diff options
| author | Taylor Blau <me@ttaylorr.com> | 2024-09-26 11:22:32 -0400 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2024-09-27 11:27:46 -0700 |
| commit | d1b44bb76442431eca44279da32deed249dcf213 (patch) | |
| tree | f426f80ac8bc458190a48f0d4e4721fb290dbb4a /builtin/commit.c | |
| parent | 2e7b89e038c0c888acf61f1b4ee5a43d4dd5e94c (diff) | |
finalize_object_file(): check for name collision before renaming
We prefer link()/unlink() to rename() for object files, with the idea
that we should prefer the data that is already on disk to what is
incoming. But we may fall back to rename() if the user has configured us
to do so, or if the filesystem seems not to support cross-directory
links. This loses the "prefer what is on disk" property.
We can mitigate this somewhat by trying to stat() the destination
filename before doing the rename. This is racy, since the object could
be created between the stat() and rename() calls. But in practice it is
expanding the definition of "what is already on disk" to be the point
that the function is called. That is enough to deal with any potential
attacks where an attacker is trying to collide hashes with what's
already in the repository.
Co-authored-by: Jeff King <peff@peff.net>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Taylor Blau <me@ttaylorr.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'builtin/commit.c')
0 files changed, 0 insertions, 0 deletions