Merge branch 'jt/config-quote-cr' into maint-2.43 · freshlybakedca.ke/git@2d22f0c

Git fork

Merge branch 'jt/config-quote-cr' into maint-2.43

This merges in the fix for CVE-2025-48384.

* jt/config-quote-cr:
config: quote values containing CR character

Signed-off-by: Taylor Blau <me@ttaylorr.com>

Taylor Blau 9 months ago 2d22f0cd d2bc61fc

+45 -1

3 changed files

expand all

unified split

config.c

t1300-config.sh

t7450-bad-git-dotfiles.sh

+1 -1

config.c

··· 2999 2999 if (value[0] == ' ') 3000 3000 quote = "\""; 3001 3001 for (i = 0; value[i]; i++) 3002 - if (value[i] == ';' || value[i] == '#') 3002 + if (value[i] == ';' || value[i] == '#' || value[i] == '\r') 3003 3003 quote = "\""; 3004 3004 if (i && value[i - 1] == ' ') 3005 3005 quote = "\"";

+11

t/t1300-config.sh

··· 2590 2590 grep "fatal: remote URLs cannot be configured in file directly or indirectly included by includeIf.hasconfig:remote.*.url" err 2591 2591 ' 2592 2592 2593 + test_expect_success 'writing value with trailing CR not stripped on read' ' 2594 + test_when_finished "rm -rf cr-test" && 2595 + 2596 + printf "bar\r\n" >expect && 2597 + git init cr-test && 2598 + git -C cr-test config set core.foo $(printf "bar\r") && 2599 + git -C cr-test config get core.foo >actual && 2600 + 2601 + test_cmp expect actual 2602 + ' 2603 + 2593 2604 test_done

+33

t/t7450-bad-git-dotfiles.sh

··· 347 347 test_path_is_missing nested_checkout/thing2/.git 348 348 ' 349 349 350 + test_expect_success SYMLINKS,!WINDOWS,!MINGW 'submodule must not checkout into different directory' ' 351 + test_when_finished "rm -rf sub repo bad-clone" && 352 + 353 + git init sub && 354 + write_script sub/post-checkout <<-\EOF && 355 + touch "$PWD/foo" 356 + EOF 357 + git -C sub add post-checkout && 358 + git -C sub commit -m hook && 359 + 360 + git init repo && 361 + git -C repo -c protocol.file.allow=always submodule add "$PWD/sub" sub && 362 + git -C repo mv sub $(printf "sub\r") && 363 + 364 + # Ensure config values containing CR are wrapped in quotes. 365 + git config unset -f repo/.gitmodules submodule.sub.path && 366 + printf "\tpath = \"sub\r\"\n" >>repo/.gitmodules && 367 + 368 + git config unset -f repo/.git/modules/sub/config core.worktree && 369 + { 370 + printf "[core]\n" && 371 + printf "\tworktree = \"../../../sub\r\"\n" 372 + } >>repo/.git/modules/sub/config && 373 + 374 + ln -s .git/modules/sub/hooks repo/sub && 375 + git -C repo add -A && 376 + git -C repo commit -m submodule && 377 + 378 + git -c protocol.file.allow=always clone --recurse-submodules repo bad-clone && 379 + ! test -f "$PWD/foo" && 380 + test -f $(printf "bad-clone/sub\r/post-checkout") 381 + ' 382 + 350 383 test_done