diff --git a/Documentation/config.txt b/Documentation/config.txt

index c26a7c8..7076aa9 100644

--- a/Documentation/config.txt

+++ b/Documentation/config.txt

@@ -234,6 +234,17 @@ core.precomposeunicode::

 	When false, file names are handled fully transparent by Git,

 	which is backward compatible with older versions of Git.

+core.protectHFS::

+	If set to true, do not allow checkout of paths that would

+	be considered equivalent to `.git` on an HFS+ filesystem.

+	Defaults to `true` on Mac OS, and `false` elsewhere.

+

+core.protectNTFS::

+	If set to true, do not allow checkout of paths that would

+	cause problems with the NTFS filesystem, e.g. conflict with

+	8.3 "short" names.

+	Defaults to `true` on Windows, and `false` elsewhere.

+

 core.trustctime::

 	If false, the ctime differences between the index and the

 	working tree are ignored; useful when the inode change time

--- a/builtin/annotate.c

+++ b/builtin/annotate.c

@@ -5,20 +5,18 @@

  */

 #include "git-compat-util.h"

 #include "builtin.h"

+#include "argv-array.h"

 int cmd_annotate(int argc, const char **argv, const char *prefix)

 {

-	const char **nargv;

+	struct argv_array args = ARGV_ARRAY_INIT;

 	int i;

-	nargv = xmalloc(sizeof(char *) * (argc + 2));

-	nargv[0] = "annotate";

-	nargv[1] = "-c";

+	argv_array_pushl(&args, "annotate", "-c", NULL);

 	for (i = 1; i < argc; i++) {

-		nargv[i+1] = argv[i];

+		argv_array_push(&args, argv[i]);

 	}

-	nargv[argc + 1] = NULL;

-	return cmd_blame(argc + 1, nargv, prefix);

+	return cmd_blame(args.argc, args.argv, prefix);

 }

diff --git a/builtin/clean.c b/builtin/clean.c

index 977a068..8926ca8 100644

--- a/builtin/clean.c

+++ b/builtin/clean.c

@@ -48,7 +48,7 @@ enum color_clean {

 	CLEAN_COLOR_PROMPT = 2,

 	CLEAN_COLOR_HEADER = 3,

 	CLEAN_COLOR_HELP = 4,

-	CLEAN_COLOR_ERROR = 5,

+	CLEAN_COLOR_ERROR = 5

 };

 #define MENU_OPTS_SINGLETON		01

diff --git a/cache.h b/cache.h

index ebe9a40..017c487 100644

--- a/cache.h

+++ b/cache.h

@@ -587,6 +587,8 @@ extern int fsync_object_files;

 extern int core_preload_index;

 extern int core_apply_sparse_checkout;

 extern int precomposed_unicode;

+extern int protect_hfs;

+extern int protect_ntfs;

 /*

  * The character that begins a commented line in user-editable file

@@ -782,6 +784,7 @@ int longest_ancestor_length(const char *path, struct string_list *prefixes);

 char *strip_path_suffix(const char *path, const char *suffix);

 int daemon_avoid_alias(const char *path);

 int offset_1st_component(const char *path);

+extern int is_ntfs_dotgit(const char *name);

 /* object replacement */

 #define LOOKUP_REPLACE_OBJECT 1

diff --git a/config.c b/config.c

index 314d8ee..8984ad2 100644

--- a/config.c

+++ b/config.c

@@ -885,6 +885,16 @@ static int git_default_core_config(const char *var, const char *value)

 		return 0;

 	}

+	if (!strcmp(var, "core.protecthfs")) {

+		protect_hfs = git_config_bool(var, value);

+		return 0;

+	}

+

+	if (!strcmp(var, "core.protectntfs")) {

+		protect_ntfs = git_config_bool(var, value);

+		return 0;

+	}

+

 	/* Add other config variables here and to Documentation/config.txt. */

 	return 0;

 }

diff --git a/config.mak.uname b/config.mak.uname

index efaed94..f3cdcbc 100644

--- a/config.mak.uname

+++ b/config.mak.uname

@@ -97,6 +97,7 @@ ifeq ($(uname_S),Darwin)

