builtin / receive-pack.con commit Merge branch 'jk/path-name-safety-2.6' into jk/path-name-safety-2.7 (55c45a7)
   1#include "builtin.h"
   2#include "lockfile.h"
   3#include "pack.h"
   4#include "refs.h"
   5#include "pkt-line.h"
   6#include "sideband.h"
   7#include "run-command.h"
   8#include "exec_cmd.h"
   9#include "commit.h"
  10#include "object.h"
  11#include "remote.h"
  12#include "connect.h"
  13#include "transport.h"
  14#include "string-list.h"
  15#include "sha1-array.h"
  16#include "connected.h"
  17#include "argv-array.h"
  18#include "version.h"
  19#include "tag.h"
  20#include "gpg-interface.h"
  21#include "sigchain.h"
  22#include "fsck.h"
  23
  24static const char receive_pack_usage[] = "git receive-pack <git-dir>";
  25
  26enum deny_action {
  27        DENY_UNCONFIGURED,
  28        DENY_IGNORE,
  29        DENY_WARN,
  30        DENY_REFUSE,
  31        DENY_UPDATE_INSTEAD
  32};
  33
  34static int deny_deletes;
  35static int deny_non_fast_forwards;
  36static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
  37static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
  38static int receive_fsck_objects = -1;
  39static int transfer_fsck_objects = -1;
  40static struct strbuf fsck_msg_types = STRBUF_INIT;
  41static int receive_unpack_limit = -1;
  42static int transfer_unpack_limit = -1;
  43static int advertise_atomic_push = 1;
  44static int unpack_limit = 100;
  45static int report_status;
  46static int use_sideband;
  47static int use_atomic;
  48static int quiet;
  49static int prefer_ofs_delta = 1;
  50static int auto_update_server_info;
  51static int auto_gc = 1;
  52static int fix_thin = 1;
  53static int stateless_rpc;
  54static const char *service_dir;
  55static const char *head_name;
  56static void *head_name_to_free;
  57static int sent_capabilities;
  58static int shallow_update;
  59static const char *alt_shallow_file;
  60static struct strbuf push_cert = STRBUF_INIT;
  61static unsigned char push_cert_sha1[20];
  62static struct signature_check sigcheck;
  63static const char *push_cert_nonce;
  64static const char *cert_nonce_seed;
  65
  66static const char *NONCE_UNSOLICITED = "UNSOLICITED";
  67static const char *NONCE_BAD = "BAD";
  68static const char *NONCE_MISSING = "MISSING";
  69static const char *NONCE_OK = "OK";
  70static const char *NONCE_SLOP = "SLOP";
  71static const char *nonce_status;
  72static long nonce_stamp_slop;
  73static unsigned long nonce_stamp_slop_limit;
  74static struct ref_transaction *transaction;
  75
  76static enum deny_action parse_deny_action(const char *var, const char *value)
  77{
  78        if (value) {
  79                if (!strcasecmp(value, "ignore"))
  80                        return DENY_IGNORE;
  81                if (!strcasecmp(value, "warn"))
  82                        return DENY_WARN;
  83                if (!strcasecmp(value, "refuse"))
  84                        return DENY_REFUSE;
  85                if (!strcasecmp(value, "updateinstead"))
  86                        return DENY_UPDATE_INSTEAD;
  87        }
  88        if (git_config_bool(var, value))
  89                return DENY_REFUSE;
  90        return DENY_IGNORE;
  91}
  92
  93static int receive_pack_config(const char *var, const char *value, void *cb)
  94{
  95        int status = parse_hide_refs_config(var, value, "receive");
  96
  97        if (status)
  98                return status;
  99
 100        if (strcmp(var, "receive.denydeletes") == 0) {
 101                deny_deletes = git_config_bool(var, value);
 102                return 0;
 103        }
 104
 105        if (strcmp(var, "receive.denynonfastforwards") == 0) {
 106                deny_non_fast_forwards = git_config_bool(var, value);
 107                return 0;
 108        }
 109
 110        if (strcmp(var, "receive.unpacklimit") == 0) {
 111                receive_unpack_limit = git_config_int(var, value);
 112                return 0;
 113        }
 114
 115        if (strcmp(var, "transfer.unpacklimit") == 0) {
 116                transfer_unpack_limit = git_config_int(var, value);
 117                return 0;
 118        }
 119
 120        if (strcmp(var, "receive.fsck.skiplist") == 0) {
 121                const char *path;
 122
 123                if (git_config_pathname(&path, var, value))
 124                        return 1;
 125                strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
 126                        fsck_msg_types.len ? ',' : '=', path);
 127                free((char *)path);
 128                return 0;
 129        }
 130
 131        if (skip_prefix(var, "receive.fsck.", &var)) {
 132                if (is_valid_msg_type(var, value))
 133                        strbuf_addf(&fsck_msg_types, "%c%s=%s",
 134                                fsck_msg_types.len ? ',' : '=', var, value);
 135                else
 136                        warning("Skipping unknown msg id '%s'", var);
 137                return 0;
 138        }
 139
 140        if (strcmp(var, "receive.fsckobjects") == 0) {
 141                receive_fsck_objects = git_config_bool(var, value);
 142                return 0;
 143        }
 144
 145        if (strcmp(var, "transfer.fsckobjects") == 0) {
 146                transfer_fsck_objects = git_config_bool(var, value);
 147                return 0;
 148        }
 149
 150        if (!strcmp(var, "receive.denycurrentbranch")) {
 151                deny_current_branch = parse_deny_action(var, value);
 152                return 0;
 153        }
 154
 155        if (strcmp(var, "receive.denydeletecurrent") == 0) {
 156                deny_delete_current = parse_deny_action(var, value);
 157                return 0;
 158        }
 159
 160        if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
 161                prefer_ofs_delta = git_config_bool(var, value);
 162                return 0;
 163        }
 164
 165        if (strcmp(var, "receive.updateserverinfo") == 0) {
 166                auto_update_server_info = git_config_bool(var, value);
 167                return 0;
 168        }
 169
 170        if (strcmp(var, "receive.autogc") == 0) {
 171                auto_gc = git_config_bool(var, value);
 172                return 0;
 173        }
 174
 175        if (strcmp(var, "receive.shallowupdate") == 0) {
 176                shallow_update = git_config_bool(var, value);
 177                return 0;
 178        }
 179
 180        if (strcmp(var, "receive.certnonceseed") == 0)
 181                return git_config_string(&cert_nonce_seed, var, value);
 182
 183        if (strcmp(var, "receive.certnonceslop") == 0) {
 184                nonce_stamp_slop_limit = git_config_ulong(var, value);
 185                return 0;
 186        }
 187
 188        if (strcmp(var, "receive.advertiseatomic") == 0) {
 189                advertise_atomic_push = git_config_bool(var, value);
 190                return 0;
 191        }
 192
 193        return git_default_config(var, value, cb);
 194}
 195
 196static void show_ref(const char *path, const unsigned char *sha1)
 197{
 198        if (sent_capabilities) {
 199                packet_write(1, "%s %s\n", sha1_to_hex(sha1), path);
 200        } else {
 201                struct strbuf cap = STRBUF_INIT;
 202
 203                strbuf_addstr(&cap,
 204                              "report-status delete-refs side-band-64k quiet");
 205                if (advertise_atomic_push)
 206                        strbuf_addstr(&cap, " atomic");
 207                if (prefer_ofs_delta)
 208                        strbuf_addstr(&cap, " ofs-delta");
 209                if (push_cert_nonce)
 210                        strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
 211                strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
 212                packet_write(1, "%s %s%c%s\n",
 213                             sha1_to_hex(sha1), path, 0, cap.buf);
 214                strbuf_release(&cap);
 215                sent_capabilities = 1;
 216        }
 217}
 218
 219static int show_ref_cb(const char *path_full, const struct object_id *oid,
 220                       int flag, void *unused)
 221{
 222        const char *path = strip_namespace(path_full);
 223
 224        if (ref_is_hidden(path, path_full))
 225                return 0;
 226
 227        /*
 228         * Advertise refs outside our current namespace as ".have"
 229         * refs, so that the client can use them to minimize data
 230         * transfer but will otherwise ignore them. This happens to
 231         * cover ".have" that are thrown in by add_one_alternate_ref()
 232         * to mark histories that are complete in our alternates as
 233         * well.
