git-commit-vandalism/refs.c
Junio C Hamano 0870ca7fab Do not DWIM in userpath library under strict mode.
This should force git-daemon administrator's job a bit harder
because the exact paths need to be given in the whitelist, but
at the same time makes the auditing easier.

This moves validate_symref() from refs.c to path.c, because we
need to link path.c with git-daemon for its "enter_repo()", but
we do not want to link the daemon with the rest of git libraries
and its requirements.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-11-19 20:50:38 -08:00

371 lines
8.1 KiB
C

#include "refs.h"
#include "cache.h"
#include <errno.h>
/* We allow "recursive" symbolic refs. Only within reason, though */
#define MAXDEPTH 5
#ifndef USE_SYMLINK_HEAD
#define USE_SYMLINK_HEAD 1
#endif
const char *resolve_ref(const char *path, unsigned char *sha1, int reading)
{
int depth = MAXDEPTH, len;
char buffer[256];
for (;;) {
struct stat st;
char *buf;
int fd;
if (--depth < 0)
return NULL;
/* Special case: non-existing file.
* Not having the refs/heads/new-branch is OK
* if we are writing into it, so is .git/HEAD
* that points at refs/heads/master still to be
* born. It is NOT OK if we are resolving for
* reading.
*/
if (lstat(path, &st) < 0) {
if (reading || errno != ENOENT)
return NULL;
memset(sha1, 0, 20);
return path;
}
/* Follow "normalized" - ie "refs/.." symlinks by hand */
if (S_ISLNK(st.st_mode)) {
len = readlink(path, buffer, sizeof(buffer)-1);
if (len >= 5 && !memcmp("refs/", buffer, 5)) {
path = git_path("%.*s", len, buffer);
continue;
}
}
/*
* Anything else, just open it and try to use it as
* a ref
*/
fd = open(path, O_RDONLY);
if (fd < 0)
return NULL;
len = read(fd, buffer, sizeof(buffer)-1);
close(fd);
/*
* Is it a symbolic ref?
*/
if (len < 4 || memcmp("ref:", buffer, 4))
break;
buf = buffer + 4;
len -= 4;
while (len && isspace(*buf))
buf++, len--;
while (len && isspace(buf[len-1]))
buf[--len] = 0;
path = git_path("%.*s", len, buf);
}
if (len < 40 || get_sha1_hex(buffer, sha1))
return NULL;
return path;
}
int create_symref(const char *git_HEAD, const char *refs_heads_master)
{
const char *lockpath;
char ref[1000];
int fd, len, written;
#if USE_SYMLINK_HEAD
if (!only_use_symrefs) {
unlink(git_HEAD);
if (!symlink(refs_heads_master, git_HEAD))
return 0;
fprintf(stderr, "no symlink - falling back to symbolic ref\n");
}
#endif
len = snprintf(ref, sizeof(ref), "ref: %s\n", refs_heads_master);
if (sizeof(ref) <= len) {
error("refname too long: %s", refs_heads_master);
return -1;
}
lockpath = mkpath("%s.lock", git_HEAD);
fd = open(lockpath, O_CREAT | O_EXCL | O_WRONLY, 0666);
written = write(fd, ref, len);
close(fd);
if (written != len) {
unlink(lockpath);
error("Unable to write to %s", lockpath);
return -2;
}
if (rename(lockpath, git_HEAD) < 0) {
unlink(lockpath);
error("Unable to create %s", git_HEAD);
return -3;
}
return 0;
}
int read_ref(const char *filename, unsigned char *sha1)
{
if (resolve_ref(filename, sha1, 1))
return 0;
return -1;
}
static int do_for_each_ref(const char *base, int (*fn)(const char *path, const unsigned char *sha1))
{
int retval = 0;
DIR *dir = opendir(git_path("%s", base));
if (dir) {
struct dirent *de;
int baselen = strlen(base);
char *path = xmalloc(baselen + 257);
if (!strncmp(base, "./", 2)) {
base += 2;
baselen -= 2;
}
memcpy(path, base, baselen);
if (baselen && base[baselen-1] != '/')
path[baselen++] = '/';
while ((de = readdir(dir)) != NULL) {
unsigned char sha1[20];
struct stat st;
int namelen;
if (de->d_name[0] == '.')
continue;
namelen = strlen(de->d_name);
if (namelen > 255)
continue;
memcpy(path + baselen, de->d_name, namelen+1);
if (stat(git_path("%s", path), &st) < 0)
continue;
if (S_ISDIR(st.st_mode)) {
retval = do_for_each_ref(path, fn);
if (retval)
break;
continue;
}
if (read_ref(git_path("%s", path), sha1) < 0)
continue;
if (!has_sha1_file(sha1))
continue;
retval = fn(path, sha1);
if (retval)
break;
}
free(path);
closedir(dir);
}
return retval;
}
int head_ref(int (*fn)(const char *path, const unsigned char *sha1))
{
unsigned char sha1[20];
if (!read_ref(git_path("HEAD"), sha1))
return fn("HEAD", sha1);
return 0;
}