 	HAVE_DEV_TTY = YesPlease

 	COMPAT_OBJS += compat/precompose_utf8.o

 	BASIC_CFLAGS += -DPRECOMPOSE_UNICODE

+	BASIC_CFLAGS += -DPROTECT_HFS_DEFAULT=1

 endif

 ifeq ($(uname_S),SunOS)

 	NEEDS_SOCKET = YesPlease

@@ -369,6 +370,7 @@ ifeq ($(uname_S),Windows)

 	EXTLIBS = user32.lib advapi32.lib shell32.lib wininet.lib ws2_32.lib

 	PTHREAD_LIBS =

 	lib =

+	BASIC_CFLAGS += -DPROTECT_NTFS_DEFAULT=1

 ifndef DEBUG

 	BASIC_CFLAGS += -GL -Os -MT

 	BASIC_LDFLAGS += -LTCG

@@ -513,6 +515,7 @@ ifneq (,$(findstring MINGW,$(uname_S)))

 	COMPAT_OBJS += compat/mingw.o compat/winansi.o \

 		compat/win32/pthread.o compat/win32/syslog.o \

 		compat/win32/dirent.o

+	BASIC_CFLAGS += -DPROTECT_NTFS_DEFAULT=1

 	BASIC_LDFLAGS += -Wl,--large-address-aware

 	EXTLIBS += -lws2_32

 	GITLIBS += git.res

diff --git a/environment.c b/environment.c

index 4a3437d..39a8c6c 100644

--- a/environment.c

+++ b/environment.c

@@ -64,6 +64,16 @@ int precomposed_unicode = -1; /* see probe_utf8_pathname_composition() */

 struct startup_info *startup_info;

 unsigned long pack_size_limit_cfg;

+#ifndef PROTECT_HFS_DEFAULT

+#define PROTECT_HFS_DEFAULT 0

+#endif

+int protect_hfs = PROTECT_HFS_DEFAULT;

+

+#ifndef PROTECT_NTFS_DEFAULT

+#define PROTECT_NTFS_DEFAULT 0

+#endif

+int protect_ntfs = PROTECT_NTFS_DEFAULT;

+

 /*

  * The character that begins a commented line in user-editable file

  * that is subject to stripspace.

diff --git a/fsck.c b/fsck.c

index 64bf279..ee7f531 100644

--- a/fsck.c

+++ b/fsck.c

@@ -6,6 +6,7 @@

 #include "commit.h"

 #include "tag.h"

 #include "fsck.h"

+#include "utf8.h"

 static int fsck_walk_tree(struct tree *tree, fsck_walk_func walk, void *data)

 {

@@ -175,7 +176,8 @@ static int fsck_tree(struct tree *item, int strict, fsck_error error_func)

 			has_dot = 1;

 		if (!strcmp(name, ".."))

 			has_dotdot = 1;

-		if (!strcmp(name, ".git"))

+		if (!strcasecmp(name, ".git") || is_hfs_dotgit(name) ||

+				is_ntfs_dotgit(name))

 			has_dotgit = 1;

 		has_zero_pad |= *(char *)desc.buffer == '0';

 		update_tree_entry(&desc);

diff --git a/path.c b/path.c

index f9c5062..dfd58f4 100644

--- a/path.c

+++ b/path.c

@@ -830,3 +830,36 @@ int offset_1st_component(const char *path)

 		return 2 + is_dir_sep(path[2]);

 	return is_dir_sep(path[0]);

 }

+

+static int only_spaces_and_periods(const char *path, size_t len, size_t skip)

+{

+	if (len < skip)

+		return 0;

+	len -= skip;

+	path += skip;

+	while (len-- > 0) {

+		char c = *(path++);

+		if (c != ' ' && c != '.')

+			return 0;

+	}

+	return 1;

+}

+

+int is_ntfs_dotgit(const char *name)

+{

+	int len;

+

+	for (len = 0; ; len++)

+		if (!name[len] || name[len] == '\\' || is_dir_sep(name[len])) {

+			if (only_spaces_and_periods(name, len, 4) &&

+					!strncasecmp(name, ".git", 4))

+				return 1;

+			if (only_spaces_and_periods(name, len, 5) &&

+					!strncasecmp(name, "git~1", 5))

+				return 1;

+			if (name[len] != '\\')

+				return 0;

+			name += len + 1;

+			len = -1;

