summaryrefslogtreecommitdiffstats
path: root/refs.c
diff options
context:
space:
mode:
authorJunio C Hamano <gitster@pobox.com>2019-06-13 22:19:40 +0200
committerJunio C Hamano <gitster@pobox.com>2019-06-13 22:19:40 +0200
commit0d107b19890db191c9281bff67180389fb53df24 (patch)
treed61a6fbd1e41b07107b7a686402c92f5283f7670 /refs.c
parentMerge branch 'en/fast-export-encoding' (diff)
parentworktree add: sanitize worktree names (diff)
downloadgit-0d107b19890db191c9281bff67180389fb53df24.tar.xz
git-0d107b19890db191c9281bff67180389fb53df24.zip
Merge branch 'nd/worktree-name-sanitization'
In recent versions of Git, per-worktree refs are exposed in refs/worktrees/<wtname>/ hierarchy, which means that worktree names must be a valid refname component. The code now sanitizes the names given to worktrees, to make sure these refs are well-formed. * nd/worktree-name-sanitization: worktree add: sanitize worktree names
Diffstat (limited to 'refs.c')
-rw-r--r--refs.c110
1 files changed, 90 insertions, 20 deletions
diff --git a/refs.c b/refs.c
index 92d1f6dbdd..b8a8430c96 100644
--- a/refs.c
+++ b/refs.c
@@ -63,7 +63,7 @@ static unsigned char refname_disposition[256] = {
* not legal. It is legal if it is something reasonable to have under
* ".git/refs/"; We do not like it if:
*
- * - any path component of it begins with ".", or
+ * - it begins with ".", or
* - it has double dots "..", or
* - it has ASCII control characters, or
* - it has ":", "?", "[", "\", "^", "~", SP, or TAB anywhere, or
@@ -71,31 +71,63 @@ static unsigned char refname_disposition[256] = {
* - it ends with a "/", or
* - it ends with ".lock", or
* - it contains a "@{" portion
+ *
+ * When sanitized is not NULL, instead of rejecting the input refname
+ * as an error, try to come up with a usable replacement for the input
+ * refname in it.
*/
-static int check_refname_component(const char *refname, int *flags)
+static int check_refname_component(const char *refname, int *flags,
+ struct strbuf *sanitized)
{
const char *cp;
char last = '\0';
+ size_t component_start = 0; /* garbage - not a reasonable initial value */
+
+ if (sanitized)
+ component_start = sanitized->len;
for (cp = refname; ; cp++) {
int ch = *cp & 255;
unsigned char disp = refname_disposition[ch];
+
+ if (sanitized && disp != 1)
+ strbuf_addch(sanitized, ch);
+
switch (disp) {
case 1:
goto out;
case 2:
- if (last == '.')
- return -1; /* Refname contains "..". */
+ if (last == '.') { /* Refname contains "..". */
+ if (sanitized)
+ /* collapse ".." to single "." */
+ strbuf_setlen(sanitized, sanitized->len - 1);
+ else
+ return -1;
+ }
break;
case 3:
- if (last == '@')
- return -1; /* Refname contains "@{". */
+ if (last == '@') { /* Refname contains "@{". */
+ if (sanitized)
+ sanitized->buf[sanitized->len-1] = '-';
+ else
+ return -1;
+ }
break;
case 4:
- return -1;
+ /* forbidden char */
+ if (sanitized)
+ sanitized->buf[sanitized->len-1] = '-';
+ else
+ return -1;
+ break;
case 5:
- if (!(*flags & REFNAME_REFSPEC_PATTERN))
- return -1; /* refspec can't be a pattern */
+ if (!(*flags & REFNAME_REFSPEC_PATTERN)) {
+ /* refspec can't be a pattern */
+ if (sanitized)
+ sanitized->buf[sanitized->len-1] = '-';
+ else
+ return -1;
+ }
/*
* Unset the pattern flag so that we only accept
@@ -109,26 +141,48 @@ static int check_refname_component(const char *refname, int *flags)
out:
if (cp == refname)
return 0; /* Component has zero length. */
- if (refname[0] == '.')
- return -1; /* Component starts with '.'. */
+
+ if (refname[0] == '.') { /* Component starts with '.'. */
+ if (sanitized)
+ sanitized->buf[component_start] = '-';
+ else
+ return -1;
+ }
if (cp - refname >= LOCK_SUFFIX_LEN &&
- !memcmp(cp - LOCK_SUFFIX_LEN, LOCK_SUFFIX, LOCK_SUFFIX_LEN))
- return -1; /* Refname ends with ".lock". */
+ !memcmp(cp - LOCK_SUFFIX_LEN, LOCK_SUFFIX, LOCK_SUFFIX_LEN)) {
+ if (!sanitized)
+ return -1;
+ /* Refname ends with ".lock". */
+ while (strbuf_strip_suffix(sanitized, LOCK_SUFFIX)) {
+ /* try again in case we have .lock.lock */
+ }
+ }
return cp - refname;
}
-int check_refname_format(const char *refname, int flags)
+static int check_or_sanitize_refname(const char *refname, int flags,
+ struct strbuf *sanitized)
{
int component_len, component_count = 0;
- if (!strcmp(refname, "@"))
+ if (!strcmp(refname, "@")) {
/* Refname is a single character '@'. */
- return -1;
+ if (sanitized)
+ strbuf_addch(sanitized, '-');
+ else
+ return -1;
+ }
while (1) {
+ if (sanitized && sanitized->len)
+ strbuf_complete(sanitized, '/');
+
/* We are at the start of a path component. */
- component_len = check_refname_component(refname, &flags);
- if (component_len <= 0)
+ component_len = check_refname_component(refname, &flags,
+ sanitized);
+ if (sanitized && component_len == 0)
+ ; /* OK, omit empty component */
+ else if (component_len <= 0)
return -1;
component_count++;
@@ -138,13 +192,29 @@ int check_refname_format(const char *refname, int flags)
refname += component_len + 1;
}
- if (refname[component_len - 1] == '.')
- return -1; /* Refname ends with '.'. */
+ if (refname[component_len - 1] == '.') {
+ /* Refname ends with '.'. */
+ if (sanitized)
+ ; /* omit ending dot */
+ else
+ return -1;
+ }
if (!(flags & REFNAME_ALLOW_ONELEVEL) && component_count < 2)
return -1; /* Refname has only one component. */
return 0;
}
+int check_refname_format(const char *refname, int flags)
+{
+ return check_or_sanitize_refname(refname, flags, NULL);
+}
+
+void sanitize_refname_component(const char *refname, struct strbuf *out)
+{
+ if (check_or_sanitize_refname(refname, REFNAME_ALLOW_ONELEVEL, out))
+ BUG("sanitizing refname '%s' check returned error", refname);
+}
+
int refname_is_safe(const char *refname)
{
const char *rest;