builtin / receive-pack.con commit notes: don't access hash of NULL object_id pointer (3ea6b85)
   1#include "builtin.h"
   2#include "lockfile.h"
   3#include "pack.h"
   4#include "refs.h"
   5#include "pkt-line.h"
   6#include "sideband.h"
   7#include "run-command.h"
   8#include "exec_cmd.h"
   9#include "commit.h"
  10#include "object.h"
  11#include "remote.h"
  12#include "connect.h"
  13#include "transport.h"
  14#include "string-list.h"
  15#include "sha1-array.h"
  16#include "connected.h"
  17#include "argv-array.h"
  18#include "version.h"
  19#include "tag.h"
  20#include "gpg-interface.h"
  21#include "sigchain.h"
  22#include "fsck.h"
  23#include "tmp-objdir.h"
  24#include "oidset.h"
  25
  26static const char * const receive_pack_usage[] = {
  27        N_("git receive-pack <git-dir>"),
  28        NULL
  29};
  30
  31enum deny_action {
  32        DENY_UNCONFIGURED,
  33        DENY_IGNORE,
  34        DENY_WARN,
  35        DENY_REFUSE,
  36        DENY_UPDATE_INSTEAD
  37};
  38
  39static int deny_deletes;
  40static int deny_non_fast_forwards;
  41static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
  42static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
  43static int receive_fsck_objects = -1;
  44static int transfer_fsck_objects = -1;
  45static struct strbuf fsck_msg_types = STRBUF_INIT;
  46static int receive_unpack_limit = -1;
  47static int transfer_unpack_limit = -1;
  48static int advertise_atomic_push = 1;
  49static int advertise_push_options;
  50static int unpack_limit = 100;
  51static off_t max_input_size;
  52static int report_status;
  53static int use_sideband;
  54static int use_atomic;
  55static int use_push_options;
  56static int quiet;
  57static int prefer_ofs_delta = 1;
  58static int auto_update_server_info;
  59static int auto_gc = 1;
  60static int reject_thin;
  61static int stateless_rpc;
  62static const char *service_dir;
  63static const char *head_name;
  64static void *head_name_to_free;
  65static int sent_capabilities;
  66static int shallow_update;
  67static const char *alt_shallow_file;
  68static struct strbuf push_cert = STRBUF_INIT;
  69static unsigned char push_cert_sha1[20];
  70static struct signature_check sigcheck;
  71static const char *push_cert_nonce;
  72static const char *cert_nonce_seed;
  73
  74static const char *NONCE_UNSOLICITED = "UNSOLICITED";
  75static const char *NONCE_BAD = "BAD";
  76static const char *NONCE_MISSING = "MISSING";
  77static const char *NONCE_OK = "OK";
  78static const char *NONCE_SLOP = "SLOP";
  79static const char *nonce_status;
  80static long nonce_stamp_slop;
  81static timestamp_t nonce_stamp_slop_limit;
  82static struct ref_transaction *transaction;
  83
  84static enum {
  85        KEEPALIVE_NEVER = 0,
  86        KEEPALIVE_AFTER_NUL,
  87        KEEPALIVE_ALWAYS
  88} use_keepalive;
  89static int keepalive_in_sec = 5;
  90
  91static struct tmp_objdir *tmp_objdir;
  92
  93static enum deny_action parse_deny_action(const char *var, const char *value)
  94{
  95        if (value) {
  96                if (!strcasecmp(value, "ignore"))
  97                        return DENY_IGNORE;
  98                if (!strcasecmp(value, "warn"))
  99                        return DENY_WARN;
 100                if (!strcasecmp(value, "refuse"))
 101                        return DENY_REFUSE;
 102                if (!strcasecmp(value, "updateinstead"))
 103                        return DENY_UPDATE_INSTEAD;
 104        }
 105        if (git_config_bool(var, value))
 106                return DENY_REFUSE;
 107        return DENY_IGNORE;
 108}
 109
 110static int receive_pack_config(const char *var, const char *value, void *cb)
 111{
 112        int status = parse_hide_refs_config(var, value, "receive");
 113
 114        if (status)
 115                return status;
 116
 117        if (strcmp(var, "receive.denydeletes") == 0) {
 118                deny_deletes = git_config_bool(var, value);
 119                return 0;
 120        }
 121
 122        if (strcmp(var, "receive.denynonfastforwards") == 0) {
 123                deny_non_fast_forwards = git_config_bool(var, value);
 124                return 0;
 125        }
 126
 127        if (strcmp(var, "receive.unpacklimit") == 0) {
 128                receive_unpack_limit = git_config_int(var, value);
 129                return 0;
 130        }
 131
 132        if (strcmp(var, "transfer.unpacklimit") == 0) {
 133                transfer_unpack_limit = git_config_int(var, value);
 134                return 0;
 135        }
 136
 137        if (strcmp(var, "receive.fsck.skiplist") == 0) {
 138                const char *path;
 139
 140                if (git_config_pathname(&path, var, value))
 141                        return 1;
 142                strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
 143                        fsck_msg_types.len ? ',' : '=', path);
 144                free((char *)path);
 145                return 0;
 146        }
 147
 148        if (skip_prefix(var, "receive.fsck.", &var)) {
 149                if (is_valid_msg_type(var, value))
 150                        strbuf_addf(&fsck_msg_types, "%c%s=%s",
 151                                fsck_msg_types.len ? ',' : '=', var, value);
 152                else
 153                        warning("Skipping unknown msg id '%s'", var);
 154                return 0;
 155        }
 156
 157        if (strcmp(var, "receive.fsckobjects") == 0) {
 158                receive_fsck_objects = git_config_bool(var, value);
 159                return 0;
 160        }
 161
 162        if (strcmp(var, "transfer.fsckobjects") == 0) {
 163                transfer_fsck_objects = git_config_bool(var, value);
 164                return 0;
 165        }
 166
 167        if (!strcmp(var, "receive.denycurrentbranch")) {
 168                deny_current_branch = parse_deny_action(var, value);
 169                return 0;
 170        }
 171
 172        if (strcmp(var, "receive.denydeletecurrent") == 0) {
 173                deny_delete_current = parse_deny_action(var, value);
 174                return 0;
 175        }
 176
 177        if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
 178                prefer_ofs_delta = git_config_bool(var, value);
 179                return 0;
 180        }
 181
 182        if (strcmp(var, "receive.updateserverinfo") == 0) {
 183                auto_update_server_info = git_config_bool(var, value);
 184                return 0;
 185        }
 186
 187        if (strcmp(var, "receive.autogc") == 0) {
 188                auto_gc = git_config_bool(var, value);
 189                return 0;
 190        }
 191
 192        if (strcmp(var, "receive.shallowupdate") == 0) {
 193                shallow_update = git_config_bool(var, value);
 194                return 0;
 195        }
 196
 197        if (strcmp(var, "receive.certnonceseed") == 0)
 198                return git_config_string(&cert_nonce_seed, var, value);
 199
 200        if (strcmp(var, "receive.certnonceslop") == 0) {
 201                nonce_stamp_slop_limit = git_config_ulong(var, value);
 202                return 0;
 203        }
 204
 205        if (strcmp(var, "receive.advertiseatomic") == 0) {
 206                advertise_atomic_push = git_config_bool(var, value);
 207                return 0;
 208        }
 209
 210        if (strcmp(var, "receive.advertisepushoptions") == 0) {
 211                advertise_push_options = git_config_bool(var, value);
 212                return 0;
 213        }
 214
 215        if (strcmp(var, "receive.keepalive") == 0) {
 216                keepalive_in_sec = git_config_int(var, value);
 217                return 0;
 218        }
 219
 220        if (strcmp(var, "receive.maxinputsize") == 0) {
 221                max_input_size = git_config_int64(var, value);
 222                return 0;
 223        }
 224
 225        return git_default_config(var, value, cb);
 226}
 227
 228static void show_ref(const char *path, const struct object_id *oid)
 229{
 230        if (sent_capabilities) {
 231                packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
 232        } else {
 233                struct strbuf cap = STRBUF_INIT;
 234
 235                strbuf_addstr(&cap,
 236                              "report-status delete-refs side-band-64k quiet");
 237                if (advertise_atomic_push)
 238                        strbuf_addstr(&cap, " atomic");
 239                if (prefer_ofs_delta)
 240                        strbuf_addstr(&cap, " ofs-delta");
 241                if (push_cert_nonce)
 242                        strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
 243                if (advertise_push_options)
 244                        strbuf_addstr(&cap, " push-options");
 245                strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
 246                packet_write_fmt(1, "%s %s%c%s\n",
 247                             oid_to_hex(oid), path, 0, cap.buf);
 248                strbuf_release(&cap);
 249                sent_capabilities = 1;
 250        }
 251}
 252
 253static int show_ref_cb(const char *path_full, const struct object_id *oid,
 254                       int flag, void *data)
 255{
 256        struct oidset *seen = data;
 257        const char *path = strip_namespace(path_full);
 258
 259        if (ref_is_hidden(path, path_full))
 260                return 0;
 261
 262        /*
 263         * Advertise refs outside our current namespace as ".have"
 264         * refs, so that the client can use them to minimize data
 265         * transfer but will otherwise ignore them.