+		}

+}

diff --git a/pretty.c b/pretty.c

index 6e266dd..f64ff9a 100644

--- a/pretty.c

+++ b/pretty.c

@@ -274,7 +274,7 @@ static void add_rfc822_quoted(struct strbuf *out, const char *s, int len)

 enum rfc2047_type {

 	RFC2047_SUBJECT,

-	RFC2047_ADDRESS,

+	RFC2047_ADDRESS

 };

 static int is_rfc2047_special(char ch, enum rfc2047_type type)

diff --git a/read-cache.c b/read-cache.c

index 4b4effd..ee07cd6 100644

--- a/read-cache.c

+++ b/read-cache.c

@@ -14,6 +14,7 @@

 #include "resolve-undo.h"

 #include "strbuf.h"

 #include "varint.h"

+#include "utf8.h"

 static struct cache_entry *refresh_cache_entry(struct cache_entry *ce,

 					       unsigned int options);

@@ -752,9 +753,10 @@ static int verify_dotfile(const char *rest)

 	 * shares the path end test with the ".." case.

 	 */

 	case 'g':

-		if (rest[1] != 'i')

+	case 'G':

+		if (rest[1] != 'i' && rest[1] != 'I')

 			break;

-		if (rest[2] != 't')

+		if (rest[2] != 't' && rest[2] != 'T')

 			break;

 		rest += 2;

 	/* fallthrough */

@@ -778,6 +780,10 @@ int verify_path(const char *path)

 			return 1;

 		if (is_dir_sep(c)) {

 inside:

+			if (protect_hfs && is_hfs_dotgit(path))

+				return 0;

+			if (protect_ntfs && is_ntfs_dotgit(path))

+				return 0;

 			c = *path++;

 			if ((c == '.' && !verify_dotfile(path)) ||

 			    is_dir_sep(c) || c == '\0')

diff --git a/t/t1014-read-tree-confusing.sh b/t/t1014-read-tree-confusing.sh

new file mode 100755

index 0000000..2f5a25d

--- /dev/null

+++ b/t/t1014-read-tree-confusing.sh

@@ -0,0 +1,62 @@

+#!/bin/sh

+

+test_description='check that read-tree rejects confusing paths'

+. ./test-lib.sh

+

+test_expect_success 'create base tree' '

+	echo content >file &&

+	git add file &&

+	git commit -m base &&

+	blob=$(git rev-parse HEAD:file) &&

+	tree=$(git rev-parse HEAD^{tree})

+'

+

+test_expect_success 'enable core.protectHFS for rejection tests' '

+	git config core.protectHFS true

+'

+

+test_expect_success 'enable core.protectNTFS for rejection tests' '

+	git config core.protectNTFS true

+'

+

+while read path pretty; do

+	: ${pretty:=$path}

+	case "$path" in

+	*SPACE)

+		path="${path%SPACE} "

+		;;

+	esac

+	test_expect_success "reject $pretty at end of path" '

+		printf "100644 blob %s\t%s" "$blob" "$path" >tree &&

+		bogus=$(git mktree 

+		test_must_fail git read-tree $bogus

+	'

+

+	test_expect_success "reject $pretty as subtree" '

+		printf "040000 tree %s\t%s" "$tree" "$path" >tree &&

+		bogus=$(git mktree 

+		test_must_fail git read-tree $bogus

+	'

+done <<-EOF

+.

+..

+.git

+.GIT

+${u200c}.Git {u200c}.Git

+.gI${u200c}T .gI{u200c}T

+.GiT${u200c} .GiT{u200c}

+git~1

+.git.SPACE .git.{space}

+.\\\\.GIT\\\\foobar backslashes

+.git\\\\foobar backslashes2

+EOF

+

+test_expect_success 'utf-8 paths allowed with core.protectHFS off' '

+	test_when_finished "git read-tree HEAD" &&

+	test_config core.protectHFS false &&

+	printf "100644 blob %s\t%s" "$blob" ".gi${u200c}t" >tree &&

+	ok=$(git mktree 

+	git read-tree $ok

+'

+

+test_done

diff --git a/t/t1450-fsck.sh b/t/t1450-fsck.sh

index 8c739c9..983568a 100755

--- a/t/t1450-fsck.sh

+++ b/t/t1450-fsck.sh

@@ -251,35 +251,40 @@ test_expect_success 'fsck notices submodule entry pointing to null sha1' '

 	)

 '

-test_expect_success 'fsck notices "." and ".." in trees' '

-	(

-		git init dots &&

-		cd dots &&

-		blob=$(echo foo | git hash-object -w --stdin) &&

-		tab=$(printf "\\t") &&

-		git mktree <<-EOF &&

-		100644 blob $blob$tab.

