Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.

base: a7d1716fa648f6557ea9c91e0f04bae2e8738e6a

...

compare: a437f5bc93330a70b42a230e52f3bd036ca1b1da

16 commits
20 files changed
3 contributors

Commits on May 23, 2025

git-gui: remove Tcl 8.4 workaround on 2>@1 redirection

Since b792230 ("git-gui: Show a progress meter for checking out files",
2007-07-08), git-gui includes a workaround for Tcl that does not support
using 2>@1 to redirect stderr to stdout. Tcl added such support in
8.4.7, released in 2004, and this is fully supported in all 8.5
releases.

As git-gui has a hard-coded requirement for Tcl >= 8.5, the workaround
is no longer needed. Delete it.

Signed-off-by: Mark Levedahl <[email protected]>
Signed-off-by: Johannes Sixt <[email protected]>

Signed-off-by: Taylor Blau <[email protected]>

mark987 authored and ttaylorr committed May 23, 2025

git-gui: remove HEAD detachment implementation for git < 1.5.3

git-gui provides an implementation to detach HEAD on Git versions prior
to 1.5.3.  Nobody should be using such an old version anymore.
(Moreover, since 0730a5a, git-gui requires git v2.36 or later).
Keep only the code for modern Git.

Signed-off-by: Mark Levedahl <[email protected]>
[j6t: message tweaked]
Signed-off-by: Johannes Sixt <[email protected]>

Signed-off-by: Taylor Blau <[email protected]>

mark987 authored and ttaylorr committed May 23, 2025

git-gui: remove git config --list handling for git < 1.5.3

git-gui uses `git config --null --list` to parse configuration. Git
versions prior to 1.5.3 do not have --null and need different treatment.
Nobody should be using such an old version anymore. (Moreover, since
0730a5a, git-gui requires git v2.36 or later). Keep only the code for
modern Git.

Signed-off-by: Johannes Sixt <[email protected]>

Signed-off-by: Taylor Blau <[email protected]>

j6t authored and ttaylorr committed May 23, 2025

git-gui: treat file names beginning with "|" as relative paths

The Tcl 'open' function has a very wide interface. It can open files as
well as pipes to external processes. The difference is made only by the
first character of the file name: if it is "|", a process is spawned.

We have a number of calls of Tcl 'open' that take a file name from the
environment in which Git GUI is running. Be prepared that insane values
are injected. In particular, when we intend to open a file, do not take
a file name that happens to begin with "|" as a request to run a process.

Signed-off-by: Johannes Sixt <[email protected]>

Signed-off-by: Taylor Blau <[email protected]>

j6t authored and ttaylorr committed May 23, 2025

git-gui: sanitize 'exec' arguments: simple cases

Tcl 'exec' assigns special meaning to its argument when they begin with
redirection, pipe or background operator. There are a number of
invocations of 'exec' which construct arguments that are taken from the
Git repository or a user input. However, when file names or ref names
are taken from the repository, it is possible to find names that have
these special forms. They must not be interpreted by 'exec' lest it
redirects input or output, or attempts to build a pipeline using a
command name controlled by the repository.

Introduce a helper function that identifies such arguments and prepends
"./" to force such a name to be regarded as a relative file name.

Convert those 'exec' calls where the arguments can simply be packed
into a list.

Note that most commands containing the word 'exec' route through
console::exec or console::chain, which we will treat in another commit.

Signed-off-by: Johannes Sixt <[email protected]>

Signed-off-by: Taylor Blau <[email protected]>

j6t authored and ttaylorr committed May 23, 2025

git-gui: sanitize 'exec' arguments: background

As in the previous commits, introduce a function that sanitizes
arguments intended for the process, but runs the process in the
background. Convert 'exec' calls to use this new function.

Signed-off-by: Johannes Sixt <[email protected]>
Signed-off-by: Taylor Blau <[email protected]>

j6t authored and ttaylorr committed May 23, 2025

git-gui: remove option --stderr from git_read

Some callers of git_read want to redirect stderr of the invoked command
to stdout.  The function offers option --stderr for this purpose.
However, the option only appends 2>@1 to the commands.  The callers can
do that themselves. In lib/console.tcl we even have a caller that
already knew implictly what --stderr does behind the scenes.

This is a preparation for a later change where we want to make git_read
non-variadic. Then it cannot have optional leading arguments.

Signed-off-by: Johannes Sixt <[email protected]>
Signed-off-by: Taylor Blau <[email protected]>

j6t authored and ttaylorr committed May 23, 2025

git-gui: break out a separate function git_read_nice

There are two callers of git_read that request special treatment using
option --nice. Rewrite them to call a new function git_read_nice that
does the special treatment. Now we can remove all option treatment from
git_read.

git_write has the same capability, but there are no callers that
request --nice. Remove the feature without substitution.

This is a preparation for a later change where we want to make git_read
and friends non-variadic. Then it cannot have optional arguments.

Signed-off-by: Johannes Sixt <[email protected]>

Signed-off-by: Taylor Blau <[email protected]>

j6t authored and ttaylorr committed May 23, 2025

git-gui: use git_read in githook_read

0730a5a ("git-gui - use git-hook, honor core.hooksPath", 2023-09-17)
rewrote githook_read to use `git hook` to run a hook script. The code
that was replaced discovered the hook script file manually and invoked
it using function _open_stdout_stderr. After the rewrite, this function
is still invoked, but it calls into `git` instead of the hook scripts.