 266         */
 267        if (!path) {
 268                if (oidset_insert(seen, oid))
 269                        return 0;
 270                path = ".have";
 271        } else {
 272                oidset_insert(seen, oid);
 273        }
 274        show_ref(path, oid);
 275        return 0;
 276}
 277
 278static void show_one_alternate_ref(const char *refname,
 279                                   const struct object_id *oid,
 280                                   void *data)
 281{
 282        struct oidset *seen = data;
 283
 284        if (oidset_insert(seen, oid))
 285                return;
 286
 287        show_ref(".have", oid);
 288}
 289
 290static void write_head_info(void)
 291{
 292        static struct oidset seen = OIDSET_INIT;
 293
 294        for_each_ref(show_ref_cb, &seen);
 295        for_each_alternate_ref(show_one_alternate_ref, &seen);
 296        oidset_clear(&seen);
 297        if (!sent_capabilities)
 298                show_ref("capabilities^{}", &null_oid);
 299
 300        advertise_shallow_grafts(1);
 301
 302        /* EOF */
 303        packet_flush(1);
 304}
 305
 306struct command {
 307        struct command *next;
 308        const char *error_string;
 309        unsigned int skip_update:1,
 310                     did_not_exist:1;
 311        int index;
 312        struct object_id old_oid;
 313        struct object_id new_oid;
 314        char ref_name[FLEX_ARRAY]; /* more */
 315};
 316
 317static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
 318static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
 319
 320static void report_message(const char *prefix, const char *err, va_list params)
 321{
 322        int sz;
 323        char msg[4096];
 324
 325        sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
 326        sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
 327        if (sz > (sizeof(msg) - 1))
 328                sz = sizeof(msg) - 1;
 329        msg[sz++] = '\n';
 330
 331        if (use_sideband)
 332                send_sideband(1, 2, msg, sz, use_sideband);
 333        else
 334                xwrite(2, msg, sz);
 335}
 336
 337static void rp_warning(const char *err, ...)
 338{
 339        va_list params;
 340        va_start(params, err);
 341        report_message("warning: ", err, params);
 342        va_end(params);
 343}
 344
 345static void rp_error(const char *err, ...)
 346{
 347        va_list params;
 348        va_start(params, err);
 349        report_message("error: ", err, params);
 350        va_end(params);
 351}
 352
 353static int copy_to_sideband(int in, int out, void *arg)
 354{
 355        char data[128];
 356        int keepalive_active = 0;
 357
 358        if (keepalive_in_sec <= 0)
 359                use_keepalive = KEEPALIVE_NEVER;
 360        if (use_keepalive == KEEPALIVE_ALWAYS)
 361                keepalive_active = 1;
 362
 363        while (1) {
 364                ssize_t sz;
 365
 366                if (keepalive_active) {
 367                        struct pollfd pfd;
 368                        int ret;
 369
 370                        pfd.fd = in;
 371                        pfd.events = POLLIN;
 372                        ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
 373
 374                        if (ret < 0) {
 375                                if (errno == EINTR)
 376                                        continue;
 377                                else
 378                                        break;
 379                        } else if (ret == 0) {
 380                                /* no data; send a keepalive packet */
 381                                static const char buf[] = "0005\1";
 382                                write_or_die(1, buf, sizeof(buf) - 1);
 383                                continue;
 384                        } /* else there is actual data to read */
 385                }
 386
 387                sz = xread(in, data, sizeof(data));
 388                if (sz <= 0)
 389                        break;
 390
 391                if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
 392                        const char *p = memchr(data, '\0', sz);
 393                        if (p) {
 394                                /*
 395                                 * The NUL tells us to start sending keepalives. Make
 396                                 * sure we send any other data we read along
 397                                 * with it.
 398                                 */
 399                                keepalive_active = 1;
 400                                send_sideband(1, 2, data, p - data, use_sideband);
 401                                send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
 402                                continue;
 403                        }
 404                }
 405
 406                /*
 407                 * Either we're not looking for a NUL signal, or we didn't see
 408                 * it yet; just pass along the data.
 409                 */
 410                send_sideband(1, 2, data, sz, use_sideband);
 411        }
 412        close(in);
 413        return 0;
 414}
 415
 416#define HMAC_BLOCK_SIZE 64
 417
 418static void hmac_sha1(unsigned char *out,
 419                      const char *key_in, size_t key_len,
 420                      const char *text, size_t text_len)
 421{
 422        unsigned char key[HMAC_BLOCK_SIZE];
 423        unsigned char k_ipad[HMAC_BLOCK_SIZE];
 424        unsigned char k_opad[HMAC_BLOCK_SIZE];
 425        int i;
 426        git_SHA_CTX ctx;
 427
 428        /* RFC 2104 2. (1) */
 429        memset(key, '\0', HMAC_BLOCK_SIZE);
 430        if (HMAC_BLOCK_SIZE < key_len) {
 431                git_SHA1_Init(&ctx);
 432                git_SHA1_Update(&ctx, key_in, key_len);
 433                git_SHA1_Final(key, &ctx);
 434        } else {
 435                memcpy(key, key_in, key_len);
 436        }
 437
 438        /* RFC 2104 2. (2) & (5) */
 439        for (i = 0; i < sizeof(key); i++) {
 440                k_ipad[i] = key[i] ^ 0x36;
 441                k_opad[i] = key[i] ^ 0x5c;
 442        }
 443
 444        /* RFC 2104 2. (3) & (4) */
 445        git_SHA1_Init(&ctx);
 446        git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
 447        git_SHA1_Update(&ctx, text, text_len);
 448        git_SHA1_Final(out, &ctx);
 449
 450        /* RFC 2104 2. (6) & (7) */
 451        git_SHA1_Init(&ctx);
 452        git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
 453        git_SHA1_Update(&ctx, out, 20);
 454        git_SHA1_Final(out, &ctx);
 455}
 456
 457static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
 458{
 459        struct strbuf buf = STRBUF_INIT;
 460        unsigned char sha1[20];
 461
 462        strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
 463        hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
 464        strbuf_release(&buf);
 465
 466        /* RFC 2104 5. HMAC-SHA1-80 */
 467        strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, 20, sha1_to_hex(sha1));
 468        return strbuf_detach(&buf, NULL);
 469}
 470
 471/*
 472 * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
 473 * after dropping "_commit" from its name and possibly moving it out
 474 * of commit.c
 475 */
 476static char *find_header(const char *msg, size_t len, const char *key,
 477                         const char **next_line)
 478{
 479        int key_len = strlen(key);
 480        const char *line = msg;
 481
 482        while (line && line < msg + len) {
 483                const char *eol = strchrnul(line, '\n');
 484
 485                if ((msg + len <= eol) || line == eol)
 486                        return NULL;
 487                if (line + key_len < eol &&
 488                    !memcmp(line, key, key_len) && line[key_len] == ' ') {
 489                        int offset = key_len + 1;
 490                        if (next_line)
 491                                *next_line = *eol ? eol + 1 : eol;
 492                        return xmemdupz(line + offset, (eol - line) - offset);
 493                }
 494                line = *eol ? eol + 1 : NULL;
 495        }
 496        return NULL;
 497}
 498
 499static const char *check_nonce(const char *buf, size_t len)
 500{
 501        char *nonce = find_header(buf, len, "nonce", NULL);
 502        timestamp_t stamp, ostamp;
 503        char *bohmac, *expect = NULL;
 504        const char *retval = NONCE_BAD;
 505
 506        if (!nonce) {
 507                retval = NONCE_MISSING;
 508                goto leave;
 509        } else if (!push_cert_nonce) {
 510                retval = NONCE_UNSOLICITED;
 511                goto leave;
 512        } else if (!strcmp(push_cert_nonce, nonce)) {
 513                retval = NONCE_OK;
 514                goto leave;
 515        }
 516
 517        if (!stateless_rpc) {
 518                /* returned nonce MUST match what we gave out earlier */
 519                retval = NONCE_BAD;
 520                goto leave;
 521        }
 522
 523        /*
 524         * In stateless mode, we may be receiving a nonce issued by
 525         * another instance of the server that serving the same
 526         * repository, and the timestamps may not match, but the
 527         * nonce-seed and dir should match, so we can recompute and
 528         * report the time slop.
