Dulwich Files

Security

• Don't expand config include directives when parsing .gitmodules, so a crafted .gitmodules in a cloned repository can no longer make clone --recurse-submodules read arbitrary files.
• Validate ref names before resolving them to a path, so a client-supplied name like ../../secret can no longer read a file outside the ref store. Closes a traversal via git-upload-archive's argument and other lookup paths. (#2212)
• Reject pack names containing path separators in the dumb HTTP transport, so a malicious server can no longer escape the temporary directory. (#2213)
• Verify that an object retrieved by id actually hashes to the requested id, raising ChecksumMismatch otherwise. (#2223)

New features

• Add porcelain.request_pull and a dulwich request-pull command, like git request-pull. (#1823)
• Add porcelain.range_diff and a dulwich range-diff command, like git range-diff (requires the dulwich[range_diff] extra). (#1828)

Fixes

• Check out files whose names contain a colon or backslash on NTFS, instead of silently dropping them on clone, and abort the checkout on a genuinely invalid path. (#2205)
• Fix apply_patch writing index entries with mode 0, which made native git abort. (#2218)
• Fix deepening of a local shallow fetch not transferring newly-uncovered commits.
• Several gc/repack fixes on Windows (read-only pack files, leaked temporary packs, files-in-use).
• Discover and serve packs with non-pack- names such as loose-<hash> (written by git maintenance). (#2229)

See NEWS for the full changelog.