builtin / receive-pack.con commit Merge branch 'mg/verify-commit' (4c24385)
   1#include "builtin.h"
   2#include "lockfile.h"
   3#include "pack.h"
   4#include "refs.h"
   5#include "pkt-line.h"
   6#include "sideband.h"
   7#include "run-command.h"
   8#include "exec_cmd.h"
   9#include "commit.h"
  10#include "object.h"
  11#include "remote.h"
  12#include "connect.h"
  13#include "transport.h"
  14#include "string-list.h"
  15#include "sha1-array.h"
  16#include "connected.h"
  17#include "argv-array.h"
  18#include "version.h"
  19#include "tag.h"
  20#include "gpg-interface.h"
  21#include "sigchain.h"
  22
  23static const char receive_pack_usage[] = "git receive-pack <git-dir>";
  24
  25enum deny_action {
  26        DENY_UNCONFIGURED,
  27        DENY_IGNORE,
  28        DENY_WARN,
  29        DENY_REFUSE,
  30        DENY_UPDATE_INSTEAD
  31};
  32
  33static int deny_deletes;
  34static int deny_non_fast_forwards;
  35static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
  36static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
  37static int receive_fsck_objects = -1;
  38static int transfer_fsck_objects = -1;
  39static int receive_unpack_limit = -1;
  40static int transfer_unpack_limit = -1;
  41static int advertise_atomic_push = 1;
  42static int unpack_limit = 100;
  43static int report_status;
  44static int use_sideband;
  45static int use_atomic;
  46static int quiet;
  47static int prefer_ofs_delta = 1;
  48static int auto_update_server_info;
  49static int auto_gc = 1;
  50static int fix_thin = 1;
  51static int stateless_rpc;
  52static const char *service_dir;
  53static const char *head_name;
  54static void *head_name_to_free;
  55static int sent_capabilities;
  56static int shallow_update;
  57static const char *alt_shallow_file;
  58static struct strbuf push_cert = STRBUF_INIT;
  59static unsigned char push_cert_sha1[20];
  60static struct signature_check sigcheck;
  61static const char *push_cert_nonce;
  62static const char *cert_nonce_seed;
  63
  64static const char *NONCE_UNSOLICITED = "UNSOLICITED";
  65static const char *NONCE_BAD = "BAD";
  66static const char *NONCE_MISSING = "MISSING";
  67static const char *NONCE_OK = "OK";
  68static const char *NONCE_SLOP = "SLOP";
  69static const char *nonce_status;
  70static long nonce_stamp_slop;
  71static unsigned long nonce_stamp_slop_limit;
  72static struct ref_transaction *transaction;
  73
  74static enum deny_action parse_deny_action(const char *var, const char *value)
  75{
  76        if (value) {
  77                if (!strcasecmp(value, "ignore"))
  78                        return DENY_IGNORE;
  79                if (!strcasecmp(value, "warn"))
  80                        return DENY_WARN;
  81                if (!strcasecmp(value, "refuse"))
  82                        return DENY_REFUSE;
  83                if (!strcasecmp(value, "updateinstead"))
  84                        return DENY_UPDATE_INSTEAD;
  85        }
  86        if (git_config_bool(var, value))
  87                return DENY_REFUSE;
  88        return DENY_IGNORE;
  89}
  90
  91static int receive_pack_config(const char *var, const char *value, void *cb)
  92{
  93        int status = parse_hide_refs_config(var, value, "receive");
  94
  95        if (status)
  96                return status;
  97
  98        if (strcmp(var, "receive.denydeletes") == 0) {
  99                deny_deletes = git_config_bool(var, value);
 100                return 0;
 101        }
 102
 103        if (strcmp(var, "receive.denynonfastforwards") == 0) {
 104                deny_non_fast_forwards = git_config_bool(var, value);
 105                return 0;
 106        }
 107
 108        if (strcmp(var, "receive.unpacklimit") == 0) {
 109                receive_unpack_limit = git_config_int(var, value);
 110                return 0;
 111        }
 112
 113        if (strcmp(var, "transfer.unpacklimit") == 0) {
 114                transfer_unpack_limit = git_config_int(var, value);
 115                return 0;
 116        }
 117
 118        if (strcmp(var, "receive.fsckobjects") == 0) {
 119                receive_fsck_objects = git_config_bool(var, value);
 120                return 0;
 121        }
 122
 123        if (strcmp(var, "transfer.fsckobjects") == 0) {
 124                transfer_fsck_objects = git_config_bool(var, value);
 125                return 0;
 126        }
 127
 128        if (!strcmp(var, "receive.denycurrentbranch")) {
 129                deny_current_branch = parse_deny_action(var, value);
 130                return 0;
 131        }
 132
 133        if (strcmp(var, "receive.denydeletecurrent") == 0) {
 134                deny_delete_current = parse_deny_action(var, value);
 135                return 0;
 136        }
 137
 138        if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
 139                prefer_ofs_delta = git_config_bool(var, value);
 140                return 0;
 141        }
 142
 143        if (strcmp(var, "receive.updateserverinfo") == 0) {
 144                auto_update_server_info = git_config_bool(var, value);
 145                return 0;
 146        }
 147
 148        if (strcmp(var, "receive.autogc") == 0) {
 149                auto_gc = git_config_bool(var, value);
 150                return 0;
 151        }
 152
 153        if (strcmp(var, "receive.shallowupdate") == 0) {
 154                shallow_update = git_config_bool(var, value);
 155                return 0;
 156        }
 157
 158        if (strcmp(var, "receive.certnonceseed") == 0)
 159                return git_config_string(&cert_nonce_seed, var, value);
 160
 161        if (strcmp(var, "receive.certnonceslop") == 0) {
 162                nonce_stamp_slop_limit = git_config_ulong(var, value);
 163                return 0;
 164        }
 165
 166        if (strcmp(var, "receive.advertiseatomic") == 0) {
 167                advertise_atomic_push = git_config_bool(var, value);
 168                return 0;
 169        }
 170
 171        return git_default_config(var, value, cb);
 172}
 173
 174static void show_ref(const char *path, const unsigned char *sha1)
 175{
 176        if (ref_is_hidden(path))
 177                return;
 178
 179        if (sent_capabilities) {
 180                packet_write(1, "%s %s\n", sha1_to_hex(sha1), path);
 181        } else {
 182                struct strbuf cap = STRBUF_INIT;
 183
 184                strbuf_addstr(&cap,
 185                              "report-status delete-refs side-band-64k quiet");
 186                if (advertise_atomic_push)
 187                        strbuf_addstr(&cap, " atomic");
 188                if (prefer_ofs_delta)
 189                        strbuf_addstr(&cap, " ofs-delta");
 190                if (push_cert_nonce)
 191                        strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
 192                strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
 193                packet_write(1, "%s %s%c%s\n",
 194                             sha1_to_hex(sha1), path, 0, cap.buf);
 195                strbuf_release(&cap);
 196                sent_capabilities = 1;
 197        }
 198}
 199
 200static int show_ref_cb(const char *path, const unsigned char *sha1, int flag, void *unused)
 201{
 202        path = strip_namespace(path);
 203        /*
 204         * Advertise refs outside our current namespace as ".have"
 205         * refs, so that the client can use them to minimize data
 206         * transfer but will otherwise ignore them. This happens to
 207         * cover ".have" that are thrown in by add_one_alternate_ref()
 208         * to mark histories that are complete in our alternates as
 209         * well.
