Commit graph

43591 commits

Author SHA1 Message Date
Joey Hess
c50aa21d5f
init: Avoid autoenabling special remotes that have control characters in their names
I'm on the fence about this. Notice that pulling from a git remote can
pull branches that have escape sequences in their names. Git will
display those as-is. Arguably git should try harder to avoid that.

But, names of remotes are usually up to the local user, and autoenable
changes that, and so it makes sense that git chooses to display control
characters in names of remotes, and so autoenable needs to guard against
it.

Sponsored-by: Graham Spencer on Patreon
2023-04-12 12:37:12 -04:00
Joey Hess
de68e3dd4f
allow tab in controlCharacterInFilePath
Seems unlikely to have a tab in a path, but it's not a control character
that needs to be prevented either.

Left \n \r \v and \a as other non-threatening control characters
that are still obnoxious to have in a filepath because of how it causes
issues with display and/or with shell scripting.
2023-04-12 12:31:16 -04:00
Joey Hess
ad71f005b8
fix reversion in warning newline
indent removes any trailing newline, so put the trailing newline after
calling indent.

Sponsored-by: unqueued on Patreon
2023-04-12 12:30:50 -04:00
Joey Hess
708f4756d4
Merge branch 'master' of ssh://git-annex.branchable.com 2023-04-11 16:31:42 -04:00
Joey Hess
27915817b0
update 2023-04-11 16:31:31 -04:00
Joey Hess
31111d15c8
newline and tab are safe control characters
Oops, let's let git-annex display those! Lol
2023-04-11 15:38:47 -04:00
Joey Hess
4a5f18a8ec
IsString StringContainingQuotedPath optimisation
This causes an encodeBS thunk, and the first evaluation of the string
forces it. From then on, further uses operate on a ByteString. This
avoids converting repeatedly.
2023-04-11 15:29:04 -04:00
Joey Hess
afa5b883dc
find, findkeys, examinekey: escape output to terminal when --format is not used
Note that filenames are not quoted, only escaped. This is to match the
output of --format with escaping.

Sponsored-by: Lawrence Brogan on Patreon
2023-04-11 15:27:07 -04:00
Joey Hess
df6f9f1ee8
filter out control characters and quote filenames
Searched for uses of putStr and hPutStr and changed appropriate ones to filter
out control characters and quote filenames.

This notably does not make find and findkeys quote filenames in their default
output. Because they should only do that when stdout is non a pipe.

A few commands like calckey and lookupkey seem too low-level to make sense to filter
output, so skipped those.

Also when relaying output from other commands that is not progress output,
have git-annex filter out control characters.

Sponsored-by: k0ld on Patreon
2023-04-11 14:27:22 -04:00
xloem
59aa498876 Added a comment 2023-04-11 18:07:04 +00:00
Joey Hess
11e89c5a29
mention control characters 2023-04-11 14:06:46 -04:00
xloem
893cd20bee Added a comment 2023-04-11 18:03:26 +00:00
Joey Hess
c775b3ed70
clean up cabal.project.local~*
Make whenever cabal configure is run with new cabal, and I don't need
100 copies of that to be backed up.
2023-04-11 13:18:31 -04:00
Joey Hess
8b6c7bdbcc
filter out control characters in all other Messages
This does, as a side effect, make long notes in json output not
be indented. The indentation is only needed to offset them
underneath the display of the file they apply to, so that's ok.

Sponsored-by: Brock Spratlen on Patreon
2023-04-11 12:58:01 -04:00
Joey Hess
a0e6fa18eb
eliminate showStart showStartOther
These were not handling control characters and are redundant.

Sponsored-by: Jack Hill on Patreon
2023-04-10 16:28:58 -04:00
Joey Hess
3290a09a70
filter out control characters in warning messages
Converted warning and similar to use StringContainingQuotedPath. Most
warnings are static strings, some do refer to filepaths that need to be
quoted, and others don't need quoting.

Note that, since quote filters out control characters of even
UnquotedString, this makes all warnings safe, even when an attacker
sneaks in a control character in some other way.

When json is being output, no quoting is done, since json gets its own
quoting.

This does, as a side effect, make warning messages in json output not
be indented. The indentation is only needed to offset warning messages
underneath the display of the file they apply to, so that's ok.

Sponsored-by: Brett Eisenberg on Patreon
2023-04-10 15:55:44 -04:00
Joey Hess
007e302637
use safeOutput when quoting UnquotedString
UnquotedString does not need to be quoted, but still it's possible
it contains something attacker-controlled, which could have an
escape sequence or control character in it. This is a convenient
place to filter out such things, since quoting alrready handles
those in filenames.