Notice though, that we have function git_read that invokes git and
prepares a pipe for the caller to read from. Replace the implementation
of githook_read to be just a wrapper around git_read. This unifies the
way in which the git executable is invoked. git_read ultimately also
calls into _open_stdout_stderr, but it modifies the path to the git
executable before doing so.

Signed-off-by: Johannes Sixt <[email protected]>

Signed-off-by: Taylor Blau <[email protected]>

j6t authored and ttaylorr committed May 23, 2025

git-gui: convert git_read*, git_write to be non-variadic

We are going to treat command arguments and redirections differently to
avoid passing arguments that look like redirections to the command
accidentally. To do so, it will be necessary to know which arguments
are intentional redirections. As a preparation, convert git_read,
git_read_nice, and git_write to take just a single argument that is
the command in a list. Adjust all call sites accordingly.

In the future, this argument will be the regular command arguments and
a second argument will be the redirection operations.

Signed-off-by: Johannes Sixt <[email protected]>

Signed-off-by: Taylor Blau <[email protected]>

j6t authored and ttaylorr committed May 23, 2025

git-gui: pass redirections as separate argument to _open_stdout_stderr

We are going to treat command arguments and redirections differently to
avoid passing arguments that look like redirections to the command
accidentally. To do so, it will be necessary to know which arguments
are intentional redirections. Rewrite direct callers of
_open_stdout_stderr to pass intentional redirections as a second
(optional) argument.

Passing arbitrary arguments is not safe right now, but we rename it
to safe_open_command anyway to avoid having to touch the call sites
again later when we make it actually safe.

We cannot make the function safe right away because one caller is
git_read, which does not yet know which of its arguments are
redirections. This is the topic of the next commit.

Signed-off-by: Johannes Sixt <[email protected]>

Signed-off-by: Taylor Blau <[email protected]>

j6t authored and ttaylorr committed May 23, 2025

git-gui: pass redirections as separate argument to git_read

We are going to treat command arguments and redirections differently to
avoid passing arguments that look like redirections to the command
accidentally. To do so, it will be necessary to know which arguments
are intentional redirections. Rewrite direct call sites of git_read
to pass intentional redirections as a second (optional) argument.

git_read defers to safe_open_command, but we cannot make it safe, yet,
because one of the callers of git_read is proc git, which does not yet
know which of its arguments are redirections. This is the topic of the
next commit.

Signed-off-by: Johannes Sixt <[email protected]>
Signed-off-by: Taylor Blau <[email protected]>

j6t authored and ttaylorr committed May 23, 2025

git-gui: introduce function git_redir for git calls with redirections

Proc git invokes git and collects all output, which is it returns.
We are going to treat command arguments and redirections differently to
avoid passing arguments that look like redirections to the command
accidentally. A few invocations also pass redirection operators as
command arguments deliberately. Rewrite these cases to use a new
function git_redir that takes two lists, one for the regular command
arguments and one for the redirection operations.

Signed-off-by: Johannes Sixt <[email protected]>

Signed-off-by: Taylor Blau <[email protected]>

j6t authored and ttaylorr committed May 23, 2025

git-gui: do not mistake command arguments as redirection operators

Tcl 'open' assigns special meaning to its argument when they begin with
redirection, pipe or background operator. There are many calls of the
'open' variant that runs a process which construct arguments that are
taken from the Git repository or are user input. However, when file
names or ref names are taken from the repository, it is possible to
find names that have these special forms. They must not be interpreted
by 'open' lest it redirects input or output, or attempts to build a
pipeline using a command name controlled by the repository.

Use the helper function make_arglist_safe, which identifies such
arguments and prepends "./" to force such a name to be regarded as a
relative file name.

After this change the following 'open' calls that start a process do not
apply the argument processing:

git-gui.sh:4095:         || [catch {set spell_fd [open $spell_cmd r+]} spell_err]} {
lib/spellcheck.tcl:47:                                          set pipe_fd [open [list | $s_prog -v] r]
lib/spellcheck.tcl:133:         _connect $this [open $spell_cmd r+]
lib/spellcheck.tcl:405:         set fd [open [list | aspell dump dicts] r]

In all cases, the command arguments are constant strings (or begin with
a constant string) that are of a form that would not be affected by the
processing anyway.

Signed-off-by: Johannes Sixt <[email protected]>

Signed-off-by: Taylor Blau <[email protected]>

j6t authored and ttaylorr committed May 23, 2025

Merge branch 'ml/replace-auto-execok' into js/fix-open-exec
```
Signed-off-by: Taylor Blau <[email protected]>
```
ttaylorr committed May 23, 2025
Configuration menu
View commit details

Copy full SHA for afca9a4

Browse repository at this point
Copy the full SHA

afca9a4 View commit details

Browse the repository at this point in the history
git-gui: sanitize 'exec' arguments: convert new 'cygpath' calls
```
The side branch merged in the previous commit introduces new 'exec'
calls. Convert these in the same way we did earlier for existing
'exec' calls.

Signed-off-by: Johannes Sixt <[email protected]>

Signed-off-by: Taylor Blau <[email protected]>
```
j6t authored and ttaylorr committed May 23, 2025
Configuration menu
View commit details

Copy full SHA for a437f5b

Browse repository at this point
Copy the full SHA

a437f5b View commit details

Browse the repository at this point in the history