From: Johannes Schindelin <redacted>
Date: Wed, 4 Dec 2019 21:27:04 +0000 (+0100)
Subject: Sync with 2.18.2
X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=7c9fbda6e2e0ac4a491863253aeedeafb3cb9dab;p=git.git

Sync with 2.18.2

* maint-2.18: (33 commits)
  Git 2.18.2
  Git 2.17.3
  Git 2.16.6
  test-drop-caches: use `has_dos_drive_prefix()`
  Git 2.15.4
  Git 2.14.6
  mingw: handle `subst`-ed "DOS drives"
  mingw: refuse to access paths with trailing spaces or periods
  mingw: refuse to access paths with illegal characters
  unpack-trees: let merged_entry() pass through do_add_entry()'s errors
  quote-stress-test: offer to test quoting arguments for MSYS2 sh
  t6130/t9350: prepare for stringent Win32 path validation
  quote-stress-test: allow skipping some trials
  quote-stress-test: accept arguments to test via the command-line
  tests: add a helper to stress test argument quoting
  mingw: fix quoting of arguments
  Disallow dubiously-nested submodule git directories
  protect_ntfs: turn on NTFS protection by default
  path: also guard `.gitmodules` against NTFS Alternate Data Streams
  is_ntfs_dotgit(): speed it up
  ...
---

7c9fbda6e2e0ac4a491863253aeedeafb3cb9dab
diff --cc compat/mingw.c
index 18caf21969,0c0c474221..886d60a46c
--- a/compat/mingw.c
+++ b/compat/mingw.c
@@@ -341,74 -347,12 +347,74 @@@ int mingw_mkdir(const char *path, int m
  	return ret;
  }
  
 +/*
 + * Calling CreateFile() using FILE_APPEND_DATA and without FILE_WRITE_DATA
 + * is documented in [1] as opening a writable file handle in append mode.
 + * (It is believed that) this is atomic since it is maintained by the
 + * kernel unlike the O_APPEND flag which is racily maintained by the CRT.
 + *
 + * [1] https://docs.microsoft.com/en-us/windows/desktop/fileio/file-access-rights-constants
 + *
 + * This trick does not appear to work for named pipes.  Instead it creates
 + * a named pipe client handle that cannot be written to.  Callers should
 + * just use the regular _wopen() for them.  (And since client handle gets
 + * bound to a unique server handle, it isn't really an issue.)
 + */
 +static int mingw_open_append(wchar_t const *wfilename, int oflags, ...)
 +{
 +	HANDLE handle;
 +	int fd;
 +	DWORD create = (oflags & O_CREAT) ? OPEN_ALWAYS : OPEN_EXISTING;
 +
 +	/* only these flags are supported */
 +	if ((oflags & ~O_CREAT) != (O_WRONLY | O_APPEND))
 +		return errno = ENOSYS, -1;
 +
 +	/*
 +	 * FILE_SHARE_WRITE is required to permit child processes
 +	 * to append to the file.
 +	 */
 +	handle = CreateFileW(wfilename, FILE_APPEND_DATA,
 +			FILE_SHARE_WRITE | FILE_SHARE_READ,
 +			NULL, create, FILE_ATTRIBUTE_NORMAL, NULL);
 +	if (handle == INVALID_HANDLE_VALUE)
 +		return errno = err_win_to_posix(GetLastError()), -1;
 +
 +	/*
 +	 * No O_APPEND here, because the CRT uses it only to reset the
 +	 * file pointer to EOF before each write(); but that is not
 +	 * necessary (and may lead to races) for a file created with
 +	 * FILE_APPEND_DATA.
 +	 */
 +	fd = _open_osfhandle((intptr_t)handle, O_BINARY);
 +	if (fd < 0)
 +		CloseHandle(handle);
 +	return fd;
 +}
 +
 +/*
 + * Does the pathname map to the local named pipe filesystem?
 + * That is, does it have a "//./pipe/" prefix?
 + */
 +static int is_local_named_pipe_path(const char *filename)
 +{
 +	return (is_dir_sep(filename[0]) &&
 +		is_dir_sep(filename[1]) &&
 +		filename[2] == '.'  &&
 +		is_dir_sep(filename[3]) &&
 +		!strncasecmp(filename+4, "pipe", 4) &&
 +		is_dir_sep(filename[8]) &&
 +		filename[9]);
 +}
 +
  int mingw_open (const char *filename, int oflags, ...)
  {
 +	typedef int (*open_fn_t)(wchar_t const *wfilename, int oflags, ...);
  	va_list args;
  	unsigned mode;
- 	int fd;
+ 	int fd, create = (oflags & (O_CREAT | O_EXCL)) == (O_CREAT | O_EXCL);
  	wchar_t wfilename[MAX_PATH];
 +	open_fn_t open_fn;
  