 210         */
 211        if (!path)
 212                path = ".have";
 213        show_ref(path, sha1);
 214        return 0;
 215}
 216
 217static void show_one_alternate_sha1(const unsigned char sha1[20], void *unused)
 218{
 219        show_ref(".have", sha1);
 220}
 221
 222static void collect_one_alternate_ref(const struct ref *ref, void *data)
 223{
 224        struct sha1_array *sa = data;
 225        sha1_array_append(sa, ref->old_sha1);
 226}
 227
 228static void write_head_info(void)
 229{
 230        struct sha1_array sa = SHA1_ARRAY_INIT;
 231        for_each_alternate_ref(collect_one_alternate_ref, &sa);
 232        sha1_array_for_each_unique(&sa, show_one_alternate_sha1, NULL);
 233        sha1_array_clear(&sa);
 234        for_each_ref(show_ref_cb, NULL);
 235        if (!sent_capabilities)
 236                show_ref("capabilities^{}", null_sha1);
 237
 238        advertise_shallow_grafts(1);
 239
 240        /* EOF */
 241        packet_flush(1);
 242}
 243
 244struct command {
 245        struct command *next;
 246        const char *error_string;
 247        unsigned int skip_update:1,
 248                     did_not_exist:1;
 249        int index;
 250        unsigned char old_sha1[20];
 251        unsigned char new_sha1[20];
 252        char ref_name[FLEX_ARRAY]; /* more */
 253};
 254
 255static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
 256static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
 257
 258static void report_message(const char *prefix, const char *err, va_list params)
 259{
 260        int sz = strlen(prefix);
 261        char msg[4096];
 262
 263        strncpy(msg, prefix, sz);
 264        sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
 265        if (sz > (sizeof(msg) - 1))
 266                sz = sizeof(msg) - 1;
 267        msg[sz++] = '\n';
 268
 269        if (use_sideband)
 270                send_sideband(1, 2, msg, sz, use_sideband);
 271        else
 272                xwrite(2, msg, sz);
 273}
 274
 275static void rp_warning(const char *err, ...)
 276{
 277        va_list params;
 278        va_start(params, err);
 279        report_message("warning: ", err, params);
 280        va_end(params);
 281}
 282
 283static void rp_error(const char *err, ...)
 284{
 285        va_list params;
 286        va_start(params, err);
 287        report_message("error: ", err, params);
 288        va_end(params);
 289}
 290
 291static int copy_to_sideband(int in, int out, void *arg)
 292{
 293        char data[128];
 294        while (1) {
 295                ssize_t sz = xread(in, data, sizeof(data));
 296                if (sz <= 0)
 297                        break;
 298                send_sideband(1, 2, data, sz, use_sideband);
 299        }
 300        close(in);
 301        return 0;
 302}
 303
 304#define HMAC_BLOCK_SIZE 64
 305
 306static void hmac_sha1(unsigned char *out,
 307                      const char *key_in, size_t key_len,
 308                      const char *text, size_t text_len)
 309{
 310        unsigned char key[HMAC_BLOCK_SIZE];
 311        unsigned char k_ipad[HMAC_BLOCK_SIZE];
 312        unsigned char k_opad[HMAC_BLOCK_SIZE];
 313        int i;
 314        git_SHA_CTX ctx;
 315
 316        /* RFC 2104 2. (1) */
 317        memset(key, '\0', HMAC_BLOCK_SIZE);
 318        if (HMAC_BLOCK_SIZE < key_len) {
 319                git_SHA1_Init(&ctx);
 320                git_SHA1_Update(&ctx, key_in, key_len);
 321                git_SHA1_Final(key, &ctx);
 322        } else {
 323                memcpy(key, key_in, key_len);
 324        }
 325
 326        /* RFC 2104 2. (2) & (5) */
 327        for (i = 0; i < sizeof(key); i++) {
 328                k_ipad[i] = key[i] ^ 0x36;
 329                k_opad[i] = key[i] ^ 0x5c;
 330        }
 331
 332        /* RFC 2104 2. (3) & (4) */
 333        git_SHA1_Init(&ctx);
 334        git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
 335        git_SHA1_Update(&ctx, text, text_len);
 336        git_SHA1_Final(out, &ctx);
 337
 338        /* RFC 2104 2. (6) & (7) */
 339        git_SHA1_Init(&ctx);
 340        git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
 341        git_SHA1_Update(&ctx, out, 20);
 342        git_SHA1_Final(out, &ctx);
 343}
 344
 345static char *prepare_push_cert_nonce(const char *path, unsigned long stamp)
 346{
 347        struct strbuf buf = STRBUF_INIT;
 348        unsigned char sha1[20];
 349
 350        strbuf_addf(&buf, "%s:%lu", path, stamp);
 351        hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
 352        strbuf_release(&buf);
 353
 354        /* RFC 2104 5. HMAC-SHA1-80 */
 355        strbuf_addf(&buf, "%lu-%.*s", stamp, 20, sha1_to_hex(sha1));
 356        return strbuf_detach(&buf, NULL);
 357}
 358
 359/*
 360 * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
 361 * after dropping "_commit" from its name and possibly moving it out
 362 * of commit.c
 363 */
 364static char *find_header(const char *msg, size_t len, const char *key)
 365{
 366        int key_len = strlen(key);
 367        const char *line = msg;
 368
 369        while (line && line < msg + len) {
 370                const char *eol = strchrnul(line, '\n');
 371
 372                if ((msg + len <= eol) || line == eol)
 373                        return NULL;
 374                if (line + key_len < eol &&
 375                    !memcmp(line, key, key_len) && line[key_len] == ' ') {
 376                        int offset = key_len + 1;
 377                        return xmemdupz(line + offset, (eol - line) - offset);
 378                }
 379                line = *eol ? eol + 1 : NULL;
 380        }
 381        return NULL;
 382}
 383
 384static const char *check_nonce(const char *buf, size_t len)
 385{
 386        char *nonce = find_header(buf, len, "nonce");
 387        unsigned long stamp, ostamp;
 388        char *bohmac, *expect = NULL;
 389        const char *retval = NONCE_BAD;
 390
 391        if (!nonce) {
 392                retval = NONCE_MISSING;
 393                goto leave;
 394        } else if (!push_cert_nonce) {
 395                retval = NONCE_UNSOLICITED;
 396                goto leave;
 397        } else if (!strcmp(push_cert_nonce, nonce)) {
 398                retval = NONCE_OK;
 399                goto leave;
 400        }
 401
 402        if (!stateless_rpc) {
 403                /* returned nonce MUST match what we gave out earlier */
 404                retval = NONCE_BAD;
 405                goto leave;
 406        }
 407
 408        /*
 409         * In stateless mode, we may be receiving a nonce issued by
 410         * another instance of the server that serving the same
 411         * repository, and the timestamps may not match, but the
 412         * nonce-seed and dir should match, so we can recompute and
 413         * report the time slop.
 414         *
 415         * In addition, when a nonce issued by another instance has
 416         * timestamp within receive.certnonceslop seconds, we pretend
 417         * as if we issued that nonce when reporting to the hook.
 418         */
 419
 420        /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
 421        if (*nonce <= '0' || '9' < *nonce) {
 422                retval = NONCE_BAD;
 423                goto leave;
 424        }
 425        stamp = strtoul(nonce, &bohmac, 10);
 426        if (bohmac == nonce || bohmac[0] != '-') {
 427                retval = NONCE_BAD;
 428                goto leave;
 429        }
 430
 431        expect = prepare_push_cert_nonce(service_dir, stamp);
 432        if (strcmp(expect, nonce)) {
 433                /* Not what we would have signed earlier */
 434                retval = NONCE_BAD;
 435                goto leave;
 436        }
 437
 438        /*
 439         * By how many seconds is this nonce stale?  Negative value
 440         * would mean it was issued by another server with its clock
 441         * skewed in the future.
