builtin / receive-pack.con commit strbuf_setlen: don't write to strbuf_slopbuf (65961d5)
   1#include "builtin.h"
   2#include "config.h"
   3#include "lockfile.h"
   4#include "pack.h"
   5#include "refs.h"
   6#include "pkt-line.h"
   7#include "sideband.h"
   8#include "run-command.h"
   9#include "exec_cmd.h"
  10#include "commit.h"
  11#include "object.h"
  12#include "remote.h"
  13#include "connect.h"
  14#include "transport.h"
  15#include "string-list.h"
  16#include "sha1-array.h"
  17#include "connected.h"
  18#include "argv-array.h"
  19#include "version.h"
  20#include "tag.h"
  21#include "gpg-interface.h"
  22#include "sigchain.h"
  23#include "fsck.h"
  24#include "tmp-objdir.h"
  25#include "oidset.h"
  26
  27static const char * const receive_pack_usage[] = {
  28        N_("git receive-pack <git-dir>"),
  29        NULL
  30};
  31
  32enum deny_action {
  33        DENY_UNCONFIGURED,
  34        DENY_IGNORE,
  35        DENY_WARN,
  36        DENY_REFUSE,
  37        DENY_UPDATE_INSTEAD
  38};
  39
  40static int deny_deletes;
  41static int deny_non_fast_forwards;
  42static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
  43static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
  44static int receive_fsck_objects = -1;
  45static int transfer_fsck_objects = -1;
  46static struct strbuf fsck_msg_types = STRBUF_INIT;
  47static int receive_unpack_limit = -1;
  48static int transfer_unpack_limit = -1;
  49static int advertise_atomic_push = 1;
  50static int advertise_push_options;
  51static int unpack_limit = 100;
  52static off_t max_input_size;
  53static int report_status;
  54static int use_sideband;
  55static int use_atomic;
  56static int use_push_options;
  57static int quiet;
  58static int prefer_ofs_delta = 1;
  59static int auto_update_server_info;
  60static int auto_gc = 1;
  61static int reject_thin;
  62static int stateless_rpc;
  63static const char *service_dir;
  64static const char *head_name;
  65static void *head_name_to_free;
  66static int sent_capabilities;
  67static int shallow_update;
  68static const char *alt_shallow_file;
  69static struct strbuf push_cert = STRBUF_INIT;
  70static unsigned char push_cert_sha1[20];
  71static struct signature_check sigcheck;
  72static const char *push_cert_nonce;
  73static const char *cert_nonce_seed;
  74
  75static const char *NONCE_UNSOLICITED = "UNSOLICITED";
  76static const char *NONCE_BAD = "BAD";
  77static const char *NONCE_MISSING = "MISSING";
  78static const char *NONCE_OK = "OK";
  79static const char *NONCE_SLOP = "SLOP";
  80static const char *nonce_status;
  81static long nonce_stamp_slop;
  82static timestamp_t nonce_stamp_slop_limit;
  83static struct ref_transaction *transaction;
  84
  85static enum {
  86        KEEPALIVE_NEVER = 0,
  87        KEEPALIVE_AFTER_NUL,
  88        KEEPALIVE_ALWAYS
  89} use_keepalive;
  90static int keepalive_in_sec = 5;
  91
  92static struct tmp_objdir *tmp_objdir;
  93
  94static enum deny_action parse_deny_action(const char *var, const char *value)
  95{
  96        if (value) {
  97                if (!strcasecmp(value, "ignore"))
  98                        return DENY_IGNORE;
  99                if (!strcasecmp(value, "warn"))
 100                        return DENY_WARN;
 101                if (!strcasecmp(value, "refuse"))
 102                        return DENY_REFUSE;
 103                if (!strcasecmp(value, "updateinstead"))
 104                        return DENY_UPDATE_INSTEAD;
 105        }
 106        if (git_config_bool(var, value))
 107                return DENY_REFUSE;
 108        return DENY_IGNORE;
 109}
 110
 111static int receive_pack_config(const char *var, const char *value, void *cb)
 112{
 113        int status = parse_hide_refs_config(var, value, "receive");
 114
 115        if (status)
 116                return status;
 117
 118        if (strcmp(var, "receive.denydeletes") == 0) {
 119                deny_deletes = git_config_bool(var, value);
 120                return 0;
 121        }
 122
 123        if (strcmp(var, "receive.denynonfastforwards") == 0) {
 124                deny_non_fast_forwards = git_config_bool(var, value);
 125                return 0;
 126        }
 127
 128        if (strcmp(var, "receive.unpacklimit") == 0) {
 129                receive_unpack_limit = git_config_int(var, value);
 130                return 0;
 131        }
 132
 133        if (strcmp(var, "transfer.unpacklimit") == 0) {
 134                transfer_unpack_limit = git_config_int(var, value);
 135                return 0;
 136        }
 137
 138        if (strcmp(var, "receive.fsck.skiplist") == 0) {
 139                const char *path;
 140
 141                if (git_config_pathname(&path, var, value))
 142                        return 1;
 143                strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
