Commit graph

43181 commits

Author SHA1 Message Date
Joey Hess
11e89c5a29
mention control characters 2023-04-11 14:06:46 -04:00
xloem
893cd20bee Added a comment 2023-04-11 18:03:26 +00:00
Joey Hess
c775b3ed70
clean up cabal.project.local~*
Make whenever cabal configure is run with new cabal, and I don't need
100 copies of that to be backed up.
2023-04-11 13:18:31 -04:00
Joey Hess
8b6c7bdbcc
filter out control characters in all other Messages
This does, as a side effect, make long notes in json output not
be indented. The indentation is only needed to offset them
underneath the display of the file they apply to, so that's ok.

Sponsored-by: Brock Spratlen on Patreon
2023-04-11 12:58:01 -04:00
Joey Hess
a0e6fa18eb
eliminate showStart showStartOther
These were not handling control characters and are redundant.

Sponsored-by: Jack Hill on Patreon
2023-04-10 16:28:58 -04:00
Joey Hess
3290a09a70
filter out control characters in warning messages
Converted warning and similar to use StringContainingQuotedPath. Most
warnings are static strings, some do refer to filepaths that need to be
quoted, and others don't need quoting.

Note that, since quote filters out control characters of even
UnquotedString, this makes all warnings safe, even when an attacker
sneaks in a control character in some other way.

When json is being output, no quoting is done, since json gets its own
quoting.

This does, as a side effect, make warning messages in json output not
be indented. The indentation is only needed to offset warning messages
underneath the display of the file they apply to, so that's ok.

Sponsored-by: Brett Eisenberg on Patreon
2023-04-10 15:55:44 -04:00
Joey Hess
007e302637
use safeOutput when quoting UnquotedString
UnquotedString does not need to be quoted, but still it's possible
it contains something attacker-controlled, which could have an
escape sequence or control character in it. This is a convenient
place to filter out such things, since quoting alrready handles
those in filenames.

Sponsored-by: Luke Shumaker on Patreon
2023-04-10 14:46:17 -04:00
Joey Hess
cd544e548b
filter out control characters in error messages
giveup changed to filter out control characters. (It is too low level to
make it use StringContainingQuotedPath.)

error still does not, but it should only be used for internal errors,
where the message is not attacker-controlled.

Changed a lot of existing error to giveup when it is not strictly an
internal error.

Of course, other exceptions can still be thrown, either by code in
git-annex, or a library, that include some attacker-controlled value.
This does not guard against those.

Sponsored-by: Noam Kremen on Patreon
2023-04-10 13:50:51 -04:00
Joey Hess
063c00e4f7
git style filename quoting for giveup
When the filenames are part of the git repository or other files that
might have attacker-controlled names, quote them in error messages.

This is fairly complete, although I didn't do the one in
Utility.DirWatcher.INotify.hs because that doesn't have access to
Git.Filename or Annex.

But it's also quite possible I missed some. And also while scanning for
these, I found giveup used with other things that could be attacker
controlled to contain control characters (eg Keys). So, I'm thinking
it would also be good for giveup to just filter out control characters.
This commit is then not the only line of defence, but just good
formatting when git-annex displays a filename in an error message.

Sponsored-by: Kevin Mueller on Patreon
2023-04-10 12:56:45 -04:00
Joey Hess
da83652c76
addurl --preserve-filename: reject control characters
As well as escape sequences, control characters seem unlikely to be desired when
doing addurl, and likely to trip someone up. So disallow them as well.

I did consider going the other way and allowing filenames with control characters
and escape sequences, since git-annex is in the process of escaping display
of all filenames. Might still be a better idea?

Also display the illegal filename git quoted when it rejects it.

Sponsored-by: Nicholas Golder-Manning on Patreon
2023-04-10 12:18:25 -04:00
Joey Hess
1c21ce17d4
avoid unncessary nested lists for combineing StringContainingQuotedPath 2023-04-09 12:53:13 -04:00
Joey Hess
2ba1559a8e
git style quoting for ActionItemOther
Added StringContainingQuotedPath, which is used for ActionItemOther.

In the process, checked every ActionItemOther for those containing
filenames, and made them use quoting.

Sponsored-by: Graham Spencer on Patreon
2023-04-08 16:30:01 -04:00
Joey Hess
d689a5b338
git style filename quoting controlled by core.quotePath
This is by no means complete, but escaping filenames in actionItemDesc does
cover most commands.