 442         */
 443        ostamp = strtoul(push_cert_nonce, NULL, 10);
 444        nonce_stamp_slop = (long)ostamp - (long)stamp;
 445
 446        if (nonce_stamp_slop_limit &&
 447            labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
 448                /*
 449                 * Pretend as if the received nonce (which passes the
 450                 * HMAC check, so it is not a forged by third-party)
 451                 * is what we issued.
 452                 */
 453                free((void *)push_cert_nonce);
 454                push_cert_nonce = xstrdup(nonce);
 455                retval = NONCE_OK;
 456        } else {
 457                retval = NONCE_SLOP;
 458        }
 459
 460leave:
 461        free(nonce);
 462        free(expect);
 463        return retval;
 464}
 465
 466static void prepare_push_cert_sha1(struct child_process *proc)
 467{
 468        static int already_done;
 469
 470        if (!push_cert.len)
 471                return;
 472
 473        if (!already_done) {
 474                struct strbuf gpg_output = STRBUF_INIT;
 475                struct strbuf gpg_status = STRBUF_INIT;
 476                int bogs /* beginning_of_gpg_sig */;
 477
 478                already_done = 1;
 479                if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
 480                        hashclr(push_cert_sha1);
 481
 482                memset(&sigcheck, '\0', sizeof(sigcheck));
 483                sigcheck.result = 'N';
 484
 485                bogs = parse_signature(push_cert.buf, push_cert.len);
 486                if (verify_signed_buffer(push_cert.buf, bogs,
 487                                         push_cert.buf + bogs, push_cert.len - bogs,
 488                                         &gpg_output, &gpg_status) < 0) {
 489                        ; /* error running gpg */
 490                } else {
 491                        sigcheck.payload = push_cert.buf;
 492                        sigcheck.gpg_output = gpg_output.buf;
 493                        sigcheck.gpg_status = gpg_status.buf;
 494                        parse_gpg_output(&sigcheck);
 495                }
 496
 497                strbuf_release(&gpg_output);
 498                strbuf_release(&gpg_status);
 499                nonce_status = check_nonce(push_cert.buf, bogs);
 500        }
 501        if (!is_null_sha1(push_cert_sha1)) {
 502                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
 503                                 sha1_to_hex(push_cert_sha1));
 504                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
 505                                 sigcheck.signer ? sigcheck.signer : "");
 506                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
 507                                 sigcheck.key ? sigcheck.key : "");
 508                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
 509                                 sigcheck.result);
 510                if (push_cert_nonce) {
 511                        argv_array_pushf(&proc->env_array,
 512                                         "GIT_PUSH_CERT_NONCE=%s",
 513                                         push_cert_nonce);
 514                        argv_array_pushf(&proc->env_array,
 515                                         "GIT_PUSH_CERT_NONCE_STATUS=%s",
 516                                         nonce_status);
 517                        if (nonce_status == NONCE_SLOP)
 518                                argv_array_pushf(&proc->env_array,
 519                                                 "GIT_PUSH_CERT_NONCE_SLOP=%ld",
 520                                                 nonce_stamp_slop);
 521                }
 522        }
 523}
 524
 525typedef int (*feed_fn)(void *, const char **, size_t *);
 526static int run_and_feed_hook(const char *hook_name, feed_fn feed, void *feed_state)
 527{
 528        struct child_process proc = CHILD_PROCESS_INIT;
 529        struct async muxer;
 530        const char *argv[2];
 531        int code;
 532
 533        argv[0] = find_hook(hook_name);
 534        if (!argv[0])
 535                return 0;
 536
 537        argv[1] = NULL;
 538
 539        proc.argv = argv;
 540        proc.in = -1;
 541        proc.stdout_to_stderr = 1;
 542
 543        if (use_sideband) {
 544                memset(&muxer, 0, sizeof(muxer));
 545                muxer.proc = copy_to_sideband;
 546                muxer.in = -1;
 547                code = start_async(&muxer);
 548                if (code)
 549                        return code;
 550                proc.err = muxer.in;
 551        }
 552
 553        prepare_push_cert_sha1(&proc);
 554
 555        code = start_command(&proc);
 556        if (code) {
 557                if (use_sideband)
 558                        finish_async(&muxer);
 559                return code;
 560        }
 561
 562        sigchain_push(SIGPIPE, SIG_IGN);
 563
 564        while (1) {
 565                const char *buf;
 566                size_t n;
 567                if (feed(feed_state, &buf, &n))
 568                        break;
 569                if (write_in_full(proc.in, buf, n) != n)
 570                        break;
 571        }
 572        close(proc.in);
 573        if (use_sideband)
 574                finish_async(&muxer);
 575
 576        sigchain_pop(SIGPIPE);
 577
 578        return finish_command(&proc);
 579}
 580
 581struct receive_hook_feed_state {
 582        struct command *cmd;
 583        int skip_broken;
 584        struct strbuf buf;
 585};
 586
 587static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
 588{
 589        struct receive_hook_feed_state *state = state_;
 590        struct command *cmd = state->cmd;
 591
 592        while (cmd &&
 593               state->skip_broken && (cmd->error_string || cmd->did_not_exist))
 594                cmd = cmd->next;
 595        if (!cmd)
 596                return -1; /* EOF */
 597        strbuf_reset(&state->buf);
 598        strbuf_addf(&state->buf, "%s %s %s\n",
 599                    sha1_to_hex(cmd->old_sha1), sha1_to_hex(cmd->new_sha1),
 600                    cmd->ref_name);
 601        state->cmd = cmd->next;
 602        if (bufp) {
 603                *bufp = state->buf.buf;
 604                *sizep = state->buf.len;
 605        }
 606        return 0;
 607}
 608
 609static int run_receive_hook(struct command *commands, const char *hook_name,
 610                            int skip_broken)
 611{
 612        struct receive_hook_feed_state state;
 613        int status;
 614
 615        strbuf_init(&state.buf, 0);
 616        state.cmd = commands;
 617        state.skip_broken = skip_broken;
 618        if (feed_receive_hook(&state, NULL, NULL))
 619                return 0;
 620        state.cmd = commands;
 621        status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
 622        strbuf_release(&state.buf);
 623        return status;
 624}
 625
 626static int run_update_hook(struct command *cmd)
 627{
 628        const char *argv[5];
 629        struct child_process proc = CHILD_PROCESS_INIT;
 630        int code;
 631
 632        argv[0] = find_hook("update");
 633        if (!argv[0])
 634                return 0;
 635
 636        argv[1] = cmd->ref_name;
 637        argv[2] = sha1_to_hex(cmd->old_sha1);
 638        argv[3] = sha1_to_hex(cmd->new_sha1);
 639        argv[4] = NULL;
 640
 641        proc.no_stdin = 1;
 642        proc.stdout_to_stderr = 1;
 643        proc.err = use_sideband ? -1 : 0;
 644        proc.argv = argv;
 645
 646        code = start_command(&proc);
 647        if (code)
 648                return code;
 649        if (use_sideband)
 650                copy_to_sideband(proc.err, -1, NULL);
 651        return finish_command(&proc);
 652}
 653
 654static int is_ref_checked_out(const char *ref)
 655{
 656        if (is_bare_repository())
 657                return 0;
 658
 659        if (!head_name)
 660                return 0;
 661        return !strcmp(head_name, ref);
 662}
 663
 664static char *refuse_unconfigured_deny_msg[] = {
 665        "By default, updating the current branch in a non-bare repository",
 666        "is denied, because it will make the index and work tree inconsistent",
 667        "with what you pushed, and will require 'git reset --hard' to match",
 668        "the work tree to HEAD.",
 669        "",
 670        "You can set 'receive.denyCurrentBranch' configuration variable to",
 671        "'ignore' or 'warn' in the remote repository to allow pushing into",
 672        "its current branch; however, this is not recommended unless you",
 673        "arranged to update its work tree to match what you pushed in some",
 674        "other way.",
 675        "",
 676        "To squelch this message and still keep the default behaviour, set",
 677        "'receive.denyCurrentBranch' configuration variable to 'refuse'."
