| Message ID | xmqq5xsmdarv.fsf_-_@gitster.g (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 1048aa8b7ad44d6c759e894f6ca763614068514d |
| Headers | show |
| Series | safe.directory: preliminary clean-up | expand |
On Tue, Jul 30, 2024 at 10:56:04AM -0700, Junio C Hamano wrote: > One wrong assumption was that the function might yield NULL when > there is no interpolation. This led to the use of an extra "check" > variable, conditionally holding either the interpolated or the > original string. The assumption was with us since 8959555c > (setup_git_directory(): add an owner check for the top-level > directory, 2022-03-02) originally introduced the safe.directory > feature. > > Another wrong assumption was that the function might yield the same > pointer as the input when there is no interpolation. This led to a > conditional free'ing of the interpolated copy, that the conditional > never skipped, as we always received an allocated string. Yup. Good eyes on seeing that second one. Both look correct to me from double-checking git_config_pathname(), and the patch itself looks good. -Peff
diff --git c/setup.c w/setup.c index d458edcc02..3177d010d1 100644 --- c/setup.c +++ w/setup.c @@ -1235,17 +1235,15 @@ static int safe_directory_cb(const char *key, const char *value, char *allowed = NULL; if (!git_config_pathname(&allowed, key, value)) { - const char *check = allowed ? allowed : value; - if (ends_with(check, "/*")) { - size_t len = strlen(check); - if (!fspathncmp(check, data->path, len - 1)) + if (ends_with(allowed, "/*")) { + size_t len = strlen(allowed); + if (!fspathncmp(allowed, data->path, len - 1)) data->is_safe = 1; - } else if (!fspathcmp(data->path, check)) { + } else if (!fspathcmp(data->path, allowed)) { data->is_safe = 1; } - } - if (allowed != value) free(allowed); + } } return 0;
The paths given in the safe.directory configuration variable are allowed to contain "~user" (which interpolates to user's home directory) and "%(prefix)" (which interpolates to the installation location in RUNTIME_PREFIX-enabled builds, and a call to the git_config_pathname() function is tasked to obtain a copy of the path with these constructs interpolated. The function, when it succeeds, always yields an allocated string in the location given as the out-parameter; even when there is nothing to interpolate in the original, a literal copy is made. The code path that contains this caller somehow made two contradicting and incorrect assumptions of the behaviour when there is no need for interpolation, and was written with extra defensiveness against two phantom risks that do not exist. One wrong assumption was that the function might yield NULL when there is no interpolation. This led to the use of an extra "check" variable, conditionally holding either the interpolated or the original string. The assumption was with us since 8959555c (setup_git_directory(): add an owner check for the top-level directory, 2022-03-02) originally introduced the safe.directory feature. Another wrong assumption was that the function might yield the same pointer as the input when there is no interpolation. This led to a conditional free'ing of the interpolated copy, that the conditional never skipped, as we always received an allocated string. Simplify the code by removing the extra defensiveness. Signed-off-by: Junio C Hamano <gitster@pobox.com> --- setup.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-)