,11  210,11 @@ static void credential_write_item(FILE *fp, const char *key, const char *value)
 
 void credential_write(const struct credential *c, FILE *fp)
 {
-	credential_write_item(fp, "protocol", c->protocol);
-	credential_write_item(fp, "host", c->host);
-	credential_write_item(fp, "path", c->path);
-	credential_write_item(fp, "username", c->username);
-	credential_write_item(fp, "password", c->password);
 	credential_write_item(fp, "protocol", c->protocol, 1);
 	credential_write_item(fp, "host", c->host, 1);
 	credential_write_item(fp, "path", c->path, 0);
 	credential_write_item(fp, "username", c->username, 0);
 	credential_write_item(fp, "password", c->password, 0);
 }
 
 static int run_credential_helper(struct credential *c,
@@ -352,8  360,11 @@ int credential_from_url_gently(struct credential *c, const char *url,
 	 *   (3) proto://<user>:<pass>@<host>/...
 	 */
 	proto_end = strstr(url, "://");
-	if (!proto_end)
-		return 0;
 	if (!proto_end || proto_end == url) {
 		if (!quiet)
 			warning(_("url has no scheme: %s"), url);
 		return -1;
 	}
 	cp = proto_end   3;
 	at = strchr(cp, '@');
 	colon = strchr(cp, ':');
@@ -374,10  385,8 @@ int credential_from_url_gently(struct credential *c, const char *url,
 		host = at   1;
 	}
 
-	if (proto_end - url > 0)
-		c->protocol = xmemdupz(url, proto_end - url);
-	if (slash - host > 0)
-		c->host = url_decode_mem(host, slash - host);
 	c->protocol = xmemdupz(url, proto_end - url);
 	c->host = url_decode_mem(host, slash - host);
 	/* Trim leading and trailing slashes from path */
 	while (*slash == '/')
 		slash  ;
@@ -401,8  410,6 @@ int credential_from_url_gently(struct credential *c, const char *url,
 
 void credential_from_url(struct credential *c, const char *url)
 {
-	if (credential_from_url_gently(c, url, 0) < 0) {
-		warning(_("skipping credential lookup for url: %s"), url);
-		credential_clear(c);
-	}
 	if (credential_from_url_gently(c, url, 0) < 0)
 		die(_("credential url cannot be parsed: %s"), url);
 }
diff --git a/fsck.c b/fsck.c
@@ -9,6  9,7 @@
 #include "tag.h"
 #include "fsck.h"
 #include "refs.h"
 #include "url.h"
 #include "utf8.h"
 #include "decorate.h"
 #include "oidset.h"
@@ -948,17  949,147 @@ static int fsck_tag(struct tag *tag, const char *data,
 	return fsck_tag_buffer(tag, data, size, options);
 }
 
 /*
  * Like builtin/submodule--helper.c's starts_with_dot_slash, but without
  * relying on the platform-dependent is_dir_sep helper.
  *
  * This is for use in checking whether a submodule URL is interpreted as
  * relative to the current directory on any platform, since \ is a
  * directory separator on Windows but not on other platforms.
  */
 static int starts_with_dot_slash(const char *str)
 {
 	return str[0] == '.' && (str[1] == '/' || str[1] == '\\');
 }
 
 /*
  * Like starts_with_dot_slash, this is a variant of submodule--helper's
  * helper of the same name with the twist that it accepts backslash as a
  * directory separator even on non-Windows platforms.
  */
 static int starts_with_dot_dot_slash(const char *str)
 {
 	return str[0] == '.' && starts_with_dot_slash(str   1);
 }
 
 static int submodule_url_is_relative(const char *url)
 {
 	return starts_with_dot_slash(url) || starts_with_dot_dot_slash(url);
 }
 
