@ -63,7 +63,7 @@ static unsigned char refname_disposition[256] = {
* not legal. It is legal if it is something reasonable to have under
* not legal. It is legal if it is something reasonable to have under
* ".git/refs/"; We do not like it if:
* ".git/refs/"; We do not like it if:
*
*
* - any path component of it begins with ".", or
* - it begins with ".", or
* - it has double dots "..", or
* - it has double dots "..", or
* - it has ASCII control characters, or
* - it has ASCII control characters, or
* - it has ":", "?", "[", "\", "^", "~", SP, or TAB anywhere, or
* - it has ":", "?", "[", "\", "^", "~", SP, or TAB anywhere, or
@ -71,31 +71,63 @@ static unsigned char refname_disposition[256] = {
* - it ends with a "/", or
* - it ends with a "/", or
* - it ends with ".lock", or
* - it ends with ".lock", or
* - it contains a "@{" portion
* - it contains a "@{" portion
*
* When sanitized is not NULL, instead of rejecting the input refname
* as an error, try to come up with a usable replacement for the input
* refname in it.
*/
*/
static int check_refname_component(const char *refname, int *flags)
static int check_refname_component(const char *refname, int *flags,
struct strbuf *sanitized)
{
{
const char *cp;
const char *cp;
char last = '\0';
char last = '\0';
size_t component_start = 0; /* garbage - not a reasonable initial value */
if (sanitized)
component_start = sanitized->len;
for (cp = refname; ; cp++) {
for (cp = refname; ; cp++) {
int ch = *cp & 255;
int ch = *cp & 255;
unsigned char disp = refname_disposition[ch];
unsigned char disp = refname_disposition[ch];
if (sanitized && disp != 1)
strbuf_addch(sanitized, ch);
switch (disp) {
switch (disp) {
case 1:
case 1:
goto out;
goto out;
case 2:
case 2:
if (last == '.')
if (last == '.') { /* Refname contains "..". */
return -1; /* Refname contains "..". */
if (sanitized)
/* collapse ".." to single "." */
strbuf_setlen(sanitized, sanitized->len - 1);
else
return -1;
}
break;
break;
case 3:
case 3:
if (last == '@')
if (last == '@') { /* Refname contains "@{". */
return -1; /* Refname contains "@{". */
if (sanitized)
sanitized->buf[sanitized->len-1] = '-';
else
return -1;
}
break;
break;
case 4:
case 4:
return -1;
/* forbidden char */
if (sanitized)
sanitized->buf[sanitized->len-1] = '-';
else
return -1;
break;
case 5:
case 5:
if (!(*flags & REFNAME_REFSPEC_PATTERN))
if (!(*flags & REFNAME_REFSPEC_PATTERN)) {
return -1; /* refspec can't be a pattern */
/* refspec can't be a pattern */
if (sanitized)
sanitized->buf[sanitized->len-1] = '-';
else
return -1;
}
/*
/*
* Unset the pattern flag so that we only accept
* Unset the pattern flag so that we only accept
@ -109,26 +141,48 @@ static int check_refname_component(const char *refname, int *flags)
out:
out:
if (cp == refname)
if (cp == refname)
return 0; /* Component has zero length. */
return 0; /* Component has zero length. */
if (refname[0] == '.')
return -1; /* Component starts with '.'. */
if (refname[0] == '.') { /* Component starts with '.'. */
if (sanitized)
sanitized->buf[component_start] = '-';
else
return -1;
}
if (cp - refname >= LOCK_SUFFIX_LEN &&
if (cp - refname >= LOCK_SUFFIX_LEN &&
!memcmp(cp - LOCK_SUFFIX_LEN, LOCK_SUFFIX, LOCK_SUFFIX_LEN))
!memcmp(cp - LOCK_SUFFIX_LEN, LOCK_SUFFIX, LOCK_SUFFIX_LEN)) {
return -1; /* Refname ends with ".lock". */
if (!sanitized)
return -1;
/* Refname ends with ".lock". */
while (strbuf_strip_suffix(sanitized, LOCK_SUFFIX)) {
/* try again in case we have .lock.lock */
}
}
return cp - refname;
return cp - refname;
}
}
int check_refname_format(const char *refname, int flags)
static int check_or_sanitize_refname(const char *refname, int flags,
struct strbuf *sanitized)
{
{
int component_len, component_count = 0;
int component_len, component_count = 0;
if (!strcmp(refname, "@"))
if (!strcmp(refname, "@")) {
/* Refname is a single character '@'. */
/* Refname is a single character '@'. */
return -1;
if (sanitized)
strbuf_addch(sanitized, '-');
else
return -1;
}
while (1) {
while (1) {
if (sanitized && sanitized->len)
strbuf_complete(sanitized, '/');
/* We are at the start of a path component. */
/* We are at the start of a path component. */
component_len = check_refname_component(refname, &flags);
component_len = check_refname_component(refname, &flags,
if (component_len <= 0)
sanitized);
if (sanitized && component_len == 0)
; /* OK, omit empty component */
else if (component_len <= 0)
return -1;
return -1;
component_count++;
component_count++;
@ -138,13 +192,29 @@ int check_refname_format(const char *refname, int flags)
refname += component_len + 1;
refname += component_len + 1;
}
}
if (refname[component_len - 1] == '.')
if (refname[component_len - 1] == '.') {
return -1; /* Refname ends with '.'. */
/* Refname ends with '.'. */
if (sanitized)
; /* omit ending dot */
else
return -1;
}
if (!(flags & REFNAME_ALLOW_ONELEVEL) && component_count < 2)
if (!(flags & REFNAME_ALLOW_ONELEVEL) && component_count < 2)
return -1; /* Refname has only one component. */
return -1; /* Refname has only one component. */
return 0;
return 0;
}
}
int check_refname_format(const char *refname, int flags)
{
return check_or_sanitize_refname(refname, flags, NULL);
}
void sanitize_refname_component(const char *refname, struct strbuf *out)
{
if (check_or_sanitize_refname(refname, REFNAME_ALLOW_ONELEVEL, out))
BUG("sanitizing refname '%s' check returned error", refname);
}
int refname_is_safe(const char *refname)
int refname_is_safe(const char *refname)
{
{
const char *rest;
const char *rest;