 529         *
 530         * In addition, when a nonce issued by another instance has
 531         * timestamp within receive.certnonceslop seconds, we pretend
 532         * as if we issued that nonce when reporting to the hook.
 533         */
 534
 535        /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
 536        if (*nonce <= '0' || '9' < *nonce) {
 537                retval = NONCE_BAD;
 538                goto leave;
 539        }
 540        stamp = parse_timestamp(nonce, &bohmac, 10);
 541        if (bohmac == nonce || bohmac[0] != '-') {
 542                retval = NONCE_BAD;
 543                goto leave;
 544        }
 545
 546        expect = prepare_push_cert_nonce(service_dir, stamp);
 547        if (strcmp(expect, nonce)) {
 548                /* Not what we would have signed earlier */
 549                retval = NONCE_BAD;
 550                goto leave;
 551        }
 552
 553        /*
 554         * By how many seconds is this nonce stale?  Negative value
 555         * would mean it was issued by another server with its clock
 556         * skewed in the future.
 557         */
 558        ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
 559        nonce_stamp_slop = (long)ostamp - (long)stamp;
 560
 561        if (nonce_stamp_slop_limit &&
 562            labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
 563                /*
 564                 * Pretend as if the received nonce (which passes the
 565                 * HMAC check, so it is not a forged by third-party)
 566                 * is what we issued.
 567                 */
 568                free((void *)push_cert_nonce);
 569                push_cert_nonce = xstrdup(nonce);
 570                retval = NONCE_OK;
 571        } else {
 572                retval = NONCE_SLOP;
 573        }
 574
 575leave:
 576        free(nonce);
 577        free(expect);
 578        return retval;
 579}
 580
 581/*
 582 * Return 1 if there is no push_cert or if the push options in push_cert are
 583 * the same as those in the argument; 0 otherwise.
 584 */
 585static int check_cert_push_options(const struct string_list *push_options)
 586{
 587        const char *buf = push_cert.buf;
 588        int len = push_cert.len;
 589
 590        char *option;
 591        const char *next_line;
 592        int options_seen = 0;
 593
 594        int retval = 1;
 595
 596        if (!len)
 597                return 1;
 598
 599        while ((option = find_header(buf, len, "push-option", &next_line))) {
 600                len -= (next_line - buf);
 601                buf = next_line;
 602                options_seen++;
 603                if (options_seen > push_options->nr
 604                    || strcmp(option,
 605                              push_options->items[options_seen - 1].string)) {
 606                        retval = 0;
 607                        goto leave;
 608                }
 609                free(option);
 610        }
 611
 612        if (options_seen != push_options->nr)
 613                retval = 0;
 614
 615leave:
 616        free(option);
 617        return retval;
 618}
 619
 620static void prepare_push_cert_sha1(struct child_process *proc)
 621{
 622        static int already_done;
 623
 624        if (!push_cert.len)
 625                return;
 626
 627        if (!already_done) {
 628                struct strbuf gpg_output = STRBUF_INIT;
 629                struct strbuf gpg_status = STRBUF_INIT;
 630                int bogs /* beginning_of_gpg_sig */;
 631
 632                already_done = 1;
 633                if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
 634                        hashclr(push_cert_sha1);
 635
 636                memset(&sigcheck, '\0', sizeof(sigcheck));
 637                sigcheck.result = 'N';
 638
 639                bogs = parse_signature(push_cert.buf, push_cert.len);
 640                if (verify_signed_buffer(push_cert.buf, bogs,
 641                                         push_cert.buf + bogs, push_cert.len - bogs,
 642                                         &gpg_output, &gpg_status) < 0) {
 643                        ; /* error running gpg */
 644                } else {
 645                        sigcheck.payload = push_cert.buf;
 646                        sigcheck.gpg_output = gpg_output.buf;
 647                        sigcheck.gpg_status = gpg_status.buf;
 648                        parse_gpg_output(&sigcheck);
 649                }
 650
 651                strbuf_release(&gpg_output);
 652                strbuf_release(&gpg_status);
 653                nonce_status = check_nonce(push_cert.buf, bogs);
 654        }
 655        if (!is_null_sha1(push_cert_sha1)) {
 656                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
 657                                 sha1_to_hex(push_cert_sha1));
 658                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
 659                                 sigcheck.signer ? sigcheck.signer : "");
 660                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
 661                                 sigcheck.key ? sigcheck.key : "");
 662                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
 663                                 sigcheck.result);
 664                if (push_cert_nonce) {
 665                        argv_array_pushf(&proc->env_array,
 666                                         "GIT_PUSH_CERT_NONCE=%s",
 667                                         push_cert_nonce);
 668                        argv_array_pushf(&proc->env_array,
 669                                         "GIT_PUSH_CERT_NONCE_STATUS=%s",
 670                                         nonce_status);
 671                        if (nonce_status == NONCE_SLOP)
 672                                argv_array_pushf(&proc->env_array,
 673                                                 "GIT_PUSH_CERT_NONCE_SLOP=%ld",
 674                                                 nonce_stamp_slop);
 675                }
 676        }
 677}
 678
 679struct receive_hook_feed_state {
 680        struct command *cmd;
 681        int skip_broken;
 682        struct strbuf buf;
 683        const struct string_list *push_options;
 684};
 685
 686typedef int (*feed_fn)(void *, const char **, size_t *);
 687static int run_and_feed_hook(const char *hook_name, feed_fn feed,
 688                             struct receive_hook_feed_state *feed_state)
 689{
 690        struct child_process proc = CHILD_PROCESS_INIT;
 691        struct async muxer;
 692        const char *argv[2];
 693        int code;
 694
 695        argv[0] = find_hook(hook_name);
 696        if (!argv[0])
 697                return 0;
 698
 699        argv[1] = NULL;
 700
 701        proc.argv = argv;
 702        proc.in = -1;
 703        proc.stdout_to_stderr = 1;
 704        if (feed_state->push_options) {
 705                int i;
 706                for (i = 0; i < feed_state->push_options->nr; i++)
 707                        argv_array_pushf(&proc.env_array,
 708                                "GIT_PUSH_OPTION_%d=%s", i,
 709                                feed_state->push_options->items[i].string);
 710                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
 711                                 feed_state->push_options->nr);
 712        } else
 713                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
 714
 715        if (tmp_objdir)
 716                argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
 717
 718        if (use_sideband) {
 719                memset(&muxer, 0, sizeof(muxer));
 720                muxer.proc = copy_to_sideband;
 721                muxer.in = -1;
 722                code = start_async(&muxer);
 723                if (code)
 724                        return code;
 725                proc.err = muxer.in;
 726        }
 727
 728        prepare_push_cert_sha1(&proc);
 729
 730        code = start_command(&proc);
 731        if (code) {
 732                if (use_sideband)
 733                        finish_async(&muxer);
 734                return code;
 735        }
 736
 737        sigchain_push(SIGPIPE, SIG_IGN);
 738
 739        while (1) {
 740                const char *buf;
 741                size_t n;
 742                if (feed(feed_state, &buf, &n))
 743                        break;
 744                if (write_in_full(proc.in, buf, n) != n)
 745                        break;
 746        }
 747        close(proc.in);
 748        if (use_sideband)
 749                finish_async(&muxer);
 750
 751        sigchain_pop(SIGPIPE);
 752
 753        return finish_command(&proc);
 754}
 755
 756static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
 757{
 758        struct receive_hook_feed_state *state = state_;
 759        struct command *cmd = state->cmd;
 760
 761        while (cmd &&
 762               state->skip_broken && (cmd->error_string || cmd->did_not_exist))
 763                cmd = cmd->next;
 764        if (!cmd)
 765                return -1; /* EOF */
 766        strbuf_reset(&state->buf);
 767        strbuf_addf(&state->buf, "%s %s %s\n",
 768                    oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
 769                    cmd->ref_name);
 770        state->cmd = cmd->next;
 771        if (bufp) {
 772                *bufp = state->buf.buf;
 773                *sizep = state->buf.len;
 774        }
 775        return 0;
 776}
 777
 778static int run_receive_hook(struct command *commands,