 234         */
 235        if (!path)
 236                path = ".have";
 237        show_ref(path, oid->hash);
 238        return 0;
 239}
 240
 241static void show_one_alternate_sha1(const unsigned char sha1[20], void *unused)
 242{
 243        show_ref(".have", sha1);
 244}
 245
 246static void collect_one_alternate_ref(const struct ref *ref, void *data)
 247{
 248        struct sha1_array *sa = data;
 249        sha1_array_append(sa, ref->old_oid.hash);
 250}
 251
 252static void write_head_info(void)
 253{
 254        struct sha1_array sa = SHA1_ARRAY_INIT;
 255
 256        for_each_alternate_ref(collect_one_alternate_ref, &sa);
 257        sha1_array_for_each_unique(&sa, show_one_alternate_sha1, NULL);
 258        sha1_array_clear(&sa);
 259        for_each_ref(show_ref_cb, NULL);
 260        if (!sent_capabilities)
 261                show_ref("capabilities^{}", null_sha1);
 262
 263        advertise_shallow_grafts(1);
 264
 265        /* EOF */
 266        packet_flush(1);
 267}
 268
 269struct command {
 270        struct command *next;
 271        const char *error_string;
 272        unsigned int skip_update:1,
 273                     did_not_exist:1;
 274        int index;
 275        unsigned char old_sha1[20];
 276        unsigned char new_sha1[20];
 277        char ref_name[FLEX_ARRAY]; /* more */
 278};
 279
 280static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
 281static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
 282
 283static void report_message(const char *prefix, const char *err, va_list params)
 284{
 285        int sz;
 286        char msg[4096];
 287
 288        sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
 289        sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
 290        if (sz > (sizeof(msg) - 1))
 291                sz = sizeof(msg) - 1;
 292        msg[sz++] = '\n';
 293
 294        if (use_sideband)
 295                send_sideband(1, 2, msg, sz, use_sideband);
 296        else
 297                xwrite(2, msg, sz);
 298}
 299
 300static void rp_warning(const char *err, ...)
 301{
 302        va_list params;
 303        va_start(params, err);
 304        report_message("warning: ", err, params);
 305        va_end(params);
 306}
 307
 308static void rp_error(const char *err, ...)
 309{
 310        va_list params;
 311        va_start(params, err);
 312        report_message("error: ", err, params);
 313        va_end(params);
 314}
 315
 316static int copy_to_sideband(int in, int out, void *arg)
 317{
 318        char data[128];
 319        while (1) {
 320                ssize_t sz = xread(in, data, sizeof(data));
 321                if (sz <= 0)
 322                        break;
 323                send_sideband(1, 2, data, sz, use_sideband);
 324        }
 325        close(in);
 326        return 0;
 327}
 328
 329#define HMAC_BLOCK_SIZE 64
 330
 331static void hmac_sha1(unsigned char *out,
 332                      const char *key_in, size_t key_len,
 333                      const char *text, size_t text_len)
 334{
 335        unsigned char key[HMAC_BLOCK_SIZE];
 336        unsigned char k_ipad[HMAC_BLOCK_SIZE];
 337        unsigned char k_opad[HMAC_BLOCK_SIZE];
 338        int i;
 339        git_SHA_CTX ctx;
 340
 341        /* RFC 2104 2. (1) */
 342        memset(key, '\0', HMAC_BLOCK_SIZE);
 343        if (HMAC_BLOCK_SIZE < key_len) {
 344                git_SHA1_Init(&ctx);
 345                git_SHA1_Update(&ctx, key_in, key_len);
 346                git_SHA1_Final(key, &ctx);
 347        } else {
 348                memcpy(key, key_in, key_len);
 349        }
 350
 351        /* RFC 2104 2. (2) & (5) */
 352        for (i = 0; i < sizeof(key); i++) {
 353                k_ipad[i] = key[i] ^ 0x36;
 354                k_opad[i] = key[i] ^ 0x5c;
 355        }
 356
 357        /* RFC 2104 2. (3) & (4) */
 358        git_SHA1_Init(&ctx);
 359        git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
 360        git_SHA1_Update(&ctx, text, text_len);
 361        git_SHA1_Final(out, &ctx);
 362
 363        /* RFC 2104 2. (6) & (7) */
 364        git_SHA1_Init(&ctx);
 365        git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
 366        git_SHA1_Update(&ctx, out, 20);
 367        git_SHA1_Final(out, &ctx);
 368}
 369
 370static char *prepare_push_cert_nonce(const char *path, unsigned long stamp)
 371{
 372        struct strbuf buf = STRBUF_INIT;
 373        unsigned char sha1[20];
 374
 375        strbuf_addf(&buf, "%s:%lu", path, stamp);
 376        hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
 377        strbuf_release(&buf);
 378
 379        /* RFC 2104 5. HMAC-SHA1-80 */
 380        strbuf_addf(&buf, "%lu-%.*s", stamp, 20, sha1_to_hex(sha1));
 381        return strbuf_detach(&buf, NULL);
 382}
 383
 384/*
 385 * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
 386 * after dropping "_commit" from its name and possibly moving it out
 387 * of commit.c
 388 */
 389static char *find_header(const char *msg, size_t len, const char *key)
 390{
 391        int key_len = strlen(key);
 392        const char *line = msg;
 393
 394        while (line && line < msg + len) {
 395                const char *eol = strchrnul(line, '\n');
 396
 397                if ((msg + len <= eol) || line == eol)
 398                        return NULL;
 399                if (line + key_len < eol &&
 400                    !memcmp(line, key, key_len) && line[key_len] == ' ') {
 401                        int offset = key_len + 1;
 402                        return xmemdupz(line + offset, (eol - line) - offset);
 403                }
 404                line = *eol ? eol + 1 : NULL;
 405        }
 406        return NULL;
 407}
 408
 409static const char *check_nonce(const char *buf, size_t len)
 410{
 411        char *nonce = find_header(buf, len, "nonce");
 412        unsigned long stamp, ostamp;
 413        char *bohmac, *expect = NULL;
 414        const char *retval = NONCE_BAD;
 415
 416        if (!nonce) {
 417                retval = NONCE_MISSING;
 418                goto leave;
 419        } else if (!push_cert_nonce) {
 420                retval = NONCE_UNSOLICITED;
 421                goto leave;
 422        } else if (!strcmp(push_cert_nonce, nonce)) {
 423                retval = NONCE_OK;
 424                goto leave;
 425        }
 426
 427        if (!stateless_rpc) {
 428                /* returned nonce MUST match what we gave out earlier */
 429                retval = NONCE_BAD;
 430                goto leave;
 431        }
 432
 433        /*
 434         * In stateless mode, we may be receiving a nonce issued by
 435         * another instance of the server that serving the same
 436         * repository, and the timestamps may not match, but the
 437         * nonce-seed and dir should match, so we can recompute and
 438         * report the time slop.
 439         *
 440         * In addition, when a nonce issued by another instance has
 441         * timestamp within receive.certnonceslop seconds, we pretend
 442         * as if we issued that nonce when reporting to the hook.