 678};
 679
 680static void refuse_unconfigured_deny(void)
 681{
 682        int i;
 683        for (i = 0; i < ARRAY_SIZE(refuse_unconfigured_deny_msg); i++)
 684                rp_error("%s", refuse_unconfigured_deny_msg[i]);
 685}
 686
 687static char *refuse_unconfigured_deny_delete_current_msg[] = {
 688        "By default, deleting the current branch is denied, because the next",
 689        "'git clone' won't result in any file checked out, causing confusion.",
 690        "",
 691        "You can set 'receive.denyDeleteCurrent' configuration variable to",
 692        "'warn' or 'ignore' in the remote repository to allow deleting the",
 693        "current branch, with or without a warning message.",
 694        "",
 695        "To squelch this message, you can set it to 'refuse'."
 696};
 697
 698static void refuse_unconfigured_deny_delete_current(void)
 699{
 700        int i;
 701        for (i = 0;
 702             i < ARRAY_SIZE(refuse_unconfigured_deny_delete_current_msg);
 703             i++)
 704                rp_error("%s", refuse_unconfigured_deny_delete_current_msg[i]);
 705}
 706
 707static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
 708static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
 709{
 710        static struct lock_file shallow_lock;
 711        struct sha1_array extra = SHA1_ARRAY_INIT;
 712        const char *alt_file;
 713        uint32_t mask = 1 << (cmd->index % 32);
 714        int i;
 715
 716        trace_printf_key(&trace_shallow,
 717                         "shallow: update_shallow_ref %s\n", cmd->ref_name);
 718        for (i = 0; i < si->shallow->nr; i++)
 719                if (si->used_shallow[i] &&
 720                    (si->used_shallow[i][cmd->index / 32] & mask) &&
 721                    !delayed_reachability_test(si, i))
 722                        sha1_array_append(&extra, si->shallow->sha1[i]);
 723
 724        setup_alternate_shallow(&shallow_lock, &alt_file, &extra);
 725        if (check_shallow_connected(command_singleton_iterator,
 726                                    0, cmd, alt_file)) {
 727                rollback_lock_file(&shallow_lock);
 728                sha1_array_clear(&extra);
 729                return -1;
 730        }
 731
 732        commit_lock_file(&shallow_lock);
 733
 734        /*
 735         * Make sure setup_alternate_shallow() for the next ref does
 736         * not lose these new roots..
 737         */
 738        for (i = 0; i < extra.nr; i++)
 739                register_shallow(extra.sha1[i]);
 740
 741        si->shallow_ref[cmd->index] = 0;
 742        sha1_array_clear(&extra);
 743        return 0;
 744}
 745
 746static const char *push_to_deploy(unsigned char *sha1,
 747                                  struct argv_array *env,
 748                                  const char *work_tree)
 749{
 750        const char *update_refresh[] = {
 751                "update-index", "-q", "--ignore-submodules", "--refresh", NULL
 752        };
 753        const char *diff_files[] = {
 754                "diff-files", "--quiet", "--ignore-submodules", "--", NULL
 755        };
 756        const char *diff_index[] = {
 757                "diff-index", "--quiet", "--cached", "--ignore-submodules",
 758                "HEAD", "--", NULL
 759        };
 760        const char *read_tree[] = {
 761                "read-tree", "-u", "-m", NULL, NULL
 762        };
 763        struct child_process child = CHILD_PROCESS_INIT;
 764
 765        child.argv = update_refresh;
 766        child.env = env->argv;
 767        child.dir = work_tree;
 768        child.no_stdin = 1;
 769        child.stdout_to_stderr = 1;
 770        child.git_cmd = 1;
 771        if (run_command(&child))
 772                return "Up-to-date check failed";
 773
 774        /* run_command() does not clean up completely; reinitialize */
 775        child_process_init(&child);
 776        child.argv = diff_files;
 777        child.env = env->argv;
 778        child.dir = work_tree;
 779        child.no_stdin = 1;
 780        child.stdout_to_stderr = 1;
 781        child.git_cmd = 1;
 782        if (run_command(&child))
 783                return "Working directory has unstaged changes";
 784
 785        child_process_init(&child);
 786        child.argv = diff_index;
 787        child.env = env->argv;
 788        child.no_stdin = 1;
 789        child.no_stdout = 1;
 790        child.stdout_to_stderr = 0;
 791        child.git_cmd = 1;
 792        if (run_command(&child))
 793                return "Working directory has staged changes";
 794
 795        read_tree[3] = sha1_to_hex(sha1);
 796        child_process_init(&child);
 797        child.argv = read_tree;
 798        child.env = env->argv;
 799        child.dir = work_tree;
 800        child.no_stdin = 1;
 801        child.no_stdout = 1;
 802        child.stdout_to_stderr = 0;
 803        child.git_cmd = 1;
 804        if (run_command(&child))
 805                return "Could not update working tree to new HEAD";
 806
 807        return NULL;
 808}
 809
 810static const char *push_to_checkout_hook = "push-to-checkout";
 811
 812static const char *push_to_checkout(unsigned char *sha1,
 813                                    struct argv_array *env,
 814                                    const char *work_tree)
 815{
 816        argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
 817        if (run_hook_le(env->argv, push_to_checkout_hook,
 818                        sha1_to_hex(sha1), NULL))
 819                return "push-to-checkout hook declined";
 820        else
 821                return NULL;
 822}
 823
 824static const char *update_worktree(unsigned char *sha1)
 825{
 826        const char *retval;
 827        const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
 828        struct argv_array env = ARGV_ARRAY_INIT;
 829
 830        if (is_bare_repository())
 831                return "denyCurrentBranch = updateInstead needs a worktree";
 832
 833        argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
 834
 835        if (!find_hook(push_to_checkout_hook))
 836                retval = push_to_deploy(sha1, &env, work_tree);
 837        else
 838                retval = push_to_checkout(sha1, &env, work_tree);
 839
 840        argv_array_clear(&env);
 841        return retval;
 842}
 843
 844static const char *update(struct command *cmd, struct shallow_info *si)
 845{
 846        const char *name = cmd->ref_name;
 847        struct strbuf namespaced_name_buf = STRBUF_INIT;
 848        const char *namespaced_name, *ret;
 849        unsigned char *old_sha1 = cmd->old_sha1;
 850        unsigned char *new_sha1 = cmd->new_sha1;
 851
 852        /* only refs/... are allowed */
 853        if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
 854                rp_error("refusing to create funny ref '%s' remotely", name);
 855                return "funny refname";
 856        }
 857
 858        strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
 859        namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
 860
 861        if (is_ref_checked_out(namespaced_name)) {
 862                switch (deny_current_branch) {
 863                case DENY_IGNORE:
 864                        break;
 865                case DENY_WARN:
 866                        rp_warning("updating the current branch");
 867                        break;
 868                case DENY_REFUSE:
 869                case DENY_UNCONFIGURED:
 870                        rp_error("refusing to update checked out branch: %s", name);
 871                        if (deny_current_branch == DENY_UNCONFIGURED)
 872                                refuse_unconfigured_deny();
 873                        return "branch is currently checked out";
 874                case DENY_UPDATE_INSTEAD:
 875                        ret = update_worktree(new_sha1);
 876                        if (ret)
 877                                return ret;
 878                        break;
 879                }
 880        }
 881
 882        if (!is_null_sha1(new_sha1) && !has_sha1_file(new_sha1)) {
 883                error("unpack should have generated %s, "
 884                      "but I can't find it!", sha1_to_hex(new_sha1));
 885                return "bad pack";
 886        }
 887
 888        if (!is_null_sha1(old_sha1) && is_null_sha1(new_sha1)) {
 889                if (deny_deletes && starts_with(name, "refs/heads/")) {
 890                        rp_error("denying ref deletion for %s", name);
 891                        return "deletion prohibited";
 892                }
 893
 894                if (!strcmp(namespaced_name, head_name)) {
 895                        switch (deny_delete_current) {
 896                        case DENY_IGNORE:
 897                                break;
 898                        case DENY_WARN:
 899                                rp_warning("deleting the current branch");
 900                                break;
 901                        case DENY_REFUSE:
 902                        case DENY_UNCONFIGURED:
 903                        case DENY_UPDATE_INSTEAD:
 904                                if (deny_delete_current == DENY_UNCONFIGURED)
 905                                        refuse_unconfigured_deny_delete_current();
 906                                rp_error("refusing to delete the current branch: %s", name);
 907                                return "deletion of the current branch prohibited";
 908                        default:
 909                                return "Invalid denyDeleteCurrent setting";
 910                        }
 911                }
 912        }
 913
 914        if (deny_non_fast_forwards && !is_null_sha1(new_sha1) &&
 915            !is_null_sha1(old_sha1) &&
 916            starts_with(name, "refs/heads/")) {
 917                struct object *old_object, *new_object;
 918                struct commit *old_commit, *new_commit;
 919
 920                old_object = parse_object(old_sha1);
 921                new_object = parse_object(new_sha1);
 922
 923                if (!old_object || !new_object ||
 924                    old_object->type != OBJ_COMMIT ||
 925                    new_object->type != OBJ_COMMIT) {
 926                        error("bad sha1 objects for %s", name);
 927                        return "bad ref";
 928                }
 929                old_commit = (struct commit *)old_object;
 930                new_commit = (struct commit *)new_object;
 931                if (!in_merge_bases(old_commit, new_commit)) {
 932                        rp_error("denying non-fast-forward %s"
 933                                 " (you should pull first)", name);
 934                        return "non-fast-forward";
 935                }
 936        }
 937        if (run_update_hook(cmd)) {
 938                rp_error("hook declined to update %s", name);
 939                return "hook declined";
 940        }
 941
 942        if (is_null_sha1(new_sha1)) {
 943                struct strbuf err = STRBUF_INIT;
 944                if (!parse_object(old_sha1)) {
 945                        old_sha1 = NULL;
 946                        if (ref_exists(name)) {
 947                                rp_warning("Allowing deletion of corrupt ref.");
 948                        } else {
 949                                rp_warning("Deleting a non-existent ref.");
 950                                cmd->did_not_exist = 1;
 951                        }
 952                }
 953                if (ref_transaction_delete(transaction,
 954                                           namespaced_name,
 955                                           old_sha1,
 956                                           0, "push", &err)) {
 957                        rp_error("%s", err.buf);
 958                        strbuf_release(&err);
 959                        return "failed to delete";
 960                }
 961                strbuf_release(&err);
 962                return NULL; /* good */
 963        }
 964        else {
 965                struct strbuf err = STRBUF_INIT;
 966                if (shallow_update && si->shallow_ref[cmd->index] &&
 967                    update_shallow_ref(cmd, si))
 968                        return "shallow error";
 969
 970                if (ref_transaction_update(transaction,
 971                                           namespaced_name,
 972                                           new_sha1, old_sha1,
 973                                           0, "push",
 974                                           &err)) {
 975                        rp_error("%s", err.buf);
 976                        strbuf_release(&err);
 977
 978                        return "failed to update ref";
 979                }
 980                strbuf_release(&err);
 981
 982                return NULL; /* good */
 983        }
 984}
 985
 986static void run_update_post_hook(struct command *commands)
 987{
 988        struct command *cmd;
 989        int argc;
 990        const char **argv;
 991        struct child_process proc = CHILD_PROCESS_INIT;
 992        char *hook;
 993
 994        hook = find_hook("post-update");
 995        for (argc = 0, cmd = commands; cmd; cmd = cmd->next) {
 996                if (cmd->error_string || cmd->did_not_exist)
 997                        continue;
 998                argc++;
 999        }
1000        if (!argc || !hook)
1001                return;
1002
1003        argv = xmalloc(sizeof(*argv) * (2 + argc));
1004        argv[0] = hook;
1005
1006        for (argc = 1, cmd = commands; cmd; cmd = cmd->next) {
1007                if (cmd->error_string || cmd->did_not_exist)
1008                        continue;
1009                argv[argc] = xstrdup(cmd->ref_name);
1010                argc++;
1011        }
1012        argv[argc] = NULL;
1013
1014        proc.no_stdin = 1;
1015        proc.stdout_to_stderr = 1;
1016        proc.err = use_sideband ? -1 : 0;
1017        proc.argv = argv;
1018
1019        if (!start_command(&proc)) {
1020                if (use_sideband)
1021                        copy_to_sideband(proc.err, -1, NULL);
1022                finish_command(&proc);
1023        }
1024}
1025
1026static void check_aliased_update(struct command *cmd, struct string_list *list)
1027{
1028        struct strbuf buf = STRBUF_INIT;
1029        const char *dst_name;
1030        struct string_list_item *item;
1031        struct command *dst_cmd;
1032        unsigned char sha1[20];
1033        char cmd_oldh[41], cmd_newh[41], dst_oldh[41], dst_newh[41];
1034        int flag;
1035
1036        strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1037        dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1038        strbuf_release(&buf);
1039
1040        if (!(flag & REF_ISSYMREF))
1041                return;
1042
1043        dst_name = strip_namespace(dst_name);
1044        if (!dst_name) {
1045                rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1046                cmd->skip_update = 1;
1047                cmd->error_string = "broken symref";
1048                return;
1049        }
1050
1051        if ((item = string_list_lookup(list, dst_name)) == NULL)
1052                return;
1053
1054        cmd->skip_update = 1;
1055
1056        dst_cmd = (struct command *) item->util;
1057
1058        if (!hashcmp(cmd->old_sha1, dst_cmd->old_sha1) &&
1059            !hashcmp(cmd->new_sha1, dst_cmd->new_sha1))
1060                return;
1061
1062        dst_cmd->skip_update = 1;
1063
1064        strcpy(cmd_oldh, find_unique_abbrev(cmd->old_sha1, DEFAULT_ABBREV));
1065        strcpy(cmd_newh, find_unique_abbrev(cmd->new_sha1, DEFAULT_ABBREV));
1066        strcpy(dst_oldh, find_unique_abbrev(dst_cmd->old_sha1, DEFAULT_ABBREV));
1067        strcpy(dst_newh, find_unique_abbrev(dst_cmd->new_sha1, DEFAULT_ABBREV));
1068        rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1069                 " its target '%s' (%s..%s)",
1070                 cmd->ref_name, cmd_oldh, cmd_newh,
1071                 dst_cmd->ref_name, dst_oldh, dst_newh);
1072
1073        cmd->error_string = dst_cmd->error_string =
1074                "inconsistent aliased update";
1075}
1076
1077static void check_aliased_updates(struct command *commands)
1078{
1079        struct command *cmd;
1080        struct string_list ref_list = STRING_LIST_INIT_NODUP;
1081
1082        for (cmd = commands; cmd; cmd = cmd->next) {
1083                struct string_list_item *item =
1084                        string_list_append(&ref_list, cmd->ref_name);
1085                item->util = (void *)cmd;
1086        }
1087        string_list_sort(&ref_list);
1088
1089        for (cmd = commands; cmd; cmd = cmd->next) {
1090                if (!cmd->error_string)
1091                        check_aliased_update(cmd, &ref_list);
1092        }
1093
1094        string_list_clear(&ref_list, 0);
1095}
1096
1097static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1098{
1099        struct command **cmd_list = cb_data;
1100        struct command *cmd = *cmd_list;
1101
1102        if (!cmd || is_null_sha1(cmd->new_sha1))
1103                return -1; /* end of list */
1104        *cmd_list = NULL; /* this returns only one */
1105        hashcpy(sha1, cmd->new_sha1);
1106        return 0;
1107}
1108
1109static void set_connectivity_errors(struct command *commands,
1110                                    struct shallow_info *si)
1111{
1112        struct command *cmd;
1113
1114        for (cmd = commands; cmd; cmd = cmd->next) {
1115                struct command *singleton = cmd;
1116                if (shallow_update && si->shallow_ref[cmd->index])
