diff options
| author | Jeff King <peff@peff.net> | 2023-08-31 08:20:01 +0200 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2023-09-01 00:51:07 +0200 |
| commit | 0fbcaef6b49250eb92b08e70f815962c729d5615 (patch) | |
| tree | a7d1476a2bc1dac74c4258372d7e74475771523d /environment.h | |
| parent | tree-walk: rename "error" variable (diff) | |
| download | git-0fbcaef6b49250eb92b08e70f815962c729d5615.tar.xz git-0fbcaef6b49250eb92b08e70f815962c729d5615.zip | |
fsck: detect very large tree pathnames
In general, Git tries not to arbitrarily limit what it will store, and
there are currently no limits at all on the size of the path we find in
a tree. In theory you could have one that is gigabytes long.
But in practice this freedom is not really helping anybody, and is
potentially harmful:
1. Most operating systems have much lower limits for the size of a
single pathname component (e.g., on Linux you'll generally get
ENAMETOOLONG for anything over 255 bytes). And while you _can_ use
Git in a way that never touches the filesystem (manipulating the
index and trees directly), it's still probably not a good idea to
have gigantic tree names. Many operations load and traverse them,
so any clever Git-as-a-database scheme is likely to perform poorly
in that case.
2. We still have a lot of code which assumes strings are reasonably
sized, and I won't be at all surprised if you can trigger some
interesting integer overflows with gigantic pathnames. Stopping
malicious trees from entering the repository provides an extra line
of defense, protecting downstream code.
This patch implements an fsck check so that such trees can be rejected
by transfer.fsckObjects. I've picked a reasonably high maximum depth
here (4096) that hopefully should not bother anybody in practice. I've
also made it configurable, as an escape hatch.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'environment.h')
0 files changed, 0 insertions, 0 deletions