 443         */
 444
 445        /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
 446        if (*nonce <= '0' || '9' < *nonce) {
 447                retval = NONCE_BAD;
 448                goto leave;
 449        }
 450        stamp = strtoul(nonce, &bohmac, 10);
 451        if (bohmac == nonce || bohmac[0] != '-') {
 452                retval = NONCE_BAD;
 453                goto leave;
 454        }
 455
 456        expect = prepare_push_cert_nonce(service_dir, stamp);
 457        if (strcmp(expect, nonce)) {
 458                /* Not what we would have signed earlier */
 459                retval = NONCE_BAD;
 460                goto leave;
 461        }
 462
 463        /*
 464         * By how many seconds is this nonce stale?  Negative value
 465         * would mean it was issued by another server with its clock
 466         * skewed in the future.
 467         */
 468        ostamp = strtoul(push_cert_nonce, NULL, 10);
 469        nonce_stamp_slop = (long)ostamp - (long)stamp;
 470
 471        if (nonce_stamp_slop_limit &&
 472            labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
 473                /*
 474                 * Pretend as if the received nonce (which passes the
 475                 * HMAC check, so it is not a forged by third-party)
 476                 * is what we issued.
 477                 */
 478                free((void *)push_cert_nonce);
 479                push_cert_nonce = xstrdup(nonce);
 480                retval = NONCE_OK;
 481        } else {
 482                retval = NONCE_SLOP;
 483        }
 484
 485leave:
 486        free(nonce);
 487        free(expect);
 488        return retval;
 489}
 490
 491static void prepare_push_cert_sha1(struct child_process *proc)
 492{
 493        static int already_done;
 494
 495        if (!push_cert.len)
 496                return;
 497
 498        if (!already_done) {
 499                struct strbuf gpg_output = STRBUF_INIT;
 500                struct strbuf gpg_status = STRBUF_INIT;
 501                int bogs /* beginning_of_gpg_sig */;
 502
 503                already_done = 1;
 504                if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
 505                        hashclr(push_cert_sha1);
 506
 507                memset(&sigcheck, '\0', sizeof(sigcheck));
 508                sigcheck.result = 'N';
 509
 510                bogs = parse_signature(push_cert.buf, push_cert.len);
 511                if (verify_signed_buffer(push_cert.buf, bogs,
 512                                         push_cert.buf + bogs, push_cert.len - bogs,
 513                                         &gpg_output, &gpg_status) < 0) {
 514                        ; /* error running gpg */
 515                } else {
 516                        sigcheck.payload = push_cert.buf;
 517                        sigcheck.gpg_output = gpg_output.buf;
 518                        sigcheck.gpg_status = gpg_status.buf;
 519                        parse_gpg_output(&sigcheck);
 520                }
 521
 522                strbuf_release(&gpg_output);
 523                strbuf_release(&gpg_status);
 524                nonce_status = check_nonce(push_cert.buf, bogs);
 525        }
 526        if (!is_null_sha1(push_cert_sha1)) {
 527                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
 528                                 sha1_to_hex(push_cert_sha1));
 529                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
 530                                 sigcheck.signer ? sigcheck.signer : "");
 531                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
 532                                 sigcheck.key ? sigcheck.key : "");
 533                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
 534                                 sigcheck.result);
 535                if (push_cert_nonce) {
 536                        argv_array_pushf(&proc->env_array,
 537                                         "GIT_PUSH_CERT_NONCE=%s",
 538                                         push_cert_nonce);
 539                        argv_array_pushf(&proc->env_array,
 540                                         "GIT_PUSH_CERT_NONCE_STATUS=%s",
 541                                         nonce_status);
 542                        if (nonce_status == NONCE_SLOP)
 543                                argv_array_pushf(&proc->env_array,
 544                                                 "GIT_PUSH_CERT_NONCE_SLOP=%ld",
 545                                                 nonce_stamp_slop);
 546                }
 547        }
 548}
 549
 550typedef int (*feed_fn)(void *, const char **, size_t *);
 551static int run_and_feed_hook(const char *hook_name, feed_fn feed, void *feed_state)
 552{
 553        struct child_process proc = CHILD_PROCESS_INIT;
 554        struct async muxer;
 555        const char *argv[2];
 556        int code;
 557
 558        argv[0] = find_hook(hook_name);
 559        if (!argv[0])
 560                return 0;
 561
 562        argv[1] = NULL;
 563
 564        proc.argv = argv;
 565        proc.in = -1;
 566        proc.stdout_to_stderr = 1;
 567
 568        if (use_sideband) {
 569                memset(&muxer, 0, sizeof(muxer));
 570                muxer.proc = copy_to_sideband;
 571                muxer.in = -1;
 572                code = start_async(&muxer);
 573                if (code)
 574                        return code;
 575                proc.err = muxer.in;
 576        }
 577
 578        prepare_push_cert_sha1(&proc);
 579
 580        code = start_command(&proc);
 581        if (code) {
 582                if (use_sideband)
 583                        finish_async(&muxer);
 584                return code;
 585        }
 586
 587        sigchain_push(SIGPIPE, SIG_IGN);
 588
 589        while (1) {
 590                const char *buf;
 591                size_t n;
 592                if (feed(feed_state, &buf, &n))
 593                        break;
 594                if (write_in_full(proc.in, buf, n) != n)
 595                        break;
 596        }
 597        close(proc.in);
 598        if (use_sideband)
 599                finish_async(&muxer);
 600
 601        sigchain_pop(SIGPIPE);
 602
 603        return finish_command(&proc);
 604}
 605
 606struct receive_hook_feed_state {
 607        struct command *cmd;
 608        int skip_broken;
 609        struct strbuf buf;
 610};
 611
 612static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
 613{
 614        struct receive_hook_feed_state *state = state_;
 615        struct command *cmd = state->cmd;
 616
 617        while (cmd &&
 618               state->skip_broken && (cmd->error_string || cmd->did_not_exist))
 619                cmd = cmd->next;
 620        if (!cmd)
 621                return -1; /* EOF */
 622        strbuf_reset(&state->buf);
 623        strbuf_addf(&state->buf, "%s %s %s\n",
 624                    sha1_to_hex(cmd->old_sha1), sha1_to_hex(cmd->new_sha1),
 625                    cmd->ref_name);
 626        state->cmd = cmd->next;
 627        if (bufp) {
 628                *bufp = state->buf.buf;
 629                *sizep = state->buf.len;
 630        }
 631        return 0;
 632}
 633
 634static int run_receive_hook(struct command *commands, const char *hook_name,
 635                            int skip_broken)
 636{
 637        struct receive_hook_feed_state state;
 638        int status;
 639
 640        strbuf_init(&state.buf, 0);
 641        state.cmd = commands;
 642        state.skip_broken = skip_broken;
 643        if (feed_receive_hook(&state, NULL, NULL))
 644                return 0;
 645        state.cmd = commands;
 646        status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
 647        strbuf_release(&state.buf);
 648        return status;
 649}
 650
 651static int run_update_hook(struct command *cmd)
 652{
 653        const char *argv[5];
 654        struct child_process proc = CHILD_PROCESS_INIT;
 655        int code;
 656
 657        argv[0] = find_hook("update");
 658        if (!argv[0])
 659                return 0;
 660
 661        argv[1] = cmd->ref_name;
 662        argv[2] = sha1_to_hex(cmd->old_sha1);
 663        argv[3] = sha1_to_hex(cmd->new_sha1);
 664        argv[4] = NULL;
 665
 666        proc.no_stdin = 1;
 667        proc.stdout_to_stderr = 1;
 668        proc.err = use_sideband ? -1 : 0;
 669        proc.argv = argv;
 670
 671        code = start_command(&proc);
 672        if (code)
 673                return code;
 674        if (use_sideband)
 675                copy_to_sideband(proc.err, -1, NULL);
 676        return finish_command(&proc);
 677}
 678
 679static int is_ref_checked_out(const char *ref)
 680{
 681        if (is_bare_repository())
 682                return 0;
 683
 684        if (!head_name)
 685                return 0;
 686        return !strcmp(head_name, ref);
 687}
 688
 689static char *refuse_unconfigured_deny_msg[] = {
 690        "By default, updating the current branch in a non-bare repository",
 691        "is denied, because it will make the index and work tree inconsistent",
 692        "with what you pushed, and will require 'git reset --hard' to match",
 693        "the work tree to HEAD.",
 694        "",
 695        "You can set 'receive.denyCurrentBranch' configuration variable to",
 696        "'ignore' or 'warn' in the remote repository to allow pushing into",
 697        "its current branch; however, this is not recommended unless you",
 698        "arranged to update its work tree to match what you pushed in some",
 699        "other way.",
 700        "",
 701        "To squelch this message and still keep the default behaviour, set",
 702        "'receive.denyCurrentBranch' configuration variable to 'refuse'."