 779                            const char *hook_name,
 780                            int skip_broken,
 781                            const struct string_list *push_options)
 782{
 783        struct receive_hook_feed_state state;
 784        int status;
 785
 786        strbuf_init(&state.buf, 0);
 787        state.cmd = commands;
 788        state.skip_broken = skip_broken;
 789        if (feed_receive_hook(&state, NULL, NULL))
 790                return 0;
 791        state.cmd = commands;
 792        state.push_options = push_options;
 793        status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
 794        strbuf_release(&state.buf);
 795        return status;
 796}
 797
 798static int run_update_hook(struct command *cmd)
 799{
 800        const char *argv[5];
 801        struct child_process proc = CHILD_PROCESS_INIT;
 802        int code;
 803
 804        argv[0] = find_hook("update");
 805        if (!argv[0])
 806                return 0;
 807
 808        argv[1] = cmd->ref_name;
 809        argv[2] = oid_to_hex(&cmd->old_oid);
 810        argv[3] = oid_to_hex(&cmd->new_oid);
 811        argv[4] = NULL;
 812
 813        proc.no_stdin = 1;
 814        proc.stdout_to_stderr = 1;
 815        proc.err = use_sideband ? -1 : 0;
 816        proc.argv = argv;
 817
 818        code = start_command(&proc);
 819        if (code)
 820                return code;
 821        if (use_sideband)
 822                copy_to_sideband(proc.err, -1, NULL);
 823        return finish_command(&proc);
 824}
 825
 826static int is_ref_checked_out(const char *ref)
 827{
 828        if (is_bare_repository())
 829                return 0;
 830
 831        if (!head_name)
 832                return 0;
 833        return !strcmp(head_name, ref);
 834}
 835
 836static char *refuse_unconfigured_deny_msg =
 837        N_("By default, updating the current branch in a non-bare repository\n"
 838           "is denied, because it will make the index and work tree inconsistent\n"
 839           "with what you pushed, and will require 'git reset --hard' to match\n"
 840           "the work tree to HEAD.\n"
 841           "\n"
 842           "You can set the 'receive.denyCurrentBranch' configuration variable\n"
 843           "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
 844           "its current branch; however, this is not recommended unless you\n"
 845           "arranged to update its work tree to match what you pushed in some\n"
 846           "other way.\n"
 847           "\n"
 848           "To squelch this message and still keep the default behaviour, set\n"
 849           "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
 850
 851static void refuse_unconfigured_deny(void)
 852{
 853        rp_error("%s", _(refuse_unconfigured_deny_msg));
 854}
 855
 856static char *refuse_unconfigured_deny_delete_current_msg =
 857        N_("By default, deleting the current branch is denied, because the next\n"
 858           "'git clone' won't result in any file checked out, causing confusion.\n"
 859           "\n"
 860           "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
 861           "'warn' or 'ignore' in the remote repository to allow deleting the\n"
 862           "current branch, with or without a warning message.\n"
 863           "\n"
 864           "To squelch this message, you can set it to 'refuse'.");
 865
 866static void refuse_unconfigured_deny_delete_current(void)
 867{
 868        rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
 869}
 870
 871static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
 872static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
 873{
 874        static struct lock_file shallow_lock;
 875        struct oid_array extra = OID_ARRAY_INIT;
 876        struct check_connected_options opt = CHECK_CONNECTED_INIT;
 877        uint32_t mask = 1 << (cmd->index % 32);
 878        int i;
 879
 880        trace_printf_key(&trace_shallow,
 881                         "shallow: update_shallow_ref %s\n", cmd->ref_name);
 882        for (i = 0; i < si->shallow->nr; i++)
 883                if (si->used_shallow[i] &&
 884                    (si->used_shallow[i][cmd->index / 32] & mask) &&
 885                    !delayed_reachability_test(si, i))
 886                        oid_array_append(&extra, &si->shallow->oid[i]);
 887
 888        opt.env = tmp_objdir_env(tmp_objdir);
 889        setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
 890        if (check_connected(command_singleton_iterator, cmd, &opt)) {
 891                rollback_lock_file(&shallow_lock);
 892                oid_array_clear(&extra);
 893                return -1;
 894        }
 895
 896        commit_lock_file(&shallow_lock);
 897
 898        /*
 899         * Make sure setup_alternate_shallow() for the next ref does
 900         * not lose these new roots..
 901         */
 902        for (i = 0; i < extra.nr; i++)
 903                register_shallow(&extra.oid[i]);
 904
 905        si->shallow_ref[cmd->index] = 0;
 906        oid_array_clear(&extra);
 907        return 0;
 908}
 909
 910/*
 911 * NEEDSWORK: we should consolidate various implementions of "are we
 912 * on an unborn branch?" test into one, and make the unified one more
 913 * robust. !get_sha1() based check used here and elsewhere would not
 914 * allow us to tell an unborn branch from corrupt ref, for example.
 915 * For the purpose of fixing "deploy-to-update does not work when
 916 * pushing into an empty repository" issue, this should suffice for
 917 * now.
 918 */
 919static int head_has_history(void)
 920{
 921        unsigned char sha1[20];
 922
 923        return !get_sha1("HEAD", sha1);
 924}
 925
 926static const char *push_to_deploy(unsigned char *sha1,
 927                                  struct argv_array *env,
 928                                  const char *work_tree)
 929{
 930        const char *update_refresh[] = {
 931                "update-index", "-q", "--ignore-submodules", "--refresh", NULL
 932        };
 933        const char *diff_files[] = {
 934                "diff-files", "--quiet", "--ignore-submodules", "--", NULL
 935        };
 936        const char *diff_index[] = {
 937                "diff-index", "--quiet", "--cached", "--ignore-submodules",
 938                NULL, "--", NULL
 939        };
 940        const char *read_tree[] = {
 941                "read-tree", "-u", "-m", NULL, NULL
 942        };
 943        struct child_process child = CHILD_PROCESS_INIT;
 944
 945        child.argv = update_refresh;
 946        child.env = env->argv;
 947        child.dir = work_tree;
 948        child.no_stdin = 1;
 949        child.stdout_to_stderr = 1;
 950        child.git_cmd = 1;
 951        if (run_command(&child))
 952                return "Up-to-date check failed";
 953
 954        /* run_command() does not clean up completely; reinitialize */
 955        child_process_init(&child);
 956        child.argv = diff_files;
 957        child.env = env->argv;
 958        child.dir = work_tree;
 959        child.no_stdin = 1;
 960        child.stdout_to_stderr = 1;
 961        child.git_cmd = 1;
 962        if (run_command(&child))
 963                return "Working directory has unstaged changes";
 964
 965        /* diff-index with either HEAD or an empty tree */
 966        diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
 967
 968        child_process_init(&child);
 969        child.argv = diff_index;
 970        child.env = env->argv;
 971        child.no_stdin = 1;
 972        child.no_stdout = 1;
 973        child.stdout_to_stderr = 0;
 974        child.git_cmd = 1;
 975        if (run_command(&child))
 976                return "Working directory has staged changes";
 977
 978        read_tree[3] = sha1_to_hex(sha1);
 979        child_process_init(&child);
 980        child.argv = read_tree;
 981        child.env = env->argv;
 982        child.dir = work_tree;
 983        child.no_stdin = 1;
 984        child.no_stdout = 1;
 985        child.stdout_to_stderr = 0;
 986        child.git_cmd = 1;
 987        if (run_command(&child))
 988                return "Could not update working tree to new HEAD";
 989
 990        return NULL;
 991}
 992
 993static const char *push_to_checkout_hook = "push-to-checkout";
 994
 995static const char *push_to_checkout(unsigned char *sha1,
 996                                    struct argv_array *env,
 997                                    const char *work_tree)
 998{
 999        argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
1000        if (run_hook_le(env->argv, push_to_checkout_hook,
1001                        sha1_to_hex(sha1), NULL))
1002                return "push-to-checkout hook declined";
1003        else
1004                return NULL;
1005}
1006
1007static const char *update_worktree(unsigned char *sha1)
1008{
1009        const char *retval;
1010        const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
1011        struct argv_array env = ARGV_ARRAY_INIT;
1012
1013        if (is_bare_repository())
1014                return "denyCurrentBranch = updateInstead needs a worktree";
1015
1016        argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
1017
1018        if (!find_hook(push_to_checkout_hook))
1019                retval = push_to_deploy(sha1, &env, work_tree);
1020        else
1021                retval = push_to_checkout(sha1, &env, work_tree);
1022
1023        argv_array_clear(&env);
1024        return retval;