  	va_start(args, oflags);
  	mode = va_arg(args, int);
diff --cc config.mak.uname
index e47af72e01,c3f2c0fc17..d0bd271ff6
--- a/config.mak.uname
+++ b/config.mak.uname
@@@ -538,7 -527,6 +537,7 @@@ ifneq (,$(findstring MINGW,$(uname_S))
  	COMPAT_OBJS += compat/mingw.o compat/winansi.o \
  		compat/win32/pthread.o compat/win32/syslog.o \
  		compat/win32/dirent.o
- 	BASIC_CFLAGS += -DWIN32 -DPROTECT_NTFS_DEFAULT=1
++	BASIC_CFLAGS += -DWIN32
  	EXTLIBS += -lws2_32
  	GITLIBS += git.res
  	PTHREAD_LIBS =
diff --cc submodule.h
index e452919aa4,17347ace2e..faa586b941
--- a/submodule.h
+++ b/submodule.h
@@@ -120,12 -114,17 +120,17 @@@ int push_unpushed_submodules(struct oid
   */
  int submodule_to_gitdir(struct strbuf *buf, const char *submodule);
  
+ /*
+  * Make sure that no submodule's git dir is nested in a sibling submodule's.
+  */
+ int validate_submodule_git_dir(char *git_dir, const char *submodule_name);
+ 
  #define SUBMODULE_MOVE_HEAD_DRY_RUN (1<<0)
  #define SUBMODULE_MOVE_HEAD_FORCE   (1<<1)
 -extern int submodule_move_head(const char *path,
 -			       const char *old,
 -			       const char *new_head,
 -			       unsigned flags);
 +int submodule_move_head(const char *path,
 +			const char *old,
 +			const char *new_head,
 +			unsigned flags);
  
  /*
   * Prepare the "env_array" parameter of a "struct child_process" for executing
diff --cc t/t7406-submodule-update.sh
index 10dc91620a,9a9dff5dea..6a68c472ee
--- a/t/t7406-submodule-update.sh
+++ b/t/t7406-submodule-update.sh
@@@ -481,9 -494,11 +495,12 @@@ test_expect_success 'recursive submodul
  '
  
  test_expect_success 'submodule init does not copy command into .git/config' '
+ 	test_when_finished "git -C super update-index --force-remove submodule1" &&
+ 	test_when_finished git config -f super/.gitmodules \
+ 		--remove-section submodule.submodule1 &&
  	(cd super &&
 -	 H=$(git ls-files -s submodule | cut -d" " -f2) &&
 +	 git ls-files -s submodule >out &&
 +	 H=$(cut -d" " -f2 out) &&
  	 mkdir submodule1 &&
  	 git update-index --add --cacheinfo 160000 $H submodule1 &&
  	 git config -f .gitmodules submodule.submodule1.path submodule1 &&
diff --cc t/t7415-submodule-names.sh
index 293e2e1963,31d1e2d512..33a9126ee0
--- a/t/t7415-submodule-names.sh
+++ b/t/t7415-submodule-names.sh
@@@ -176,19 -176,60 +176,75 @@@ test_expect_success 'fsck detects non-b
  	)
  '
  
