add-interactive: reject malformed numerical input #2044
Conversation
The list-and-choose interface accepts malformed input such as "2m3" and interprets it as "2-", silently selecting a range to the end. This is misleading and makes it easy to select unintended items. Reject such input by treating it as invalid. Signed-off-by: Seonghyeon Cho <seonghyeoncho96@gmail.com>
Welcome to GitGitGadgetHi @sh-cho, and welcome to GitGitGadget, the GitHub App to send patch series to the Git mailing list from GitHub Pull Requests. Please make sure that either:
You can CC potential reviewers by adding a footer to the PR description with the following syntax: NOTE: DO NOT copy/paste your CC list from a previous GGG PR's description, Also, it is a good idea to review the commit messages one last time, as the Git project expects them in a quite specific form:
It is in general a good idea to await the automated test ("Checks") in this Pull Request before contributing the patches, e.g. to avoid trivial issues such as unportable code. Contributing the patchesBefore you can contribute the patches, your GitHub username needs to be added to the list of permitted users. Any already-permitted user can do that, by adding a comment to your PR of the form Both the person who commented An alternative is the channel Once on the list of permitted usernames, you can contribute the patches to the Git mailing list by adding a PR comment If you want to see what email(s) would be sent for a After you submit, GitGitGadget will respond with another comment that contains the link to the cover letter mail in the Git mailing list archive. Please make sure to monitor the discussion in that thread and to address comments and suggestions (while the comments and suggestions will be mirrored into the PR by GitGitGadget, you will still want to reply via mail). If you do not want to subscribe to the Git mailing list just to be able to respond to a mail, you can download the mbox from the Git mailing list archive (click the curl -g --user "<EMailAddress>:<Password>" \
--url "imaps://imap.gmail.com/INBOX" -T /path/to/raw.txtTo iterate on your change, i.e. send a revised patch or patch series, you will first want to (force-)push to the same branch. You probably also want to modify your Pull Request description (or title). It is a good idea to summarize the revision by adding something like this to the cover letter (read: by editing the first comment on the PR, i.e. the PR description): To send a new iteration, just add another PR comment with the contents: Need help?New contributors who want advice are encouraged to join git-mentoring@googlegroups.com, where volunteers who regularly contribute to Git are willing to answer newbie questions, give advice, or otherwise provide mentoring to interested contributors. You must join in order to post or view messages, but anyone can join. You may also be able to find help in real time in the developer IRC channel, |
|
/allow |
|
User sh-cho is now allowed to use GitGitGadget. |
|
/preview |
|
Preview email sent as pull.2044.git.git.1756553190527.gitgitgadget@gmail.com |
|
/submit |
|
Submitted as pull.2044.git.git.1756553495661.gitgitgadget@gmail.com To fetch this version into To fetch this version to local tag |
|
On the Git mailing list, Patrick Steinhardt wrote (reply to this): On Sat, Aug 30, 2025 at 11:31:35AM +0000, Seonghyeon Cho (조성현) via GitGitGadget wrote:
> From: Seonghyeon Cho <seonghyeoncho96@gmail.com>
>
> The list-and-choose interface accepts malformed input such as "2m3" and
> interprets it as "2-", silently selecting a range to the end. This is
> misleading and makes it easy to select unintended items.
>
> Reject such input by treating it as invalid.
Okay, that does feel fishy indeed. It would be good though to have a
test case that demonstrates the new behaviour and at the same time
ensures that we don't regress in the future. You can have a look at
"t3701-add-interactive.sh", which has a bunch of other tests for this
command, as well.
In general though we're not doing a good job here of error checking. We
don't at all verify whether `strtoul()` returned an error, for example
ERANGE. So if a user passes an integer that exceeds whatever we can
store in an `unsigned long` we'll silently proceed with a bogus result,
won't we?
Ideally, we'd use a saner interface to parse these integers, like for
example our own `git_parse_ulong()`. But unfortunately, that interface
does not handle the case where we only want to parse a substring in a
longer string. Too bad.
> diff --git a/add-interactive.c b/add-interactive.c
> index 3e692b47ec..86ff632288 100644
> --- a/add-interactive.c
> +++ b/add-interactive.c
> @@ -396,6 +396,8 @@ static ssize_t list_and_choose(struct add_i_state *s,
> if (endp != p + sep)
> from = -1;
> }
> + else
> + from = -1;
> }
Coding style: the `else` should sit on the same line as the closing
curly brace. And furthermore, if one of the branches of an if-else chain
requires curly braces, then all branches should have curly braces.
Patrick |
|
User |
|
On the Git mailing list, Seonghyeon Cho wrote (reply to this): On Tue, Sep 02, 2025 at 11:07:59AM +0200, Patrick Steinhardt wrote:
> Okay, that does feel fishy indeed. It would be good though to have a
> test case that demonstrates the new behaviour and at the same time
> ensures that we don't regress in the future. You can have a look at
> "t3701-add-interactive.sh", which has a bunch of other tests for this
> command, as well.
Okay, I'll add tests.
> In general though we're not doing a good job here of error checking. We
> don't at all verify whether `strtoul()` returned an error, for example
> ERANGE. So if a user passes an integer that exceeds whatever we can
> store in an `unsigned long` we'll silently proceed with a bogus result,
> won't we?
>
> Ideally, we'd use a saner interface to parse these integers, like for
> example our own `git_parse_ulong()`. But unfortunately, that interface
> does not handle the case where we only want to parse a substring in a
> longer string. Too bad.
Good point. Would you prefer I introduce new parse method here, or
should this be handled in separate patch?
> Coding style: the `else` should sit on the same line as the closing
> curly brace. And furthermore, if one of the branches of an if-else chain
> requires curly braces, then all branches should have curly braces.
Ok, I'll fix coding styles.
Thanks,
Seonghyeon
|
|
On the Git mailing list, Patrick Steinhardt wrote (reply to this): On Sun, Sep 07, 2025 at 09:24:09PM +0900, Seonghyeon Cho wrote:
> On Tue, Sep 02, 2025 at 11:07:59AM +0200, Patrick Steinhardt wrote:
> > In general though we're not doing a good job here of error checking. We
> > don't at all verify whether `strtoul()` returned an error, for example
> > ERANGE. So if a user passes an integer that exceeds whatever we can
> > store in an `unsigned long` we'll silently proceed with a bogus result,
> > won't we?
> >
> > Ideally, we'd use a saner interface to parse these integers, like for
> > example our own `git_parse_ulong()`. But unfortunately, that interface
> > does not handle the case where we only want to parse a substring in a
> > longer string. Too bad.
>
> Good point. Would you prefer I introduce new parse method here, or
> should this be handled in separate patch?
I don't think that would need to be part of your patch series. But we
should have proper error checking for `strtoul()` if we're already
improving this code.
Patrick |
|
On the Git mailing list, Seonghyeon Cho wrote (reply to this): On Mon, Sep 08, 2025 at 06:04:22AM +0200, Patrick Steinhardt wrote:
> I don't think that would need to be part of your patch series. But we
> should have proper error checking for `strtoul()` if we're already
> improving this code.
Understood. I'll handle it too.
Thanks,
Seonghyeon
|
cc: Patrick Steinhardt ps@pks.im