1025}
1026
1027static const char *update(struct command *cmd, struct shallow_info *si)
1028{
1029        const char *name = cmd->ref_name;
1030        struct strbuf namespaced_name_buf = STRBUF_INIT;
1031        static char *namespaced_name;
1032        const char *ret;
1033        struct object_id *old_oid = &cmd->old_oid;
1034        struct object_id *new_oid = &cmd->new_oid;
1035
1036        /* only refs/... are allowed */
1037        if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1038                rp_error("refusing to create funny ref '%s' remotely", name);
1039                return "funny refname";
1040        }
1041
1042        strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1043        free(namespaced_name);
1044        namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1045
1046        if (is_ref_checked_out(namespaced_name)) {
1047                switch (deny_current_branch) {
1048                case DENY_IGNORE:
1049                        break;
1050                case DENY_WARN:
1051                        rp_warning("updating the current branch");
1052                        break;
1053                case DENY_REFUSE:
1054                case DENY_UNCONFIGURED:
1055                        rp_error("refusing to update checked out branch: %s", name);
1056                        if (deny_current_branch == DENY_UNCONFIGURED)
1057                                refuse_unconfigured_deny();
1058                        return "branch is currently checked out";
1059                case DENY_UPDATE_INSTEAD:
1060                        ret = update_worktree(new_oid->hash);
1061                        if (ret)
1062                                return ret;
1063                        break;
1064                }
1065        }
1066
1067        if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1068                error("unpack should have generated %s, "
1069                      "but I can't find it!", oid_to_hex(new_oid));
1070                return "bad pack";
1071        }
1072
1073        if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1074                if (deny_deletes && starts_with(name, "refs/heads/")) {
1075                        rp_error("denying ref deletion for %s", name);
1076                        return "deletion prohibited";
1077                }
1078
1079                if (head_name && !strcmp(namespaced_name, head_name)) {
1080                        switch (deny_delete_current) {
1081                        case DENY_IGNORE:
1082                                break;
1083                        case DENY_WARN:
1084                                rp_warning("deleting the current branch");
1085                                break;
1086                        case DENY_REFUSE:
1087                        case DENY_UNCONFIGURED:
1088                        case DENY_UPDATE_INSTEAD:
1089                                if (deny_delete_current == DENY_UNCONFIGURED)
1090                                        refuse_unconfigured_deny_delete_current();
1091                                rp_error("refusing to delete the current branch: %s", name);
1092                                return "deletion of the current branch prohibited";
1093                        default:
1094                                return "Invalid denyDeleteCurrent setting";
1095                        }
1096                }
1097        }
1098
1099        if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1100            !is_null_oid(old_oid) &&
1101            starts_with(name, "refs/heads/")) {
1102                struct object *old_object, *new_object;
1103                struct commit *old_commit, *new_commit;
1104
1105                old_object = parse_object(old_oid);
1106                new_object = parse_object(new_oid);
1107
1108                if (!old_object || !new_object ||
1109                    old_object->type != OBJ_COMMIT ||
1110                    new_object->type != OBJ_COMMIT) {
1111                        error("bad sha1 objects for %s", name);
1112                        return "bad ref";
1113                }
1114                old_commit = (struct commit *)old_object;
1115                new_commit = (struct commit *)new_object;
1116                if (!in_merge_bases(old_commit, new_commit)) {
1117                        rp_error("denying non-fast-forward %s"
1118                                 " (you should pull first)", name);
1119                        return "non-fast-forward";
1120                }
1121        }
1122        if (run_update_hook(cmd)) {
1123                rp_error("hook declined to update %s", name);
1124                return "hook declined";
1125        }
1126
1127        if (is_null_oid(new_oid)) {
1128                struct strbuf err = STRBUF_INIT;
1129                if (!parse_object(old_oid)) {
1130                        old_oid = NULL;
1131                        if (ref_exists(name)) {
1132                                rp_warning("Allowing deletion of corrupt ref.");
1133                        } else {
1134                                rp_warning("Deleting a non-existent ref.");
1135                                cmd->did_not_exist = 1;
1136                        }
1137                }
1138                if (ref_transaction_delete(transaction,
1139                                           namespaced_name,
1140                                           old_oid->hash,
1141                                           0, "push", &err)) {
1142                        rp_error("%s", err.buf);
1143                        strbuf_release(&err);
1144                        return "failed to delete";
1145                }
1146                strbuf_release(&err);
1147                return NULL; /* good */
1148        }
1149        else {
1150                struct strbuf err = STRBUF_INIT;
1151                if (shallow_update && si->shallow_ref[cmd->index] &&
1152                    update_shallow_ref(cmd, si))
1153                        return "shallow error";
1154
1155                if (ref_transaction_update(transaction,
1156                                           namespaced_name,
1157                                           new_oid->hash, old_oid->hash,
1158                                           0, "push",
1159                                           &err)) {
1160                        rp_error("%s", err.buf);
1161                        strbuf_release(&err);
1162
1163                        return "failed to update ref";
1164                }
1165                strbuf_release(&err);
1166
1167                return NULL; /* good */
1168        }
1169}
1170
1171static void run_update_post_hook(struct command *commands)
1172{
1173        struct command *cmd;
1174        struct child_process proc = CHILD_PROCESS_INIT;
1175        const char *hook;
1176
1177        hook = find_hook("post-update");
1178        if (!hook)
1179                return;
1180
1181        for (cmd = commands; cmd; cmd = cmd->next) {
1182                if (cmd->error_string || cmd->did_not_exist)
1183                        continue;
1184                if (!proc.args.argc)
1185                        argv_array_push(&proc.args, hook);
1186                argv_array_push(&proc.args, cmd->ref_name);
1187        }
1188        if (!proc.args.argc)
1189                return;
1190
1191        proc.no_stdin = 1;
1192        proc.stdout_to_stderr = 1;
1193        proc.err = use_sideband ? -1 : 0;
1194
1195        if (!start_command(&proc)) {
1196                if (use_sideband)
1197                        copy_to_sideband(proc.err, -1, NULL);
1198                finish_command(&proc);
1199        }
1200}
1201
1202static void check_aliased_update(struct command *cmd, struct string_list *list)
1203{
1204        struct strbuf buf = STRBUF_INIT;
1205        const char *dst_name;
1206        struct string_list_item *item;
1207        struct command *dst_cmd;
1208        unsigned char sha1[GIT_MAX_RAWSZ];
1209        int flag;
1210
1211        strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1212        dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1213        strbuf_release(&buf);
1214
1215        if (!(flag & REF_ISSYMREF))
1216                return;
1217
1218        if (!dst_name) {
1219                rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1220                cmd->skip_update = 1;
1221                cmd->error_string = "broken symref";
1222                return;
1223        }
1224        dst_name = strip_namespace(dst_name);
1225
1226        if ((item = string_list_lookup(list, dst_name)) == NULL)
1227                return;
1228
1229        cmd->skip_update = 1;
1230
1231        dst_cmd = (struct command *) item->util;
1232
1233        if (!oidcmp(&cmd->old_oid, &dst_cmd->old_oid) &&
1234            !oidcmp(&cmd->new_oid, &dst_cmd->new_oid))
1235                return;
1236
1237        dst_cmd->skip_update = 1;
1238
1239        rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1240                 " its target '%s' (%s..%s)",
1241                 cmd->ref_name,
1242                 find_unique_abbrev(cmd->old_oid.hash, DEFAULT_ABBREV),
1243                 find_unique_abbrev(cmd->new_oid.hash, DEFAULT_ABBREV),
1244                 dst_cmd->ref_name,
1245                 find_unique_abbrev(dst_cmd->old_oid.hash, DEFAULT_ABBREV),
1246                 find_unique_abbrev(dst_cmd->new_oid.hash, DEFAULT_ABBREV));
1247