 703};
 704
 705static void refuse_unconfigured_deny(void)
 706{
 707        int i;
 708        for (i = 0; i < ARRAY_SIZE(refuse_unconfigured_deny_msg); i++)
 709                rp_error("%s", refuse_unconfigured_deny_msg[i]);
 710}
 711
 712static char *refuse_unconfigured_deny_delete_current_msg[] = {
 713        "By default, deleting the current branch is denied, because the next",
 714        "'git clone' won't result in any file checked out, causing confusion.",
 715        "",
 716        "You can set 'receive.denyDeleteCurrent' configuration variable to",
 717        "'warn' or 'ignore' in the remote repository to allow deleting the",
 718        "current branch, with or without a warning message.",
 719        "",
 720        "To squelch this message, you can set it to 'refuse'."
 721};
 722
 723static void refuse_unconfigured_deny_delete_current(void)
 724{
 725        int i;
 726        for (i = 0;
 727             i < ARRAY_SIZE(refuse_unconfigured_deny_delete_current_msg);
 728             i++)
 729                rp_error("%s", refuse_unconfigured_deny_delete_current_msg[i]);
 730}
 731
 732static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
 733static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
 734{
 735        static struct lock_file shallow_lock;
 736        struct sha1_array extra = SHA1_ARRAY_INIT;
 737        const char *alt_file;
 738        uint32_t mask = 1 << (cmd->index % 32);
 739        int i;
 740
 741        trace_printf_key(&trace_shallow,
 742                         "shallow: update_shallow_ref %s\n", cmd->ref_name);
 743        for (i = 0; i < si->shallow->nr; i++)
 744                if (si->used_shallow[i] &&
 745                    (si->used_shallow[i][cmd->index / 32] & mask) &&
 746                    !delayed_reachability_test(si, i))
 747                        sha1_array_append(&extra, si->shallow->sha1[i]);
 748
 749        setup_alternate_shallow(&shallow_lock, &alt_file, &extra);
 750        if (check_shallow_connected(command_singleton_iterator,
 751                                    0, cmd, alt_file)) {
 752                rollback_lock_file(&shallow_lock);
 753                sha1_array_clear(&extra);
 754                return -1;
 755        }
 756
 757        commit_lock_file(&shallow_lock);
 758
 759        /*
 760         * Make sure setup_alternate_shallow() for the next ref does
 761         * not lose these new roots..
 762         */
 763        for (i = 0; i < extra.nr; i++)
 764                register_shallow(extra.sha1[i]);
 765
 766        si->shallow_ref[cmd->index] = 0;
 767        sha1_array_clear(&extra);
 768        return 0;
 769}
 770
 771/*
 772 * NEEDSWORK: we should consolidate various implementions of "are we
 773 * on an unborn branch?" test into one, and make the unified one more
 774 * robust. !get_sha1() based check used here and elsewhere would not
 775 * allow us to tell an unborn branch from corrupt ref, for example.
 776 * For the purpose of fixing "deploy-to-update does not work when
 777 * pushing into an empty repository" issue, this should suffice for
 778 * now.
 779 */
 780static int head_has_history(void)
 781{
 782        unsigned char sha1[20];
 783
 784        return !get_sha1("HEAD", sha1);
 785}
 786
 787static const char *push_to_deploy(unsigned char *sha1,
 788                                  struct argv_array *env,
 789                                  const char *work_tree)
 790{
 791        const char *update_refresh[] = {
 792                "update-index", "-q", "--ignore-submodules", "--refresh", NULL
 793        };
 794        const char *diff_files[] = {
 795                "diff-files", "--quiet", "--ignore-submodules", "--", NULL
 796        };
 797        const char *diff_index[] = {
 798                "diff-index", "--quiet", "--cached", "--ignore-submodules",
 799                NULL, "--", NULL
 800        };
 801        const char *read_tree[] = {
 802                "read-tree", "-u", "-m", NULL, NULL
 803        };
 804        struct child_process child = CHILD_PROCESS_INIT;
 805
 806        child.argv = update_refresh;
 807        child.env = env->argv;
 808        child.dir = work_tree;
 809        child.no_stdin = 1;
 810        child.stdout_to_stderr = 1;
 811        child.git_cmd = 1;
 812        if (run_command(&child))
 813                return "Up-to-date check failed";
 814
 815        /* run_command() does not clean up completely; reinitialize */
 816        child_process_init(&child);
 817        child.argv = diff_files;
 818        child.env = env->argv;
 819        child.dir = work_tree;
 820        child.no_stdin = 1;
 821        child.stdout_to_stderr = 1;
 822        child.git_cmd = 1;
 823        if (run_command(&child))
 824                return "Working directory has unstaged changes";
 825
 826        /* diff-index with either HEAD or an empty tree */
 827        diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
 828
 829        child_process_init(&child);
 830        child.argv = diff_index;
 831        child.env = env->argv;
 832        child.no_stdin = 1;
 833        child.no_stdout = 1;
 834        child.stdout_to_stderr = 0;
 835        child.git_cmd = 1;
 836        if (run_command(&child))
 837                return "Working directory has staged changes";
 838
 839        read_tree[3] = sha1_to_hex(sha1);
 840        child_process_init(&child);
 841        child.argv = read_tree;
 842        child.env = env->argv;
 843        child.dir = work_tree;
 844        child.no_stdin = 1;
 845        child.no_stdout = 1;
 846        child.stdout_to_stderr = 0;
 847        child.git_cmd = 1;
 848        if (run_command(&child))
 849                return "Could not update working tree to new HEAD";
 850
 851        return NULL;
 852}
 853
 854static const char *push_to_checkout_hook = "push-to-checkout";
 855
 856static const char *push_to_checkout(unsigned char *sha1,
 857                                    struct argv_array *env,
 858                                    const char *work_tree)
 859{
 860        argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
 861        if (run_hook_le(env->argv, push_to_checkout_hook,
 862                        sha1_to_hex(sha1), NULL))
 863                return "push-to-checkout hook declined";
 864        else
 865                return NULL;
 866}
 867
 868static const char *update_worktree(unsigned char *sha1)
 869{
 870        const char *retval;
 871        const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
 872        struct argv_array env = ARGV_ARRAY_INIT;
 873
 874        if (is_bare_repository())
 875                return "denyCurrentBranch = updateInstead needs a worktree";
 876
 877        argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
 878
 879        if (!find_hook(push_to_checkout_hook))
 880                retval = push_to_deploy(sha1, &env, work_tree);
 881        else
 882                retval = push_to_checkout(sha1, &env, work_tree);
 883
 884        argv_array_clear(&env);
 885        return retval;
 886}
 887
 888static const char *update(struct command *cmd, struct shallow_info *si)
 889{
 890        const char *name = cmd->ref_name;
 891        struct strbuf namespaced_name_buf = STRBUF_INIT;
 892        const char *namespaced_name, *ret;
 893        unsigned char *old_sha1 = cmd->old_sha1;
 894        unsigned char *new_sha1 = cmd->new_sha1;
 895
 896        /* only refs/... are allowed */
 897        if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
 898                rp_error("refusing to create funny ref '%s' remotely", name);
 899                return "funny refname";
 900        }
 901
 902        strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
 903        namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
 904
 905        if (is_ref_checked_out(namespaced_name)) {
 906                switch (deny_current_branch) {
 907                case DENY_IGNORE:
 908                        break;
 909                case DENY_WARN:
 910                        rp_warning("updating the current branch");
 911                        break;
 912                case DENY_REFUSE:
 913                case DENY_UNCONFIGURED:
 914                        rp_error("refusing to update checked out branch: %s", name);
 915                        if (deny_current_branch == DENY_UNCONFIGURED)
 916                                refuse_unconfigured_deny();
 917                        return "branch is currently checked out";
 918                case DENY_UPDATE_INSTEAD:
 919                        ret = update_worktree(new_sha1);
 920                        if (ret)
 921                                return ret;
 922                        break;
 923                }
 924        }
 925
 926        if (!is_null_sha1(new_sha1) && !has_sha1_file(new_sha1)) {
 927                error("unpack should have generated %s, "
 928                      "but I can't find it!", sha1_to_hex(new_sha1));
 929                return "bad pack";
 930        }
 931
 932        if (!is_null_sha1(old_sha1) && is_null_sha1(new_sha1)) {
 933                if (deny_deletes && starts_with(name, "refs/heads/")) {
