From patchwork Tue Jul 23 02:18:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Junio C Hamano X-Patchwork-Id: 13739280 Received: from pb-smtp1.pobox.com (pb-smtp1.pobox.com [64.147.108.70]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 76ECF132122 for ; Tue, 23 Jul 2024 02:19:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=64.147.108.70 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721701147; cv=none; b=DyOchc9EuO/2zbIHd56c/eovW7V6Q+f5Dcs55h3WZQ4Sld+p6sgNn504Q1yxaw2ydckULNCqsGxFNLXtCp7HgGOHQMYe36IUnW7D3Jfq9ojrmr3yuzoxNE9xwFSqgQ8L7A3nAXiijSKlGUo69+//4moZngKjrHUhEJ9wyniKZ1s= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721701147; c=relaxed/simple; bh=cPH0vqUY2/Rz8Q6E/5uPXS8eqhhAKGF5ymfCa2iIMEk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=cWDobIsexSS9wYhd5eKcxAvddzO5RrytsIR+Dr+pnoWpKBF6p9J/UVJcMuedD/7dtOxTCYPvszkIzndSrtw/5SX2VZ/Qq+kFGHNeDINBP01Rp4lpP5Xoyyso+Sh4waS+O1KhUM/jbQkd1fW6/b6X+mahKeDvyDyS94IWgjqwMTM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=pobox.com; spf=pass smtp.mailfrom=pobox.com; dkim=pass (1024-bit key) header.d=pobox.com header.i=@pobox.com header.b=C7+/eYLi; arc=none smtp.client-ip=64.147.108.70 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=pobox.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pobox.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=pobox.com header.i=@pobox.com header.b="C7+/eYLi" Received: from pb-smtp1.pobox.com (unknown [127.0.0.1]) by pb-smtp1.pobox.com (Postfix) with ESMTP id 5D18425861; Mon, 22 Jul 2024 22:19:04 -0400 (EDT) (envelope-from gitster@pobox.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=pobox.com; h=from:to:cc :subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; s=sasl; bh=cPH0vqUY2/Rz8Q6E/5uPXS8eq hhAKGF5ymfCa2iIMEk=; b=C7+/eYLitiGIhlEViyv5AGMWvQzyr0N0IQoxOXWvA rIWygGiWAwwFsQmEr6Ur9DBcKT2eFDkvYCAJHRir17NQMhXDPa/7hMZ7l9zVYaSf FkdMeLeC0Gef64WfqxhVJuZH/DwcZUVa1lZdi8mDtvvGUTVP7/OxTHEVOv2maPuh UQ= Received: from pb-smtp1.nyi.icgroup.com (unknown [127.0.0.1]) by pb-smtp1.pobox.com (Postfix) with ESMTP id 5578525860; Mon, 22 Jul 2024 22:19:04 -0400 (EDT) (envelope-from gitster@pobox.com) Received: from pobox.com (unknown [34.125.139.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp1.pobox.com (Postfix) with ESMTPSA id B394D2585E; Mon, 22 Jul 2024 22:19:03 -0400 (EDT) (envelope-from gitster@pobox.com) From: Junio C Hamano To: git@vger.kernel.org Cc: Phillip Wood Subject: [PATCH v2 1/3] safe.directory: normalize the checked path Date: Mon, 22 Jul 2024 19:18:58 -0700 Message-ID: <20240723021900.388020-2-gitster@pobox.com> X-Mailer: git-send-email 2.46.0-rc1-52-gda884b23f2 In-Reply-To: <20240723021900.388020-1-gitster@pobox.com> References: <20240720220915.2933266-1-gitster@pobox.com> <20240723021900.388020-1-gitster@pobox.com> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Pobox-Relay-ID: EE54B2B4-4899-11EF-BC0A-34EEED2EC81B-77302942!pb-smtp1.pobox.com The pathname of a repository comes from getcwd() and it could be a path aliased via symbolic links, e.g., the real directory may be /home/u/repository but a symbolic link /home/u/repo may point at it, and the clone request may come as "git clone file:///home/u/repo/". A request to check if /home/u/repo is safe would be rejected if the safe.directory configuration allows /home/u/repository/ but not its alias /home/u/repo/. Normalize the path being checked before comparing with safe.directory value(s). Suggested-by: Phillip Wood Signed-off-by: Junio C Hamano --- setup.c | 16 ++++++++--- t/t0033-safe-directory.sh | 57 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+), 4 deletions(-) diff --git a/setup.c b/setup.c index d458edcc02..45bbbe329f 100644 --- a/setup.c +++ b/setup.c @@ -1215,7 +1215,7 @@ static int canonicalize_ceiling_entry(struct string_list_item *item, } struct safe_directory_data { - const char *path; + char *path; int is_safe; }; @@ -1263,9 +1263,7 @@ static int ensure_valid_ownership(const char *gitfile, const char *worktree, const char *gitdir, struct strbuf *report) { - struct safe_directory_data data = { - .path = worktree ? worktree : gitdir - }; + struct safe_directory_data data = { 0 }; if (!git_env_bool("GIT_TEST_ASSUME_DIFFERENT_OWNER", 0) && (!gitfile || is_path_owned_by_current_user(gitfile, report)) && @@ -1273,6 +1271,15 @@ static int ensure_valid_ownership(const char *gitfile, (!gitdir || is_path_owned_by_current_user(gitdir, report))) return 1; + /* + * normalize the data.path for comparison with normalized paths + * that come from the configuration file. The path is unsafe + * if it cannot be normalized. + */ + data.path = real_pathdup(worktree ? worktree : gitdir, 0); + if (!data.path) + return 0; + /* * data.path is the "path" that identifies the repository and it is * constant regardless of what failed above. data.is_safe should be @@ -1280,6 +1287,7 @@ static int ensure_valid_ownership(const char *gitfile, */ git_protected_config(safe_directory_cb, &data); + free(data.path); return data.is_safe; } diff --git a/t/t0033-safe-directory.sh b/t/t0033-safe-directory.sh index 5fe61f1291..07ac0f9a01 100755 --- a/t/t0033-safe-directory.sh +++ b/t/t0033-safe-directory.sh @@ -119,4 +119,61 @@ test_expect_success 'local clone of unowned repo accepted in safe directory' ' test_path_is_dir target ' +test_expect_success SYMLINKS 'checked paths are normalized' ' + test_when_finished "rm -rf repository; rm -f repo" && + ( + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + git config --global --unset-all safe.directory + ) && + git init repository && + ln -s repository repo && + ( + cd repository && + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + test_commit sample + ) && + + ( + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + git config --global safe.directory "$(pwd)/repository" + ) && + git -C repository for-each-ref && + git -C repository/ for-each-ref && + git -C repo for-each-ref && + git -C repo/ for-each-ref && + test_must_fail git -C repository/.git for-each-ref && + test_must_fail git -C repository/.git/ for-each-ref && + test_must_fail git -C repo/.git for-each-ref && + test_must_fail git -C repo/.git/ for-each-ref +' + +test_expect_success SYMLINKS 'checked leading paths are normalized' ' + test_when_finished "rm -rf repository; rm -f repo" && + ( + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + git config --global --unset-all safe.directory + ) && + mkdir -p repository && + git init repository/s && + ln -s repository repo && + ( + cd repository/s && + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + test_commit sample + ) && + + ( + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + git config --global safe.directory "$(pwd)/repository/*" + ) && + git -C repository/s for-each-ref && + git -C repository/s/ for-each-ref && + git -C repo/s for-each-ref && + git -C repo/s/ for-each-ref && + git -C repository/s/.git for-each-ref && + git -C repository/s/.git/ for-each-ref && + git -C repo/s/.git for-each-ref && + git -C repo/s/.git/ for-each-ref +' + test_done From patchwork Tue Jul 23 02:18:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Junio C Hamano X-Patchwork-Id: 13739281 Received: from pb-smtp21.pobox.com (pb-smtp21.pobox.com [173.228.157.