 +test_expect_success 'fsck detects corrupt .gitmodules' '
 +	git init corrupt &&
 +	(
 +		cd corrupt &&
 +
 +		echo "[broken" >.gitmodules &&
 +		git add .gitmodules &&
 +		git commit -m "broken gitmodules" &&
 +
 +		git fsck 2>output &&
 +		grep gitmodulesParse output &&
 +		test_i18ngrep ! "bad config" output
 +	)
 +'
 +
+ test_expect_success MINGW 'prevent git~1 squatting on Windows' '
+ 	git init squatting &&
+ 	(
+ 		cd squatting &&
+ 		mkdir a &&
+ 		touch a/..git &&
+ 		git add a/..git &&
+ 		test_tick &&
+ 		git commit -m initial &&
+ 
+ 		modules="$(test_write_lines \
+ 			"[submodule \"b.\"]" "url = ." "path = c" \
+ 			"[submodule \"b\"]" "url = ." "path = d\\\\a" |
+ 			git hash-object -w --stdin)" &&
+ 		rev="$(git rev-parse --verify HEAD)" &&
+ 		hash="$(echo x | git hash-object -w --stdin)" &&
+ 		git -c core.protectNTFS=false update-index --add \
+ 			--cacheinfo 100644,$modules,.gitmodules \
+ 			--cacheinfo 160000,$rev,c \
+ 			--cacheinfo 160000,$rev,d\\a \
+ 			--cacheinfo 100644,$hash,d./a/x \
+ 			--cacheinfo 100644,$hash,d./a/..git &&
+ 		test_tick &&
+ 		git -c core.protectNTFS=false commit -m "module" &&
+ 		test_must_fail git show HEAD: 2>err &&
+ 		test_i18ngrep backslash err
+ 	) &&
+ 	test_must_fail git -c core.protectNTFS=false \
+ 		clone --recurse-submodules squatting squatting-clone 2>err &&
+ 	test_i18ngrep -e "directory not empty" -e "not an empty directory" err &&
+ 	! grep gitdir squatting-clone/d/a/git~2
+ '
+ 
+ test_expect_success 'git dirs of sibling submodules must not be nested' '
+ 	git init nested &&
+ 	test_commit -C nested nested &&
+ 	(
+ 		cd nested &&
+ 		cat >.gitmodules <<-EOF &&
+ 		[submodule "hippo"]
+ 			url = .
+ 			path = thing1
+ 		[submodule "hippo/hooks"]
+ 			url = .
+ 			path = thing2
+ 		EOF
+ 		git clone . thing1 &&
+ 		git clone . thing2 &&
+ 		git add .gitmodules thing1 thing2 &&
+ 		test_tick &&
+ 		git commit -m nested
+ 	) &&
+ 	test_must_fail git clone --recurse-submodules nested clone 2>err &&
+ 	test_i18ngrep "is inside git dir" err
+ '
+ 
  test_done
diff --cc t/t9300-fast-import.sh
index 40fe7e4976,c4a06c587f..5d69466f72
--- a/t/t9300-fast-import.sh
+++ b/t/t9300-fast-import.sh
@@@ -2191,11 -2216,13 +2216,12 @@@ test_expect_success 'R: --import-marks-
  
  test_expect_success 'R: feature import-marks-if-exists' '
  	rm -f io.marks &&
 -	>expect &&
  
- 	git fast-import --export-marks=io.marks <<-\EOF &&
+ 	git fast-import --export-marks=io.marks \
+ 			--allow-unsafe-features <<-\EOF &&
  	feature import-marks-if-exists=not_io.marks
  	EOF
 -	test_cmp expect io.marks &&
 +	test_must_be_empty io.marks &&
  
  	blob=$(echo hi | git hash-object --stdin) &&
  
@@@ -2226,11 -2255,14 +2254,12 @@@
  	EOF
  	test_cmp expect io.marks &&
  
 -	>expect &&
 -
  	git fast-import --import-marks-if-exists=not_io.marks \
- 			--export-marks=io.marks <<-\EOF &&
+ 			--export-marks=io.marks \
+ 			--allow-unsafe-features <<-\EOF &&
  	feature import-marks-if-exists=io.marks
  	EOF
 -	test_cmp expect io.marks
 +	test_must_be_empty io.marks
  '
  
  test_expect_success 'R: import to output marks works without any content' '