 934                        rp_error("denying ref deletion for %s", name);
 935                        return "deletion prohibited";
 936                }
 937
 938                if (head_name && !strcmp(namespaced_name, head_name)) {
 939                        switch (deny_delete_current) {
 940                        case DENY_IGNORE:
 941                                break;
 942                        case DENY_WARN:
 943                                rp_warning("deleting the current branch");
 944                                break;
 945                        case DENY_REFUSE:
 946                        case DENY_UNCONFIGURED:
 947                        case DENY_UPDATE_INSTEAD:
 948                                if (deny_delete_current == DENY_UNCONFIGURED)
 949                                        refuse_unconfigured_deny_delete_current();
 950                                rp_error("refusing to delete the current branch: %s", name);
 951                                return "deletion of the current branch prohibited";
 952                        default:
 953                                return "Invalid denyDeleteCurrent setting";
 954                        }
 955                }
 956        }
 957
 958        if (deny_non_fast_forwards && !is_null_sha1(new_sha1) &&
 959            !is_null_sha1(old_sha1) &&
 960            starts_with(name, "refs/heads/")) {
 961                struct object *old_object, *new_object;
 962                struct commit *old_commit, *new_commit;
 963
 964                old_object = parse_object(old_sha1);
 965                new_object = parse_object(new_sha1);
 966
 967                if (!old_object || !new_object ||
 968                    old_object->type != OBJ_COMMIT ||
 969                    new_object->type != OBJ_COMMIT) {
 970                        error("bad sha1 objects for %s", name);
 971                        return "bad ref";
 972                }
 973                old_commit = (struct commit *)old_object;
 974                new_commit = (struct commit *)new_object;
 975                if (!in_merge_bases(old_commit, new_commit)) {
 976                        rp_error("denying non-fast-forward %s"
 977                                 " (you should pull first)", name);
 978                        return "non-fast-forward";
 979                }
 980        }
 981        if (run_update_hook(cmd)) {
 982                rp_error("hook declined to update %s", name);
 983                return "hook declined";
 984        }
 985
 986        if (is_null_sha1(new_sha1)) {
 987                struct strbuf err = STRBUF_INIT;
 988                if (!parse_object(old_sha1)) {
 989                        old_sha1 = NULL;
 990                        if (ref_exists(name)) {
 991                                rp_warning("Allowing deletion of corrupt ref.");
 992                        } else {
 993                                rp_warning("Deleting a non-existent ref.");
 994                                cmd->did_not_exist = 1;
 995                        }
 996                }
 997                if (ref_transaction_delete(transaction,
 998                                           namespaced_name,
 999                                           old_sha1,
1000                                           0, "push", &err)) {
1001                        rp_error("%s", err.buf);
1002                        strbuf_release(&err);
1003                        return "failed to delete";
1004                }
1005                strbuf_release(&err);
1006                return NULL; /* good */
1007        }
1008        else {
1009                struct strbuf err = STRBUF_INIT;
1010                if (shallow_update && si->shallow_ref[cmd->index] &&
1011                    update_shallow_ref(cmd, si))
1012                        return "shallow error";
1013
1014                if (ref_transaction_update(transaction,
1015                                           namespaced_name,
1016                                           new_sha1, old_sha1,
1017                                           0, "push",
1018                                           &err)) {
1019                        rp_error("%s", err.buf);
1020                        strbuf_release(&err);
1021
1022                        return "failed to update ref";
1023                }
1024                strbuf_release(&err);
1025
1026                return NULL; /* good */
1027        }
1028}
1029
1030static void run_update_post_hook(struct command *commands)
1031{
1032        struct command *cmd;
1033        int argc;
1034        struct child_process proc = CHILD_PROCESS_INIT;
1035        const char *hook;
1036
1037        hook = find_hook("post-update");
1038        for (argc = 0, cmd = commands; cmd; cmd = cmd->next) {
1039                if (cmd->error_string || cmd->did_not_exist)
1040                        continue;
1041                argc++;
1042        }
1043        if (!argc || !hook)
1044                return;
1045
1046        argv_array_push(&proc.args, hook);
1047        for (cmd = commands; cmd; cmd = cmd->next) {
1048                if (cmd->error_string || cmd->did_not_exist)
1049                        continue;
1050                argv_array_push(&proc.args, cmd->ref_name);
1051        }
1052
1053        proc.no_stdin = 1;
1054        proc.stdout_to_stderr = 1;
1055        proc.err = use_sideband ? -1 : 0;
1056
1057        if (!start_command(&proc)) {
1058                if (use_sideband)
1059                        copy_to_sideband(proc.err, -1, NULL);
1060                finish_command(&proc);
1061        }
1062}
1063
1064static void check_aliased_update(struct command *cmd, struct string_list *list)
1065{
1066        struct strbuf buf = STRBUF_INIT;
1067        const char *dst_name;
1068        struct string_list_item *item;
1069        struct command *dst_cmd;
1070        unsigned char sha1[GIT_SHA1_RAWSZ];
1071        char cmd_oldh[GIT_SHA1_HEXSZ + 1],
1072             cmd_newh[GIT_SHA1_HEXSZ + 1],
1073             dst_oldh[GIT_SHA1_HEXSZ + 1],
1074             dst_newh[GIT_SHA1_HEXSZ + 1];
1075        int flag;
1076
1077        strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1078        dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1079        strbuf_release(&buf);
1080
1081        if (!(flag & REF_ISSYMREF))
1082                return;
1083
1084        dst_name = strip_namespace(dst_name);
1085        if (!dst_name) {
1086                rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1087                cmd->skip_update = 1;
1088                cmd->error_string = "broken symref";
1089                return;
1090        }
1091
1092        if ((item = string_list_lookup(list, dst_name)) == NULL)
1093                return;
1094
1095        cmd->skip_update = 1;
1096
1097        dst_cmd = (struct command *) item->util;
1098
1099        if (!hashcmp(cmd->old_sha1, dst_cmd->old_sha1) &&
1100            !hashcmp(cmd->new_sha1, dst_cmd->new_sha1))
1101                return;
1102
1103        dst_cmd->skip_update = 1;
1104
1105        find_unique_abbrev_r(cmd_oldh, cmd->old_sha1, DEFAULT_ABBREV);
1106        find_unique_abbrev_r(cmd_newh, cmd->new_sha1, DEFAULT_ABBREV);
1107        find_unique_abbrev_r(dst_oldh, dst_cmd->old_sha1, DEFAULT_ABBREV);
1108        find_unique_abbrev_r(dst_newh, dst_cmd->new_sha1, DEFAULT_ABBREV);
1109        rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1110                 " its target '%s' (%s..%s)",
1111                 cmd->ref_name, cmd_oldh, cmd_newh,
1112                 dst_cmd->ref_name, dst_oldh, dst_newh);
1113
1114        cmd->error_string = dst_cmd->error_string =
1115                "inconsistent aliased update";
1116}
1117
1118static void check_aliased_updates(struct command *commands)
1119{
1120        struct command *cmd;
1121        struct string_list ref_list = STRING_LIST_INIT_NODUP;
1122
1123        for (cmd = commands; cmd; cmd = cmd->next) {
1124                struct string_list_item *item =
1125                        string_list_append(&ref_list, cmd->ref_name);
1126                item->util = (void *)cmd;
1127        }
1128        string_list_sort(&ref_list);
1129
1130        for (cmd = commands; cmd; cmd = cmd->next) {
1131                if (!cmd->error_string)
1132                        check_aliased_update(cmd, &ref_list);
1133        }
1134
1135        string_list_clear(&ref_list, 0);
1136}
1137
1138static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1139{
1140        struct command **cmd_list = cb_data;
1141        struct command *cmd = *cmd_list;
1142
1143        if (!cmd || is_null_sha1(cmd->new_sha1))
1144                return -1; /* end of list */
1145        *cmd_list = NULL; /* this returns only one */
1146        hashcpy(sha1, cmd->new_sha1);
1147        return 0;
1148}
1149
1150static void set_connectivity_errors(struct command *commands,
1151                                    struct shallow_info *si)
1152{
1153        struct command *cmd;
1154
1155        for (cmd = commands; cmd; cmd = cmd->next) {
1156                struct command *singleton = cmd;
1157                if (shallow_update && si->shallow_ref[cmd->index])
