github jelmer/dulwich dulwich-1.2.11

4 hours ago

Security and hardening

  • Apply core.protectHFS and core.protectNTFS together when selecting the checkout path-element validator. Previously only the NTFS validator ran when protectNTFS was on (the default), so on macOS an HFS+ spelling of .git using ignorable code points could pass validation and poison .git on checkout.
  • Canonicalize file modes in git archive tarballs, so a crafted tree entry can no longer carry setuid/setgid/sticky bits into an extracted file.
  • Collapse embedded whitespace in reflog messages, so a crafted multi-line commit message can no longer forge additional reflog entries with attacker-chosen SHAs.
  • Verify that a .bitmap index matches the pack it is loaded for, so a stale or swapped-in bitmap can't produce a wrong reachable-object set during fetch negotiation.
  • Parse commit-message trailers in linear time, fixing a cubic blowup where a crafted commit message could tie up CPU for minutes to hours.

Features and fixes

  • Honour core.worktree, so the working tree can live outside the parent of the control directory.
  • Porcelain functions now take an env argument, and read GIT_PROTOCOL, GIT_SSH_COMMAND/GIT_SSH when called as a library rather than only from the CLI (fixes a regression since 1.2.1 where porcelain.clone() silently ignored the SSH variables).
  • porcelain.archive() gained a remote argument.
  • Recurse into subtrees when merging trees, so non-overlapping changes under a shared directory merge cleanly.
  • Clear core.bare when setting up a submodule's working tree.

Security and hardening fixes in this release were contributed by Kartik Kenchi (@netliomax25-code).

Don't miss a new dulwich release

NewReleases is sending notifications on new releases.