The unfortunate commit d95138e (setup: set env $GIT_WORK_TREE when
work tree is set, like $GIT_DIR - 2015-06-26) exposes another problem,
besides git-clone that's described in the previous commit. If
GIT_WORK_TREE (or even GIT_DIR) is exported to an alias script, it may
mislead git commands in the script where the repo is. Granted, most
scripts work on the repo where the alias is summoned from. But nowhere
do we forbid the script to visit another repository.
The revert of d95138e in the previous commit is sufficient as a
fix. However, to protect us from accidentally leaking GIT_*
environment variables again, we restore certain sensitive env before
calling the external script.
GIT_PREFIX is let through because there's another setup side effect
that we simply accepted so far: current working directory is
moved. Maybe in future we can introduce a new alias format that
guarantees no cwd move, then we can unexport GIT_PREFIX.
Reported-by: Gabriel Ganne <gabriel.ga...@gmail.com>
Signed-off-by: Nguyễn Thái Ngọc Duy <pclo...@gmail.com>
---
Let's hope there will be no third report about this commit..
git.c | 10 +++++++---
t/t0001-init.sh | 27 +++++++++++++++++++++++++++
2 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/git.c b/git.c
index e2f187d..83b6c56 100644
--- a/git.c
+++ b/git.c
@@ -41,13 +41,16 @@ static void save_env_before_alias(void)
}
}
-static void restore_env(void)
+static void restore_env(int external_alias)
{
int i;
- if (orig_cwd && chdir(orig_cwd))
+ if (!external_alias && orig_cwd && chdir(orig_cwd))
die_errno("could not move to %s", orig_cwd);
free(orig_cwd);
for (i = 0; i < ARRAY_SIZE(env_names); i++) {
+ if (external_alias &&
+ !strcmp(env_names[i], GIT_PREFIX_ENVIRONMENT))
+ continue;
if (orig_env[i])
setenv(env_names[i], orig_env[i], 1);
else
@@ -244,6 +247,7 @@ static int handle_alias(int *argcp, const char ***argv)
int argc = *argcp, i;
commit_pager_choice();
+ restore_env(1);
/* build alias_argv */
alias_argv = xmalloc(sizeof(*alias_argv) * (argc + 1));
@@ -531,7 +535,7 @@ static void handle_builtin(int argc, const char **argv)
builtin = get_builtin(cmd);
if (builtin) {
if (saved_env_before_alias)
- restore_env();
+ restore_env(0);
else
exit(run_builtin(builtin, argc, argv));
}
diff --git a/t/t0001-init.sh b/t/t0001-init.sh
index f91bbcf..19539fc 100755
--- a/t/t0001-init.sh
+++ b/t/t0001-init.sh
@@ -87,6 +87,33 @@ test_expect_success 'plain nested in bare through aliased
command' '
check_config bare-ancestor-aliased.git/plain-nested/.git false unset
'
+test_expect_success 'No extra GIT_* on alias scripts' '
+ cat <<-\EOF >expected &&
+ GIT_ATTR_NOSYSTEM
+ GIT_AUTHOR_EMAIL
+ GIT_AUTHOR_NAME
+ GIT_COMMITTER_EMAIL
+ GIT_COMMITTER_NAME
+ GIT_CONFIG_NOSYSTEM
+ GIT_EXEC_PATH
+ GIT_MERGE_AUTOEDIT
+ GIT_MERGE_VERBOSITY
+ GIT_PREFIX
+ GIT_TEMPLATE_DIR
+ GIT_TEXTDOMAINDIR
+ GIT_TRACE_BARE
+ EOF
+ cat <<-\EOF >script &&
+ #!/bin/sh
+ env | grep GIT_ | sed "s/=.*//" | sort >actual
+ exit 0
+ EOF
+ chmod 755 script &&
+ git config alias.script \!./script &&
+ ( mkdir sub && cd sub && git script ) &&
+ test_cmp expected actual
+'
+
test_expect_success 'plain with GIT_WORK_TREE' '
mkdir plain-wt &&
test_must_fail env GIT_WORK_TREE="$(pwd)/plain-wt" git init plain-wt
--
2.2.0.513.g477eb31
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