1158                        /* to be checked in update_shallow_ref() */
1159                        continue;
1160                if (!check_everything_connected(command_singleton_iterator,
1161                                                0, &singleton))
1162                        continue;
1163                cmd->error_string = "missing necessary objects";
1164        }
1165}
1166
1167struct iterate_data {
1168        struct command *cmds;
1169        struct shallow_info *si;
1170};
1171
1172static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1173{
1174        struct iterate_data *data = cb_data;
1175        struct command **cmd_list = &data->cmds;
1176        struct command *cmd = *cmd_list;
1177
1178        for (; cmd; cmd = cmd->next) {
1179                if (shallow_update && data->si->shallow_ref[cmd->index])
1180                        /* to be checked in update_shallow_ref() */
1181                        continue;
1182                if (!is_null_sha1(cmd->new_sha1) && !cmd->skip_update) {
1183                        hashcpy(sha1, cmd->new_sha1);
1184                        *cmd_list = cmd->next;
1185                        return 0;
1186                }
1187        }
1188        *cmd_list = NULL;
1189        return -1; /* end of list */
1190}
1191
1192static void reject_updates_to_hidden(struct command *commands)
1193{
1194        struct strbuf refname_full = STRBUF_INIT;
1195        size_t prefix_len;
1196        struct command *cmd;
1197
1198        strbuf_addstr(&refname_full, get_git_namespace());
1199        prefix_len = refname_full.len;
1200
1201        for (cmd = commands; cmd; cmd = cmd->next) {
1202                if (cmd->error_string)
1203                        continue;
1204
1205                strbuf_setlen(&refname_full, prefix_len);
1206                strbuf_addstr(&refname_full, cmd->ref_name);
1207
1208                if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1209                        continue;
1210                if (is_null_sha1(cmd->new_sha1))
1211                        cmd->error_string = "deny deleting a hidden ref";
1212                else
1213                        cmd->error_string = "deny updating a hidden ref";
1214        }
1215
1216        strbuf_release(&refname_full);
1217}
1218
1219static int should_process_cmd(struct command *cmd)
1220{
1221        return !cmd->error_string && !cmd->skip_update;
1222}
1223
1224static void warn_if_skipped_connectivity_check(struct command *commands,
1225                                               struct shallow_info *si)
1226{
1227        struct command *cmd;
1228        int checked_connectivity = 1;
1229
1230        for (cmd = commands; cmd; cmd = cmd->next) {
1231                if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1232                        error("BUG: connectivity check has not been run on ref %s",
1233                              cmd->ref_name);
1234                        checked_connectivity = 0;
1235                }
1236        }
1237        if (!checked_connectivity)
1238                die("BUG: connectivity check skipped???");
1239}
1240
1241static void execute_commands_non_atomic(struct command *commands,
1242                                        struct shallow_info *si)
1243{
1244        struct command *cmd;
1245        struct strbuf err = STRBUF_INIT;
1246
1247        for (cmd = commands; cmd; cmd = cmd->next) {
1248                if (!should_process_cmd(cmd))
1249                        continue;
1250
1251                transaction = ref_transaction_begin(&err);
1252                if (!transaction) {
1253                        rp_error("%s", err.buf);
1254                        strbuf_reset(&err);
1255                        cmd->error_string = "transaction failed to start";
1256                        continue;
1257                }
1258
1259                cmd->error_string = update(cmd, si);
1260
1261                if (!cmd->error_string
1262                    && ref_transaction_commit(transaction, &err)) {
1263                        rp_error("%s", err.buf);
1264                        strbuf_reset(&err);
1265                        cmd->error_string = "failed to update ref";
1266                }
1267                ref_transaction_free(transaction);
1268        }
1269        strbuf_release(&err);
1270}
1271
1272static void execute_commands_atomic(struct command *commands,
1273                                        struct shallow_info *si)
1274{
1275        struct command *cmd;
1276        struct strbuf err = STRBUF_INIT;
1277        const char *reported_error = "atomic push failure";
1278
1279        transaction = ref_transaction_begin(&err);
1280        if (!transaction) {
1281                rp_error("%s", err.buf);
1282                strbuf_reset(&err);
1283                reported_error = "transaction failed to start";
1284                goto failure;
1285        }
1286
1287        for (cmd = commands; cmd; cmd = cmd->next) {
1288                if (!should_process_cmd(cmd))
1289                        continue;
1290
1291                cmd->error_string = update(cmd, si);
1292
1293                if (cmd->error_string)
1294                        goto failure;
1295        }
1296
1297        if (ref_transaction_commit(transaction, &err)) {
1298                rp_error("%s", err.buf);
1299                reported_error = "atomic transaction failed";
1300                goto failure;
1301        }
1302        goto cleanup;
1303
1304failure:
1305        for (cmd = commands; cmd; cmd = cmd->next)
1306                if (!cmd->error_string)
1307                        cmd->error_string = reported_error;
1308
1309cleanup:
1310        ref_transaction_free(transaction);
1311        strbuf_release(&err);
1312}
1313
1314static void execute_commands(struct command *commands,
1315                             const char *unpacker_error,
1316                             struct shallow_info *si)
1317{
1318        struct command *cmd;
1319        unsigned char sha1[20];
1320        struct iterate_data data;
1321
1322        if (unpacker_error) {
1323                for (cmd = commands; cmd; cmd = cmd->next)
1324                        cmd->error_string = "unpacker error";
1325                return;
1326        }
1327
1328        data.cmds = commands;
1329        data.si = si;
1330        if (check_everything_connected(iterate_receive_command_list, 0, &data))
1331                set_connectivity_errors(commands, si);
1332
1333        reject_updates_to_hidden(commands);
1334
1335        if (run_receive_hook(commands, "pre-receive", 0)) {
1336                for (cmd = commands; cmd; cmd = cmd->next) {
1337                        if (!cmd->error_string)
1338                                cmd->error_string = "pre-receive hook declined";
1339                }
1340                return;
1341        }
1342
1343        check_aliased_updates(commands);
1344
1345        free(head_name_to_free);
1346        head_name = head_name_to_free = resolve_refdup("HEAD", 0, sha1, NULL);
1347
1348        if (use_atomic)
1349                execute_commands_atomic(commands, si);
1350        else
1351                execute_commands_non_atomic(commands, si);
1352
1353        if (shallow_update)
1354                warn_if_skipped_connectivity_check(commands, si);
1355}
1356
1357static struct command **queue_command(struct command **tail,
1358                                      const char *line,
1359                                      int linelen)
1360{
1361        unsigned char old_sha1[20], new_sha1[20];
1362        struct command *cmd;
1363        const char *refname;
1364        int reflen;
1365
1366        if (linelen < 83 ||
1367            line[40] != ' ' ||
1368            line[81] != ' ' ||
1369            get_sha1_hex(line, old_sha1) ||
1370            get_sha1_hex(line + 41, new_sha1))
1371                die("protocol error: expected old/new/ref, got '%s'", line);
1372
1373        refname = line + 82;
1374        reflen = linelen - 82;
1375        cmd = xcalloc(1, st_add3(sizeof(struct command), reflen, 1));
1376        hashcpy(cmd->old_sha1, old_sha1);
1377        hashcpy(cmd->new_sha1, new_sha1);
1378        memcpy(cmd->ref_name, refname, reflen);
1379        cmd->ref_name[reflen] = '\0';
1380        *tail = cmd;
1381        return &cmd->next;
1382}
1383
1384static void queue_commands_from_cert(struct command **tail,
1385                                     struct strbuf *push_cert)
1386{
1387        const char *boc, *eoc;
1388
1389        if (*tail)
1390                die("protocol error: got both push certificate and unsigned commands");
1391
1392        boc = strstr(push_cert->buf, "\n\n");
1393        if (!boc)
1394                die("malformed push certificate %.*s", 100, push_cert->buf);
1395        else
1396                boc += 2;
1397        eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1398
1399        while (boc < eoc) {
1400                const char *eol = memchr(boc, '\n', eoc - boc);
1401                tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);
1402                boc = eol ? eol + 1 : eoc;
1403        }
1404}
1405
1406static struct command *read_head_info(struct sha1_array *shallow)