1248        cmd->error_string = dst_cmd->error_string =
1249                "inconsistent aliased update";
1250}
1251
1252static void check_aliased_updates(struct command *commands)
1253{
1254        struct command *cmd;
1255        struct string_list ref_list = STRING_LIST_INIT_NODUP;
1256
1257        for (cmd = commands; cmd; cmd = cmd->next) {
1258                struct string_list_item *item =
1259                        string_list_append(&ref_list, cmd->ref_name);
1260                item->util = (void *)cmd;
1261        }
1262        string_list_sort(&ref_list);
1263
1264        for (cmd = commands; cmd; cmd = cmd->next) {
1265                if (!cmd->error_string)
1266                        check_aliased_update(cmd, &ref_list);
1267        }
1268
1269        string_list_clear(&ref_list, 0);
1270}
1271
1272static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1273{
1274        struct command **cmd_list = cb_data;
1275        struct command *cmd = *cmd_list;
1276
1277        if (!cmd || is_null_oid(&cmd->new_oid))
1278                return -1; /* end of list */
1279        *cmd_list = NULL; /* this returns only one */
1280        hashcpy(sha1, cmd->new_oid.hash);
1281        return 0;
1282}
1283
1284static void set_connectivity_errors(struct command *commands,
1285                                    struct shallow_info *si)
1286{
1287        struct command *cmd;
1288
1289        for (cmd = commands; cmd; cmd = cmd->next) {
1290                struct command *singleton = cmd;
1291                struct check_connected_options opt = CHECK_CONNECTED_INIT;
1292
1293                if (shallow_update && si->shallow_ref[cmd->index])
1294                        /* to be checked in update_shallow_ref() */
1295                        continue;
1296
1297                opt.env = tmp_objdir_env(tmp_objdir);
1298                if (!check_connected(command_singleton_iterator, &singleton,
1299                                     &opt))
1300                        continue;
1301
1302                cmd->error_string = "missing necessary objects";
1303        }
1304}
1305
1306struct iterate_data {
1307        struct command *cmds;
1308        struct shallow_info *si;
1309};
1310
1311static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1312{
1313        struct iterate_data *data = cb_data;
1314        struct command **cmd_list = &data->cmds;
1315        struct command *cmd = *cmd_list;
1316
1317        for (; cmd; cmd = cmd->next) {
1318                if (shallow_update && data->si->shallow_ref[cmd->index])
1319                        /* to be checked in update_shallow_ref() */
1320                        continue;
1321                if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1322                        hashcpy(sha1, cmd->new_oid.hash);
1323                        *cmd_list = cmd->next;
1324                        return 0;
1325                }
1326        }
1327        *cmd_list = NULL;
1328        return -1; /* end of list */
1329}
1330
1331static void reject_updates_to_hidden(struct command *commands)
1332{
1333        struct strbuf refname_full = STRBUF_INIT;
1334        size_t prefix_len;
1335        struct command *cmd;
1336
1337        strbuf_addstr(&refname_full, get_git_namespace());
1338        prefix_len = refname_full.len;
1339
1340        for (cmd = commands; cmd; cmd = cmd->next) {
1341                if (cmd->error_string)
1342                        continue;
1343
1344                strbuf_setlen(&refname_full, prefix_len);
1345                strbuf_addstr(&refname_full, cmd->ref_name);
1346
1347                if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1348                        continue;
1349                if (is_null_oid(&cmd->new_oid))
1350                        cmd->error_string = "deny deleting a hidden ref";
1351                else
1352                        cmd->error_string = "deny updating a hidden ref";
1353        }
1354
1355        strbuf_release(&refname_full);
1356}
1357
1358static int should_process_cmd(struct command *cmd)
1359{
1360        return !cmd->error_string && !cmd->skip_update;
1361}
1362
1363static void warn_if_skipped_connectivity_check(struct command *commands,
1364                                               struct shallow_info *si)
1365{
1366        struct command *cmd;
1367        int checked_connectivity = 1;
1368
1369        for (cmd = commands; cmd; cmd = cmd->next) {
1370                if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1371                        error("BUG: connectivity check has not been run on ref %s",
1372                              cmd->ref_name);
1373                        checked_connectivity = 0;
1374                }
1375        }
1376        if (!checked_connectivity)
1377                die("BUG: connectivity check skipped???");
1378}
1379
1380static void execute_commands_non_atomic(struct command *commands,
1381                                        struct shallow_info *si)
1382{
1383        struct command *cmd;
1384        struct strbuf err = STRBUF_INIT;
1385
1386        for (cmd = commands; cmd; cmd = cmd->next) {
1387                if (!should_process_cmd(cmd))
1388                        continue;
1389
1390                transaction = ref_transaction_begin(&err);
1391                if (!transaction) {
1392                        rp_error("%s", err.buf);
1393                        strbuf_reset(&err);
1394                        cmd->error_string = "transaction failed to start";
1395                        continue;
1396                }
1397
1398                cmd->error_string = update(cmd, si);
1399
1400                if (!cmd->error_string
1401                    && ref_transaction_commit(transaction, &err)) {
1402                        rp_error("%s", err.buf);
1403                        strbuf_reset(&err);
1404                        cmd->error_string = "failed to update ref";
1405                }
1406                ref_transaction_free(transaction);
1407        }
1408        strbuf_release(&err);
1409}
1410
1411static void execute_commands_atomic(struct command *commands,
1412                                        struct shallow_info *si)
1413{
1414        struct command *cmd;
1415        struct strbuf err = STRBUF_INIT;
1416        const char *reported_error = "atomic push failure";
1417
1418        transaction = ref_transaction_begin(&err);
1419        if (!transaction) {
1420                rp_error("%s", err.buf);
1421                strbuf_reset(&err);
1422                reported_error = "transaction failed to start";
1423                goto failure;
1424        }
1425
1426        for (cmd = commands; cmd; cmd = cmd->next) {
1427                if (!should_process_cmd(cmd))
1428                        continue;
1429
1430                cmd->error_string = update(cmd, si);
1431
1432                if (cmd->error_string)
1433                        goto failure;
1434        }
1435
1436        if (ref_transaction_commit(transaction, &err)) {
1437                rp_error("%s", err.buf);
1438                reported_error = "atomic transaction failed";
1439                goto failure;
1440        }
1441        goto cleanup;
1442
1443failure:
1444        for (cmd = commands; cmd; cmd = cmd->next)
1445                if (!cmd->error_string)
1446                        cmd->error_string = reported_error;
1447
1448cleanup:
1449        ref_transaction_free(transaction);
1450        strbuf_release(&err);
1451}
1452
1453static void execute_commands(struct command *commands,
1454                             const char *unpacker_error,
1455                             struct shallow_info *si,
1456                             const struct string_list *push_options)
1457{
1458        struct check_connected_options opt = CHECK_CONNECTED_INIT;
1459        struct command *cmd;
1460        struct object_id oid;
1461        struct iterate_data data;
1462        struct async muxer;
1463        int err_fd = 0;
1464
1465        if (unpacker_error) {
1466                for (cmd = commands; cmd; cmd = cmd->next)
1467                        cmd->error_string = "unpacker error";
1468                return;
1469        }
1470
1471        if (use_sideband) {
1472                memset(&muxer, 0, sizeof(muxer));
1473                muxer.proc = copy_to_sideband;
1474                muxer.in = -1;
1475                if (!start_async(&muxer))
1476                        err_fd = muxer.in;
1477                /* ...else, continue without relaying sideband */
1478        }
1479
1480        data.cmds = commands;
1481        data.si = si;
1482        opt.err_fd = err_fd;
1483        opt.progress = err_fd && !quiet;
1484        opt.env = tmp_objdir_env(tmp_objdir);
1485        if (check_connected(iterate_receive_command_list, &data, &opt))
1486                set_connectivity_errors(commands, si);
1487
1488        if (use_sideband)
1489                finish_async(&muxer);
1490
1491        reject_updates_to_hidden(commands);
1492
1493        if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1494                for (cmd = commands; cmd; cmd = cmd->next) {
1495                        if (!cmd->error_string)
1496                                cmd->error_string = "pre-receive hook declined";
1497                }
1498                return;
1499        }
1500
1501        /*
1502         * Now we'll start writing out refs, which means the objects need
1503         * to be in their final positions so that other processes can see them.