1117                        /* to be checked in update_shallow_ref() */
1118                        continue;
1119                if (!check_everything_connected(command_singleton_iterator,
1120                                                0, &singleton))
1121                        continue;
1122                cmd->error_string = "missing necessary objects";
1123        }
1124}
1125
1126struct iterate_data {
1127        struct command *cmds;
1128        struct shallow_info *si;
1129};
1130
1131static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1132{
1133        struct iterate_data *data = cb_data;
1134        struct command **cmd_list = &data->cmds;
1135        struct command *cmd = *cmd_list;
1136
1137        for (; cmd; cmd = cmd->next) {
1138                if (shallow_update && data->si->shallow_ref[cmd->index])
1139                        /* to be checked in update_shallow_ref() */
1140                        continue;
1141                if (!is_null_sha1(cmd->new_sha1) && !cmd->skip_update) {
1142                        hashcpy(sha1, cmd->new_sha1);
1143                        *cmd_list = cmd->next;
1144                        return 0;
1145                }
1146        }
1147        *cmd_list = NULL;
1148        return -1; /* end of list */
1149}
1150
1151static void reject_updates_to_hidden(struct command *commands)
1152{
1153        struct command *cmd;
1154
1155        for (cmd = commands; cmd; cmd = cmd->next) {
1156                if (cmd->error_string || !ref_is_hidden(cmd->ref_name))
1157                        continue;
1158                if (is_null_sha1(cmd->new_sha1))
1159                        cmd->error_string = "deny deleting a hidden ref";
1160                else
1161                        cmd->error_string = "deny updating a hidden ref";
1162        }
1163}
1164
1165static int should_process_cmd(struct command *cmd)
1166{
1167        return !cmd->error_string && !cmd->skip_update;
1168}
1169
1170static void warn_if_skipped_connectivity_check(struct command *commands,
1171                                               struct shallow_info *si)
1172{
1173        struct command *cmd;
1174        int checked_connectivity = 1;
1175
1176        for (cmd = commands; cmd; cmd = cmd->next) {
1177                if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1178                        error("BUG: connectivity check has not been run on ref %s",
1179                              cmd->ref_name);
1180                        checked_connectivity = 0;
1181                }
1182        }
1183        if (!checked_connectivity)
1184                die("BUG: connectivity check skipped???");
1185}
1186
1187static void execute_commands_non_atomic(struct command *commands,
1188                                        struct shallow_info *si)
1189{
1190        struct command *cmd;
1191        struct strbuf err = STRBUF_INIT;
1192
1193        for (cmd = commands; cmd; cmd = cmd->next) {
1194                if (!should_process_cmd(cmd))
1195                        continue;
1196
1197                transaction = ref_transaction_begin(&err);
1198                if (!transaction) {
1199                        rp_error("%s", err.buf);
1200                        strbuf_reset(&err);
1201                        cmd->error_string = "transaction failed to start";
1202                        continue;
1203                }
1204
1205                cmd->error_string = update(cmd, si);
1206
1207                if (!cmd->error_string
1208                    && ref_transaction_commit(transaction, &err)) {
1209                        rp_error("%s", err.buf);
1210                        strbuf_reset(&err);
1211                        cmd->error_string = "failed to update ref";
1212                }
1213                ref_transaction_free(transaction);
1214        }
1215        strbuf_release(&err);
1216}
1217
1218static void execute_commands_atomic(struct command *commands,
1219                                        struct shallow_info *si)
1220{
1221        struct command *cmd;
1222        struct strbuf err = STRBUF_INIT;
1223        const char *reported_error = "atomic push failure";
1224
1225        transaction = ref_transaction_begin(&err);
1226        if (!transaction) {
1227                rp_error("%s", err.buf);
1228                strbuf_reset(&err);
1229                reported_error = "transaction failed to start";
1230                goto failure;
1231        }
1232
1233        for (cmd = commands; cmd; cmd = cmd->next) {
1234                if (!should_process_cmd(cmd))
1235                        continue;
1236
1237                cmd->error_string = update(cmd, si);
1238
1239                if (cmd->error_string)
1240                        goto failure;
1241        }
1242
1243        if (ref_transaction_commit(transaction, &err)) {
1244                rp_error("%s", err.buf);
1245                reported_error = "atomic transaction failed";
1246                goto failure;
1247        }
1248        goto cleanup;
1249
1250failure:
1251        for (cmd = commands; cmd; cmd = cmd->next)
1252                if (!cmd->error_string)
1253                        cmd->error_string = reported_error;
1254
1255cleanup:
1256        ref_transaction_free(transaction);
1257        strbuf_release(&err);
1258}
1259
1260static void execute_commands(struct command *commands,
1261                             const char *unpacker_error,
1262                             struct shallow_info *si)
1263{
1264        struct command *cmd;
1265        unsigned char sha1[20];
1266        struct iterate_data data;
1267
1268        if (unpacker_error) {
1269                for (cmd = commands; cmd; cmd = cmd->next)
1270                        cmd->error_string = "unpacker error";
1271                return;
1272        }
1273
1274        data.cmds = commands;
1275        data.si = si;
1276        if (check_everything_connected(iterate_receive_command_list, 0, &data))
1277                set_connectivity_errors(commands, si);
1278
1279        reject_updates_to_hidden(commands);
1280
1281        if (run_receive_hook(commands, "pre-receive", 0)) {
1282                for (cmd = commands; cmd; cmd = cmd->next) {
1283                        if (!cmd->error_string)
1284                                cmd->error_string = "pre-receive hook declined";
1285                }
1286                return;
1287        }
1288
1289        check_aliased_updates(commands);
1290
1291        free(head_name_to_free);
1292        head_name = head_name_to_free = resolve_refdup("HEAD", 0, sha1, NULL);
1293
1294        if (use_atomic)
1295                execute_commands_atomic(commands, si);
1296        else
1297                execute_commands_non_atomic(commands, si);
1298
1299        if (shallow_update)
1300                warn_if_skipped_connectivity_check(commands, si);
1301}
1302
1303static struct command **queue_command(struct command **tail,
1304                                      const char *line,
1305                                      int linelen)
1306{
1307        unsigned char old_sha1[20], new_sha1[20];
1308        struct command *cmd;
1309        const char *refname;
1310        int reflen;
1311
1312        if (linelen < 83 ||
1313            line[40] != ' ' ||
1314            line[81] != ' ' ||
1315            get_sha1_hex(line, old_sha1) ||
1316            get_sha1_hex(line + 41, new_sha1))
1317                die("protocol error: expected old/new/ref, got '%s'", line);
1318
1319        refname = line + 82;
1320        reflen = linelen - 82;
1321        cmd = xcalloc(1, sizeof(struct command) + reflen + 1);
1322        hashcpy(cmd->old_sha1, old_sha1);
1323        hashcpy(cmd->new_sha1, new_sha1);
1324        memcpy(cmd->ref_name, refname, reflen);
1325        cmd->ref_name[reflen] = '\0';
1326        *tail = cmd;
1327        return &cmd->next;
1328}
1329
1330static void queue_commands_from_cert(struct command **tail,
1331                                     struct strbuf *push_cert)
1332{
1333        const char *boc, *eoc;
1334
1335        if (*tail)
1336                die("protocol error: got both push certificate and unsigned commands");
1337
1338        boc = strstr(push_cert->buf, "\n\n");
1339        if (!boc)
1340                die("malformed push certificate %.*s", 100, push_cert->buf);
1341        else
1342                boc += 2;
1343        eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1344
1345        while (boc < eoc) {
1346                const char *eol = memchr(boc, '\n', eoc - boc);
1347                tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);
1348                boc = eol ? eol + 1 : eoc;
1349        }
1350}
1351
1352static struct command *read_head_info(struct sha1_array *shallow)
1353{
1354        struct command *commands = NULL;
1355        struct command **p = &commands;
1356        for (;;) {
