[4/6] init: make a copy of $GIT_DIR string

Message ID	20190111221631.GD10188@sigill.intra.peff.net (mailing list archive)
State	New, archived
Headers	show Return-Path: <git-owner@kernel.org> Date: Fri, 11 Jan 2019 17:16:31 -0500 From: Jeff King <peff@peff.net> To: git@vger.kernel.org Subject: [PATCH 4/6] init: make a copy of $GIT_DIR string Message-ID: <20190111221631.GD10188@sigill.intra.peff.net> References: <20190111221414.GA31335@sigill.intra.peff.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20190111221414.GA31335@sigill.intra.peff.net> Sender: git-owner@vger.kernel.org Precedence: bulk
Series	getenv() timing fixes \| expand [0/6] getenv() timing fixes [1/6] get_super_prefix(): copy getenv() result [2/6] commit: copy saved getenv() result [3/6] config: make a copy of $GIT_CONFIG string [4/6] init: make a copy of $GIT_DIR string [5/6] merge-recursive: copy $GITHEAD strings [6/6] builtin_diff(): read $GIT_DIFF_OPTS closer to use

Message ID

20190111221631.GD10188@sigill.intra.peff.net (mailing list archive)

State

New, archived

Headers

Date: Fri, 11 Jan 2019 17:16:31 -0500
From: Jeff King <peff@peff.net>
To: git@vger.kernel.org
Subject: [PATCH 4/6] init: make a copy of $GIT_DIR string
Message-ID: <20190111221631.GD10188@sigill.intra.peff.net>
References: <20190111221414.GA31335@sigill.intra.peff.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20190111221414.GA31335@sigill.intra.peff.net>
Sender: git-owner@vger.kernel.org
Precedence: bulk

Series

getenv() timing fixes | expand

Commit Message

Jeff King Jan. 11, 2019, 10:16 p.m. UTC

We pass the result of getenv("GIT_DIR") to init_db() and assume that the
string remains valid. But that's not guaranteed across calls to setenv()
or even getenv(), although it often works in practice. Let's make a copy
of the string so that we follow the rules.

Note that we need to mark it with UNLEAK(), since the value persists
until the end of program (but we have no opportunity to free it).

This patch also handles $GIT_WORK_TREE the same way. It actually doesn't
have as long a lifetime and is probably fine, but it's simpler to just
treat the two side-by-side variables the same.

Signed-off-by: Jeff King <peff@peff.net>
---
 builtin/init-db.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Junio C Hamano Jan. 12, 2019, 3:08 a.m. UTC | #1

Jeff King <peff@peff.net> writes:

> We pass the result of getenv("GIT_DIR") to init_db() and assume that the
> string remains valid. But that's not guaranteed across calls to setenv()
> or even getenv(), although it often works in practice. Let's make a copy
> of the string so that we follow the rules.
>
> Note that we need to mark it with UNLEAK(), since the value persists
> until the end of program (but we have no opportunity to free it).

Makes sense.  Thanks.

diff --git a/builtin/init-db.c b/builtin/init-db.c
index 41faffd28d..93eff7618c 100644
--- a/builtin/init-db.c
+++ b/builtin/init-db.c
@@ -542,8 +542,8 @@  int cmd_init_db(int argc, const char **argv, const char *prefix)
 	 * GIT_WORK_TREE makes sense only in conjunction with GIT_DIR
 	 * without --bare.  Catch the error early.
 	 */
-	git_dir = getenv(GIT_DIR_ENVIRONMENT);
-	work_tree = getenv(GIT_WORK_TREE_ENVIRONMENT);
+	git_dir = xstrdup_or_null(getenv(GIT_DIR_ENVIRONMENT));
+	work_tree = xstrdup_or_null(getenv(GIT_WORK_TREE_ENVIRONMENT));
 	if ((!git_dir || is_bare_repository_cfg == 1) && work_tree)
 		die(_("%s (or --work-tree=<directory>) not allowed without "
 			  "specifying %s (or --git-dir=<directory>)"),
@@ -582,6 +582,8 @@  int cmd_init_db(int argc, const char **argv, const char *prefix)
 	}
 
 	UNLEAK(real_git_dir);
+	UNLEAK(git_dir);
+	UNLEAK(work_tree);
 
 	flags |= INIT_DB_EXIST_OK;
 	return init_db(git_dir, real_git_dir, template_dir, flags);

[4/6] init: make a copy of $GIT_DIR string

Commit Message

Comments

Patch