git@vger.kernel.org list mirror (unofficial, one of many)
 help / color / mirror / code / Atom feed
From: Philip Oakley <philipoakley@iee.email>
To: Jeff King <peff@peff.net>
Cc: git@vger.kernel.org, Jonathan Nieder <jrnieder@gmail.com>
Subject: Re: [PATCH] documentation symlink restrictions for .git* files
Date: Mon, 26 Oct 2020 22:18:18 +0000	[thread overview]
Message-ID: <8bb54778-507c-2e3f-d35a-5e32edb8bee7@iee.email> (raw)
In-Reply-To: <20201023081711.GB4012156@coredump.intra.peff.net>

On 23/10/2020 09:17, Jeff King wrote:
> On Wed, Oct 21, 2020 at 12:19:25AM +0100, Philip Oakley wrote:
>
>> On 05/10/2020 13:16, Jeff King wrote:
>>> On Mon, Oct 05, 2020 at 03:17:51AM -0400, Jeff King wrote:
>>>
>>>> About 2 years ago as part of a security release we made it illegal to
>>>> have a symlinked .gitmodules file (refusing it both in the index and via
>>>> fsck). At the time we discussed (on the security list) outlawing
>>>> symlinks for other .git files in the same way, but we decided not to do
>>>> so as part of the security release, as it wasn't strictly necessary.
>> Is this something that should be recorded in the documentation, either as a
>> simple (sensible) limitation, or explicitly as a security related safety
>> measure?
>>
>> I didn't see any changes to the .txt docs in the change list below.
> Yeah, that's a good point.
>
> How about this (on top of jk/symlinked-dotgitx-files)?
>
> -- >8 --
> Subject: [PATCH] documentation symlink restrictions for .git* files
>
> We outlawed symbolic link versions of various .git files in 10ecfa7649
> (verify_path: disallow symlinks in .gitmodules, 2018-05-04) and
> dd4c2fe66b (verify_path(): disallow symlinks in .gitattributes and
> .gitignore, 2020-10-05). The reasons are discussed in detail there, but
> we never adjusted the documentation to let users know.
>
> This hasn't been a big deal since the point is that such setups were
> mildly broken and thought to be unusual anyway. But it certainly doesn't
> hurt to be clear and explicit about it.
>
> Suggested-by: Philip Oakley <philipoakley@iee.email>
> Signed-off-by: Jeff King <peff@peff.net>
> ---
>  Documentation/gitattributes.txt | 7 +++++++
>  Documentation/gitignore.txt     | 5 +++++
>  Documentation/gitmodules.txt    | 8 ++++++++
>  3 files changed, 20 insertions(+)
>
> diff --git a/Documentation/gitattributes.txt b/Documentation/gitattributes.txt
> index 2d0a03715b..9a2ce4f1ea 100644
> --- a/Documentation/gitattributes.txt
> +++ b/Documentation/gitattributes.txt
> @@ -1241,6 +1241,13 @@ to:
>  [attr]binary -diff -merge -text
>  ------------
>  
> +NOTES
> +-----
> +
> +Note that Git does not allow a `.gitattributes` file within the working
> +tree to be a symbolic link, and will refuse to check out such a tree
> +entry.  This keeps behavior consistent when the file is accessed from
> +the index or a tree versus from the filesystem.
>  
>  EXAMPLES
>  --------
> diff --git a/Documentation/gitignore.txt b/Documentation/gitignore.txt
> index d47b1ae296..7e9a1d49d6 100644
> --- a/Documentation/gitignore.txt
> +++ b/Documentation/gitignore.txt
> @@ -149,6 +149,11 @@ not tracked by Git remain untracked.
>  To stop tracking a file that is currently tracked, use
>  'git rm --cached'.
>  
> +Note that Git does not allow a `.gitignore` file within the working tree
> +to be a symbolic link, and will refuse to check out such a tree entry.
> +This keeps behavior consistent when the file is accessed from the index
> +or a tree versus from the filesystem.
> +
>  EXAMPLES
>  --------
>  
> diff --git a/Documentation/gitmodules.txt b/Documentation/gitmodules.txt
> index 539b4e1997..2b884be3c7 100644
> --- a/Documentation/gitmodules.txt
> +++ b/Documentation/gitmodules.txt
> @@ -98,6 +98,14 @@ submodule.<name>.shallow::
>  	shallow clone (with a history depth of 1) unless the user explicitly
>  	asks for a non-shallow clone.
>  
> +NOTES
> +-----
> +
> +Note that Git does not allow the `.gitmodules` file within a working
> +tree to be a symbolic link, and will refuse to check out such a tree
> +entry. This keeps behavior consistent when the file is accessed from the
> +index or a tree versus from the filesystem, and helps Git reliably
> +enforce security checks of the file contents.
>  
>  EXAMPLES
>  --------
The text looks good to me, with security point explicitly mentioned just
for .gitmodules file.

