debian: apply security fixes from 2.24.1
[git/debian.git] / debian / patches / 0016-protect_ntfs-turn-on-NTFS-protection-by-default.diff
blob ceaac0db9a25af4c75ac88bd0820b203bde4f5f5
1 From a56c907014db8adb59570c55de5f6042a9a00e3e Mon Sep 17 00:00:00 2001
2 From: Johannes Schindelin <johannes.schindelin@gmx.de>
3 Date: Mon, 9 Sep 2019 21:04:41 +0200
4 Subject: protect_ntfs: turn on NTFS protection by default
6 Back in the DOS days, in the FAT file system, file names always
7 consisted of a base name of length 8 plus a file extension of length 3.
8 Shorter file names were simply padded with spaces to the full 8.3
9 format.
11 Later, the FAT file system was taught to support _also_ longer names,
12 with an 8.3 "short name" as primary file name. While at it, the same
13 facility allowed formerly illegal file names, such as `.git` (empty base
14 names were not allowed), which would have the "short name" `git~1`
15 associated with it.
17 For backwards-compatibility, NTFS supports alternative 8.3 short
18 filenames, too, even if starting with Windows Vista, they are only
19 generated on the system drive by default.
21 We addressed the problem that the `.git/` directory can _also_ be
22 accessed via `git~1/` (when short names are enabled) in 2b4c6efc821
23 (read-cache: optionally disallow NTFS .git variants, 2014-12-16), i.e.
24 since Git v1.9.5, by introducing the config setting `core.protectNTFS`
25 and enabling it by default on Windows.
27 In the meantime, Windows 10 introduced the "Windows Subsystem for Linux"
28 (short: WSL), i.e. a way to run Linux applications/distributions in a
29 thinly-isolated subsystem on Windows (giving rise to many a "2016 is the
30 Year of Linux on the Desktop" joke). WSL is getting increasingly
31 popular, also due to the painless way Linux applications can operate
32 directly ("natively") on files on Windows' file system: the Windows
33 drives are mounted automatically (e.g. `C:` as `/mnt/c/`).
35 Taken together, this means that we now have to enable the safe-guards of
36 Git v1.9.5 also in WSL: it is possible to access a `.git` directory
37 inside `/mnt/c/` via the 8.3 name `git~1` (unless short name generation
38 was disabled manually). Since regular Linux distributions run in WSL,
39 this means we have to enable `core.protectNTFS` at least on Linux, too.
41 To enable Services for Macintosh in Windows NT to store so-called
42 resource forks, NTFS introduced "Alternate Data Streams". Essentially,
43 these constitute additional metadata that are connected to (and copied
44 with) their associated files, and they are accessed via pseudo file
45 names of the form `filename:<stream-name>:<stream-type>`.
47 In a recent patch, we extended `core.protectNTFS` to also protect
48 against accesses via NTFS Alternate Data Streams, e.g. to prevent
49 contents of the `.git/` directory from being "tracked" via yet another
50 alternative file name.
52 While it is not possible (at least by default) to access files via NTFS
53 Alternate Data Streams from within WSL, the defaults on macOS when
54 mounting network shares via SMB _do_ allow accessing files and
55 directories in that way. Therefore, we need to enable `core.protectNTFS`
56 on macOS by default, too, and really, on any Operating System that can
57 mount network shares via SMB/CIFS.
59 A couple of approaches were considered for fixing this:
61 1. We could perform a dynamic NTFS check similar to the `core.symlinks`
62 check in `init`/`clone`: instead of trying to create a symbolic link
63 in the `.git/` directory, we could create a test file and try to
64 access `.git/config` via 8.3 name and/or Alternate Data Stream.
66 2. We could simply "flip the switch" on `core.protectNTFS`, to make it
67 "on by default".
69 The obvious downside of 1. is that it won't protect worktrees that were
70 cloned with a vulnerable Git version already. We considered patching code
71 paths that check out files to check whether we're running on an NTFS
72 system dynamically and persist the result in the repository-local config
73 setting `core.protectNTFS`, but in the end decided that this solution
74 would be too fragile, and too involved.
76 The obvious downside of 2. is that everybody will have to "suffer" the
77 performance penalty incurred from calling `is_ntfs_dotgit()` on every
78 path, even in setups where.
80 After the recent work to accelerate `is_ntfs_dotgit()` in most cases,
81 it looks as if the time spent on validating ten million random
82 file names increases only negligibly (less than 20ms, well within the
83 standard deviation of ~50ms). Therefore the benefits outweigh the cost.
85 Another downside of this is that paths that might have been acceptable
86 previously now will be forbidden. Realistically, though, this is an
87 improvement because public Git hosters already would reject any `git
88 push` that contains such file names.
90 Note: There might be a similar problem mounting HFS+ on Linux. However,
91 this scenario has been considered unlikely and in light of the cost (in
92 the aforementioned benchmark, `core.protectHFS = true` increased the
93 time from ~440ms to ~610ms), it was decided _not_ to touch the default
94 of `core.protectHFS`.
96 This change addresses CVE-2019-1353.
98 Reported-by: Nicolas Joly <Nicolas.Joly@microsoft.com>
99 Helped-by: Garima Singh <garima.singh@microsoft.com>
100 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
101 (cherry picked from commit 9102f958ee5254b10c0be72672aa3305bf4f4704)
102 Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
104 config.mak.uname | 3 +--
105 environment.c | 2 +-
106 2 files changed, 2 insertions(+), 3 deletions(-)
108 diff --git a/config.mak.uname b/config.mak.uname
109 index cc8efd95b1..0ab8e00938 100644
110 --- a/config.mak.uname
111 +++ b/config.mak.uname
112 @@ -454,7 +454,6 @@ ifneq ($(USE_MSVC_CRTDBG),)
113 # Optionally enable memory leak reporting.
114 BASIC_CFLAGS += -DUSE_MSVC_CRTDBG
115 endif
116 - BASIC_CFLAGS += -DPROTECT_NTFS_DEFAULT=1
117 # Always give "-Zi" to the compiler and "-debug" to linker (even in
118 # release mode) to force a PDB to be generated (like RelWithDebInfo).
119 BASIC_CFLAGS += -Zi
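Review bot: dropping `-DPROTECT_NTFS_DEFAULT=1` from the MSVC block is only safe together with the environment.c hunk further down that raises the generic default to 1; if this file were backported on its own (for example as a lone distro patch), MSVC builds would silently fall back to the old default of 0. Since the `#ifndef PROTECT_NTFS_DEFAULT` guard in environment.c still lets a config.mak override the value, a build-time opt-out remains possible; that is worth stating explicitly in the commit message now that the default carries a CVE fix.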
120 @@ -616,7 +615,7 @@ ifneq (,$(findstring MINGW,$(uname_S)))
121 compat/win32/path-utils.o \
122 compat/win32/pthread.o compat/win32/syslog.o \
123 compat/win32/dirent.o
124 - BASIC_CFLAGS += -DWIN32 -DPROTECT_NTFS_DEFAULT=1
125 + BASIC_CFLAGS += -DWIN32
126 EXTLIBS += -lws2_32
127 GITLIBS += git.res
128 PTHREAD_LIBS =
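Review bot: same removal for the MinGW build; `-DWIN32` stays on the line, so nothing else changes in this hunk. With both platform-specific defines gone, environment.c becomes the single place that sets the NTFS default, which is the right outcome, but a grep for `PROTECT_NTFS_DEFAULT` across the remaining build files (including any downstream config.mak) should confirm that no other site still sets it to 0 and thereby undoes the fix.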
129 diff --git a/environment.c b/environment.c
130 index efa072680a..6f0be4b7a2 100644
131 --- a/environment.c
132 +++ b/environment.c
133 @@ -78,7 +78,7 @@ enum log_refs_config log_all_ref_updates = LOG_REFS_UNSET;
134 int protect_hfs = PROTECT_HFS_DEFAULT;
136 #ifndef PROTECT_NTFS_DEFAULT
137 -#define PROTECT_NTFS_DEFAULT 0
138 +#define PROTECT_NTFS_DEFAULT 1
139 #endif
140 int protect_ntfs = PROTECT_NTFS_DEFAULT;
141 const char *core_fsmonitor;
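Review bot: the diffstat lists only config.mak.uname and environment.c, so the user-facing description of `core.protectNTFS` is not touched by this patch; if Documentation/config/core.txt still describes the default as enabled on Windows only, it now contradicts the code and should be updated in the same series. The `protect_ntfs` initializer is a compile-time default, so repositories with an explicit `core.protectNTFS = false` keep their opt-out, which matches the commit message; a test in t/ asserting that a fresh checkout on Linux rejects a `git~1/` path would guard the new default against regressions.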
143 2.24.0.393.g34dc348eaf