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E264D132122 for ; Tue, 23 Jul 2024 02:19:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=173.228.157.53 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721701152; cv=none; b=ByULgh8uQoyoOteFi7/66vi1jTMlf60dvNyGG08EyZaqtYtdRV3yfR81Io7MNSk0Zzx5wxVFgvs1KwD9O4IrJVFT540sY0MjETOjBGr8oZw1eKkQV2xkhZbSkVYyVSdT5F0ebuVW/58RAkOIJIIQ57VwkiMecmKzbwNPf6x2ag4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721701152; c=relaxed/simple; bh=fEOjwnraNCKPPnTvCz9PL8DGXKdkkaqGisPrgesKQqs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Fv/FHzCxZHOaDxoIctxFN/Y+JX5NfoSrWoX5qkslEar3YeTMxRDph/7cxhzCcRUv9qigxHu1m1XYdRn+3+Ll3AUQrVdPB3nB26dICIUZzI5B1h1sUmGiU1/QX0gziq0zw9TeU546yfUv6Hr/AaJOX9hsDwTtduU1ALHX5D73E6g= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=pobox.com; spf=pass smtp.mailfrom=pobox.com; dkim=pass (1024-bit key) header.d=pobox.com header.i=@pobox.com header.b=JYVjGEer; arc=none smtp.client-ip=173.228.157.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=pobox.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pobox.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=pobox.com header.i=@pobox.com header.b="JYVjGEer" Received: from pb-smtp21.pobox.com (unknown [127.0.0.1]) by pb-smtp21.pobox.com (Postfix) with ESMTP id 6F3FD2887C; Mon, 22 Jul 2024 22:19:10 -0400 (EDT) (envelope-from gitster@pobox.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=pobox.com; h=from:to:cc :subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; s=sasl; bh=fEOjwnraNCKPPnTvCz9PL8DGX KdkkaqGisPrgesKQqs=; b=JYVjGEerRjjLvJQkude1qiwpg7rsCSWJH1hSfMIdK dIVYj45aIhW/BLAquJYR8U8kE5eBBASIFpcC7226FidvJU7738jaqON24hcKGnsX ai8yr7m4KJZsXSPX31v6X8TjNyT0ykrsWIgKVFn4OERUu9liAU6hAwFlDeFgLPCF eI= Received: from pb-smtp21.sea.icgroup.com (unknown [127.0.0.1]) by pb-smtp21.pobox.com (Postfix) with ESMTP id 670D92887A; Mon, 22 Jul 2024 22:19:10 -0400 (EDT) (envelope-from gitster@pobox.com) Received: from pobox.com (unknown [34.125.139.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp21.pobox.com (Postfix) with ESMTPSA id B7F8A28879; Mon, 22 Jul 2024 22:19:05 -0400 (EDT) (envelope-from gitster@pobox.com) From: Junio C Hamano To: git@vger.kernel.org Cc: Phillip Wood Subject: [PATCH v2 2/3] safe.directory: normalize the configured path Date: Mon, 22 Jul 2024 19:18:59 -0700 Message-ID: <20240723021900.388020-3-gitster@pobox.com> X-Mailer: git-send-email 2.46.0-rc1-52-gda884b23f2 In-Reply-To: <20240723021900.388020-1-gitster@pobox.com> References: <20240720220915.2933266-1-gitster@pobox.com> <20240723021900.388020-1-gitster@pobox.com> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Pobox-Relay-ID: EF887F62-4899-11EF-8D0B-9625FCCAB05B-77302942!pb-smtp21.pobox.com The pathname of a repository comes from getcwd() and it could be a path aliased via symbolic links, e.g., the real directory may be /home/u/repository but a symbolic link /home/u/repo may point at it, and the clone request may come as "git clone file:///home/u/repo/" A request to check if /home/u/repository is safe would be rejected if the safe.directory configuration allows /home/u/repo/ but not its alias /home/u/repository/. Normalize the paths configured for the safe.directory configuration variable before comparing them with the path being checked. Suggested-by: Phillip Wood Signed-off-by: Junio C Hamano --- setup.c | 12 +++++++++ t/t0033-safe-directory.sh | 57 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+) diff --git a/setup.c b/setup.c index 45bbbe329f..29304d7452 100644 --- a/setup.c +++ b/setup.c @@ -1236,6 +1236,16 @@ static int safe_directory_cb(const char *key, const char *value, if (!git_config_pathname(&allowed, key, value)) { const char *check = allowed ? allowed : value; + char *to_free = real_pathdup(check, 0); + + if (!to_free) { + warning(_("safe.directory '%s' cannot be normalized"), + check); + goto next; + } else { + check = to_free; + } + if (ends_with(check, "/*")) { size_t len = strlen(check); if (!fspathncmp(check, data->path, len - 1)) @@ -1243,7 +1253,9 @@ static int safe_directory_cb(const char *key, const char *value, } else if (!fspathcmp(data->path, check)) { data->is_safe = 1; } + free(to_free); } + next: if (allowed != value) free(allowed); } diff --git a/t/t0033-safe-directory.sh b/t/t0033-safe-directory.sh index 07ac0f9a01..ea74657255 100755 --- a/t/t0033-safe-directory.sh +++ b/t/t0033-safe-directory.sh @@ -176,4 +176,61 @@ test_expect_success SYMLINKS 'checked leading paths are normalized' ' git -C repo/s/.git/ for-each-ref ' +test_expect_success SYMLINKS 'configured paths are normalized' ' + test_when_finished "rm -rf repository; rm -f repo" && + ( + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + git config --global --unset-all safe.directory + ) && + git init repository && + ln -s repository repo && + ( + cd repository && + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + test_commit sample + ) && + + ( + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + git config --global safe.directory "$(pwd)/repo" + ) && + git -C repository for-each-ref && + git -C repository/ for-each-ref && + git -C repo for-each-ref && + git -C repo/ for-each-ref && + test_must_fail git -C repository/.git for-each-ref && + test_must_fail git -C repository/.git/ for-each-ref && + test_must_fail git -C repo/.git for-each-ref && + test_must_fail git -C repo/.git/ for-each-ref +' + +test_expect_success SYMLINKS 'configured leading paths are normalized' ' + test_when_finished "rm -rf repository; rm -f repo" && + ( + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + git config --global --unset-all safe.directory + ) && + mkdir -p repository && + git init repository/s && + ln -s repository repo && + ( + cd repository/s && + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + test_commit sample + ) && + + ( + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + git config --global safe.directory "$(pwd)/repo/*" + ) && + git -C repository/s for-each-ref && + git -C repository/s/ for-each-ref && + git -C repository/s/.git for-each-ref && + git -C repository/s/.git/ for-each-ref && + git -C repo/s for-each-ref && + git -C repo/s/ for-each-ref && + git -C repo/s/.git for-each-ref && + git -C repo/s/.git/ for-each-ref +' + test_done From patchwork Tue Jul 23 02:19:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Junio C Hamano X-Patchwork-Id: 13739282 Received: from pb-smtp20.pobox.com (pb-smtp20.pobox.com [173.228.157.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EB64B13B5B4 for ; Tue, 23 Jul 2024 02:19:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=173.228.157.52 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721701158; cv=none; b=tT2zkXrKgy2GV4jJ6LXJVtU9luhTrFwTSBsZYwyf6TJ349zSQ+K51PQlBiRMubq0G8eUXQn1bEYZu07Jd330xaKDeyyBuD9JZvhNjjg0AmMdx7zIyJ/KafUkPJvYPh/cnqZ9mtQE83LnNk0sPD/Y2gkCLIpvJl4DQr+Rwe7jtH4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721701158; c=relaxed/simple; bh=fmyYxVtF3kanKHw6ImHfxFQpFJzieB/9x61REybXrWk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=o3ila5rj315ZiA1paj+eURK01cjyGu14akeqQTvlKlngW/vU6Yc7xJ/WO6Dsl2csD1kblUBvvNQc/AR2B7Vm/7viHHXHA2jGapUuTQejnyiBgSjEooUkJX0oyqSO7/mw03D7+IQLqWXLosx5GcfWS4KnbkbgUJGlCpNmgu8u68Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=pobox.com; spf=pass smtp.mailfrom=pobox.com; dkim=pass (1024-bit key) header.d=pobox.com header.i=@pobox.com header.b=tNr/xbJg; arc=none smtp.client-ip=173.228.157.52 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=pobox.