Commit Graph

104 Commits (ffe68bf39afc68b767bf30b903507870c0657b57)

Author SHA1 Message Date
Simon McVittie 0463357392 git: don't redundantly pass "--" to git_sha1
git_sha1 already puts "--" before its arguments, so

    git_sha1_file($dir, 'doc/index.mdwn')

would have incorrectly invoked

    git rev-list --max-count=1 HEAD -- -- doc/index.mdwn

If there is no file in the wiki named "--", that's harmless, because
it merely names the latest revision in which either "--" or
"doc/index.mdwn" changed. However, it could return incorrect results
if there is somehow a file named "--".
2017-01-09 13:58:58 +00:00
Simon McVittie 59632384d9 git: use parameters, not global state, to swap working directory 2017-01-09 13:50:54 +00:00
Simon McVittie c29c230c33 Revert "git: Turn $git_dir into a stack"
Now that we have avoided using in_git_dir recursively, we don't need
the stack any more.

This reverts commit 39b8931ad3.
2017-01-09 13:07:24 +00:00
Simon McVittie 6504456454 git: do not mix in_git_dir with eval{}
If we throw an exception (usually from run_or_die), in_git_dir won't
unshift the current directory from the stack. That's usually fine,
but in rcs_preprevert we catch exceptions and do some cleanup before
returning, for which we need the git directory to be the root and
not the temporary working tree.
2017-01-09 13:07:24 +00:00
Simon McVittie d092b0b777 git: Do not disable commit hook for temporary working tree
We exclude .git/hooks from symlinking into the temporary working tree,
which avoids the commit hook being run for the temporary branch anyway.
This avoids the wiki not being updated if an orthogonal change is
received in process A, while process B prepares a revert that is
subsequently cancelled.
2016-12-29 20:46:38 +00:00
Simon McVittie afda054796 git: Attribute reverts to the user doing the revert, not the wiki itself 2016-12-29 20:43:15 +00:00
Simon McVittie 4ad4fc33b5 git: write proposed attachment to temp file without going via system() 2016-12-28 21:32:12 +00:00
Simon McVittie 7f2235478d git: change calling convention of safe_git to have named arguments 2016-12-28 21:32:12 +00:00
Simon McVittie 7e84a1f9d8 git: Do the revert operation in a secondary working tree
This avoids leaving the git directory in an inconsistent state if the
host system is rebooted while we are processing a revert.
2016-12-28 21:32:12 +00:00
Simon McVittie 39b8931ad3 git: Turn $git_dir into a stack
This will be necessary when we use a secondary working tree to do
reverts without leaving the primary working tree in an inconsistent
state.
2016-12-28 21:32:12 +00:00
Simon McVittie a8a7462382 Try revert operations (on a branch) before approving them
Otherwise, we have a time-of-check/time-of-use vulnerability:
rcs_preprevert previously looked at what changed in the commit we are
reverting, not at what would result from reverting it now. In
particular, if some files were renamed since the commit we are
reverting, a revert of changes that were within the designated
subdirectory and allowed by check_canchange() might now affect
files that are outside the designated subdirectory or disallowed
by check_canchange().

It is not sufficient to disable rename detection, since git older
than 2.8.0rc0 (in particular the version in Debian stable) silently
accepts and ignores the relevant options.

OVE-20161226-0002
2016-12-28 21:32:12 +00:00
Simon McVittie 469c842fd5 Revert "Tell `git revert` not to follow renames"
This doesn't work prior to git 2.8: `git revert` silently ignores the
option and succeeds. We will have to fix CVE-2016-10026 some other way.

This reverts commit 9cada49ed6.
2016-12-28 21:32:12 +00:00
Simon McVittie e193c75b7d git: do not fail to commit if committer is anonymous 2016-12-28 21:32:12 +00:00
Simon McVittie a67f4d3944 git: don't issue a warning if rcsinfo is undefined
The intention here seems to be that $prev may be undefined, and the
only way that can legitimately happen is for $params{token} to be
undefined too.
2016-12-28 21:32:12 +00:00
Simon McVittie 9cada49ed6 Tell `git revert` not to follow renames
Otherwise, we have an authorization bypass vulnerability: rcs_preprevert
looks at what changed in the commit we are reverting, not at what would
result from reverting it now. In particular, if some files were renamed
since the commit we are reverting, a revert of changes that were within
the designated subdirectory and allowed by check_canchange() might now
affect files that are outside the designated subdirectory or disallowed
by check_canchange().

Signed-off-by: Simon McVittie <smcv@debian.org>
2016-12-19 18:21:07 +00:00
Simon McVittie 276f0cf578 Use git log --no-renames for recentchanges
Otherwise, recent git releases show renames as renames, and we do not
see that newdir/test5 was affected.

Bug-Debian: https://bugs.debian.org/835612
2016-09-03 23:47:06 +01:00
Florian Wagner bbdba8d770 Correctly handle filenames starting with a dash in add/rm/mv. 2016-03-17 11:01:27 -04:00
Simon McVittie 1f635c6dca ensure_committer: don't do anything if we have the environment variables 2015-11-30 20:46:58 +00:00
Simon McVittie 8550c39701 Don't memoize ensure_committer
This makes it harder to test, and if we're invoking git anyway,
a couple of extra subprocesses are no big deal.
2015-11-30 20:46:58 +00:00
Simon McVittie ed1e1ebe70 git: if no committer identity is known, set it to "IkiWiki <ikiwiki.info>" in .git/config
This resolves commit errors in versions of git that require a non-trivial
committer identity.
2015-11-30 19:34:04 +00:00
Joey Hess ab1bba9dab cloak user PII when making commits etc, and let cloaked PII be used in banned_users
This was needed due to emailauth, but I've also wrapped all IP address
exposure in cloak(), although the function doesn't yet cloak IP addresses.