Note that for ActionItemBranchFilePath, the value is branch:file, and I
choose to only quote the file part (if necessary). I considered quoting the
whole thing. But, branch names cannot contain control characters, and while
they can contain unicode, git coes not quote unicode when displaying branch
names. So, it would be surprising for git-annex to quote unicode in a
branch name.

The find command is the most obvious command that still needs to be
dealt with. There are probably other places that filenames also get
displayed, eg embedded in error messages.

Some other commands use ActionItemOther with a filename, I think that
ActionItemOther should either be pre-sanitized, or should explicitly not
be used for filenames, so that needs more work.

When --json is used, unicode does not get escaped, but control
characters were already escaped in json.

(Key escaping may turn out to be needed, but I'm ignoring that for now.)

Sponsored-by: unqueued on Patreon
2023-04-08 14:52:26 -04:00
Joey Hess
81bc57322f
clean up 2023-04-07 17:20:58 -04:00
Joey Hess
c5b017e55b
full emulation of git filename escaping
Not yet used, but the plan is to make git-annex use this when displaying
filenames similar to how git does.

Sponsored-by: Lawrence Brogan on Patreon
2023-04-07 17:17:31 -04:00
Joey Hess
d9b6be7782
convert encode_c to ByteString
This turns out to be possible after all, because the old one decomposed
a unicode Char to multiple Word8s and encoded those. It should be faster
in some places, particularly in Git.Filename.encodeAlways.

The old version encoded all unicode by default as well as ascii control
characters and also '"'. The new one only encodes ascii control
characters by default.

That old behavior was visible in Utility.Format.format, which did escape
'"' when used in eg git-annex find --format='${escaped_file}\n'
So made sure to keep that working the same. Although the man page only
says it will escape "unusual" characters, so it might be able to be
changed.

Git.Filename.encodeAlways also needs to escape '"' ; that was the
original reason that was escaped.

Types.Transferrer I judge is ok to not escape '"', because the escaped
value is sent in a line-based protocol, which is decoded at the other
end by decode_c. So old git-annex and new will be fine whether that is
escaped or not, the result will be the same.

Note that when asked to escape a double quote, it is escaped to \"
rather than to \042. That's the same behavior as git has. It's
perhaps somehow more of a special case than it needs to be.

Sponsored-by: k0ld on Patreon
2023-04-07 17:10:49 -04:00
Joey Hess
371d4f8183
decode_c converted to ByteString
This speeds up a few things, notably CmdLine.Seek using Git.Filename
which uses decode_c and this avoids a conversion to String and back,
and probably the ByteString implementation of decode_c is also faster
for simple cases at least than the string version.

encode_c cannot be converted to ByteString (or if it did, it would have
to convert right back to String in order to handle unicode).

Sponsored-by: Brock Spratlen on Patreon
2023-04-07 14:44:19 -04:00
Joey Hess
f0b1034f8f
add news item for git-annex 10.20230407 2023-04-07 13:37:18 -04:00
Joey Hess
9c242af171
releasing package git-annex version 10.20230407 2023-04-07 13:37:03 -04:00
Joey Hess
218cb6ab56
expand 2023-04-07 13:13:16 -04:00
Joey Hess
e6a4782b0c
response 2023-04-07 13:00:56 -04:00
Joey Hess
b4e5f2b8a4
response 2023-04-07 12:52:43 -04:00
Joey Hess
868eb44562
Merge branch 'master' of ssh://git-annex.branchable.com 2023-04-07 12:42:09 -04:00
jwodder
b8afb79ada 2023-04-07 15:19:04 +00:00
mih
c83a783f45 Added a comment: Status of the import/export protocol implementation 2023-04-07 09:17:22 +00:00
Joey Hess
c417336fbb
todo 2023-04-05 19:37:21 -04:00
Joey Hess
98a3ba0ea5
restore old registerurl location tracking behavior
registerurl: When an url is claimed by a special remote other than the web,
update location tracking for that special remote.

registerurl's behavior was changed in commit
451171b7c1, apparently accidentially to not
update location tracking except for the web.

This makes registerurl followed by unregisterurl not be a no-op, when the
url happens to be claimed by a remote other than the web. It is a noop when
the url is unclaimed except by the web. I don't like the inconsistency,
and wish that registerurl and unregisterurl never updated location
tracking, which would be more in keeping with them being plumbing.