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pobox.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=pobox.com header.i=@pobox.com header.b="tNr/xbJg" Received: from pb-smtp20.pobox.com (unknown [127.0.0.1]) by pb-smtp20.pobox.com (Postfix) with ESMTP id 88E363FE31; Mon, 22 Jul 2024 22:19:16 -0400 (EDT) (envelope-from gitster@pobox.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=pobox.com; h=from:to:cc :subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; s=sasl; bh=fmyYxVtF3kanKHw6ImHfxFQpF JzieB/9x61REybXrWk=; b=tNr/xbJgfn68kXMmlPyQOTqPqXtdsrYY42BkuKOCa NHuOa3DiGuPQD7kOytERzt7ECfQ71cUu4QjaeYohtwWHlUlYRLqmZQCmbK6+amGI BAS15wttEDmRytzjcJzd6Cy7PWIThScRefzxvl7h8Pmtf56GyyGmSSYA7fi2ZPkt HY= Received: from pb-smtp20.sea.icgroup.com (unknown [127.0.0.1]) by pb-smtp20.pobox.com (Postfix) with ESMTP id 821303FE30; Mon, 22 Jul 2024 22:19:16 -0400 (EDT) (envelope-from gitster@pobox.com) Received: from pobox.com (unknown [34.125.139.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp20.pobox.com (Postfix) with ESMTPSA id C52BF3FE2F; Mon, 22 Jul 2024 22:19:10 -0400 (EDT) (envelope-from gitster@pobox.com) From: Junio C Hamano To: git@vger.kernel.org Cc: Phillip Wood Subject: [PATCH v2 3/3] safe.directory: setting safe.directory="." allows the "current" directory Date: Mon, 22 Jul 2024 19:19:00 -0700 Message-ID: <20240723021900.388020-4-gitster@pobox.com> X-Mailer: git-send-email 2.46.0-rc1-52-gda884b23f2 In-Reply-To: <20240723021900.388020-1-gitster@pobox.com> References: <20240720220915.2933266-1-gitster@pobox.com> <20240723021900.388020-1-gitster@pobox.com> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Pobox-Relay-ID: F28BDF10-4899-11EF-84EF-92D9AF168FA5-77302942!pb-smtp20.pobox.com When "git daemon" enters a repository, it chdir's to the requested repository and then uses "." (the curent directory) to consult the "is this repository considered safe?" when it is not owned by the same owner as the process. Make sure this access will be allowed by setting safe.directory to ".". Signed-off-by: Junio C Hamano --- t/t0033-safe-directory.sh | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/t/t0033-safe-directory.sh b/t/t0033-safe-directory.sh index ea74657255..1eeb794194 100755 --- a/t/t0033-safe-directory.sh +++ b/t/t0033-safe-directory.sh @@ -233,4 +233,36 @@ test_expect_success SYMLINKS 'configured leading paths are normalized' ' git -C repo/s/.git/ for-each-ref ' +test_expect_success 'safe.directory set to a dot' ' + test_when_finished "rm -rf repository" && + ( + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + git config --global --unset-all safe.directory + ) && + mkdir -p repository/subdir && + git init repository && + ( + cd repository && + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + test_commit sample + ) && + + ( + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + git config --global safe.directory "." + ) && + git -C repository for-each-ref && + git -C repository/ for-each-ref && + git -C repository/.git for-each-ref && + git -C repository/.git/ for-each-ref && + + # what is allowed is repository/subdir but the repository + # path is repository. + test_must_fail git -C repository/subdir for-each-ref && + + # likewise, repository .git/refs is allowed with "." but + # repository/.git that is accessed is not allowed. + test_must_fail git -C repository/.git/refs for-each-ref +' + test_done