Sync with 2.16.5

gitster · gitster · commit e43aab778c72 · 2018-09-27T11:41:02.000-07:00
* maint-2.16:
  Git 2.16.5
  Git 2.15.3
  Git 2.14.5
  submodule-config: ban submodule paths that start with a dash
  submodule-config: ban submodule urls that start with dash
  submodule--helper: use "--" to signal end of clone options
diff --git a/Documentation/RelNotes/2.14.5.txt b/Documentation/RelNotes/2.14.5.txt
@@ -0,0 +1,16 @@
+Git v2.14.5 Release Notes
+=========================
+
+This release is to address the recently reported CVE-2018-17456.
+
+Fixes since v2.14.4
+-------------------
+
+ * Submodules' "URL"s come from the untrusted .gitmodules file, but
+   we blindly gave it to "git clone" to clone submodules when "git
+   clone --recurse-submodules" was used to clone a project that has
+   such a submodule.  The code has been hardened to reject such
+   malformed URLs (e.g. one that begins with a dash).
+
+Credit for finding and fixing this vulnerability goes to joernchen
+and Jeff King, respectively.
diff --git a/Documentation/RelNotes/2.15.3.txt b/Documentation/RelNotes/2.15.3.txt
@@ -0,0 +1,6 @@
+Git v2.15.3 Release Notes
+=========================
+
+This release merges up the fixes that appear in v2.14.5 to address
+the recently reported CVE-2018-17456; see the release notes for that
+version for details.
diff --git a/Documentation/RelNotes/2.16.5.txt b/Documentation/RelNotes/2.16.5.txt
@@ -0,0 +1,6 @@
+Git v2.16.5 Release Notes
+=========================
+
+This release merges up the fixes that appear in v2.14.5 to address
+the recently reported CVE-2018-17456; see the release notes for that
+version for details.
diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
@@ -1078,6 +1078,7 @@ static int clone_submodule(const char *path, const char *gitdir, const char *url
 	if (gitdir && *gitdir)
 		argv_array_pushl(&cp.args, "--separate-git-dir", gitdir, NULL);
 
+	argv_array_push(&cp.args, "--");
 	argv_array_push(&cp.args, url);
 	argv_array_push(&cp.args, path);
 
diff --git a/submodule-config.c b/submodule-config.c
@@ -383,6 +383,12 @@ static void warn_multiple_config(const unsigned char *treeish_name,
 			commit_string, name, option);
 }
 
+static void warn_command_line_option(const char *var, const char *value)
+{
+	warning(_("ignoring '%s' which may be interpreted as"
+		  " a command-line option: %s"), var, value);
+}
+
 struct parse_config_parameter {
 	struct submodule_cache *cache;
 	const unsigned char *treeish_name;
@@ -408,6 +414,8 @@ static int parse_config(const char *var, const char *value, void *data)
 	if (!strcmp(item.buf, "path")) {
 		if (!value)
 			ret = config_error_nonbool(var);
+		else if (looks_like_command_line_option(value))
+			warn_command_line_option(var, value);
 		else if (!me->overwrite && submodule->path)
 			warn_multiple_config(me->treeish_name, submodule->name,
 					"path");
@@ -448,6 +456,8 @@ static int parse_config(const char *var, const char *value, void *data)
 	} else if (!strcmp(item.buf, "url")) {
 		if (!value) {
 			ret = config_error_nonbool(var);
+		} else if (looks_like_command_line_option(value)) {
+			warn_command_line_option(var, value);
 		} else if (!me->overwrite && submodule->url) {
 			warn_multiple_config(me->treeish_name, submodule->name,
 					"url");
diff --git a/t/t7416-submodule-dash-url.sh b/t/t7416-submodule-dash-url.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+test_description='check handling of .gitmodule url with dash'
+. ./test-lib.sh
+
+test_expect_success 'create submodule with protected dash in url' '
+	git init upstream &&
+	git -C upstream commit --allow-empty -m base &&
+	mv upstream ./-upstream &&
+	git submodule add ./-upstream sub &&
+	git add sub .gitmodules &&
+	git commit -m submodule
+'
+
+test_expect_success 'clone can recurse submodule' '
+	test_when_finished "rm -rf dst" &&
+	git clone --recurse-submodules . dst &&
+	echo base >expect &&
+	git -C dst/sub log -1 --format=%s >actual &&
+	test_cmp expect actual
+'
+
+test_expect_success 'remove ./ protection from .gitmodules url' '
+	perl -i -pe "s{\./}{}" .gitmodules &&
+	git commit -am "drop protection"
+'
+
+test_expect_success 'clone rejects unprotected dash' '
+	test_when_finished "rm -rf dst" &&
+	test_must_fail git clone --recurse-submodules . dst 2>err &&
+	test_i18ngrep ignoring err
+'
+
+test_done
diff --git a/t/t7417-submodule-path-url.sh b/t/t7417-submodule-path-url.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+test_description='check handling of .gitmodule path with dash'
+. ./test-lib.sh
+
+test_expect_success 'create submodule with dash in path' '
+	git init upstream &&
+	git -C upstream commit --allow-empty -m base &&
+	git submodule add ./upstream sub &&
+	git mv sub ./-sub &&
+	git commit -m submodule
+'
+
+test_expect_success 'clone rejects unprotected dash' '
+	test_when_finished "rm -rf dst" &&
+	git clone --recurse-submodules . dst 2>err &&
+	test_i18ngrep ignoring err
+'
+
+test_done
