Improve git_status_list (git status)

CMakeLists.txt

@@ -13,7 +13,7 @@
 
 CMAKE_MINIMUM_REQUIRED(VERSION 3.5.1)
 
-project(libgit2 VERSION "1.3.0" LANGUAGES C)
+project(libgit2 VERSION "1.3.1" LANGUAGES C)
 
 # Add find modules to the path
 set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${libgit2_SOURCE_DIR}/cmake/")

README.md

@@ -4,8 +4,8 @@ libgit2 - the Git linkable library
 | Build Status | |
 | ------------ | - |
 | **main** branch CI builds | [![CI Build](https://github.com/libgit2/libgit2/workflows/CI%20Build/badge.svg?event=push)](https://github.com/libgit2/libgit2/actions?query=workflow%3A%22CI+Build%22+event%3Apush) |
+| **v1.3 branch** CI builds | [![CI Build](https://github.com/libgit2/libgit2/workflows/CI%20Build/badge.svg?branch=maint%2Fv1.2&event=push)](https://github.com/libgit2/libgit2/actions?query=workflow%3A%22CI+Build%22+event%3Apush+branch%3Amaint%2Fv1.2) |
 | **v1.2 branch** CI builds | [![CI Build](https://github.com/libgit2/libgit2/workflows/CI%20Build/badge.svg?branch=maint%2Fv1.2&event=push)](https://github.com/libgit2/libgit2/actions?query=workflow%3A%22CI+Build%22+event%3Apush+branch%3Amaint%2Fv1.2) |
-| **v1.1 branch** CI builds | [![CI Build](https://github.com/libgit2/libgit2/workflows/CI%20Build/badge.svg?branch=maint%2Fv1.1&event=push)](https://github.com/libgit2/libgit2/actions?query=workflow%3A%22CI+Build%22+event%3Apush+branch%3Amaint%2Fv1.1) |
 | **Nightly** builds | [![Nightly Build](https://github.com/libgit2/libgit2/workflows/Nightly%20Build/badge.svg)](https://github.com/libgit2/libgit2/actions?query=workflow%3A%22Nightly+Build%22) [![Coverity Scan Status](https://scan.coverity.com/projects/639/badge.svg)](https://scan.coverity.com/projects/639) |
 
 `libgit2` is a portable, pure C implementation of the Git core methods

docs/changelog.md

@@ -1,3 +1,18 @@
+v1.3.1
+------
+
+🔒 This is a security release to provide compatibility with git's changes to address [CVE 2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/).
+
+**libgit2 is not directly affected** by this vulnerability, because libgit2 does not directly invoke any executable. But we are providing these changes as a security release for any users that use libgit2 for repository discovery and then _also_ use git on that repository. In this release, we will now validate that the user opening the repository is the same user that owns the on-disk repository. This is to match git's behavior.
+
+In addition, we are providing several correctness fixes where invalid input can lead to a crash. These may prevent possible denial of service attacks. At this time there are not known exploits to these issues.
+
+Full list of changes:
+
+* Validate repository directory ownership (v1.3) by @ethomson in https://github.com/libgit2/libgit2/pull/6268
+
+All users of the v1.3 release line are recommended to upgrade.
+
 v1.3
 ----
 

include/git2/checkout.h

@@ -182,7 +182,7 @@ typedef enum {
 	 * notifications; don't update the working directory or index.
 	 */
 	GIT_CHECKOUT_DRY_RUN = (1u << 24),
-	
+
 	/**
 	 * THE FOLLOWING OPTIONS ARE NOT YET IMPLEMENTED
 	 */
@@ -339,6 +339,7 @@ typedef struct git_checkout_options {
 
 	/** Payload passed to perfdata_cb */
 	void *perfdata_payload;
+	git_strarray disabled_filters;
 } git_checkout_options;
 
 #define GIT_CHECKOUT_OPTIONS_VERSION 1

include/git2/common.h

@@ -211,7 +211,9 @@ typedef enum {
 	GIT_OPT_SET_ODB_PACKED_PRIORITY,
 	GIT_OPT_SET_ODB_LOOSE_PRIORITY,
 	GIT_OPT_GET_EXTENSIONS,
-	GIT_OPT_SET_EXTENSIONS
+	GIT_OPT_SET_EXTENSIONS,
+	GIT_OPT_GET_OWNER_VALIDATION,
+	GIT_OPT_SET_OWNER_VALIDATION
 } git_libgit2_opt_t;
 