1357                char *line;
1358                int len, linelen;
1359
1360                line = packet_read_line(0, &len);
1361                if (!line)
1362                        break;
1363
1364                if (len == 48 && starts_with(line, "shallow ")) {
1365                        unsigned char sha1[20];
1366                        if (get_sha1_hex(line + 8, sha1))
1367                                die("protocol error: expected shallow sha, got '%s'",
1368                                    line + 8);
1369                        sha1_array_append(shallow, sha1);
1370                        continue;
1371                }
1372
1373                linelen = strlen(line);
1374                if (linelen < len) {
1375                        const char *feature_list = line + linelen + 1;
1376                        if (parse_feature_request(feature_list, "report-status"))
1377                                report_status = 1;
1378                        if (parse_feature_request(feature_list, "side-band-64k"))
1379                                use_sideband = LARGE_PACKET_MAX;
1380                        if (parse_feature_request(feature_list, "quiet"))
1381                                quiet = 1;
1382                        if (advertise_atomic_push
1383                            && parse_feature_request(feature_list, "atomic"))
1384                                use_atomic = 1;
1385                }
1386
1387                if (!strcmp(line, "push-cert")) {
1388                        int true_flush = 0;
1389                        char certbuf[1024];
1390
1391                        for (;;) {
1392                                len = packet_read(0, NULL, NULL,
1393                                                  certbuf, sizeof(certbuf), 0);
1394                                if (!len) {
1395                                        true_flush = 1;
1396                                        break;
1397                                }
1398                                if (!strcmp(certbuf, "push-cert-end\n"))
1399                                        break; /* end of cert */
1400                                strbuf_addstr(&push_cert, certbuf);
1401                        }
1402
1403                        if (true_flush)
1404                                break;
1405                        continue;
1406                }
1407
1408                p = queue_command(p, line, linelen);
1409        }
1410
1411        if (push_cert.len)
1412                queue_commands_from_cert(p, &push_cert);
1413
1414        return commands;
1415}
1416
1417static const char *parse_pack_header(struct pack_header *hdr)
1418{
1419        switch (read_pack_header(0, hdr)) {
1420        case PH_ERROR_EOF:
1421                return "eof before pack header was fully read";
1422
1423        case PH_ERROR_PACK_SIGNATURE:
1424                return "protocol error (pack signature mismatch detected)";
1425
1426        case PH_ERROR_PROTOCOL:
1427                return "protocol error (pack version unsupported)";
1428
1429        default:
1430                return "unknown error in parse_pack_header";
1431
1432        case 0:
1433                return NULL;
1434        }
1435}
1436
1437static const char *pack_lockfile;
1438
1439static const char *unpack(int err_fd, struct shallow_info *si)
1440{
1441        struct pack_header hdr;
1442        const char *hdr_err;
1443        int status;
1444        char hdr_arg[38];
1445        struct child_process child = CHILD_PROCESS_INIT;
1446        int fsck_objects = (receive_fsck_objects >= 0
1447                            ? receive_fsck_objects
1448                            : transfer_fsck_objects >= 0
1449                            ? transfer_fsck_objects
1450                            : 0);
1451
1452        hdr_err = parse_pack_header(&hdr);
1453        if (hdr_err) {
1454                if (err_fd > 0)
1455                        close(err_fd);
1456                return hdr_err;
1457        }
1458        snprintf(hdr_arg, sizeof(hdr_arg),
1459                        "--pack_header=%"PRIu32",%"PRIu32,
1460                        ntohl(hdr.hdr_version), ntohl(hdr.hdr_entries));
1461
1462        if (si->nr_ours || si->nr_theirs) {
1463                alt_shallow_file = setup_temporary_shallow(si->shallow);
1464                argv_array_push(&child.args, "--shallow-file");
1465                argv_array_push(&child.args, alt_shallow_file);
1466        }
1467
1468        if (ntohl(hdr.hdr_entries) < unpack_limit) {
1469                argv_array_pushl(&child.args, "unpack-objects", hdr_arg, NULL);
1470                if (quiet)
1471                        argv_array_push(&child.args, "-q");
1472                if (fsck_objects)
1473                        argv_array_push(&child.args, "--strict");
1474                child.no_stdout = 1;
1475                child.err = err_fd;
1476                child.git_cmd = 1;
1477                status = run_command(&child);
1478                if (status)
1479                        return "unpack-objects abnormal exit";
1480        } else {
1481                int s;
1482                char keep_arg[256];
1483
1484                s = sprintf(keep_arg, "--keep=receive-pack %"PRIuMAX" on ", (uintmax_t) getpid());
1485                if (gethostname(keep_arg + s, sizeof(keep_arg) - s))
1486                        strcpy(keep_arg + s, "localhost");
1487
1488                argv_array_pushl(&child.args, "index-pack",
1489                                 "--stdin", hdr_arg, keep_arg, NULL);
1490                if (fsck_objects)
1491                        argv_array_push(&child.args, "--strict");
1492                if (fix_thin)
1493                        argv_array_push(&child.args, "--fix-thin");
1494                child.out = -1;
1495                child.err = err_fd;
1496                child.git_cmd = 1;
1497                status = start_command(&child);
1498                if (status)
1499                        return "index-pack fork failed";
1500                pack_lockfile = index_pack_lockfile(child.out);
1501                close(child.out);
1502                status = finish_command(&child);
1503                if (status)
1504                        return "index-pack abnormal exit";
1505                reprepare_packed_git();
1506        }
1507        return NULL;
1508}
1509
1510static const char *unpack_with_sideband(struct shallow_info *si)
1511{
1512        struct async muxer;
1513        const char *ret;
1514
1515        if (!use_sideband)
1516                return unpack(0, si);
1517
1518        memset(&muxer, 0, sizeof(muxer));
1519        muxer.proc = copy_to_sideband;
1520        muxer.in = -1;
1521        if (start_async(&muxer))
1522                return NULL;
1523
1524        ret = unpack(muxer.in, si);
1525
1526        finish_async(&muxer);
1527        return ret;
1528}
1529
1530static void prepare_shallow_update(struct command *commands,
1531                                   struct shallow_info *si)
1532{
1533        int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1534
1535        si->used_shallow = xmalloc(sizeof(*si->used_shallow) *
1536                                   si->shallow->nr);
1537        assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1538
1539        si->need_reachability_test =
1540                xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1541        si->reachable =
1542                xcalloc(si->shallow->nr, sizeof(*si->reachable));
1543        si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1544
1545        for (i = 0; i < si->nr_ours; i++)
1546                si->need_reachability_test[si->ours[i]] = 1;
1547
1548        for (i = 0; i < si->shallow->nr; i++) {
1549                if (!si->used_shallow[i])
1550                        continue;
1551                for (j = 0; j < bitmap_size; j++) {
1552                        if (!si->used_shallow[i][j])
1553                                continue;
1554                        si->need_reachability_test[i]++;
1555                        for (k = 0; k < 32; k++)
1556                                if (si->used_shallow[i][j] & (1 << k))
1557                                        si->shallow_ref[j * 32 + k]++;
1558                }
1559
1560                /*
1561                 * true for those associated with some refs and belong
1562                 * in "ours" list aka "step 7 not done yet"
1563                 */
1564                si->need_reachability_test[i] =
1565                        si->need_reachability_test[i] > 1;
1566        }
1567
1568        /*
1569         * keep hooks happy by forcing a temporary shallow file via
1570         * env variable because we can't add --shallow-file to every
1571         * command. check_everything_connected() will be done with
1572         * true .git/shallow though.