(One IP address I didn't cloak is the one that appears on the password
reset email template. That is expected to be the user's own IP address,
so ok to show it to them.)

Thanks to smcv for the pointer to
http://xmlns.com/foaf/spec/#term_mbox_sha1sum
2015-05-14 11:58:21 -04:00
Joey Hess 59cfb9b6d0 only_committed_changes could fail in a git repository merged with git merge -s ours. 2014-04-05 19:09:05 -04:00
Joey Hess c1fbd66c03 Merge remote-tracking branch 'remotes/smcv/ready/git-push-origin-master' 2014-02-23 14:19:39 -04:00
Simon McVittie be3483fe9b git: explicitly specify the branch to push to origin
git's behaviour when doing "git push origin" is configurable, and the
default is going to change in 2.0. In particular, if you've set
push.default to "nothing", the regression test will warn:

fatal: You didn't specify any refspecs to push, and push.default
is "nothing".
'git push origin' failed:  at .../lib/IkiWiki/Plugin/git.pm line 220.
2014-02-21 16:39:17 +00:00
intrigeri d52774dd45 Do not UTF8-escape "/" in Git's diffurl: cgit does not support this. 2013-12-31 01:47:10 +00:00
Joey Hess 441002e3e6 deal with the case where oldrev is the same as newrev 2013-11-16 20:48:23 -04:00
Joey Hess 727d39b92a fix eq 2013-11-16 18:56:39 -04:00
Joey Hess 654530fa8b Added only_committed_changes config setting, which speeds up wiki refresh by querying git to find the files that were changed, rather than looking at the work tree. Not enabled by default as it can break some setups where not all files get committed to git. 2013-11-16 17:26:20 -04:00
Joey Hess 946af13ae6 Pass --no-edit when used with git 1.7.8 and newer.
Not sure if this is needed to avoid it trying to run an editor. Probably
there is never a controlling terminal and probably git notices and does
nothing. But I'm just copying what I have in git-annex assistant here.

(Although with a much worse git version comparison, that only really works due
to luck.)
2013-07-10 21:52:49 -04:00
Joey Hess b162563dc1 Deal with git behavior change in 1.7.8 and newer that broke support for commits with an empty commit message. 2013-07-10 21:50:18 -04:00
Shlomi Fish 12c9219d67 Fix some warnings in recent perls.
All existing tests pass.
2012-12-17 22:44:54 +02:00
Joey Hess e7bf599ee0 remove debug message
A file may have no git sha1 if it's in the underlay, or just is not checked
into git. This debug message doesn't add any value and is potentially
confusing.
2012-03-22 13:07:30 -04:00
Joey Hess f0733e6b96 URI escape filename when generating the diffurl.
ikiwiki source files can contain at least one character that
needs to be escaped in an url: +
2012-03-13 11:50:39 -04:00
Joey Hess 1b6c189578 fix display of page name in recentchanges after a revert
When the wiki is in a subdir of the git repo, a web revert would show
in recentchanges as eg, doc/index, instead of just index.

This happened because decode_git_file caches a $prefix that is dependant
on the $git_dir setting, and the revert code runs with a different
$git_dir, which polluted the $prefix for later.

Fix this by adding a with_git_dir that juggles the variables properly.
2012-02-07 03:06:40 -04:00
Joey Hess 5cb0ecc000 Fix web revert of a file deletion.
When reverting, an add is a remove, and a remove is an add.
2011-09-05 14:51:49 -04:00
Joey Hess 7d0ef85d80 git: Fix bug involving attempting to web revert a commit that included changes to attachments. 2010-12-29 20:19:58 -04:00
Joey Hess 8517aa8687 bugfix 2010-12-29 20:10:28 -04:00
Joey Hess 4fb26f4e60 Add a second parameter to the rcs_diff hook, and avoid bloating memory reading in enormous commits. 2010-12-29 19:58:49 -04:00
Joey Hess 170cb02479 git: Avoid adding files when committing, so as not to implicitly add files like recentchanges files that are not normally checked in, when fixing links after rename. 2010-11-29 13:42:03 -04:00
Joey Hess 78a22e2eb2 git: Fix temp file location. 2010-11-29 12:01:50 -04:00
Tuomas Jormola d32a1028ab Use author date instead of commit date
Signed-off-by: Tuomas Jormola <tj@solitudo.net>
2010-10-31 16:06:25 -04:00
Joey Hess 5db2d6f6b2 nice message if someone tries to revert a merge commit 2010-10-23 17:19:48 -04:00
Joey Hess 62a0f2f3d6 bugfix 2010-10-23 16:31:58 -04:00
Joey Hess 9ca9959eda fix web reversion when the srcdir is in a subdir of the git repo. 2010-10-23 16:19:16 -04:00
Joey Hess 4efc1f22d4 taint handling for rev 2010-10-08 18:58:47 -04:00
Joey Hess e7d6dcfed6 remove todo item
I understand the need to avoid chdir when running git_parse_changes
for receive now. At that point, the changes have not been pushed to
the srcdir's repo yet. When running the same code for preprevert,
chdir to the srcdir is ok, and necessary.
2010-10-08 18:46:30 -04:00
Joey Hess 5c6f7a8d1b fix rcs_prepedit implementation to match spec 2010-10-08 18:02:47 -04:00
Joey Hess 238e8b95a5 convert rcs_revert to only stage the reversion 2010-10-06 15:08:12 -04:00
Joey Hess 237ea79d71 remove rcs_showpatch 2010-10-06 14:39:10 -04:00
Joey Hess 80da2b2840 fix $git_root caching 2010-10-04 16:35:17 -04:00