1407{
1408        struct command *commands = NULL;
1409        struct command **p = &commands;
1410        for (;;) {
1411                char *line;
1412                int len, linelen;
1413
1414                line = packet_read_line(0, &len);
1415                if (!line)
1416                        break;
1417
1418                if (len == 48 && starts_with(line, "shallow ")) {
1419                        unsigned char sha1[20];
1420                        if (get_sha1_hex(line + 8, sha1))
1421                                die("protocol error: expected shallow sha, got '%s'",
1422                                    line + 8);
1423                        sha1_array_append(shallow, sha1);
1424                        continue;
1425                }
1426
1427                linelen = strlen(line);
1428                if (linelen < len) {
1429                        const char *feature_list = line + linelen + 1;
1430                        if (parse_feature_request(feature_list, "report-status"))
1431                                report_status = 1;
1432                        if (parse_feature_request(feature_list, "side-band-64k"))
1433                                use_sideband = LARGE_PACKET_MAX;
1434                        if (parse_feature_request(feature_list, "quiet"))
1435                                quiet = 1;
1436                        if (advertise_atomic_push
1437                            && parse_feature_request(feature_list, "atomic"))
1438                                use_atomic = 1;
1439                }
1440
1441                if (!strcmp(line, "push-cert")) {
1442                        int true_flush = 0;
1443                        char certbuf[1024];
1444
1445                        for (;;) {
1446                                len = packet_read(0, NULL, NULL,
1447                                                  certbuf, sizeof(certbuf), 0);
1448                                if (!len) {
1449                                        true_flush = 1;
1450                                        break;
1451                                }
1452                                if (!strcmp(certbuf, "push-cert-end\n"))
1453                                        break; /* end of cert */
1454                                strbuf_addstr(&push_cert, certbuf);
1455                        }
1456
1457                        if (true_flush)
1458                                break;
1459                        continue;
1460                }
1461
1462                p = queue_command(p, line, linelen);
1463        }
1464
1465        if (push_cert.len)
1466                queue_commands_from_cert(p, &push_cert);
1467
1468        return commands;
1469}
1470
1471static const char *parse_pack_header(struct pack_header *hdr)
1472{
1473        switch (read_pack_header(0, hdr)) {
1474        case PH_ERROR_EOF:
1475                return "eof before pack header was fully read";
1476
1477        case PH_ERROR_PACK_SIGNATURE:
1478                return "protocol error (pack signature mismatch detected)";
1479
1480        case PH_ERROR_PROTOCOL:
1481                return "protocol error (pack version unsupported)";
1482
1483        default:
1484                return "unknown error in parse_pack_header";
1485
1486        case 0:
1487                return NULL;
1488        }
1489}
1490
1491static const char *pack_lockfile;
1492
1493static const char *unpack(int err_fd, struct shallow_info *si)
1494{
1495        struct pack_header hdr;
1496        const char *hdr_err;
1497        int status;
1498        char hdr_arg[38];
1499        struct child_process child = CHILD_PROCESS_INIT;
1500        int fsck_objects = (receive_fsck_objects >= 0
1501                            ? receive_fsck_objects
1502                            : transfer_fsck_objects >= 0
1503                            ? transfer_fsck_objects
1504                            : 0);
1505
1506        hdr_err = parse_pack_header(&hdr);
1507        if (hdr_err) {
1508                if (err_fd > 0)
1509                        close(err_fd);
1510                return hdr_err;
1511        }
1512        snprintf(hdr_arg, sizeof(hdr_arg),
1513                        "--pack_header=%"PRIu32",%"PRIu32,
1514                        ntohl(hdr.hdr_version), ntohl(hdr.hdr_entries));
1515
1516        if (si->nr_ours || si->nr_theirs) {
1517                alt_shallow_file = setup_temporary_shallow(si->shallow);
1518                argv_array_push(&child.args, "--shallow-file");
1519                argv_array_push(&child.args, alt_shallow_file);
1520        }
1521
1522        if (ntohl(hdr.hdr_entries) < unpack_limit) {
1523                argv_array_pushl(&child.args, "unpack-objects", hdr_arg, NULL);
1524                if (quiet)
1525                        argv_array_push(&child.args, "-q");
1526                if (fsck_objects)
1527                        argv_array_pushf(&child.args, "--strict%s",
1528                                fsck_msg_types.buf);
1529                child.no_stdout = 1;
1530                child.err = err_fd;
1531                child.git_cmd = 1;
1532                status = run_command(&child);
1533                if (status)
1534                        return "unpack-objects abnormal exit";
1535        } else {
1536                char hostname[256];
1537
1538                argv_array_pushl(&child.args, "index-pack",
1539                                 "--stdin", hdr_arg, NULL);
1540
1541                if (gethostname(hostname, sizeof(hostname)))
1542                        xsnprintf(hostname, sizeof(hostname), "localhost");
1543                argv_array_pushf(&child.args,
1544                                 "--keep=receive-pack %"PRIuMAX" on %s",
1545                                 (uintmax_t)getpid(),
1546                                 hostname);
1547
1548                if (fsck_objects)
1549                        argv_array_pushf(&child.args, "--strict%s",
1550                                fsck_msg_types.buf);
1551                if (fix_thin)
1552                        argv_array_push(&child.args, "--fix-thin");
1553                child.out = -1;
1554                child.err = err_fd;
1555                child.git_cmd = 1;
1556                status = start_command(&child);
1557                if (status)
1558                        return "index-pack fork failed";
1559                pack_lockfile = index_pack_lockfile(child.out);
1560                close(child.out);
1561                status = finish_command(&child);
1562                if (status)
1563                        return "index-pack abnormal exit";
1564                reprepare_packed_git();
1565        }
1566        return NULL;
1567}
1568
1569static const char *unpack_with_sideband(struct shallow_info *si)
1570{
1571        struct async muxer;
1572        const char *ret;
1573
1574        if (!use_sideband)
1575                return unpack(0, si);
1576
1577        memset(&muxer, 0, sizeof(muxer));
1578        muxer.proc = copy_to_sideband;
1579        muxer.in = -1;
1580        if (start_async(&muxer))
1581                return NULL;
1582
1583        ret = unpack(muxer.in, si);
1584
1585        finish_async(&muxer);
1586        return ret;
1587}
1588
1589static void prepare_shallow_update(struct command *commands,
1590                                   struct shallow_info *si)
1591{
1592        int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1593
1594        ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1595        assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1596
1597        si->need_reachability_test =
1598                xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1599        si->reachable =
1600                xcalloc(si->shallow->nr, sizeof(*si->reachable));
1601        si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1602
1603        for (i = 0; i < si->nr_ours; i++)
1604                si->need_reachability_test[si->ours[i]] = 1;
1605
1606        for (i = 0; i < si->shallow->nr; i++) {
1607                if (!si->used_shallow[i])
1608                        continue;
1609                for (j = 0; j < bitmap_size; j++) {
1610                        if (!si->used_shallow[i][j])
1611                                continue;
1612                        si->need_reachability_test[i]++;
1613                        for (k = 0; k < 32; k++)
1614                                if (si->used_shallow[i][j] & (1U << k))
1615                                        si->shallow_ref[j * 32 + k]++;
1616                }
1617
1618                /*
1619                 * true for those associated with some refs and belong
1620                 * in "ours" list aka "step 7 not done yet"
1621                 */
1622                si->need_reachability_test[i] =
1623                        si->need_reachability_test[i] > 1;
1624        }
1625
1626        /*
1627         * keep hooks happy by forcing a temporary shallow file via
1628         * env variable because we can't add --shallow-file to every
1629         * command. check_everything_connected() will be done with
1630         * true .git/shallow though.