int for_each_ref(int (*fn)(const char *path, const unsigned char *sha1))
{
return do_for_each_ref("refs", fn);
}
static char *ref_file_name(const char *ref)
{
char *base = get_refs_directory();
int baselen = strlen(base);
int reflen = strlen(ref);
char *ret = xmalloc(baselen + 2 + reflen);
sprintf(ret, "%s/%s", base, ref);
return ret;
}
static char *ref_lock_file_name(const char *ref)
{
char *base = get_refs_directory();
int baselen = strlen(base);
int reflen = strlen(ref);
char *ret = xmalloc(baselen + 7 + reflen);
sprintf(ret, "%s/%s.lock", base, ref);
return ret;
}
int get_ref_sha1(const char *ref, unsigned char *sha1)
{
const char *filename;
if (check_ref_format(ref))
return -1;
filename = git_path("refs/%s", ref);
return read_ref(filename, sha1);
}
static int lock_ref_file(const char *filename, const char *lock_filename,
const unsigned char *old_sha1)
{
int fd = open(lock_filename, O_WRONLY | O_CREAT | O_EXCL, 0666);
unsigned char current_sha1[20];
int retval;
if (fd < 0) {
return error("Couldn't open lock file for %s: %s",
filename, strerror(errno));
}
retval = read_ref(filename, current_sha1);
if (old_sha1) {
if (retval) {
close(fd);
unlink(lock_filename);
return error("Could not read the current value of %s",
filename);
}
if (memcmp(current_sha1, old_sha1, 20)) {
close(fd);
unlink(lock_filename);
error("The current value of %s is %s",
filename, sha1_to_hex(current_sha1));
return error("Expected %s",
sha1_to_hex(old_sha1));
}
} else {
if (!retval) {
close(fd);
unlink(lock_filename);
return error("Unexpectedly found a value of %s for %s",
sha1_to_hex(current_sha1), filename);
}
}
return fd;
}
int lock_ref_sha1(const char *ref, const unsigned char *old_sha1)
{
char *filename;
char *lock_filename;
int retval;
if (check_ref_format(ref))
return -1;
filename = ref_file_name(ref);
lock_filename = ref_lock_file_name(ref);
retval = lock_ref_file(filename, lock_filename, old_sha1);
free(filename);
free(lock_filename);
return retval;
}
static int write_ref_file(const char *filename,
const char *lock_filename, int fd,
const unsigned char *sha1)
{
char *hex = sha1_to_hex(sha1);
char term = '\n';
if (write(fd, hex, 40) < 40 ||
write(fd, &term, 1) < 1) {
error("Couldn't write %s\n", filename);
close(fd);
return -1;
}
close(fd);
rename(lock_filename, filename);
return 0;
}
int write_ref_sha1(const char *ref, int fd, const unsigned char *sha1)
{
char *filename;
char *lock_filename;
int retval;
if (fd < 0)
return -1;
if (check_ref_format(ref))
return -1;
filename = ref_file_name(ref);
lock_filename = ref_lock_file_name(ref);
retval = write_ref_file(filename, lock_filename, fd, sha1);
free(filename);
free(lock_filename);
return retval;
}
/*
* Make sure "ref" is something reasonable to have under ".git/refs/";
* We do not like it if:
*
* - any path component of it begins with ".", or
* - it has double dots "..", or
* - it has ASCII control character, "~", "^", ":" or SP, anywhere, or
* - it ends with a "/".
*/
static inline int bad_ref_char(int ch)
{
return (((unsigned) ch) <= ' ' ||
ch == '~' || ch == '^' || ch == ':');
}
int check_ref_format(const char *ref)
{
int ch, level;
const char *cp = ref;
level = 0;
while (1) {
while ((ch = *cp++) == '/')
; /* tolerate duplicated slashes */
if (!ch)
return -1; /* should not end with slashes */
/* we are at the beginning of the path component */
if (ch == '.' || bad_ref_char(ch))
return -1;
/* scan the rest of the path component */
while ((ch = *cp++) != 0) {
if (bad_ref_char(ch))
return -1;
if (ch == '/')
break;
if (ch == '.' && *cp == '.')
return -1;
}
level++;
if (!ch) {
if (level < 2)
return -1; /* at least of form "heads/blah" */
return 0;
}
}
}
int write_ref_sha1_unlocked(const char *ref, const unsigned char *sha1)
{
char *filename;
char *lock_filename;
int fd;
int retval;
if (check_ref_format(ref))
return -1;
filename = ref_file_name(ref);
lock_filename = ref_lock_file_name(ref);
fd = open(lock_filename, O_WRONLY | O_CREAT | O_EXCL, 0666);
if (fd < 0) {
error("Writing %s", lock_filename);
perror("Open");
}
retval = write_ref_file(filename, lock_filename, fd, sha1);
free(filename);
free(lock_filename);
return retval;
}