But there is the fact that it used to behave this way, and also it was
inconsistent that it updated location tracking for the web but not for
other remotes, unlike addurl. And there's an argument that the user might
not know what remote to expect to claim an url, so would be considerably in
the dark when using registerurl. (Although they have to know what content
gets downloaded, since they specify a key..)

Sponsored-By: the NIH-funded NICEMAN (ReproNim TR&D3) project
2023-04-05 17:06:44 -04:00
Joey Hess
26a094ac1a
hm 2023-04-05 16:36:18 -04:00
Joey Hess
eecd02fd3d
Merge branch 'master' of ssh://git-annex.branchable.com 2023-04-05 15:56:31 -04:00
Joey Hess
2b940f7725
registerurl, unregisterurl: Added --remote option
This serves two purposes. --remote=web bypasses other special remotes that
claim the url, same as addurl --raw. And, specifying some other remote
allows making sure that an url is claimed by the remote you expect,
which makes then using setpresentkey not be fragile.

Sponsored-By: the NIH-funded NICEMAN (ReproNim TR&D3) project
2023-04-05 15:54:41 -04:00
yarikoptic
1751ddd759 Added a comment 2023-04-05 19:36:41 +00:00
Joey Hess
c39d72ac78
comments 2023-04-05 15:00:39 -04:00
Joey Hess
06c584a267
Merge branch 'master' of ssh://git-annex.branchable.com 2023-04-05 11:04:55 -04:00
Joey Hess
1780b657bc
update 2023-04-05 11:04:35 -04:00
jkniiv
247430a272 Added a comment 2023-04-05 09:42:12 +00:00
yarikoptic
e4c93a233e Added a comment 2023-04-05 01:03:38 +00:00
yarikoptic
25bdb45b72 Added a comment 2023-04-05 00:30:00 +00:00
yarikoptic
352a274f53 Added a comment 2023-04-04 20:15:59 +00:00
Joey Hess
ac0345aa42
improve comments 2023-04-04 15:23:39 -04:00
Joey Hess
d0e94b4302
fixed 2023-04-04 15:19:25 -04:00
Joey Hess
e3f5bd4ca6
Revert "override rather than setting user.name and user.email"
This reverts commit 66eb63dd82.

git-annex init is the only thing that uses ensureCommit. So overriding
there will make later commits to the git-annex branch or by git-annex sync
fail.

It's ugly that git-annex init sets user.name and user.email, but it only
does it on systems that are badly configured.
2023-04-04 15:15:02 -04:00
Joey Hess
e91bf784cd
Support user.useConfigOnly git config
When it's set and git cannot determine user.name or user.email, this will
result in git-annex init failing when committing to create the git-annex
branch. Other git-annex commands that commit can also fail.

Sponsored-by: Jack Hill on Patreon
2023-04-04 15:12:52 -04:00
Joey Hess
66eb63dd82
override rather than setting user.name and user.email
Avoid setting user.name and user.email in the git config when git is unable
to detect them.

git-annex has good reason to want to ensure git commit succeeds when eg
committing to the git-annex branch. But it's not playing nice to set these
values where other commands can see them.

Sponsored-by: Brett Eisenberg on Patreon
2023-04-04 14:56:44 -04:00
Joey Hess
68a0491f83
comment 2023-04-04 14:43:33 -04:00
Joey Hess
4e64af0010
comment 2023-04-04 14:31:25 -04:00
Joey Hess
31ffb0f216
probably fixed but I didn't actually reproduce it 2023-04-04 14:25:55 -04:00
Joey Hess
3eb51ee929
readFileStrict to avoid laziness bug
Fix laziness bug introduced in last release that breaks use of
--unlock-present and --hide-missing adjusted branches.

Since there is a writeFile of the same file immediately after readFile, it
may still have the file open for read (or may have happened to read it
already and closed it).

I was not able to reproduce the problem in brief testing, but this seems
obvious.

Sponsored-by: Luke Shumaker on Patreona
2023-04-04 14:25:01 -04:00
Joey Hess
e37b968383
comment 2023-04-04 14:09:02 -04:00
Joey Hess
bac1a990a6
comments 2023-04-04 13:52:23 -04:00
Joey Hess
c3eaecb244
comment 2023-04-04 13:34:32 -04:00