However, is placing the Note so far down appropriate (.gitattributes and
.gitignore), given that there is within the descriptions a discussion of
the priority order for finding those files?

Philip

  parent reply	other threads:[~2020-10-26 22:18 UTC|newest]

Thread overview: 55+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-05  7:17 [PATCH 0/7] forbidding symlinked .gitattributes and .gitignore Jeff King
2020-10-05  7:19 ` [PATCH 1/7] fsck_tree(): fix shadowed variable Jeff King
2020-10-05  7:44   ` Jonathan Nieder
2020-10-05  8:20     ` Jeff King
2020-10-05  8:29       ` Jonathan Nieder
2020-10-05  7:19 ` [PATCH 2/7] fsck_tree(): wrap some long lines Jeff King
2020-10-05  7:46   ` Jonathan Nieder
2020-10-05  7:19 ` [PATCH 3/7] t7415: rename to expand scope Jeff King
2020-10-05  7:50   ` Jonathan Nieder
2020-10-05  8:24     ` Jeff King
2020-10-05  8:34       ` Jonathan Nieder
2020-10-05  8:49         ` Jeff King
2020-10-05  7:20 ` [PATCH 4/7] t7450: test verify_path() handling of gitmodules Jeff King
2020-10-05  7:53   ` Jonathan Nieder
2020-10-05  8:30     ` Jeff King
2020-10-05  8:38       ` Jonathan Nieder
2020-10-05  7:21 ` [PATCH 5/7] t0060: test obscured .gitattributes and .gitignore matching Jeff King
2020-10-05  8:03   ` Jonathan Nieder
2020-10-05  8:40     ` Jeff King
2020-10-05 21:20       ` Johannes Schindelin
2020-10-06 14:01         ` Jeff King
2020-10-05  7:24 ` [PATCH 6/7] verify_path(): disallow symlinks in .gitattributes and .gitignore Jeff King
2020-10-05  8:09   ` Jonathan Nieder
2020-10-05 12:07     ` Jeff King
2020-10-05  7:25 ` [PATCH 7/7] fsck: complain when .gitattributes or .gitignore is a symlink Jeff King
2020-10-05  8:12   ` Jonathan Nieder
2020-10-05  8:53     ` Jeff King
2020-10-05  7:32 ` [PATCH 0/7] forbidding symlinked .gitattributes and .gitignore Jonathan Nieder
2020-10-05  8:58   ` Jeff King
2020-10-05 12:16 ` [PATCH v2 0/8] " Jeff King
2020-10-05 12:16   ` [PATCH v2 1/8] fsck_tree(): fix shadowed variable Jeff King
2020-10-05 12:16   ` [PATCH v2 2/8] fsck_tree(): wrap some long lines Jeff King
2020-10-05 12:16   ` [PATCH v2 3/8] t7415: rename to expand scope Jeff King
2020-10-05 12:16   ` [PATCH v2 4/8] t7450: test verify_path() handling of gitmodules Jeff King
2020-10-05 12:16   ` [PATCH v2 5/8] t7450: test .gitmodules symlink matching against obscured names Jeff King
2020-10-05 12:16   ` [PATCH v2 6/8] t0060: test obscured .gitattributes and .gitignore matching Jeff King
2020-10-05 12:16   ` [PATCH v2 7/8] verify_path(): disallow symlinks in .gitattributes and .gitignore Jeff King
2020-10-27  3:35     ` Jonathan Nieder
2020-10-27  7:58       ` Jeff King
2020-10-27 22:00         ` Junio C Hamano
2020-10-28  9:41           ` Jeff King
2020-10-27 23:43         ` Jonathan Nieder
2020-10-28 19:18           ` Junio C Hamano
2020-10-05 12:16   ` [PATCH v2 8/8] fsck: complain when .gitattributes or .gitignore is a symlink Jeff King
2020-10-06 20:41   ` [PATCH v2 0/8] forbidding symlinked .gitattributes and .gitignore Junio C Hamano
2020-10-20 23:19   ` Philip Oakley
2020-10-23  8:17     ` [PATCH] documentation symlink restrictions for .git* files Jeff King
2020-10-23  8:27       ` Jeff King
2020-10-26 22:18       ` Philip Oakley [this message]
2020-10-26 22:53         ` Jeff King
2020-10-26 23:32           ` Junio C Hamano
2020-10-27  7:26             ` Jeff King
2020-10-27 18:45               ` Junio C Hamano
2020-10-27 21:00                 ` Philip Oakley
2020-10-28 19:14                   ` Junio C Hamano

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8bb54778-507c-2e3f-d35a-5e32edb8bee7@iee.email \
    --to=philipoakley@iee.email \
    --cc=git@vger.kernel.org \
    --cc=jrnieder@gmail.com \
    --cc=peff@peff.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this inbox:

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).