From: Jeff King <peff@peff.net>
To: Brandon Williams <bmwill@google.com>
Cc: git@vger.kernel.org, sbeller@google.com, jo@durchholz.org
Subject: Re: [PATCH] submodule: prevent backslash expantion in submodule names
Date: Sat, 8 Apr 2017 06:59:01 -0400 [thread overview]
Message-ID: <20170408105901.2osi2zadboqxhf34@sigill.intra.peff.net> (raw)
In-Reply-To: <20170407172306.172673-1-bmwill@google.com>
On Fri, Apr 07, 2017 at 10:23:06AM -0700, Brandon Williams wrote:
> When attempting to add a submodule with backslashes in its name 'git
> submodule' fails in a funny way. We can see that some of the
> backslashes are expanded resulting in a bogus path:
>
> git -C main submodule add ../sub\\with\\backslash
> fatal: repository '/tmp/test/sub\witackslash' does not exist
> fatal: clone of '/tmp/test/sub\witackslash' into submodule path
>
> To solve this, convert calls to 'read' to 'read -r' in git-submodule.sh
> in order to prevent backslash expantion in submodule names.
This looks sane overall, without digging into the individual read calls.
The reason I mentioned escaping earlier is I wondered what would happen
when the submodule starts with a double-quote, or has a newline in the
name. Git's normal quoting would include backslash escape sequences, and
I wondered if we might be relying on any of these "read" calls to
interpret them. But I don't think so, for two reasons.
One, because that quoting also puts double-quotes around the name. So
plain "read" would not be sufficient to de-quote for us anyway.
And two, because these are being fed from "submodule--helper", which
does not seem to quote in the first place.
So I think your patch is fine there. But it does raise a few concerns.
It looks like git-submodule does not cope well with exotic filenames:
$ git submodule add /some/repo "$(printf 'sub with\nnewline')"
Cloning into '/home/peff/tmp/sub with
newline'...
done.
error: invalid key (newline): submodule.sub with
newline.url
error: invalid key (newline): submodule.sub with
newline.path
Failed to register submodule 'sub with
newline'
I'm not too worried about that. It's a nonsense request, and our config
format has no syntactic mechanism to represent that key. So tough luck.
But what I am more worried about is:
$ git submodule--helper list
160000 576053ed5ad378490974fabe97e4bd59633d2d1e 0 sub with
newline
That's obviously nonsense that git-submodule.sh is going to choke on.
But what happens when the filename is:
foo\n16000 <sha1> 0\t../../escaped
or something. Can a malicious repository provoke git-submodule.sh to
look at or modify files outside the repository?
-Peff
next prev parent reply other threads:[~2017-04-08 10:59 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-07 6:12 problem with backslash in directory name Joachim Durchholz
2017-04-07 6:30 ` Jeff King
2017-04-07 8:24 ` Joachim Durchholz
2017-04-07 8:40 ` Joachim Durchholz
2017-04-07 16:53 ` Brandon Williams
2017-04-07 16:55 ` Stefan Beller
2017-04-07 17:23 ` [PATCH] submodule: prevent backslash expantion in submodule names Brandon Williams
2017-04-07 17:35 ` Joachim Durchholz
2017-04-08 10:59 ` Jeff King [this message]
2017-04-08 20:32 ` Joachim Durchholz
2017-04-17 3:09 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170408105901.2osi2zadboqxhf34@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=bmwill@google.com \
--cc=git@vger.kernel.org \
--cc=jo@durchholz.org \
--cc=sbeller@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.