1504         */
1505        if (tmp_objdir_migrate(tmp_objdir) < 0) {
1506                for (cmd = commands; cmd; cmd = cmd->next) {
1507                        if (!cmd->error_string)
1508                                cmd->error_string = "unable to migrate objects to permanent storage";
1509                }
1510                return;
1511        }
1512        tmp_objdir = NULL;
1513
1514        check_aliased_updates(commands);
1515
1516        free(head_name_to_free);
1517        head_name = head_name_to_free = resolve_refdup("HEAD", 0, oid.hash, NULL);
1518
1519        if (use_atomic)
1520                execute_commands_atomic(commands, si);
1521        else
1522                execute_commands_non_atomic(commands, si);
1523
1524        if (shallow_update)
1525                warn_if_skipped_connectivity_check(commands, si);
1526}
1527
1528static struct command **queue_command(struct command **tail,
1529                                      const char *line,
1530                                      int linelen)
1531{
1532        struct object_id old_oid, new_oid;
1533        struct command *cmd;
1534        const char *refname;
1535        int reflen;
1536        const char *p;
1537
1538        if (parse_oid_hex(line, &old_oid, &p) ||
1539            *p++ != ' ' ||
1540            parse_oid_hex(p, &new_oid, &p) ||
1541            *p++ != ' ')
1542                die("protocol error: expected old/new/ref, got '%s'", line);
1543
1544        refname = p;
1545        reflen = linelen - (p - line);
1546        FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1547        oidcpy(&cmd->old_oid, &old_oid);
1548        oidcpy(&cmd->new_oid, &new_oid);
1549        *tail = cmd;
1550        return &cmd->next;
1551}
1552
1553static void queue_commands_from_cert(struct command **tail,
1554                                     struct strbuf *push_cert)
1555{
1556        const char *boc, *eoc;
1557
1558        if (*tail)
1559                die("protocol error: got both push certificate and unsigned commands");
1560
1561        boc = strstr(push_cert->buf, "\n\n");
1562        if (!boc)
1563                die("malformed push certificate %.*s", 100, push_cert->buf);
1564        else
1565                boc += 2;
1566        eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1567
1568        while (boc < eoc) {
1569                const char *eol = memchr(boc, '\n', eoc - boc);
1570                tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1571                boc = eol ? eol + 1 : eoc;
1572        }
1573}
1574
1575static struct command *read_head_info(struct oid_array *shallow)
1576{
1577        struct command *commands = NULL;
1578        struct command **p = &commands;
1579        for (;;) {
1580                char *line;
1581                int len, linelen;
1582
1583                line = packet_read_line(0, &len);
1584                if (!line)
1585                        break;
1586
1587                if (len > 8 && starts_with(line, "shallow ")) {
1588                        struct object_id oid;
1589                        if (get_oid_hex(line + 8, &oid))
1590                                die("protocol error: expected shallow sha, got '%s'",
1591                                    line + 8);
1592                        oid_array_append(shallow, &oid);
1593                        continue;
1594                }
1595
1596                linelen = strlen(line);
1597                if (linelen < len) {
1598                        const char *feature_list = line + linelen + 1;
1599                        if (parse_feature_request(feature_list, "report-status"))
1600                                report_status = 1;
1601                        if (parse_feature_request(feature_list, "side-band-64k"))
1602                                use_sideband = LARGE_PACKET_MAX;
1603                        if (parse_feature_request(feature_list, "quiet"))
1604                                quiet = 1;
1605                        if (advertise_atomic_push
1606                            && parse_feature_request(feature_list, "atomic"))
1607                                use_atomic = 1;
1608                        if (advertise_push_options
1609                            && parse_feature_request(feature_list, "push-options"))
1610                                use_push_options = 1;
1611                }
1612
1613                if (!strcmp(line, "push-cert")) {
1614                        int true_flush = 0;
1615                        char certbuf[1024];
1616
1617                        for (;;) {
1618                                len = packet_read(0, NULL, NULL,
1619                                                  certbuf, sizeof(certbuf), 0);
1620                                if (!len) {
1621                                        true_flush = 1;
1622                                        break;
1623                                }
1624                                if (!strcmp(certbuf, "push-cert-end\n"))
1625                                        break; /* end of cert */
1626                                strbuf_addstr(&push_cert, certbuf);
1627                        }
1628
1629                        if (true_flush)
1630                                break;
1631                        continue;
1632                }
1633
1634                p = queue_command(p, line, linelen);
1635        }
1636
1637        if (push_cert.len)
1638                queue_commands_from_cert(p, &push_cert);
1639
1640        return commands;
1641}
1642
1643static void read_push_options(struct string_list *options)
1644{
1645        while (1) {
1646                char *line;
1647                int len;
1648
1649                line = packet_read_line(0, &len);
1650
1651                if (!line)
1652                        break;
1653
1654                string_list_append(options, line);
1655        }
1656}
1657
1658static const char *parse_pack_header(struct pack_header *hdr)
1659{
1660        switch (read_pack_header(0, hdr)) {
1661        case PH_ERROR_EOF:
1662                return "eof before pack header was fully read";
1663
1664        case PH_ERROR_PACK_SIGNATURE:
1665                return "protocol error (pack signature mismatch detected)";
1666
1667        case PH_ERROR_PROTOCOL:
1668                return "protocol error (pack version unsupported)";
1669
1670        default:
1671                return "unknown error in parse_pack_header";
1672
1673        case 0:
1674                return NULL;
1675        }
1676}
1677
1678static const char *pack_lockfile;
1679
1680static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1681{
1682        argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1683                        ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1684}
1685
1686static const char *unpack(int err_fd, struct shallow_info *si)
1687{
1688        struct pack_header hdr;
1689        const char *hdr_err;
1690        int status;
1691        struct child_process child = CHILD_PROCESS_INIT;
1692        int fsck_objects = (receive_fsck_objects >= 0
1693                            ? receive_fsck_objects
1694                            : transfer_fsck_objects >= 0
1695                            ? transfer_fsck_objects
1696                            : 0);
1697
1698        hdr_err = parse_pack_header(&hdr);
1699        if (hdr_err) {
1700                if (err_fd > 0)
1701                        close(err_fd);
1702                return hdr_err;
1703        }
1704
1705        if (si->nr_ours || si->nr_theirs) {
1706                alt_shallow_file = setup_temporary_shallow(si->shallow);
1707                argv_array_push(&child.args, "--shallow-file");
1708                argv_array_push(&child.args, alt_shallow_file);
1709        }
1710
1711        tmp_objdir = tmp_objdir_create();
1712        if (!tmp_objdir) {
1713                if (err_fd > 0)
1714                        close(err_fd);
1715                return "unable to create temporary object directory";
1716        }
1717        child.env = tmp_objdir_env(tmp_objdir);
1718
1719        /*
1720         * Normally we just pass the tmp_objdir environment to the child
1721         * processes that do the heavy lifting, but we may need to see these
1722         * objects ourselves to set up shallow information.
