From b229d18a809c169314b7f0d048dc5a7632e8f916 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Thu, 29 Jan 2009 03:30:16 -0500 Subject: [PATCH 1/2] validate_headref: tighten ref-matching to just branches When we are trying to determine whether a directory contains a git repository, one of the tests we do is to check whether HEAD is either a symlink or a symref into the "refs/" hierarchy, or a detached HEAD. We can tighten this a little more, though: a non-detached HEAD should always point to a branch (since checking out anything else should result in detachment), so it is safe to check for "refs/heads/". Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- path.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/path.c b/path.c index a074aea649..108d9e9599 100644 --- a/path.c +++ b/path.c @@ -154,7 +154,7 @@ int validate_headref(const char *path) /* Make sure it is a "refs/.." symlink */ if (S_ISLNK(st.st_mode)) { len = readlink(path, buffer, sizeof(buffer)-1); - if (len >= 5 && !memcmp("refs/", buffer, 5)) + if (len >= 11 && !memcmp("refs/heads/", buffer, 11)) return 0; return -1; } @@ -178,7 +178,7 @@ int validate_headref(const char *path) len -= 4; while (len && isspace(*buf)) buf++, len--; - if (len >= 5 && !memcmp("refs/", buf, 5)) + if (len >= 11 && !memcmp("refs/heads/", buf, 11)) return 0; } From afe5d3d516114f08d3c4289682a704f5a7889909 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Thu, 29 Jan 2009 03:33:02 -0500 Subject: [PATCH 2/2] symbolic ref: refuse non-ref targets in HEAD When calling "git symbolic-ref" it is easy to forget that the target must be a fully qualified ref. E.g., you might accidentally do: $ git symbolic-ref HEAD master Unfortunately, this is very difficult to recover from, because the bogus contents of HEAD make git believe we are no longer in a git repository (as is_git_dir explicitly checks for "^refs/heads/" in the HEAD target). So immediately trying to fix the situation doesn't work: $ git symbolic-ref HEAD refs/heads/master fatal: Not a git repository and one is left editing the .git/HEAD file manually. Furthermore, one might be tempted to use symbolic-ref to set up a detached HEAD: $ git symbolic-ref HEAD `git rev-parse HEAD` which sets up an even more bogus HEAD: $ cat .git/HEAD ref: 1a9ace4f2ad4176148e61b5a85cd63d5604aac6d This patch introduces a small safety valve to prevent the specific case of anything not starting with refs/heads/ to go into HEAD. The scope of the safety valve is intentionally very limited, to make sure that we are not preventing any behavior that would otherwise be valid (like pointing a different symref than HEAD outside of refs/heads/). Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- builtin-symbolic-ref.c | 3 +++ t/t1401-symbolic-ref.sh | 41 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100755 t/t1401-symbolic-ref.sh diff --git a/builtin-symbolic-ref.c b/builtin-symbolic-ref.c index bfc78bb3f6..cafc4eba7c 100644 --- a/builtin-symbolic-ref.c +++ b/builtin-symbolic-ref.c @@ -44,6 +44,9 @@ int cmd_symbolic_ref(int argc, const char **argv, const char *prefix) check_symref(argv[0], quiet); break; case 2: + if (!strcmp(argv[0], "HEAD") && + prefixcmp(argv[1], "refs/heads/")) + die("Refusing to point HEAD outside of refs/heads/"); create_symref(argv[0], argv[1], msg); break; default: diff --git a/t/t1401-symbolic-ref.sh b/t/t1401-symbolic-ref.sh new file mode 100755 index 0000000000..569f34177d --- /dev/null +++ b/t/t1401-symbolic-ref.sh @@ -0,0 +1,41 @@ +#!/bin/sh + +test_description='basic symbolic-ref tests' +. ./test-lib.sh + +# If the tests munging HEAD fail, they can break detection of +# the git repo, meaning that further tests will operate on +# the surrounding git repo instead of the trash directory. +reset_to_sane() { + echo ref: refs/heads/foo >.git/HEAD +} + +test_expect_success 'symbolic-ref writes HEAD' ' + git symbolic-ref HEAD refs/heads/foo && + echo ref: refs/heads/foo >expect && + test_cmp expect .git/HEAD +' + +test_expect_success 'symbolic-ref reads HEAD' ' + echo refs/heads/foo >expect && + git symbolic-ref HEAD >actual && + test_cmp expect actual +' + +test_expect_success 'symbolic-ref refuses non-ref for HEAD' ' + test_must_fail git symbolic-ref HEAD foo +' +reset_to_sane + +test_expect_success 'symbolic-ref refuses non-branch for HEAD' ' + test_must_fail git symbolic-ref HEAD refs/foo +' +reset_to_sane + +test_expect_success 'symbolic-ref refuses bare sha1' ' + echo content >file && git add file && git commit -m one + test_must_fail git symbolic-ref HEAD `git rev-parse HEAD` +' +reset_to_sane + +test_done