From 4f2ce038374e43e25df7a0cc79dd205cf9541814 Mon Sep 17 00:00:00 2001
From: DongHun Kwak
Date: Wed, 3 Mar 2021 15:14:59 +0900
Subject: [PATCH] Imported Upstream version 2.3.7
---
Documentation/RelNotes/2.3.7.txt | 21 +++++++++++++++++++++
Documentation/git.txt | 3 ++-
GIT-VERSION-GEN | 2 +-
RelNotes | 2 +-
connect.c | 2 ++
contrib/completion/git-completion.bash | 2 +-
send-pack.c | 23 +++++++++++++++++++++++
t/t5500-fetch-pack.sh | 17 ++++++++++-------
t/t5601-clone.sh | 21 ++++++++++++---------
9 files changed, 73 insertions(+), 20 deletions(-)
create mode 100644 Documentation/RelNotes/2.3.7.txt
diff --git a/Documentation/RelNotes/2.3.7.txt b/Documentation/RelNotes/2.3.7.txt
new file mode 100644
index 0000000..fc95812
--- /dev/null
+++ b/Documentation/RelNotes/2.3.7.txt
@@ -0,0 +1,21 @@
+Git v2.3.7 Release Notes
+========================
+
+Fixes since v2.3.6
+------------------
+
+ * An earlier update to the parser that disects a URL broke an
+ address, followed by a colon, followed by an empty string (instead
+ of the port number), e.g. ssh://example.com:/path/to/repo.
+
+ * The completion script (in contrib/) contaminated global namespace
+ and clobbered on a shell variable $x.
+
+ * The "git push --signed" protocol extension did not limit what the
+ "nonce" that is a server-chosen string can contain or how long it
+ can be, which was unnecessarily lax. Limit both the length and the
+ alphabet to a reasonably small space that can still have enough
+ entropy.
+
+Also contains typofixes, documentation updates and trivial code
+clean-ups.
diff --git a/Documentation/git.txt b/Documentation/git.txt
index 085bc34..8704ffd 100644
--- a/Documentation/git.txt
+++ b/Documentation/git.txt
@@ -43,9 +43,10 @@ unreleased) version of Git, that is available from the 'master' branch of the `git.git` repository. Documentation for older releases are available here: -* link:v2.3.6/git.html[documentation for release 2.3.6] +* link:v2.3.7/git.html[documentation for release 2.3.7] * release notes for + link:RelNotes/2.3.7.txt[2.3.7], link:RelNotes/2.3.6.txt[2.3.6], link:RelNotes/2.3.5.txt[2.3.5], link:RelNotes/2.3.4.txt[2.3.4], diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 3baaa9d..0c1ee67 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.3.6 +DEF_VER=v2.3.7 LF=' ' diff --git a/RelNotes b/RelNotes index d92e7b8..8f376a9 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.3.6.txt \ No newline at end of file +Documentation/RelNotes/2.3.7.txt \ No newline at end of file diff --git a/connect.c b/connect.c index ce0e121..14c924b 100644 --- a/connect.c +++ b/connect.c @@ -310,6 +310,8 @@ static void get_host_and_port(char **host, const char **port) if (end != colon + 1 && *end == '\0' && 0 <= portnr && portnr < 65536) { *colon = 0; *port = colon + 1; + } else if (!colon[1]) { + *colon = 0; } } } diff --git a/contrib/completion/git-completion.bash b/contrib/completion/git-completion.bash index 661a829..1620546 100644 --- a/contrib/completion/git-completion.bash +++ b/contrib/completion/git-completion.bash @@ -186,7 +186,7 @@ fi __gitcompappend () { - local i=${#COMPREPLY[@]} + local x i=${#COMPREPLY[@]} for x in $1; do if [[ "$x" == "$3"* ]]; then COMPREPLY[i++]="$2$x$4" diff --git a/send-pack.c b/send-pack.c index 25947d7..677bac3 100644 --- a/send-pack.c +++ b/send-pack.c 
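Review bot: The new `else if (!colon[1])` branch in get_host_and_port() has no comment explaining why a bare trailing colon is stripped while any other unparseable port text stays attached to the host. A line such as `/* "host:" with an empty port: drop the colon and keep the default port */` above `*colon = 0;` would record the intent, and it should say that `*port` is deliberately left untouched on this path. The function starts before and ends after the hunk, so how `colon` is located and where the host string goes next are not visible here.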
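Review bot: The added `local x` in __gitcompappend stops the loop variable leaking, but nothing in the change records why that matters or guards against it coming back. Per the release notes the script contaminated the global namespace and clobbered `$x`, so a comment on the declaration such as `# keep x and i local: this file is sourced into the caller's shell` would make the constraint explicit. The diffstat lists no completion test touched by this commit, so a regression test that sets `x`, runs a completion and checks the value afterwards looks worth adding. The function body continues past the hunk.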
@@ -281,6 +281,28 @@ free_return: return update_seen; } +#define NONCE_LEN_LIMIT 256 + +static void reject_invalid_nonce(const char *nonce, int len) +{ + int i = 0; + + if (NONCE_LEN_LIMIT <= len) + die("the receiving end asked to sign an invalid nonce <%.*s>", + len, nonce); + + for (i = 0; i < len; i++) { + int ch = nonce[i] & 0xFF; + if (isalnum(ch) || + ch == '-' || ch == '.' || + ch == '/' || ch == '+' || + ch == '=' || ch == '_') + continue; + die("the receiving end asked to sign an invalid nonce <%.*s>", + len, nonce); + } +} + int send_pack(struct send_pack_args *args, int fd[], struct child_process *conn, struct ref *remote_refs, @@ -323,6 +345,7 @@ int send_pack(struct send_pack_args *args, push_cert_nonce = server_feature_value("push-cert", &len); if (!push_cert_nonce) die(_("the receiving end does not support --signed push")); + reject_invalid_nonce(push_cert_nonce, len); push_cert_nonce = xmemdupz(push_cert_nonce, len); } diff --git a/t/t5500-fetch-pack.sh b/t/t5500-fetch-pack.sh index bd37f04..ed40407 100755 --- a/t/t5500-fetch-pack.sh +++ b/t/t5500-fetch-pack.sh @@ -576,13 +576,16 @@ do do for h in host user@host user@[::1] user@::1 do - test_expect_success "fetch-pack --diag-url $p://$h/$r" ' - check_prot_host_port_path $p://$h/$r $p "$h" NONE "/$r" - ' - # "/~" -> "~" conversion - test_expect_success "fetch-pack --diag-url $p://$h/~$r" ' - check_prot_host_port_path $p://$h/~$r $p "$h" NONE "~$r" - ' + for c in "" : + do + test_expect_success "fetch-pack --diag-url $p://$h$c/$r" ' + check_prot_host_port_path $p://$h/$r $p "$h" NONE "/$r" + ' + # "/~" -> "~" conversion + test_expect_success "fetch-pack --diag-url $p://$h$c/~$r" ' + check_prot_host_port_path $p://$h/~$r $p "$h" NONE "~$r" + ' + done done for h in host User@host User@[::1] do diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh index 02b40b1..1befc45 100755 --- a/t/t5601-clone.sh +++ b/t/t5601-clone.sh 
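Review bot: Both `die()` calls in reject_invalid_nonce() print the nonce they have just rejected, via `<%.*s>` with the server-supplied `len`, so bytes outside the allowed alphabet or an over-long string from the remote end are written to the user's terminal. Whether die() filters control characters is not visible in this hunk; unless it does, report only the size, e.g. `die("the receiving end asked to sign an invalid nonce (%d bytes)", len);`. The same message is duplicated in two places and is not wrapped in `_()` like the neighbouring `die(_("the receiving end does not support --signed push"))` in send_pack(). Note also that `NONCE_LEN_LIMIT <= len` rejects a nonce of exactly 256 bytes, so the effective maximum is 255; a comment on the `#define` should say which is meant.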
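Review bot: The two new test bodies still pass `$p://$h/$r` and `$p://$h/~$r` to check_prot_host_port_path, without `$c`, so both iterations of `for c in "" :` run the identical check and the trailing-colon URL is never parsed here. Only the test titles contain `$c`. The calls should read `check_prot_host_port_path $p://$h$c/$r $p "$h" NONE "/$r"` and `check_prot_host_port_path $p://$h$c/~$r $p "$h" NONE "~$r"`. check_prot_host_port_path is defined outside this hunk, so whether it needs adjusting for the colon form cannot be judged from here.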
@@ -387,14 +387,17 @@ do done #with ssh:// scheme -test_expect_success 'clone ssh://host.xz/home/user/repo' ' - test_clone_url "ssh://host.xz/home/user/repo" host.xz "/home/user/repo" -' - -# from home directory -test_expect_success 'clone ssh://host.xz/~repo' ' - test_clone_url "ssh://host.xz/~repo" host.xz "~repo" +#ignore trailing colon +for tcol in "" : +do + test_expect_success "clone ssh://host.xz$tcol/home/user/repo" ' + test_clone_url "ssh://host.xz$tcol/home/user/repo" host.xz /home/user/repo + ' + # from home directory + test_expect_success "clone ssh://host.xz$tcol/~repo" ' + test_clone_url "ssh://host.xz$tcol/~repo" host.xz "~repo" ' +done # with port number test_expect_success 'clone ssh://host.xz:22/home/user/repo' ' @@ -407,9 +410,9 @@ test_expect_success 'clone ssh://host.xz:22/~repo' ' ' #IPv6 -for tuah in ::1 [::1] user@::1 user@[::1] [user@::1] +for tuah in ::1 [::1] [::1]: user@::1 user@[::1] user@[::1]: [user@::1] [user@::1]: do - ehost=$(echo $tuah | tr -d "[]") + ehost=$(echo $tuah | sed -e "s/1]:/1]/ "| tr -d "[]") test_expect_success "clone ssh://$tuah/home/user/repo" " test_clone_url ssh://$tuah/home/user/repo $ehost /home/user/repo " -- 2.7.4
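Review bot: The expected-host derivation `sed -e "s/1]:/1]/ "` in the IPv6 loop is tied to the literal `1` that ends `::1`, so any other bracketed address added to the `for tuah in …` list would keep its trailing colon in `$ehost`. Anchoring on the bracket instead is more robust: `ehost=$(echo "$tuah" | sed -e 's/]:$/]/' | tr -d "[]")`. Quoting `$tuah` also keeps values such as `[::1]` from being treated as a glob pattern by the shell. The stray space inside the sed script may be an artifact of how this page was rendered.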