1631         */
1632        setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1633}
1634
1635static void update_shallow_info(struct command *commands,
1636                                struct shallow_info *si,
1637                                struct sha1_array *ref)
1638{
1639        struct command *cmd;
1640        int *ref_status;
1641        remove_nonexistent_theirs_shallow(si);
1642        if (!si->nr_ours && !si->nr_theirs) {
1643                shallow_update = 0;
1644                return;
1645        }
1646
1647        for (cmd = commands; cmd; cmd = cmd->next) {
1648                if (is_null_sha1(cmd->new_sha1))
1649                        continue;
1650                sha1_array_append(ref, cmd->new_sha1);
1651                cmd->index = ref->nr - 1;
1652        }
1653        si->ref = ref;
1654
1655        if (shallow_update) {
1656                prepare_shallow_update(commands, si);
1657                return;
1658        }
1659
1660        ALLOC_ARRAY(ref_status, ref->nr);
1661        assign_shallow_commits_to_refs(si, NULL, ref_status);
1662        for (cmd = commands; cmd; cmd = cmd->next) {
1663                if (is_null_sha1(cmd->new_sha1))
1664                        continue;
1665                if (ref_status[cmd->index]) {
1666                        cmd->error_string = "shallow update not allowed";
1667                        cmd->skip_update = 1;
1668                }
1669        }
1670        free(ref_status);
1671}
1672
1673static void report(struct command *commands, const char *unpack_status)
1674{
1675        struct command *cmd;
1676        struct strbuf buf = STRBUF_INIT;
1677
1678        packet_buf_write(&buf, "unpack %s\n",
1679                         unpack_status ? unpack_status : "ok");
1680        for (cmd = commands; cmd; cmd = cmd->next) {
1681                if (!cmd->error_string)
1682                        packet_buf_write(&buf, "ok %s\n",
1683                                         cmd->ref_name);
1684                else
1685                        packet_buf_write(&buf, "ng %s %s\n",
1686                                         cmd->ref_name, cmd->error_string);
1687        }
1688        packet_buf_flush(&buf);
1689
1690        if (use_sideband)
1691                send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1692        else
1693                write_or_die(1, buf.buf, buf.len);
1694        strbuf_release(&buf);
1695}
1696
1697static int delete_only(struct command *commands)
1698{
1699        struct command *cmd;
1700        for (cmd = commands; cmd; cmd = cmd->next) {
1701                if (!is_null_sha1(cmd->new_sha1))
1702                        return 0;
1703        }
1704        return 1;
1705}
1706
1707int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1708{
1709        int advertise_refs = 0;
1710        int i;
1711        struct command *commands;
1712        struct sha1_array shallow = SHA1_ARRAY_INIT;
1713        struct sha1_array ref = SHA1_ARRAY_INIT;
1714        struct shallow_info si;
1715
1716        packet_trace_identity("receive-pack");
1717
1718        argv++;
1719        for (i = 1; i < argc; i++) {
1720                const char *arg = *argv++;
1721
1722                if (*arg == '-') {
1723                        if (!strcmp(arg, "--quiet")) {
1724                                quiet = 1;
1725                                continue;
1726                        }
1727
1728                        if (!strcmp(arg, "--advertise-refs")) {
1729                                advertise_refs = 1;
1730                                continue;
1731                        }
1732                        if (!strcmp(arg, "--stateless-rpc")) {
1733                                stateless_rpc = 1;
1734                                continue;
1735                        }
1736                        if (!strcmp(arg, "--reject-thin-pack-for-testing")) {
1737                                fix_thin = 0;
1738                                continue;
1739                        }
1740
1741                        usage(receive_pack_usage);
1742                }
1743                if (service_dir)
1744                        usage(receive_pack_usage);
1745                service_dir = arg;
1746        }
1747        if (!service_dir)
1748                usage(receive_pack_usage);
1749
1750        setup_path();
1751
1752        if (!enter_repo(service_dir, 0))
1753                die("'%s' does not appear to be a git repository", service_dir);
1754
1755        git_config(receive_pack_config, NULL);
1756        if (cert_nonce_seed)
1757                push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1758
1759        if (0 <= transfer_unpack_limit)
1760                unpack_limit = transfer_unpack_limit;
1761        else if (0 <= receive_unpack_limit)
1762                unpack_limit = receive_unpack_limit;
1763
1764        if (advertise_refs || !stateless_rpc) {
1765                write_head_info();
1766        }
1767        if (advertise_refs)
1768                return 0;
1769
1770        if ((commands = read_head_info(&shallow)) != NULL) {
1771                const char *unpack_status = NULL;
1772
1773                prepare_shallow_info(&si, &shallow);
1774                if (!si.nr_ours && !si.nr_theirs)
1775                        shallow_update = 0;
1776                if (!delete_only(commands)) {
1777                        unpack_status = unpack_with_sideband(&si);
1778                        update_shallow_info(commands, &si, &ref);
1779                }
1780                execute_commands(commands, unpack_status, &si);
1781                if (pack_lockfile)
1782                        unlink_or_warn(pack_lockfile);
1783                if (report_status)
1784                        report(commands, unpack_status);
1785                run_receive_hook(commands, "post-receive", 1);
1786                run_update_post_hook(commands);
1787                if (auto_gc) {
1788                        const char *argv_gc_auto[] = {
1789                                "gc", "--auto", "--quiet", NULL,
1790                        };
1791                        int opt = RUN_GIT_CMD | RUN_COMMAND_STDOUT_TO_STDERR;
1792                        close_all_packs();
1793                        run_command_v_opt(argv_gc_auto, opt);
1794                }
1795                if (auto_update_server_info)
1796                        update_server_info(0);
1797                clear_shallow_info(&si);
1798        }
1799        if (use_sideband)
1800                packet_flush(1);
1801        sha1_array_clear(&shallow);
1802        sha1_array_clear(&ref);
1803        free((void *)push_cert_nonce);
1804        return 0;
1805}