 144                        fsck_msg_types.len ? ',' : '=', path);
 145                free((char *)path);
 146                return 0;
 147        }
 148
 149        if (skip_prefix(var, "receive.fsck.", &var)) {
 150                if (is_valid_msg_type(var, value))
 151                        strbuf_addf(&fsck_msg_types, "%c%s=%s",
 152                                fsck_msg_types.len ? ',' : '=', var, value);
 153                else
 154                        warning("Skipping unknown msg id '%s'", var);
 155                return 0;
 156        }
 157
 158        if (strcmp(var, "receive.fsckobjects") == 0) {
 159                receive_fsck_objects = git_config_bool(var, value);
 160                return 0;
 161        }
 162
 163        if (strcmp(var, "transfer.fsckobjects") == 0) {
 164                transfer_fsck_objects = git_config_bool(var, value);
 165                return 0;
 166        }
 167
 168        if (!strcmp(var, "receive.denycurrentbranch")) {
 169                deny_current_branch = parse_deny_action(var, value);
 170                return 0;
 171        }
 172
 173        if (strcmp(var, "receive.denydeletecurrent") == 0) {
 174                deny_delete_current = parse_deny_action(var, value);
 175                return 0;
 176        }
 177
 178        if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
 179                prefer_ofs_delta = git_config_bool(var, value);
 180                return 0;
 181        }
 182
 183        if (strcmp(var, "receive.updateserverinfo") == 0) {
 184                auto_update_server_info = git_config_bool(var, value);
 185                return 0;
 186        }
 187
 188        if (strcmp(var, "receive.autogc") == 0) {
 189                auto_gc = git_config_bool(var, value);
 190                return 0;
 191        }
 192
 193        if (strcmp(var, "receive.shallowupdate") == 0) {
 194                shallow_update = git_config_bool(var, value);
 195                return 0;
 196        }
 197
 198        if (strcmp(var, "receive.certnonceseed") == 0)
 199                return git_config_string(&cert_nonce_seed, var, value);
 200
 201        if (strcmp(var, "receive.certnonceslop") == 0) {
 202                nonce_stamp_slop_limit = git_config_ulong(var, value);
 203                return 0;
 204        }
 205
 206        if (strcmp(var, "receive.advertiseatomic") == 0) {
 207                advertise_atomic_push = git_config_bool(var, value);
 208                return 0;
 209        }
 210
 211        if (strcmp(var, "receive.advertisepushoptions") == 0) {
 212                advertise_push_options = git_config_bool(var, value);
 213                return 0;
 214        }
 215
 216        if (strcmp(var, "receive.keepalive") == 0) {
 217                keepalive_in_sec = git_config_int(var, value);
 218                return 0;
 219        }
 220
 221        if (strcmp(var, "receive.maxinputsize") == 0) {
 222                max_input_size = git_config_int64(var, value);
 223                return 0;
 224        }
 225
 226        return git_default_config(var, value, cb);
 227}
 228
 229static void show_ref(const char *path, const struct object_id *oid)
 230{
 231        if (sent_capabilities) {
 232                packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
 233        } else {
 234                struct strbuf cap = STRBUF_INIT;
 235
 236                strbuf_addstr(&cap,
 237                              "report-status delete-refs side-band-64k quiet");
 238                if (advertise_atomic_push)
 239                        strbuf_addstr(&cap, " atomic");
 240                if (prefer_ofs_delta)
 241                        strbuf_addstr(&cap, " ofs-delta");
 242                if (push_cert_nonce)
 243                        strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
 244                if (advertise_push_options)
 245                        strbuf_addstr(&cap, " push-options");
 246                strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
 247                packet_write_fmt(1, "%s %s%c%s\n",
 248                             oid_to_hex(oid), path, 0, cap.buf);
 249                strbuf_release(&cap);
 250                sent_capabilities = 1;
 251        }
 252}
 253
 254static int show_ref_cb(const char *path_full, const struct object_id *oid,
 255                       int flag, void *data)
 256{
 257        struct oidset *seen = data;
 258        const char *path = strip_namespace(path_full);
 259
 260        if (ref_is_hidden(path, path_full))
 261                return 0;
 262
 263        /*
 264         * Advertise refs outside our current namespace as ".have"
 265         * refs, so that the client can use them to minimize data
 266         * transfer but will otherwise ignore them.
