Merge branch 'jt/config-quote-cr' into maint-2.43

This merges in the fix for CVE-2025-48384. * jt/config-quote-cr: config: quote values containing CR character Signed-off-by: Taylor Blau <me@ttaylorr.com>
2026-01-10 01:56:42 +00:00 · 2025-05-28 12:55:15 -04:00
parent d2bc61fcab 05e9cd64ee
commit 2d22f0cd07
3 changed files with 45 additions and 1 deletions
--- a/config.c
+++ b/config.c
@@ -2999,7 +2999,7 @@ static ssize_t write_pair(int fd, const char *key, const char *value,
 	if (value[0] == ' ')
 		quote = "\"";
 	for (i = 0; value[i]; i++)
-		if (value[i] == ';' || value[i] == '#')
+		if (value[i] == ';' || value[i] == '#' || value[i] == '\r')
 			quote = "\"";
 	if (i && value[i - 1] == ' ')
 		quote = "\"";
--- a/t/t1300-config.sh
+++ b/t/t1300-config.sh
@@ -2590,4 +2590,15 @@ test_expect_success 'includeIf.hasconfig:remote.*.url forbids remote url in such
 	grep "fatal: remote URLs cannot be configured in file directly or indirectly included by includeIf.hasconfig:remote.*.url" err
 '

+test_expect_success 'writing value with trailing CR not stripped on read' '
+	test_when_finished "rm -rf cr-test" &&
+
+	printf "bar\r\n" >expect &&
+	git init cr-test &&
+	git -C cr-test config set core.foo $(printf "bar\r") &&
+	git -C cr-test config get core.foo >actual &&
+
+	test_cmp expect actual
+'
+
 test_done
--- a/t/t7450-bad-git-dotfiles.sh
+++ b/t/t7450-bad-git-dotfiles.sh
@@ -347,4 +347,37 @@ test_expect_success 'checkout -f --recurse-submodules must not use a nested gitd
 	test_path_is_missing nested_checkout/thing2/.git
 '

+test_expect_success SYMLINKS,!WINDOWS,!MINGW 'submodule must not checkout into different directory' '
+	test_when_finished "rm -rf sub repo bad-clone" &&
+
+	git init sub &&
+	write_script sub/post-checkout <<-\EOF &&
+	touch "$PWD/foo"
+	EOF
+	git -C sub add post-checkout &&
+	git -C sub commit -m hook &&
+
+	git init repo &&
+	git -C repo -c protocol.file.allow=always submodule add "$PWD/sub" sub &&
+	git -C repo mv sub $(printf "sub\r") &&
+
+	# Ensure config values containing CR are wrapped in quotes.
+	git config unset -f repo/.gitmodules submodule.sub.path &&
+	printf "\tpath = \"sub\r\"\n" >>repo/.gitmodules &&
+
+	git config unset -f repo/.git/modules/sub/config core.worktree &&
+	{
+		printf "[core]\n" &&
+		printf "\tworktree = \"../../../sub\r\"\n"
+	} >>repo/.git/modules/sub/config &&
+
+	ln -s .git/modules/sub/hooks repo/sub &&
+	git -C repo add -A &&
+	git -C repo commit -m submodule &&
+
+	git -c protocol.file.allow=always clone --recurse-submodules repo bad-clone &&
+	! test -f "$PWD/foo" &&
+	test -f $(printf "bad-clone/sub\r/post-checkout")
+'
+
 test_done