1723         */
1724        tmp_objdir_add_as_alternate(tmp_objdir);
1725
1726        if (ntohl(hdr.hdr_entries) < unpack_limit) {
1727                argv_array_push(&child.args, "unpack-objects");
1728                push_header_arg(&child.args, &hdr);
1729                if (quiet)
1730                        argv_array_push(&child.args, "-q");
1731                if (fsck_objects)
1732                        argv_array_pushf(&child.args, "--strict%s",
1733                                fsck_msg_types.buf);
1734                if (max_input_size)
1735                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1736                                (uintmax_t)max_input_size);
1737                child.no_stdout = 1;
1738                child.err = err_fd;
1739                child.git_cmd = 1;
1740                status = run_command(&child);
1741                if (status)
1742                        return "unpack-objects abnormal exit";
1743        } else {
1744                char hostname[HOST_NAME_MAX + 1];
1745
1746                argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1747                push_header_arg(&child.args, &hdr);
1748
1749                if (xgethostname(hostname, sizeof(hostname)))
1750                        xsnprintf(hostname, sizeof(hostname), "localhost");
1751                argv_array_pushf(&child.args,
1752                                 "--keep=receive-pack %"PRIuMAX" on %s",
1753                                 (uintmax_t)getpid(),
1754                                 hostname);
1755
1756                if (!quiet && err_fd)
1757                        argv_array_push(&child.args, "--show-resolving-progress");
1758                if (use_sideband)
1759                        argv_array_push(&child.args, "--report-end-of-input");
1760                if (fsck_objects)
1761                        argv_array_pushf(&child.args, "--strict%s",
1762                                fsck_msg_types.buf);
1763                if (!reject_thin)
1764                        argv_array_push(&child.args, "--fix-thin");
1765                if (max_input_size)
1766                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1767                                (uintmax_t)max_input_size);
1768                child.out = -1;
1769                child.err = err_fd;
1770                child.git_cmd = 1;
1771                status = start_command(&child);
1772                if (status)
1773                        return "index-pack fork failed";
1774                pack_lockfile = index_pack_lockfile(child.out);
1775                close(child.out);
1776                status = finish_command(&child);
1777                if (status)
1778                        return "index-pack abnormal exit";
1779                reprepare_packed_git();
1780        }
1781        return NULL;
1782}
1783
1784static const char *unpack_with_sideband(struct shallow_info *si)
1785{
1786        struct async muxer;
1787        const char *ret;
1788
1789        if (!use_sideband)
1790                return unpack(0, si);
1791
1792        use_keepalive = KEEPALIVE_AFTER_NUL;
1793        memset(&muxer, 0, sizeof(muxer));
1794        muxer.proc = copy_to_sideband;
1795        muxer.in = -1;
1796        if (start_async(&muxer))
1797                return NULL;
1798
1799        ret = unpack(muxer.in, si);
1800
1801        finish_async(&muxer);
1802        return ret;
1803}
1804
1805static void prepare_shallow_update(struct command *commands,
1806                                   struct shallow_info *si)
1807{
1808        int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1809
1810        ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1811        assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1812
1813        si->need_reachability_test =
1814                xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1815        si->reachable =
1816                xcalloc(si->shallow->nr, sizeof(*si->reachable));
1817        si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1818
1819        for (i = 0; i < si->nr_ours; i++)
1820                si->need_reachability_test[si->ours[i]] = 1;
1821
1822        for (i = 0; i < si->shallow->nr; i++) {
1823                if (!si->used_shallow[i])
1824                        continue;
1825                for (j = 0; j < bitmap_size; j++) {
1826                        if (!si->used_shallow[i][j])
1827                                continue;
1828                        si->need_reachability_test[i]++;
1829                        for (k = 0; k < 32; k++)
1830                                if (si->used_shallow[i][j] & (1U << k))
1831                                        si->shallow_ref[j * 32 + k]++;
1832                }
1833
1834                /*
1835                 * true for those associated with some refs and belong
1836                 * in "ours" list aka "step 7 not done yet"
1837                 */
1838                si->need_reachability_test[i] =
1839                        si->need_reachability_test[i] > 1;
1840        }
1841
1842        /*
1843         * keep hooks happy by forcing a temporary shallow file via
1844         * env variable because we can't add --shallow-file to every
1845         * command. check_everything_connected() will be done with
1846         * true .git/shallow though.
1847         */
1848        setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1849}
1850
1851static void update_shallow_info(struct command *commands,
1852                                struct shallow_info *si,
1853                                struct oid_array *ref)
1854{
1855        struct command *cmd;
1856        int *ref_status;
1857        remove_nonexistent_theirs_shallow(si);
1858        if (!si->nr_ours && !si->nr_theirs) {
1859                shallow_update = 0;
1860                return;
1861        }
1862
1863        for (cmd = commands; cmd; cmd = cmd->next) {
1864                if (is_null_oid(&cmd->new_oid))
1865                        continue;
1866                oid_array_append(ref, &cmd->new_oid);
1867                cmd->index = ref->nr - 1;
1868        }
1869        si->ref = ref;
1870
1871        if (shallow_update) {
1872                prepare_shallow_update(commands, si);
1873                return;
1874        }
1875
1876        ALLOC_ARRAY(ref_status, ref->nr);
1877        assign_shallow_commits_to_refs(si, NULL, ref_status);
1878        for (cmd = commands; cmd; cmd = cmd->next) {
1879                if (is_null_oid(&cmd->new_oid))
1880                        continue;
1881                if (ref_status[cmd->index]) {
1882                        cmd->error_string = "shallow update not allowed";
1883                        cmd->skip_update = 1;
1884                }
1885        }
1886        free(ref_status);
1887}
1888
1889static void report(struct command *commands, const char *unpack_status)
1890{
1891        struct command *cmd;
1892        struct strbuf buf = STRBUF_INIT;
1893
1894        packet_buf_write(&buf, "unpack %s\n",
1895                         unpack_status ? unpack_status : "ok");
1896        for (cmd = commands; cmd; cmd = cmd->next) {
1897                if (!cmd->error_string)
1898                        packet_buf_write(&buf, "ok %s\n",
1899                                         cmd->ref_name);
1900                else
1901                        packet_buf_write(&buf, "ng %s %s\n",
1902                                         cmd->ref_name, cmd->error_string);
1903        }
1904        packet_buf_flush(&buf);
1905
1906        if (use_sideband)
1907                send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1908        else
1909                write_or_die(1, buf.buf, buf.len);
1910        strbuf_release(&buf);
1911}
1912
1913static int delete_only(struct command *commands)
1914{
1915        struct command *cmd;
1916        for (cmd = commands; cmd; cmd = cmd->next) {
1917                if (!is_null_oid(&cmd->new_oid))
1918                        return 0;
1919        }
1920        return 1;
1921}
1922
1923int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1924{
1925        int advertise_refs = 0;
1926        struct command *commands;
1927        struct oid_array shallow = OID_ARRAY_INIT;
1928        struct oid_array ref = OID_ARRAY_INIT;
1929        struct shallow_info si;
1930
1931        struct option options[] = {
1932                OPT__QUIET(&quiet, N_("quiet")),
1933                OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1934                OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1935                OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1936                OPT_END()
1937        };
1938
1939        packet_trace_identity("receive-pack");
1940
1941        argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1942
1943        if (argc > 1)
1944                usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1945        if (argc == 0)
1946                usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1947
1948        service_dir = argv[0];
1949
1950        setup_path();
1951
1952        if (!enter_repo(service_dir, 0))
1953                die("'%s' does not appear to be a git repository", service_dir);
1954
1955        git_config(receive_pack_config, NULL);
1956        if (cert_nonce_seed)
1957                push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1958
1959        if (0 <= transfer_unpack_limit)
1960                unpack_limit = transfer_unpack_limit;
1961        else if (0 <= receive_unpack_limit)
1962                unpack_limit = receive_unpack_limit;
1963
1964        if (advertise_refs || !stateless_rpc) {
1965                write_head_info();
1966        }
1967        if (advertise_refs)
1968                return 0;
1969
1970        if ((commands = read_head_info(&shallow)) != NULL) {
1971                const char *unpack_status = NULL;
1972                struct string_list push_options = STRING_LIST_INIT_DUP;
1973
1974                if (use_push_options)
1975                        read_push_options(&push_options);
1976                if (!check_cert_push_options(&push_options)) {
1977                        struct command *cmd;
1978                        for (cmd = commands; cmd; cmd = cmd->next)
1979                                cmd->error_string = "inconsistent push options";
1980                }
1981
1982                prepare_shallow_info(&si, &shallow);
1983                if (!si.nr_ours && !si.nr_theirs)
1984                        shallow_update = 0;
1985                if (!delete_only(commands)) {
1986                        unpack_status = unpack_with_sideband(&si);
1987                        update_shallow_info(commands, &si, &ref);
1988                }
1989                use_keepalive = KEEPALIVE_ALWAYS;
1990                execute_commands(commands, unpack_status, &si,
1991                                 &push_options);
1992                if (pack_lockfile)
1993                        unlink_or_warn(pack_lockfile);
1994                if (report_status)
1995                        report(commands, unpack_status);
1996                run_receive_hook(commands, "post-receive", 1,
1997                                 &push_options);
1998                run_update_post_hook(commands);
1999                string_list_clear(&push_options, 0);
2000                if (auto_gc) {
2001                        const char *argv_gc_auto[] = {
2002                                "gc", "--auto", "--quiet", NULL,
2003                        };
2004                        struct child_process proc = CHILD_PROCESS_INIT;
2005
2006                        proc.no_stdin = 1;
2007                        proc.stdout_to_stderr = 1;
2008                        proc.err = use_sideband ? -1 : 0;
2009                        proc.git_cmd = 1;
2010                        proc.argv = argv_gc_auto;
2011
2012                        close_all_packs();
2013                        if (!start_command(&proc)) {
2014                                if (use_sideband)
2015                                        copy_to_sideband(proc.err, -1, NULL);
2016                                finish_command(&proc);
2017                        }
2018                }
2019                if (auto_update_server_info)
2020                        update_server_info(0);
2021                clear_shallow_info(&si);
2022        }
2023        if (use_sideband)
2024                packet_flush(1);
2025        oid_array_clear(&shallow);
2026        oid_array_clear(&ref);
2027        free((void *)push_cert_nonce);
2028        return 0;
2029}