Sponsored-by: Luke Shumaker on Patreon
2023-04-10 14:46:17 -04:00
Joey Hess
cd544e548b
filter out control characters in error messages
giveup changed to filter out control characters. (It is too low level to
make it use StringContainingQuotedPath.)

error still does not, but it should only be used for internal errors,
where the message is not attacker-controlled.

Changed a lot of existing error to giveup when it is not strictly an
internal error.

Of course, other exceptions can still be thrown, either by code in
git-annex, or a library, that include some attacker-controlled value.
This does not guard against those.

Sponsored-by: Noam Kremen on Patreon
2023-04-10 13:50:51 -04:00
Joey Hess
063c00e4f7
git style filename quoting for giveup
When the filenames are part of the git repository or other files that
might have attacker-controlled names, quote them in error messages.

This is fairly complete, although I didn't do the one in
Utility.DirWatcher.INotify.hs because that doesn't have access to
Git.Filename or Annex.

But it's also quite possible I missed some. And also while scanning for
these, I found giveup used with other things that could be attacker
controlled to contain control characters (eg Keys). So, I'm thinking
it would also be good for giveup to just filter out control characters.
This commit is then not the only line of defence, but just good
formatting when git-annex displays a filename in an error message.

Sponsored-by: Kevin Mueller on Patreon
2023-04-10 12:56:45 -04:00
Joey Hess
da83652c76
addurl --preserve-filename: reject control characters
As well as escape sequences, control characters seem unlikely to be desired when
doing addurl, and likely to trip someone up. So disallow them as well.

I did consider going the other way and allowing filenames with control characters
and escape sequences, since git-annex is in the process of escaping display
of all filenames. Might still be a better idea?

Also display the illegal filename git quoted when it rejects it.

Sponsored-by: Nicholas Golder-Manning on Patreon
2023-04-10 12:18:25 -04:00
Joey Hess
1c21ce17d4
avoid unncessary nested lists for combineing StringContainingQuotedPath 2023-04-09 12:53:13 -04:00
Joey Hess
2ba1559a8e
git style quoting for ActionItemOther
Added StringContainingQuotedPath, which is used for ActionItemOther.

In the process, checked every ActionItemOther for those containing
filenames, and made them use quoting.

Sponsored-by: Graham Spencer on Patreon
2023-04-08 16:30:01 -04:00
Joey Hess
d689a5b338
git style filename quoting controlled by core.quotePath
This is by no means complete, but escaping filenames in actionItemDesc does
cover most commands.

Note that for ActionItemBranchFilePath, the value is branch:file, and I
choose to only quote the file part (if necessary). I considered quoting the
whole thing. But, branch names cannot contain control characters, and while
they can contain unicode, git coes not quote unicode when displaying branch
names. So, it would be surprising for git-annex to quote unicode in a
branch name.

The find command is the most obvious command that still needs to be
dealt with. There are probably other places that filenames also get
displayed, eg embedded in error messages.

Some other commands use ActionItemOther with a filename, I think that
ActionItemOther should either be pre-sanitized, or should explicitly not
be used for filenames, so that needs more work.

When --json is used, unicode does not get escaped, but control
characters were already escaped in json.

(Key escaping may turn out to be needed, but I'm ignoring that for now.)

Sponsored-by: unqueued on Patreon
2023-04-08 14:52:26 -04:00
Joey Hess
81bc57322f
clean up 2023-04-07 17:20:58 -04:00
Joey Hess
c5b017e55b
full emulation of git filename escaping
Not yet used, but the plan is to make git-annex use this when displaying
filenames similar to how git does.

Sponsored-by: Lawrence Brogan on Patreon
2023-04-07 17:17:31 -04:00
Joey Hess
d9b6be7782
convert encode_c to ByteString
This turns out to be possible after all, because the old one decomposed
a unicode Char to multiple Word8s and encoded those. It should be faster
in some places, particularly in Git.Filename.encodeAlways.

The old version encoded all unicode by default as well as ascii control
characters and also '"'. The new one only encodes ascii control
characters by default.

That old behavior was visible in Utility.Format.format, which did escape
'"' when used in eg git-annex find --format='${escaped_file}\n'
So made sure to keep that working the same. Although the man page only
says it will escape "unusual" characters, so it might be able to be
changed.

Git.Filename.encodeAlways also needs to escape '"' ; that was the
original reason that was escaped.