-		100644 blob $blob$tab..

-		EOF

-		git fsck 2>out &&

-		cat out &&

-		grep "warning.*\\." out

-	)

-'

-

-test_expect_success 'fsck notices ".git" in trees' '

-	(

-		git init dotgit &&

-		cd dotgit &&

-		blob=$(echo foo | git hash-object -w --stdin) &&

-		tab=$(printf "\\t") &&

-		git mktree <<-EOF &&

-		100644 blob $blob$tab.git

-		EOF

-		git fsck 2>out &&

-		cat out &&

-		grep "warning.*\\.git" out

-	)

-'

+while read name path pretty; do

+	while read mode type; do

+		: ${pretty:=$path}

+		test_expect_success "fsck notices $pretty as $type" '

+		(

+			git init $name-$type &&

+			cd $name-$type &&

+			echo content >file &&

+			git add file &&

+			git commit -m base &&

+			blob=$(git rev-parse :file) &&

+			tree=$(git rev-parse HEAD^{tree}) &&

+			value=$(eval "echo \$$type") &&

+			printf "$mode $type %s\t%s" "$value" "$path" >bad &&

+			bad_tree=$(git mktree 

+			git fsck 2>out &&

+			cat out &&

+			grep "warning.*tree $bad_tree" out

+		)'

+	done <<-\EOF

+	100644 blob

+	040000 tree

+	EOF

+done <<-EOF

+dot .

+dotdot ..

+dotgit .git

+dotgit-case .GIT

+dotgit-unicode .gI${u200c}T .gI{u200c}T

+dotgit-case2 .Git

+git-tilde1 git~1

+dotgitdot .git.

+dot-backslash-case .\\\\.GIT\\\\foobar

+dotgit-case-backslash .git\\\\foobar

+EOF

 test_done

diff --git a/t/t7300-clean.sh b/t/t7300-clean.sh

index 74de814..04118ad 100755

--- a/t/t7300-clean.sh

+++ b/t/t7300-clean.sh

@@ -426,10 +426,10 @@ test_expect_success SANITY 'removal failure' '

 	mkdir foo &&

 	touch foo/bar &&

+	test_when_finished "chmod 755 foo" &&

 	(exec 

 	 chmod 0 foo &&

-	 test_must_fail git clean -f -d &&

-	 chmod 755 foo)

+	 test_must_fail git clean -f -d)

 '

 test_expect_success 'nested git work tree' '

diff --git a/t/test-lib.sh b/t/test-lib.sh

index 3c7cb1d..afa411e 100644

--- a/t/test-lib.sh

+++ b/t/test-lib.sh

@@ -158,7 +158,11 @@ _z40=0000000000000000000000000000000000000000

 LF='

 '

-export _x05 _x40 _z40 LF

+# UTF-8 ZERO WIDTH NON-JOINER, which HFS+ ignores

+# when case-folding filenames

+u200c=$(printf '\342\200\214')

+

+export _x05 _x40 _z40 LF u200c

 # Each test should start with something like this, after copyright notices:

 #

diff --git a/unpack-trees.c b/unpack-trees.c

index 164354d..ca7dd0f 100644

--- a/unpack-trees.c

+++ b/unpack-trees.c

@@ -102,7 +102,7 @@ void setup_unpack_trees_porcelain(struct unpack_trees_options *opts,

 		opts->unpack_rejects[i].strdup_strings = 1;

 }

-static void do_add_entry(struct unpack_trees_options *o, struct cache_entry *ce,

+static int do_add_entry(struct unpack_trees_options *o, struct cache_entry *ce,

 			 unsigned int set, unsigned int clear)

 {

 	clear |= CE_HASHED | CE_UNHASHED;

@@ -112,8 +112,8 @@ static void do_add_entry(struct unpack_trees_options *o, struct cache_entry *ce,

 	ce->next = NULL;

 	ce->ce_flags = (ce->ce_flags & ~clear) | set;