 /*
  * Count directory components that a relative submodule URL should chop
  * from the remote_url it is to be resolved against.
  *
  * In other words, this counts "../" components at the start of a
  * submodule URL.
  *
  * Returns the number of directory components to chop and writes a
  * pointer to the next character of url after all leading "./" and
  * "../" components to out.
  */
 static int count_leading_dotdots(const char *url, const char **out)
 {
 	int result = 0;
 	while (1) {
 		if (starts_with_dot_dot_slash(url)) {
 			result  ;
 			url  = strlen("../");
 			continue;
 		}
 		if (starts_with_dot_slash(url)) {
 			url  = strlen("./");
 			continue;
 		}
 		*out = url;
 		return result;
 	}
 }
 /*
  * Check whether a transport is implemented by git-remote-curl.
  *
  * If it is, returns 1 and writes the URL that would be passed to
  * git-remote-curl to the "out" parameter.
  *
  * Otherwise, returns 0 and leaves "out" untouched.
  *
  * Examples:
  *   http::https://example.com/repo.git -> 1, https://example.com/repo.git
  *   https://example.com/repo.git -> 1, https://example.com/repo.git
  *   git://example.com/repo.git -> 0
  *
  * This is for use in checking for previously exploitable bugs that
  * required a submodule URL to be passed to git-remote-curl.
  */
 static int url_to_curl_url(const char *url, const char **out)
 {
 	/*
 	 * We don't need to check for case-aliases, "http.exe", and so
 	 * on because in the default configuration, is_transport_allowed
 	 * prevents URLs with those schemes from being cloned
 	 * automatically.
 	 */
 	if (skip_prefix(url, "http::", out) ||
 	    skip_prefix(url, "https::", out) ||
 	    skip_prefix(url, "ftp::", out) ||
 	    skip_prefix(url, "ftps::", out))
 		return 1;
 	if (starts_with(url, "http://") ||
 	    starts_with(url, "https://") ||
 	    starts_with(url, "ftp://") ||
 	    starts_with(url, "ftps://")) {
 		*out = url;
 		return 1;
 	}
 	return 0;
 }
 
 static int check_submodule_url(const char *url)
 {
-	struct credential c = CREDENTIAL_INIT;
-	int ret;
 	const char *curl_url;
 
 	if (looks_like_command_line_option(url))
 		return -1;
 
-	ret = credential_from_url_gently(&c, url, 1);
-	credential_clear(&c);
-	return ret;
 	if (submodule_url_is_relative(url)) {
 		char *decoded;
 		const char *next;
 		int has_nl;
 
 		/*
 		 * This could be appended to an http URL and url-decoded;
 		 * check for malicious characters.
 		 */
 		decoded = url_decode(url);
 		has_nl = !!strchr(decoded, '\n');
 
 		free(decoded);
 		if (has_nl)
 			return -1;
 
 		/*
 		 * URLs which escape their root via "../" can overwrite
 		 * the host field and previous components, resolving to
 		 * URLs like https::example.com/submodule.git and
 		 * https:///example.com/submodule.git that were
 		 * susceptible to CVE-2020-11008.
 		 */
 		if (count_leading_dotdots(url, &next) > 0 &&
 		    (*next == ':' || *next == '/'))
 			return -1;
 	}
 
 	else if (url_to_curl_url(url, &curl_url)) {
 		struct credential c = CREDENTIAL_INIT;
 		int ret = 0;
 		if (credential_from_url_gently(&c, curl_url, 1) ||
 		    !*c.host)
 			ret = -1;
 		credential_clear(&c);
 		return ret;
 	}
 
 	return 0;
 }
 
 struct fsck_gitmodules_data {

diff --git a/http.c b/http.c
@@ -558,6  558,7 @@ static int has_cert_password(void)
 		return 0;
 	if (!cert_auth.password) {
 		cert_auth.protocol = xstrdup("cert");
 		cert_auth.host = xstrdup("");
 		cert_auth.username = xstrdup("");
 		cert_auth.path = xstrdup(ssl_cert);
 		credential_fill(&cert_auth);