Types.Transferrer I judge is ok to not escape '"', because the escaped
value is sent in a line-based protocol, which is decoded at the other
end by decode_c. So old git-annex and new will be fine whether that is
escaped or not, the result will be the same.

Note that when asked to escape a double quote, it is escaped to \"
rather than to \042. That's the same behavior as git has. It's
perhaps somehow more of a special case than it needs to be.

Sponsored-by: k0ld on Patreon
2023-04-07 17:10:49 -04:00
Joey Hess
371d4f8183
decode_c converted to ByteString
This speeds up a few things, notably CmdLine.Seek using Git.Filename
which uses decode_c and this avoids a conversion to String and back,
and probably the ByteString implementation of decode_c is also faster
for simple cases at least than the string version.

encode_c cannot be converted to ByteString (or if it did, it would have
to convert right back to String in order to handle unicode).

Sponsored-by: Brock Spratlen on Patreon
2023-04-07 14:44:19 -04:00
Joey Hess
f0b1034f8f
add news item for git-annex 10.20230407 2023-04-07 13:37:18 -04:00
Joey Hess
9c242af171
releasing package git-annex version 10.20230407 2023-04-07 13:37:03 -04:00
Joey Hess
218cb6ab56
expand 2023-04-07 13:13:16 -04:00
Joey Hess
e6a4782b0c
response 2023-04-07 13:00:56 -04:00
Joey Hess
b4e5f2b8a4
response 2023-04-07 12:52:43 -04:00
Joey Hess
868eb44562
Merge branch 'master' of ssh://git-annex.branchable.com 2023-04-07 12:42:09 -04:00
jwodder
b8afb79ada 2023-04-07 15:19:04 +00:00
mih
c83a783f45 Added a comment: Status of the import/export protocol implementation 2023-04-07 09:17:22 +00:00
Joey Hess
c417336fbb
todo 2023-04-05 19:37:21 -04:00
Joey Hess
98a3ba0ea5
restore old registerurl location tracking behavior
registerurl: When an url is claimed by a special remote other than the web,
update location tracking for that special remote.

registerurl's behavior was changed in commit
451171b7c1, apparently accidentially to not
update location tracking except for the web.

This makes registerurl followed by unregisterurl not be a no-op, when the
url happens to be claimed by a remote other than the web. It is a noop when
the url is unclaimed except by the web. I don't like the inconsistency,
and wish that registerurl and unregisterurl never updated location
tracking, which would be more in keeping with them being plumbing.

But there is the fact that it used to behave this way, and also it was
inconsistent that it updated location tracking for the web but not for
other remotes, unlike addurl. And there's an argument that the user might
not know what remote to expect to claim an url, so would be considerably in
the dark when using registerurl. (Although they have to know what content
gets downloaded, since they specify a key..)

Sponsored-By: the NIH-funded NICEMAN (ReproNim TR&D3) project
2023-04-05 17:06:44 -04:00
Joey Hess
26a094ac1a
hm 2023-04-05 16:36:18 -04:00
Joey Hess
eecd02fd3d
Merge branch 'master' of ssh://git-annex.branchable.com 2023-04-05 15:56:31 -04:00
Joey Hess
2b940f7725
registerurl, unregisterurl: Added --remote option
This serves two purposes. --remote=web bypasses other special remotes that
claim the url, same as addurl --raw. And, specifying some other remote
allows making sure that an url is claimed by the remote you expect,
which makes then using setpresentkey not be fragile.

Sponsored-By: the NIH-funded NICEMAN (ReproNim TR&D3) project
2023-04-05 15:54:41 -04:00
yarikoptic
1751ddd759 Added a comment 2023-04-05 19:36:41 +00:00
Joey Hess
c39d72ac78
comments 2023-04-05 15:00:39 -04:00
Joey Hess
06c584a267
Merge branch 'master' of ssh://git-annex.branchable.com 2023-04-05 11:04:55 -04:00
Joey Hess
1780b657bc
update 2023-04-05 11:04:35 -04:00
jkniiv
247430a272 Added a comment 2023-04-05 09:42:12 +00:00
yarikoptic
e4c93a233e Added a comment 2023-04-05 01:03:38 +00:00
yarikoptic
25bdb45b72 Added a comment 2023-04-05 00:30:00 +00:00
yarikoptic
352a274f53 Added a comment 2023-04-04 20:15:59 +00:00
Joey Hess
ac0345aa42
improve comments 2023-04-04 15:23:39 -04:00
Joey Hess
d0e94b4302
fixed 2023-04-04 15:19:25 -04:00