 267         */
 268        if (!path) {
 269                if (oidset_insert(seen, oid))
 270                        return 0;
 271                path = ".have";
 272        } else {
 273                oidset_insert(seen, oid);
 274        }
 275        show_ref(path, oid);
 276        return 0;
 277}
 278
 279static void show_one_alternate_ref(const char *refname,
 280                                   const struct object_id *oid,
 281                                   void *data)
 282{
 283        struct oidset *seen = data;
 284
 285        if (oidset_insert(seen, oid))
 286                return;
 287
 288        show_ref(".have", oid);
 289}
 290
 291static void write_head_info(void)
 292{
 293        static struct oidset seen = OIDSET_INIT;
 294
 295        for_each_ref(show_ref_cb, &seen);
 296        for_each_alternate_ref(show_one_alternate_ref, &seen);
 297        oidset_clear(&seen);
 298        if (!sent_capabilities)
 299                show_ref("capabilities^{}", &null_oid);
 300
 301        advertise_shallow_grafts(1);
 302
 303        /* EOF */
 304        packet_flush(1);
 305}
 306
 307struct command {
 308        struct command *next;
 309        const char *error_string;
 310        unsigned int skip_update:1,
 311                     did_not_exist:1;
 312        int index;
 313        struct object_id old_oid;
 314        struct object_id new_oid;
 315        char ref_name[FLEX_ARRAY]; /* more */
 316};
 317
 318static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
 319static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
 320
 321static void report_message(const char *prefix, const char *err, va_list params)
 322{
 323        int sz;
 324        char msg[4096];
 325
 326        sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
 327        sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
 328        if (sz > (sizeof(msg) - 1))
 329                sz = sizeof(msg) - 1;
 330        msg[sz++] = '\n';
 331
 332        if (use_sideband)
 333                send_sideband(1, 2, msg, sz, use_sideband);
 334        else
 335                xwrite(2, msg, sz);
 336}
 337
 338static void rp_warning(const char *err, ...)
 339{
 340        va_list params;
 341        va_start(params, err);
 342        report_message("warning: ", err, params);
 343        va_end(params);
 344}
 345
 346static void rp_error(const char *err, ...)
 347{
 348        va_list params;
 349        va_start(params, err);
 350        report_message("error: ", err, params);
 351        va_end(params);
 352}
 353
 354static int copy_to_sideband(int in, int out, void *arg)
 355{
 356        char data[128];
 357        int keepalive_active = 0;
 358
 359        if (keepalive_in_sec <= 0)
 360                use_keepalive = KEEPALIVE_NEVER;
 361        if (use_keepalive == KEEPALIVE_ALWAYS)
 362                keepalive_active = 1;
 363
 364        while (1) {
 365                ssize_t sz;
 366
 367                if (keepalive_active) {
 368                        struct pollfd pfd;
 369                        int ret;
 370
 371                        pfd.fd = in;
 372                        pfd.events = POLLIN;
 373                        ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
 374
 375                        if (ret < 0) {
 376                                if (errno == EINTR)
 377                                        continue;
 378                                else
 379                                        break;
 380                        } else if (ret == 0) {
 381                                /* no data; send a keepalive packet */
 382                                static const char buf[] = "0005\1";
 383                                write_or_die(1, buf, sizeof(buf) - 1);
 384                                continue;
 385                        } /* else there is actual data to read */
 386                }
 387
 388                sz = xread(in, data, sizeof(data));
 389                if (sz <= 0)
 390                        break;
 391
 392                if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
 393                        const char *p = memchr(data, '\0', sz);
 394                        if (p) {
 395                                /*
 396                                 * The NUL tells us to start sending keepalives. Make
 397                                 * sure we send any other data we read along
 398                                 * with it.
 399                                 */
 400                                keepalive_active = 1;
 401                                send_sideband(1, 2, data, p - data, use_sideband);
 402                                send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
 403                                continue;
 404                        }
 405                }
 406
 407                /*
 408                 * Either we're not looking for a NUL signal, or we didn't see
 409                 * it yet; just pass along the data.