1573         */
1574        setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1575}
1576
1577static void update_shallow_info(struct command *commands,
1578                                struct shallow_info *si,
1579                                struct sha1_array *ref)
1580{
1581        struct command *cmd;
1582        int *ref_status;
1583        remove_nonexistent_theirs_shallow(si);
1584        if (!si->nr_ours && !si->nr_theirs) {
1585                shallow_update = 0;
1586                return;
1587        }
1588
1589        for (cmd = commands; cmd; cmd = cmd->next) {
1590                if (is_null_sha1(cmd->new_sha1))
1591                        continue;
1592                sha1_array_append(ref, cmd->new_sha1);
1593                cmd->index = ref->nr - 1;
1594        }
1595        si->ref = ref;
1596
1597        if (shallow_update) {
1598                prepare_shallow_update(commands, si);
1599                return;
1600        }
1601
1602        ref_status = xmalloc(sizeof(*ref_status) * ref->nr);
1603        assign_shallow_commits_to_refs(si, NULL, ref_status);
1604        for (cmd = commands; cmd; cmd = cmd->next) {
1605                if (is_null_sha1(cmd->new_sha1))
1606                        continue;
1607                if (ref_status[cmd->index]) {
1608                        cmd->error_string = "shallow update not allowed";
1609                        cmd->skip_update = 1;
1610                }
1611        }
1612        free(ref_status);
1613}
1614
1615static void report(struct command *commands, const char *unpack_status)
1616{
1617        struct command *cmd;
1618        struct strbuf buf = STRBUF_INIT;
1619
1620        packet_buf_write(&buf, "unpack %s\n",
1621                         unpack_status ? unpack_status : "ok");
1622        for (cmd = commands; cmd; cmd = cmd->next) {
1623                if (!cmd->error_string)
1624                        packet_buf_write(&buf, "ok %s\n",
1625                                         cmd->ref_name);
1626                else
1627                        packet_buf_write(&buf, "ng %s %s\n",
1628                                         cmd->ref_name, cmd->error_string);
1629        }
1630        packet_buf_flush(&buf);
1631
1632        if (use_sideband)
1633                send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1634        else
1635                write_or_die(1, buf.buf, buf.len);
1636        strbuf_release(&buf);
1637}
1638
1639static int delete_only(struct command *commands)
1640{
1641        struct command *cmd;
1642        for (cmd = commands; cmd; cmd = cmd->next) {
1643                if (!is_null_sha1(cmd->new_sha1))
1644                        return 0;
1645        }
1646        return 1;
1647}
1648
1649int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1650{
1651        int advertise_refs = 0;
1652        int i;
1653        struct command *commands;
1654        struct sha1_array shallow = SHA1_ARRAY_INIT;
1655        struct sha1_array ref = SHA1_ARRAY_INIT;
1656        struct shallow_info si;
1657
1658        packet_trace_identity("receive-pack");
1659
1660        argv++;
1661        for (i = 1; i < argc; i++) {
1662                const char *arg = *argv++;
1663
1664                if (*arg == '-') {
1665                        if (!strcmp(arg, "--quiet")) {
1666                                quiet = 1;
1667                                continue;
1668                        }
1669
1670                        if (!strcmp(arg, "--advertise-refs")) {
1671                                advertise_refs = 1;
1672                                continue;
1673                        }
1674                        if (!strcmp(arg, "--stateless-rpc")) {
1675                                stateless_rpc = 1;
1676                                continue;
1677                        }
1678                        if (!strcmp(arg, "--reject-thin-pack-for-testing")) {
1679                                fix_thin = 0;
1680                                continue;
1681                        }
1682
1683                        usage(receive_pack_usage);
1684                }
1685                if (service_dir)
1686                        usage(receive_pack_usage);
1687                service_dir = arg;
1688        }
1689        if (!service_dir)
1690                usage(receive_pack_usage);
1691
1692        setup_path();
1693
1694        if (!enter_repo(service_dir, 0))
1695                die("'%s' does not appear to be a git repository", service_dir);
1696
1697        git_config(receive_pack_config, NULL);
1698        if (cert_nonce_seed)
1699                push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1700
1701        if (0 <= transfer_unpack_limit)
1702                unpack_limit = transfer_unpack_limit;
1703        else if (0 <= receive_unpack_limit)
1704                unpack_limit = receive_unpack_limit;
1705
1706        if (advertise_refs || !stateless_rpc) {
1707                write_head_info();
1708        }
1709        if (advertise_refs)
1710                return 0;
1711
1712        if ((commands = read_head_info(&shallow)) != NULL) {
1713                const char *unpack_status = NULL;
1714
1715                prepare_shallow_info(&si, &shallow);
1716                if (!si.nr_ours && !si.nr_theirs)
1717                        shallow_update = 0;
1718                if (!delete_only(commands)) {
1719                        unpack_status = unpack_with_sideband(&si);
1720                        update_shallow_info(commands, &si, &ref);
1721                }
1722                execute_commands(commands, unpack_status, &si);
1723                if (pack_lockfile)
1724                        unlink_or_warn(pack_lockfile);
1725                if (report_status)
1726                        report(commands, unpack_status);
1727                run_receive_hook(commands, "post-receive", 1);
1728                run_update_post_hook(commands);
1729                if (auto_gc) {
1730                        const char *argv_gc_auto[] = {
1731                                "gc", "--auto", "--quiet", NULL,
1732                        };
1733                        int opt = RUN_GIT_CMD | RUN_COMMAND_STDOUT_TO_STDERR;
1734                        run_command_v_opt(argv_gc_auto, opt);
1735                }
1736                if (auto_update_server_info)
1737                        update_server_info(0);
1738                clear_shallow_info(&si);
1739        }
1740        if (use_sideband)
1741                packet_flush(1);
1742        sha1_array_clear(&shallow);
1743        sha1_array_clear(&ref);
1744        free((void *)push_cert_nonce);
1745        return 0;
1746}