From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Glen Choo via GitGitGadget"
Date: Thu, 30 Jun 2022 18:13:58 +0000
Subject: [PATCH v6 4/5] safe.directory: use git_protected_config()
To: git@vger.kernel.org
Cc: Taylor Blau, "brian m. carlson", Derrick Stolee, Junio C Hamano, Emily Shaffer, Jonathan Tan, Ævar Arnfjörð Bjarmason, Glen Choo, Glen Choo
X-Mailing-List: git@vger.kernel.org

From: Glen Choo Use git_protected_config() to read `safe.directory` instead of read_very_early_config(), making it 'protected configuration only'. As a result, `safe.directory` now respects "-c", so update the tests and docs accordingly. It used to ignore "-c" due to how it was implemented, not because of security or correctness concerns [1]. [1] https://lore.kernel.org/git/xmqqlevabcsu.fsf@gitster.g/ Signed-off-by: Glen Choo --- Documentation/config/safe.txt | 6 +++--- setup.c | 2 +- t/t0033-safe-directory.sh | 24 ++++++++++-------------- 3 files changed, 14 insertions(+), 18 deletions(-) diff --git a/Documentation/config/safe.txt b/Documentation/config/safe.txt index fa02f3ccc54..f72b4408798 100644 --- a/Documentation/config/safe.txt +++ b/Documentation/config/safe.txt @@ -12,9 +12,9 @@ via `git config --add`. To reset the list of safe directories (e.g. to override any such directories specified in the system config), add a `safe.directory` entry with an empty value. + -This config setting is only respected when specified in a system or global -config, not when it is specified in a repository config, via the command -line option `-c safe.directory=`, or in environment variables. +This config setting is only respected in protected configuration (see +<>). This prevents the untrusted repository from tampering with this +value. + The value of this setting is interpolated, i.e. `~/` expands to a path relative to the home directory and `%(prefix)/` expands to a diff --git a/setup.c b/setup.c index faf5095e44d..c8e3c32814d 100644 --- a/setup.c +++ b/setup.c @@ -1137,7 +1137,7 @@ static int ensure_valid_ownership(const char *path) is_path_owned_by_current_user(path)) return 1; - read_very_early_config(safe_directory_cb, &data); + git_protected_config(safe_directory_cb, &data); return data.is_safe; } diff --git a/t/t0033-safe-directory.sh b/t/t0033-safe-directory.sh index 238b25f91a3..5a1cd0d0947 100755 --- a/t/t0033-safe-directory.sh +++ b/t/t0033-safe-directory.sh 
@@ -16,24 +16,20 @@ test_expect_success 'safe.directory is not set' ' expect_rejected_dir ' -test_expect_success 'ignoring safe.directory on the command line' ' - test_must_fail git -c safe.directory="$(pwd)" status 2>err && - grep "unsafe repository" err +test_expect_success 'safe.directory on the command line' ' + git -c safe.directory="$(pwd)" status ' -test_expect_success 'ignoring safe.directory in the environment' ' - test_must_fail env GIT_CONFIG_COUNT=1 \ - GIT_CONFIG_KEY_0="safe.directory" \ - GIT_CONFIG_VALUE_0="$(pwd)" \ - git status 2>err && - grep "unsafe repository" err +test_expect_success 'safe.directory in the environment' ' + env GIT_CONFIG_COUNT=1 \ + GIT_CONFIG_KEY_0="safe.directory" \ + GIT_CONFIG_VALUE_0="$(pwd)" \ + git status ' -test_expect_success 'ignoring safe.directory in GIT_CONFIG_PARAMETERS' ' - test_must_fail env \ - GIT_CONFIG_PARAMETERS="${SQ}safe.directory${SQ}=${SQ}$(pwd)${SQ}" \ - git status 2>err && - grep "unsafe repository" err +test_expect_success 'safe.directory in GIT_CONFIG_PARAMETERS' ' + env GIT_CONFIG_PARAMETERS="${SQ}safe.directory${SQ}=${SQ}$(pwd)${SQ}" \ + git status ' test_expect_success 'ignoring safe.directory in repo config' ' -- gitgitgadget
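
Review bot: In the Documentation/config/safe.txt hunk, the replacement paragraph no longer tells the reader which sources are honoured, whereas the text it removes named them explicitly (system or global config respected; repository config, `-c safe.directory=` and environment variables ignored). Since this patch makes `-c` and the environment honoured, as the updated t0033 tests show, state that inline rather than leaving it entirely to the cross-reference, for example "respected in system config, global config, and config given on the command line or through the environment, but not in repository config". Also consider "an untrusted repository" in place of "the untrusted repository", since no particular repository has been introduced at that point in the text.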
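
Review bot: In the setup.c hunk, the call in ensure_valid_ownership() carries no comment on why the protected-configuration reader is the right one here. A one-line comment above `git_protected_config(safe_directory_cb, &data);` saying that repository-local config must not be consulted because the repository is the thing being vetted would keep a later refactor from swapping in a general config reader and silently letting the repository mark itself safe.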
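
Review bot: In the t/t0033-safe-directory.sh hunk, the three rewritten tests only assert that `git status` succeeds when the value is "$(pwd)", so they would still pass if any `safe.directory` value supplied through `-c`, GIT_CONFIG_COUNT or GIT_CONFIG_PARAMETERS switched the ownership check off altogether. Add a negative case for each source in which the value names a different directory and the command is still rejected, e.g. `test_must_fail git -c safe.directory=/elsewhere status 2>err && grep "unsafe repository" err`, and a case covering the empty-value reset that the documentation context in this patch describes, now that it can be given on the command line.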