 410                 */
 411                send_sideband(1, 2, data, sz, use_sideband);
 412        }
 413        close(in);
 414        return 0;
 415}
 416
 417#define HMAC_BLOCK_SIZE 64
 418
 419static void hmac_sha1(unsigned char *out,
 420                      const char *key_in, size_t key_len,
 421                      const char *text, size_t text_len)
 422{
 423        unsigned char key[HMAC_BLOCK_SIZE];
 424        unsigned char k_ipad[HMAC_BLOCK_SIZE];
 425        unsigned char k_opad[HMAC_BLOCK_SIZE];
 426        int i;
 427        git_SHA_CTX ctx;
 428
 429        /* RFC 2104 2. (1) */
 430        memset(key, '\0', HMAC_BLOCK_SIZE);
 431        if (HMAC_BLOCK_SIZE < key_len) {
 432                git_SHA1_Init(&ctx);
 433                git_SHA1_Update(&ctx, key_in, key_len);
 434                git_SHA1_Final(key, &ctx);
 435        } else {
 436                memcpy(key, key_in, key_len);
 437        }
 438
 439        /* RFC 2104 2. (2) & (5) */
 440        for (i = 0; i < sizeof(key); i++) {
 441                k_ipad[i] = key[i] ^ 0x36;
 442                k_opad[i] = key[i] ^ 0x5c;
 443        }
 444
 445        /* RFC 2104 2. (3) & (4) */
 446        git_SHA1_Init(&ctx);
 447        git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
 448        git_SHA1_Update(&ctx, text, text_len);
 449        git_SHA1_Final(out, &ctx);
 450
 451        /* RFC 2104 2. (6) & (7) */
 452        git_SHA1_Init(&ctx);
 453        git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
 454        git_SHA1_Update(&ctx, out, 20);
 455        git_SHA1_Final(out, &ctx);
 456}
 457
 458static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
 459{
 460        struct strbuf buf = STRBUF_INIT;
 461        unsigned char sha1[20];
 462
 463        strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
 464        hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
 465        strbuf_release(&buf);
 466
 467        /* RFC 2104 5. HMAC-SHA1-80 */
 468        strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, 20, sha1_to_hex(sha1));
 469        return strbuf_detach(&buf, NULL);
 470}
 471
 472/*
 473 * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
 474 * after dropping "_commit" from its name and possibly moving it out
 475 * of commit.c
 476 */
 477static char *find_header(const char *msg, size_t len, const char *key,
 478                         const char **next_line)
 479{
 480        int key_len = strlen(key);
 481        const char *line = msg;
 482
 483        while (line && line < msg + len) {
 484                const char *eol = strchrnul(line, '\n');
 485
 486                if ((msg + len <= eol) || line == eol)
 487                        return NULL;
 488                if (line + key_len < eol &&
 489                    !memcmp(line, key, key_len) && line[key_len] == ' ') {
 490                        int offset = key_len + 1;
 491                        if (next_line)
 492                                *next_line = *eol ? eol + 1 : eol;
 493                        return xmemdupz(line + offset, (eol - line) - offset);
 494                }
 495                line = *eol ? eol + 1 : NULL;
 496        }
 497        return NULL;
 498}
 499
 500static const char *check_nonce(const char *buf, size_t len)
 501{
 502        char *nonce = find_header(buf, len, "nonce", NULL);
 503        timestamp_t stamp, ostamp;
 504        char *bohmac, *expect = NULL;
 505        const char *retval = NONCE_BAD;
 506
 507        if (!nonce) {
 508                retval = NONCE_MISSING;
 509                goto leave;
 510        } else if (!push_cert_nonce) {
 511                retval = NONCE_UNSOLICITED;
 512                goto leave;
 513        } else if (!strcmp(push_cert_nonce, nonce)) {
 514                retval = NONCE_OK;
 515                goto leave;
 516        }
 517
 518        if (!stateless_rpc) {
 519                /* returned nonce MUST match what we gave out earlier */
 520                retval = NONCE_BAD;
 521                goto leave;
 522        }
 523
 524        /*
 525         * In stateless mode, we may be receiving a nonce issued by
 526         * another instance of the server that serving the same
 527         * repository, and the timestamps may not match, but the
 528         * nonce-seed and dir should match, so we can recompute and
 529         * report the time slop.
 530         *
 531         * In addition, when a nonce issued by another instance has
 532         * timestamp within receive.certnonceslop seconds, we pretend
 533         * as if we issued that nonce when reporting to the hook.
