debian: apply security fixes from 2.24.1
[git/debian.git] / debian / patches / 0013-path-safeguard-.git-against-NTFS-Alternate-Streams-Ac.diff
blob 370e950de8caa7a2086b0dc444a4cfed675296ef
1 From 62af2054b86cd8be8ba13e0713ffa2032845761d Mon Sep 17 00:00:00 2001
2 From: Johannes Schindelin <johannes.schindelin@gmx.de>
3 Date: Wed, 28 Aug 2019 12:22:17 +0200
4 Subject: path: safeguard `.git` against NTFS Alternate Streams Accesses
6 Probably inspired by HFS' resource streams, NTFS supports "Alternate
7 Data Streams": by appending `:<stream-name>` to the file name,
8 information in addition to the file contents can be written and read,
9 information that is copied together with the file (unless copied to a
10 non-NTFS location).
12 These Alternate Data Streams are typically used for things like marking
13 an executable as having just been downloaded from the internet (and
14 hence not necessarily being trustworthy).
16 In addition to a stream name, a stream type can be appended, like so:
17 `:<stream-name>:<stream-type>`. Unless specified, the default stream
18 type is `$DATA` for files and `$INDEX_ALLOCATION` for directories. In
19 other words, `.git::$INDEX_ALLOCATION` is a valid way to reference the
20 `.git` directory!
22 In our work in Git v2.2.1 to protect Git on NTFS drives under
23 `core.protectNTFS`, we focused exclusively on NTFS short names, unaware
24 of the fact that NTFS Alternate Data Streams offer a similar attack
25 vector.
27 Let's fix this.
29 Seeing as it is better to be safe than sorry, we simply disallow paths
30 referring to *any* NTFS Alternate Data Stream of `.git`, not just
31 `::$INDEX_ALLOCATION`. This also simplifies the implementation.
33 This closes CVE-2019-1352.
35 Further reading about NTFS Alternate Data Streams:
36 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
38 Reported-by: Nicolas Joly <Nicolas.Joly@microsoft.com>
39 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
40 (cherry picked from commit 7c3745fc6185495d5765628b4dfe1bd2c25a2981)
41 Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
42 ---
43 path.c | 12 +++++++++++-
44 t/t1014-read-tree-confusing.sh | 1 +
45 2 files changed, 12 insertions(+), 1 deletion(-)
47 diff --git a/path.c b/path.c
48 index 95d53f0067..562fdcad02 100644
49 --- a/path.c
50 +++ b/path.c
51 @@ -1349,10 +1349,19 @@ static int only_spaces_and_periods(const char *path, size_t len, size_t skip)
52 * `.git` is the first item in a directory, therefore it will be associated
53 * with the short name `git~1` (unless short names are disabled).
55 + * - For yet other historical reasons, NTFS supports so-called "Alternate Data
56 + * Streams", i.e. metadata associated with a given file, referred to via
57 + * `<filename>:<stream-name>:<stream-type>`. There exists a default stream
58 + * type for directories, allowing `.git/` to be accessed via
59 + * `.git::$INDEX_ALLOCATION/`.
60 + *
61 * When this function returns 1, it indicates that the specified file/directory
62 * name refers to a `.git` file or directory, or to any of these synonyms, and
63 * Git should therefore not track it.
65 + * For performance reasons, _all_ Alternate Data Streams of `.git/` are
66 + * forbidden, not just `::$INDEX_ALLOCATION`.
67 + *
68 * This function is intended to be used by `git fsck` even on platforms where
69 * the backslash is a regular filename character, therefore it needs to handle
70 * backlash characters in the provided `name` specially: they are interpreted
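Review bot: The added sentence "For performance reasons, _all_ Alternate Data Streams of `.git/` are forbidden" gives a different rationale from the commit message, which justifies the blanket rule as "better to be safe than sorry" and as a simplification of the implementation. Suggest rewording the comment to state the safety and simplicity argument, so that a later reader does not go looking for a performance constraint that the patch never describes. While this comment is being touched, the context line below it still reads "backlash characters" where "backslash" is meant.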
71 @@ -1363,7 +1372,8 @@ int is_ntfs_dotgit(const char *name)
72 size_t len;
74 for (len = 0; ; len++)
75 - if (!name[len] || name[len] == '\\' || is_dir_sep(name[len])) {
76 + if (!name[len] || name[len] == '\\' || is_dir_sep(name[len]) ||
77 + name[len] == ':') {
78 if (only_spaces_and_periods(name, len, 4) &&
79 !strncasecmp(name, ".git", 4))
80 return 1;
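Review bot: The new `name[len] == ':'` terminator in the loop condition is applied unconditionally, but the function comment only explains the special treatment of backslashes for platforms where they are regular filename characters. A colon is likewise a legal filename character outside Windows, so with this change a name such as `.git:foo` is reported as a `.git` synonym there as well. That looks intended, given the stated `git fsck` use, but the comment should say so next to the backslash explanation so the behaviour is documented rather than implied.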
81 diff --git a/t/t1014-read-tree-confusing.sh b/t/t1014-read-tree-confusing.sh
82 index 2f5a25d503..da3376b3bb 100755
83 --- a/t/t1014-read-tree-confusing.sh
84 +++ b/t/t1014-read-tree-confusing.sh
85 @@ -49,6 +49,7 @@ git~1
86 .git.SPACE .git.{space}
87 .\\\\.GIT\\\\foobar backslashes
88 .git\\\\foobar backslashes2
89 +.git...:alternate-stream
90 EOF
92 test_expect_success 'utf-8 paths allowed with core.protectHFS off' '
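Review bot: The single added case `.git...:alternate-stream` exercises the colon only together with trailing periods. The commit message singles out `.git::$INDEX_ALLOCATION` as the motivating form, and a plain `.git:alternate-stream` is the input the new `':'` check handles most directly. Suggest adding both to this list, so that the empty stream name and the path without period padding are covered, plus a mixed-case variant such as `.GIT:stream`, since the match uses `strncasecmp`.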
93 --
94 2.24.0.393.g34dc348eaf