 /**
@@ -449,6 +451,14 @@ typedef enum {
  *      > to support repositories with the `noop` extension but does want
  *      > to support repositories with the `newext` extension.
  *
+ *   opts(GIT_OPT_GET_OWNER_VALIDATION, int *enabled)
+ *      > Gets the owner validation setting for repository
+ *      > directories.
+ *
+ *   opts(GIT_OPT_SET_OWNER_VALIDATION, int enabled)
+ *      > Set that repository directories should be owned by the current
+ *      > user. The default is to validate ownership.
+ *
  * @param option Option key
  * @param ... value to set the option
  * @return 0 on success, <0 on failure

include/git2/errors.h

@@ -58,6 +58,7 @@ typedef enum {
 	GIT_EMISMATCH       = -33,	/**< Hashsum mismatch in object */
 	GIT_EINDEXDIRTY     = -34,	/**< Unsaved changes in the index would be overwritten */
 	GIT_EAPPLYFAIL      = -35,	/**< Patch application failed */
+	GIT_EOWNER          = -36	/**< The object is not owned by the current user */
 } git_error_code;
 
 /**

include/git2/sys/custom_tls.h

@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) the libgit2 contributors. All rights reserved.
+ *
+ * This file is part of libgit2, distributed under the GNU GPL v2 with
+ * a Linking Exception. For full terms see the included COPYING file.
+ */
+#ifndef INCLUDE_sys_custom_tls_h__
+#define INCLUDE_sys_custom_tls_h__
+
+#include "git2/common.h"
+
+GIT_BEGIN_DECL
+
+/**
+ * Used to retrieve a pointer from a user of the library to pass to a newly
+ * created internal libgit2 thread. This should allow users of the library to
+ * establish a context that spans an internally threaded operation. This can
+ * useful for libraries that leverage callbacks used in an internally threaded
+ * routine.
+ */
+typedef void *GIT_CALLBACK(git_retrieve_tls_for_internal_thread_cb)(void);
+
+/**
+ * This callback will be called when a thread is exiting so that a user
+ * of the library can clean up their thread local storage.
+ */
+typedef void GIT_CALLBACK(git_set_tls_on_internal_thread_cb)(void *payload);
+
+/**
+ * This callback will be called when a thread is exiting so that a user
+ * of the library can clean up their thread local storage.
+ */
+typedef void GIT_CALLBACK(git_teardown_tls_on_internal_thread_cb)(void);
+
+/**
+ * Sets the callbacks for custom thread local storage used by internally
+ * created libgit2 threads. This allows users of the library an opportunity
+ * to set thread local storage for internal threads based on the creating
+ * thread.
+ *
+ * @param  retrieve_storage_for_internal_thread Used to retrieve a pointer on
+ *                                              a thread before spawning child
+ *                                              threads. This pointer will be
+ *                                              passed to set_storage_on_thread
+ *                                              in the newly spawned threads.
+ * @param  set_storage_on_thread When a thread is spawned internally in libgit2,
+ *                               whatever pointer was retrieved in the calling
+ *                               thread by retrieve_storage_for_internal_thread
+ *                               will be passed to this callback in the newly
+ *                               spawned thread.
+ * @param  teardown_storage_on_thread Before an internally spawned thread exits,
+ *                                    this method will be called allowing a user
+ *                                    of the library an opportunity to clean up
+ *                                    any thread local storage they set up on
+ *                                    the internal thread.
+ * @return 0 on success, or an error code. (use git_error_last for information
+ *         about the error)
+ */
+GIT_EXTERN(int) git_custom_tls_set_callbacks(
+	git_retrieve_tls_for_internal_thread_cb retrieve_storage_for_internal_thread,
+	git_set_tls_on_internal_thread_cb set_storage_on_thread,
+	git_teardown_tls_on_internal_thread_cb teardown_storage_on_thread);
+
+GIT_END_DECL
+
+#endif

include/git2/version.h

@@ -7,10 +7,10 @@
 #ifndef INCLUDE_git_version_h__
 #define INCLUDE_git_version_h__
 
-#define LIBGIT2_VERSION "1.3.0"
+#define LIBGIT2_VERSION "1.3.1"
 #define LIBGIT2_VER_MAJOR 1
 #define LIBGIT2_VER_MINOR 3
-#define LIBGIT2_VER_REVISION 0
+#define LIBGIT2_VER_REVISION 1
 #define LIBGIT2_VER_PATCH 0
 
 #define LIBGIT2_SOVERSION "1.3"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "libgit2",
-  "version": "1.3.0",
+  "version": "1.3.1",
   "repo": "https://github.com/libgit2/libgit2",
   "description": " A cross-platform, linkable library implementation of Git that you can use in your application.",
   "install": "mkdir build && cd build && cmake .. && cmake --build ."