From 51d656586bcd1d72af5288ea78f8e6bffd2c8809 Mon Sep 17 00:00:00 2001 From: Jonathan Nieder Date: Sun, 7 Oct 2018 21:59:35 +0000 Subject: [PATCH] SubmoduleAddCommand: Remove double-check of submodule name Since v4.7.5.201810051826-r~3 (SubmoduleAddCommand: Reject submodule URIs that look like cli options, 2018-09-24), SubmoduleAddCommand checks submodule names for ".." path components in assertValidSubmoduleName. This additional check for the same is redundant. Change-Id: I993326a370978880b690dc133a81fa3025935bcb Signed-off-by: Jonathan Nieder --- .../org/eclipse/jgit/api/SubmoduleAddCommand.java | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/api/SubmoduleAddCommand.java b/org.eclipse.jgit/src/org/eclipse/jgit/api/SubmoduleAddCommand.java index 244a15686..f92455a96 100644 --- a/org.eclipse.jgit/src/org/eclipse/jgit/api/SubmoduleAddCommand.java +++ b/org.eclipse.jgit/src/org/eclipse/jgit/api/SubmoduleAddCommand.java @@ -179,21 +179,6 @@ public class SubmoduleAddCommand extends // Use the path as the default. name = path; } - if (name.contains("/../") || name.contains("\\..\\") //$NON-NLS-1$ //$NON-NLS-2$ - || name.startsWith("../") || name.startsWith("..\\") //$NON-NLS-1$ //$NON-NLS-2$ - || name.endsWith("/..") || name.endsWith("\\..")) { //$NON-NLS-1$ //$NON-NLS-2$ - // Submodule names are used to store the submodule repositories - // under $GIT_DIR/modules. Having ".." in submodule names makes a - // vulnerability (CVE-2018-11235 - // https://bugs.eclipse.org/bugs/show_bug.cgi?id=535027#c0) - // Reject the names with them. The callers need to make sure the - // names free from these. We don't automatically replace these - // characters or canonicalize by regarding the name as a file path. - // Since Path class is platform dependent, we manually check '/' and - // '\\' patterns here. - throw new IllegalArgumentException(MessageFormat - .format(JGitText.get().invalidNameContainsDotDot, name)); - } try { SubmoduleValidator.assertValidSubmoduleName(name);