-	add_index_entry(&o->result, ce,

-			ADD_CACHE_OK_TO_ADD | ADD_CACHE_OK_TO_REPLACE);

+	return add_index_entry(&o->result, ce,

+			       ADD_CACHE_OK_TO_ADD | ADD_CACHE_OK_TO_REPLACE);

 }

 static struct cache_entry *dup_entry(const struct cache_entry *ce)

@@ -608,7 +608,9 @@ static int unpack_nondirectories(int n, unsigned long mask,

 	for (i = 0; i < n; i++)

 		if (src[i] && src[i] != o->df_conflict_entry)

-			do_add_entry(o, src[i], 0, 0);

+			if (do_add_entry(o, src[i], 0, 0))

+				return -1;

+

 	return 0;

 }

diff --git a/utf8.c b/utf8.c

index 536a9c8..015c815 100644

--- a/utf8.c

+++ b/utf8.c

@@ -627,3 +627,67 @@ int mbs_chrlen(const char **text, size_t *remainder_p, const char *encoding)

 	return chrlen;

 }

+

+/*

+ * Pick the next char from the stream, folding as an HFS+ filename comparison

+ * would. Note that this is _not_ complete by any means. It's just enough

+ * to make is_hfs_dotgit() work, and should not be used otherwise.

+ */

+static ucs_char_t next_hfs_char(const char **in)

+{

+	while (1) {

+		ucs_char_t out = pick_one_utf8_char(in, NULL);

+		/*

+		 * check for malformed utf8. Technically this

+		 * gets converted to a percent-sequence, but

+		 * returning 0 is good enough for is_hfs_dotgit

+		 * to realize it cannot be .git

+		 */

+		if (!*in)

+			return 0;

+

+		/* these code points are ignored completely */

+		switch (out) {

+		case 0x200c: /* ZERO WIDTH NON-JOINER */

+		case 0x200d: /* ZERO WIDTH JOINER */

+		case 0x200e: /* LEFT-TO-RIGHT MARK */

+		case 0x200f: /* RIGHT-TO-LEFT MARK */

+		case 0x202a: /* LEFT-TO-RIGHT EMBEDDING */

+		case 0x202b: /* RIGHT-TO-LEFT EMBEDDING */

+		case 0x202c: /* POP DIRECTIONAL FORMATTING */

+		case 0x202d: /* LEFT-TO-RIGHT OVERRIDE */

+		case 0x202e: /* RIGHT-TO-LEFT OVERRIDE */

+		case 0x206a: /* INHIBIT SYMMETRIC SWAPPING */

+		case 0x206b: /* ACTIVATE SYMMETRIC SWAPPING */

+		case 0x206c: /* INHIBIT ARABIC FORM SHAPING */

+		case 0x206d: /* ACTIVATE ARABIC FORM SHAPING */

+		case 0x206e: /* NATIONAL DIGIT SHAPES */

+		case 0x206f: /* NOMINAL DIGIT SHAPES */

+		case 0xfeff: /* ZERO WIDTH NO-BREAK SPACE */

+			continue;

+		}

+

+		/*

+		 * there's a great deal of other case-folding that occurs,

+		 * but this is enough to catch anything that will convert

+		 * to ".git"

+		 */

+		return tolower(out);

+	}

+}

+

+int is_hfs_dotgit(const char *path)

+{

+	ucs_char_t c;

+

+	if (next_hfs_char(&path) != '.' ||

+	    next_hfs_char(&path) != 'g' ||

+	    next_hfs_char(&path) != 'i' ||

+	    next_hfs_char(&path) != 't')

+		return 0;

+	c = next_hfs_char(&path);

+	if (c && !is_dir_sep(c))

+		return 0;

+

+	return 1;

+}

diff --git a/utf8.h b/utf8.h

index 65d0e42..e4d9183 100644

--- a/utf8.h

+++ b/utf8.h

@@ -42,4 +42,12 @@ static inline char *reencode_string(const char *in,

 int mbs_chrlen(const char **text, size_t *remainder_p, const char *encoding);

+/*

+ * Returns true if the the path would match ".git" after HFS case-folding.

+ * The path should be NUL-terminated, but we will match variants of both ".git\0"

+ * and ".git/..." (but _not_ ".../.git"). This makes it suitable for both fsck

+ * and verify_path().

+ */

+int is_hfs_dotgit(const char *path);

+

 #endif