From cc2fc7c2f07c4a2aba5a653137ac9b489e05df43 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Mon, 24 Nov 2014 13:39:12 -0500 Subject: verify_dotfile(): reject .git case-insensitively We do not allow ".git" to enter into the index as a path component, because checking out the result to the working tree may causes confusion for subsequent git commands. However, on case-insensitive file systems, ".Git" or ".GIT" is the same. We should catch and prevent those, too. Note that technically we could allow this for repos on case-sensitive filesystems. But there's not much point. It's unlikely that anybody cares, and it creates a repository that is unexpectedly non-portable to other systems. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- read-cache.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'read-cache.c') diff --git a/read-cache.c b/read-cache.c index 33dd676ccb..122be494f3 100644 --- a/read-cache.c +++ b/read-cache.c @@ -759,9 +759,10 @@ static int verify_dotfile(const char *rest) * shares the path end test with the ".." case. */ case 'g': - if (rest[1] != 'i') + case 'G': + if (rest[1] != 'i' && rest[1] != 'I') break; - if (rest[2] != 't') + if (rest[2] != 't' && rest[2] != 'T') break; rest += 2; /* fallthrough */ -- cgit v1.2.3 From a42643aa8d88a2278acad2da6bc702e426476e9b Mon Sep 17 00:00:00 2001 
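Review bot: Nothing at the new `case 'G':` label in verify_dotfile() records that the mixed-case match is deliberate on case-sensitive filesystems too, so a later reader could take it for a platform workaround and narrow it again. A short comment there would carry the reasoning from the commit message, e.g. `/* match ".git" in any ASCII case on every platform, so the index stays portable */`. The three comparisons cover ASCII case only; any other spelling a filesystem may treat as equal to ".git" is outside what this function checks. The switch statement and the comment above `case 'g':` both begin outside the hunk.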
From: Jeff King Date: Mon, 15 Dec 2014 18:15:20 -0500 Subject: read-cache: optionally disallow HFS+ .git variants The point of disallowing ".git" in the index is that we would never want to accidentally overwrite files in the repository directory. But this means we need to respect the filesystem's idea of when two paths are equal. The prior commit added a helper to make such a comparison for HFS+; let's use it in verify_path. We make this check optional for two reasons: 1. It restricts the set of allowable filenames, which is unnecessary for people who are not on HFS+. In practice this probably doesn't matter, though, as the restricted names are rather obscure and almost certainly would never come up in practice. 2. It has a minor performance penalty for every path we insert into the index. This patch ties the check to the core.protectHFS config option. Though this is expected to be most useful on OS X, we allow it to be set everywhere, as HFS+ may be mounted on other platforms. The variable does default to on for OS X, though. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- Documentation/config.txt | 5 +++++ cache.h | 1 + config.c | 5 +++++ config.mak.uname | 1 + environment.c | 5 +++++ read-cache.c | 3 +++ t/t1014-read-tree-confusing.sh | 24 ++++++++++++++++++++---- t/test-lib.sh | 6 +++++- 8 files changed, 45 insertions(+), 5 deletions(-) (limited to 'read-cache.c') diff --git a/Documentation/config.txt b/Documentation/config.txt index ab26963d61..0677bd8df5 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt 
@@ -234,6 +234,11 @@ core.precomposeunicode:: When false, file names are handled fully transparent by Git, which is backward compatible with older versions of Git. +core.protectHFS:: + If set to true, do not allow checkout of paths that would + be considered equivalent to `.git` on an HFS+ filesystem. + Defaults to `true` on Mac OS, and `false` elsewhere. + core.trustctime:: If false, the ctime differences between the index and the working tree are ignored; useful when the inode change time diff --git a/cache.h b/cache.h index ce377e1354..b600a0c3e4 100644 --- a/cache.h +++ b/cache.h @@ -584,6 +584,7 @@ extern int fsync_object_files; extern int core_preload_index; extern int core_apply_sparse_checkout; extern int precomposed_unicode; +extern int protect_hfs; /* * The character that begins a commented line in user-editable file diff --git a/config.c b/config.c index e1d66a145b..b519cedc01 100644 --- a/config.c +++ b/config.c @@ -881,6 +881,11 @@ static int git_default_core_config(const char *var, const char *value) return 0; } + if (!strcmp(var, "core.protecthfs")) { + protect_hfs = git_config_bool(var, value); + return 0; + } + /* Add other config variables here and to Documentation/config.txt. */ return 0; } diff --git a/config.mak.uname b/config.mak.uname index 82d549e48b..23af148837 100644 --- a/config.mak.uname +++ b/config.mak.uname @@ -97,6 +97,7 @@ ifeq ($(uname_S),Darwin) HAVE_DEV_TTY = YesPlease COMPAT_OBJS += compat/precompose_utf8.o BASIC_CFLAGS += -DPRECOMPOSE_UNICODE + BASIC_CFLAGS += -DPROTECT_HFS_DEFAULT=1 endif ifeq ($(uname_S),SunOS) NEEDS_SOCKET = YesPlease diff --git a/environment.c b/environment.c index 0a15349cfe..828b574a29 100644 --- a/environment.c +++ b/environment.c 
@@ -63,6 +63,11 @@ int precomposed_unicode = -1; /* see probe_utf8_pathname_composition() */ struct startup_info *startup_info; unsigned long pack_size_limit_cfg; +#ifndef PROTECT_HFS_DEFAULT +#define PROTECT_HFS_DEFAULT 0 +#endif +int protect_hfs = PROTECT_HFS_DEFAULT; + /* * The character that begins a commented line in user-editable file * that is subject to stripspace. diff --git a/read-cache.c b/read-cache.c index 122be494f3..7f48a08c15 100644 --- a/read-cache.c +++ b/read-cache.c @@ -14,6 +14,7 @@ #include "resolve-undo.h" #include "strbuf.h" #include "varint.h" +#include "utf8.h" static struct cache_entry *refresh_cache_entry(struct cache_entry *ce, int really); @@ -786,6 +787,8 @@ int verify_path(const char *path) return 1; if (is_dir_sep(c)) { inside: + if (protect_hfs && is_hfs_dotgit(path)) + return 0; c = *path++; if ((c == '.' && !verify_dotfile(path)) || is_dir_sep(c) || c == '\0') diff --git a/t/t1014-read-tree-confusing.sh b/t/t1014-read-tree-confusing.sh index eff8aedf7a..ec310d5938 100755 --- a/t/t1014-read-tree-confusing.sh +++ b/t/t1014-read-tree-confusing.sh 
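Review bot: The fallback `#define PROTECT_HFS_DEFAULT 0` in environment.c leaves the check switched off on every build that does not pass `-DPROTECT_HFS_DEFAULT=1`, although the commit message itself notes that HFS+ may be mounted on other platforms. A comment next to `protect_hfs` would make that visible where the default lives, e.g. `/* off unless the build enables it; set core.protectHFS=true when a work tree sits on HFS+ */`. As far as this page shows the value comes only from the build default and local config, so a host that stores repositories for HFS+ clients presumably has to opt in as well. The same remark applies to `PROTECT_NTFS_DEFAULT` in the environment.c hunk of the following commit.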
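Review bot: The new test under `inside:` in verify_path() hands is_hfs_dotgit() the remainder of the path rather than a single component, and the helper is defined outside this page, so it is worth confirming that it stops at the next directory separator and does not require the name to end the string. The check also makes verify_path() return 0, which by the commit message affects every path inserted into the index, while the config.txt text in this commit speaks only of checkout. A comment at the check would state the intent, e.g. `/* refuse any component that HFS+ would treat as ".git" */`. verify_path() starts and ends outside the hunk.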
@@ -11,23 +11,39 @@ test_expect_success 'create base tree' ' tree=$(git rev-parse HEAD^{tree}) ' -while read path; do - test_expect_success "reject $path at end of path" ' +test_expect_success 'enable core.protectHFS for rejection tests' ' + git config core.protectHFS true +' + +while read path pretty; do + : ${pretty:=$path} + test_expect_success "reject $pretty at end of path" ' printf "100644 blob %s\t%s" "$blob" "$path" >tree && bogus=$(git mktree tree && bogus=$(git mktree tree && + ok=$(git mktree Date: Tue, 16 Dec 2014 23:46:59 +0100 Subject: read-cache: optionally disallow NTFS .git variants The point of disallowing ".git" in the index is that we would never want to accidentally overwrite files in the repository directory. But this means we need to respect the filesystem's idea of when two paths are equal. The prior commit added a helper to make such a comparison for NTFS and FAT32; let's use it in verify_path(). We make this check optional for two reasons: 1. It restricts the set of allowable filenames, which is unnecessary for people who are not on NTFS nor FAT32. In practice this probably doesn't matter, though, as the restricted names are rather obscure and almost certainly would never come up in practice. 2. It has a minor performance penalty for every path we insert into the index. This patch ties the check to the core.protectNTFS config option. Though this is expected to be most useful on Windows, we allow it to be set everywhere, as NTFS may be mounted on other platforms. The variable does default to on for Windows, though. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- Documentation/config.txt | 6 ++++++ cache.h | 1 + config.c | 5 +++++ config.mak.uname | 2 ++ environment.c | 5 +++++ read-cache.c | 2 ++ t/t1014-read-tree-confusing.sh | 13 +++++++++++++ 7 files changed, 34 insertions(+) (limited to 'read-cache.c') diff --git a/Documentation/config.txt b/Documentation/config.txt index 0677bd8df5..097fdd47e1 100644 
--- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -239,6 +239,12 @@ core.protectHFS:: be considered equivalent to `.git` on an HFS+ filesystem. Defaults to `true` on Mac OS, and `false` elsewhere. +core.protectNTFS:: + If set to true, do not allow checkout of paths that would + cause problems with the NTFS filesystem, e.g. conflict with + 8.3 "short" names. + Defaults to `true` on Windows, and `false` elsewhere. + core.trustctime:: If false, the ctime differences between the index and the working tree are ignored; useful when the inode change time diff --git a/cache.h b/cache.h index d17b1d6295..29ed24b802 100644 --- a/cache.h +++ b/cache.h @@ -585,6 +585,7 @@ extern int core_preload_index; extern int core_apply_sparse_checkout; extern int precomposed_unicode; extern int protect_hfs; +extern int protect_ntfs; /* * The character that begins a commented line in user-editable file diff --git a/config.c b/config.c index b519cedc01..2cd64b6e3a 100644 --- a/config.c +++ b/config.c @@ -886,6 +886,11 @@ static int git_default_core_config(const char *var, const char *value) return 0; } + if (!strcmp(var, "core.protectntfs")) { + protect_ntfs = git_config_bool(var, value); + return 0; + } + /* Add other config variables here and to Documentation/config.txt. */ return 0; } diff --git a/config.mak.uname b/config.mak.uname index 23af148837..ec7ed7ac3b 100644 --- a/config.mak.uname +++ b/config.mak.uname @@ -362,6 +362,7 @@ ifeq ($(uname_S),Windows) EXTLIBS = user32.lib advapi32.lib shell32.lib wininet.lib ws2_32.lib PTHREAD_LIBS = lib = + BASIC_CFLAGS += -DPROTECT_NTFS_DEFAULT=1 ifndef DEBUG BASIC_CFLAGS += -GL -Os -MT BASIC_LDFLAGS += -LTCG @@ -506,6 +507,7 @@ ifneq (,$(findstring MINGW,$(uname_S))) COMPAT_OBJS += compat/mingw.o compat/winansi.o \ compat/win32/pthread.o compat/win32/syslog.o \ compat/win32/dirent.o + BASIC_CFLAGS += -DPROTECT_NTFS_DEFAULT=1 BASIC_LDFLAGS += -Wl,--large-address-aware EXTLIBS += -lws2_32 GITLIBS += git.res 
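Review bot: The default is switched on only in the `Windows` and `MINGW` blocks of config.mak.uname (hunks at -362 and -506), so any other build that writes work trees to NTFS or FAT32 keeps `PROTECT_NTFS_DEFAULT` at 0. The Cygwin block is not visible in these hunks; if it does not already carry `BASIC_CFLAGS += -DPROTECT_NTFS_DEFAULT=1`, it looks like a candidate for the same line. For POSIX builds with such a volume mounted, the protection depends on the user setting core.protectNTFS, which the documentation hunk could state more directly than "`false` elsewhere".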
diff --git a/environment.c b/environment.c index 828b574a29..184748da3e 100644 --- a/environment.c +++ b/environment.c @@ -68,6 +68,11 @@ unsigned long pack_size_limit_cfg; #endif int protect_hfs = PROTECT_HFS_DEFAULT; +#ifndef PROTECT_NTFS_DEFAULT +#define PROTECT_NTFS_DEFAULT 0 +#endif +int protect_ntfs = PROTECT_NTFS_DEFAULT; + /* * The character that begins a commented line in user-editable file * that is subject to stripspace. diff --git a/read-cache.c b/read-cache.c index 7f48a08c15..4fa208b662 100644 --- a/read-cache.c +++ b/read-cache.c @@ -789,6 +789,8 @@ int verify_path(const char *path) inside: if (protect_hfs && is_hfs_dotgit(path)) return 0; + if (protect_ntfs && is_ntfs_dotgit(path)) + return 0; c = *path++; if ((c == '.' && !verify_dotfile(path)) || is_dir_sep(c) || c == '\0') diff --git a/t/t1014-read-tree-confusing.sh b/t/t1014-read-tree-confusing.sh index ec310d5938..2f5a25d503 100755 --- a/t/t1014-read-tree-confusing.sh +++ b/t/t1014-read-tree-confusing.sh @@ -15,8 +15,17 @@ test_expect_success 'enable core.protectHFS for rejection tests' ' git config core.protectHFS true ' +test_expect_success 'enable core.protectNTFS for rejection tests' ' + git config core.protectNTFS true +' + while read path pretty; do : ${pretty:=$path} + case "$path" in + *SPACE) + path="${path%SPACE} " + ;; + esac test_expect_success "reject $pretty at end of path" ' printf "100644 blob %s\t%s" "$blob" "$path" >tree && bogus=$(git mktree
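Review bot: The only check wired to `protect_ntfs` in verify_path() is `is_ntfs_dotgit(path)`, whereas the config.txt text in this commit describes the option more broadly as rejecting paths that "cause problems with the NTFS filesystem". A comment at the call would pin down what is actually enforced, e.g. `/* core.protectNTFS: refuse components that NTFS or FAT32 would resolve to ".git" */`. Which spellings the helper recognises (the documentation mentions 8.3 short names) cannot be confirmed from this page, since its body is not shown. verify_path() starts and ends outside the hunk.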