 534         */
 535
 536        /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
 537        if (*nonce <= '0' || '9' < *nonce) {
 538                retval = NONCE_BAD;
 539                goto leave;
 540        }
 541        stamp = parse_timestamp(nonce, &bohmac, 10);
 542        if (bohmac == nonce || bohmac[0] != '-') {
 543                retval = NONCE_BAD;
 544                goto leave;
 545        }
 546
 547        expect = prepare_push_cert_nonce(service_dir, stamp);
 548        if (strcmp(expect, nonce)) {
 549                /* Not what we would have signed earlier */
 550                retval = NONCE_BAD;
 551                goto leave;
 552        }
 553
 554        /*
 555         * By how many seconds is this nonce stale?  Negative value
 556         * would mean it was issued by another server with its clock
 557         * skewed in the future.
 558         */
 559        ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
 560        nonce_stamp_slop = (long)ostamp - (long)stamp;
 561
 562        if (nonce_stamp_slop_limit &&
 563            labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
 564                /*
 565                 * Pretend as if the received nonce (which passes the
 566                 * HMAC check, so it is not a forged by third-party)
 567                 * is what we issued.
 568                 */
 569                free((void *)push_cert_nonce);
 570                push_cert_nonce = xstrdup(nonce);
 571                retval = NONCE_OK;
 572        } else {
 573                retval = NONCE_SLOP;
 574        }
 575
 576leave:
 577        free(nonce);
 578        free(expect);
 579        return retval;
 580}
 581
 582/*
 583 * Return 1 if there is no push_cert or if the push options in push_cert are
 584 * the same as those in the argument; 0 otherwise.
 585 */
 586static int check_cert_push_options(const struct string_list *push_options)
 587{
 588        const char *buf = push_cert.buf;
 589        int len = push_cert.len;
 590
 591        char *option;
 592        const char *next_line;
 593        int options_seen = 0;
 594
 595        int retval = 1;
 596
 597        if (!len)
 598                return 1;
 599
 600        while ((option = find_header(buf, len, "push-option", &next_line))) {
 601                len -= (next_line - buf);
 602                buf = next_line;
 603                options_seen++;
 604                if (options_seen > push_options->nr
 605                    || strcmp(option,
 606                              push_options->items[options_seen - 1].string)) {
 607                        retval = 0;
 608                        goto leave;
 609                }
 610                free(option);
 611        }
 612
 613        if (options_seen != push_options->nr)
 614                retval = 0;
 615
 616leave:
 617        free(option);
 618        return retval;
 619}
 620
 621static void prepare_push_cert_sha1(struct child_process *proc)
 622{
 623        static int already_done;
 624
 625        if (!push_cert.len)
 626                return;
 627
 628        if (!already_done) {
 629                struct strbuf gpg_output = STRBUF_INIT;
 630                struct strbuf gpg_status = STRBUF_INIT;
 631                int bogs /* beginning_of_gpg_sig */;
 632
 633                already_done = 1;
 634                if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
 635                        hashclr(push_cert_sha1);
 636
 637                memset(&sigcheck, '\0', sizeof(sigcheck));
 638                sigcheck.result = 'N';
 639
 640                bogs = parse_signature(push_cert.buf, push_cert.len);
 641                if (verify_signed_buffer(push_cert.buf, bogs,
 642                                         push_cert.buf + bogs, push_cert.len - bogs,
 643                                         &gpg_output, &gpg_status) < 0) {
 644                        ; /* error running gpg */
 645                } else {
 646                        sigcheck.payload = push_cert.buf;
 647                        sigcheck.gpg_output = gpg_output.buf;
 648                        sigcheck.gpg_status = gpg_status.buf;
 649                        parse_gpg_output(&sigcheck);
 650                }
 651
 652                strbuf_release(&gpg_output);
 653                strbuf_release(&gpg_status);
 654                nonce_status = check_nonce(push_cert.buf, bogs);
 655        }
 656        if (!is_null_sha1(push_cert_sha1)) {
 657                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
 658                                 sha1_to_hex(push_cert_sha1));
 659                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
 660                                 sigcheck.signer ? sigcheck.signer : "");
 661                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
 662                                 sigcheck.key ? sigcheck.key : "");
 663                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
 664                                 sigcheck.result);
 665                if (push_cert_nonce) {
 666                        argv_array_pushf(&proc->env_array,
 667                                         "GIT_PUSH_CERT_NONCE=%s",
 668                                         push_cert_nonce);
 669                        argv_array_pushf(&proc->env_array,
 670                                         "GIT_PUSH_CERT_NONCE_STATUS=%s",
 671                                         nonce_status);
 672                        if (nonce_status == NONCE_SLOP)
 673                                argv_array_pushf(&proc->env_array,
 674                                                 "GIT_PUSH_CERT_NONCE_SLOP=%ld",
 675                                                 nonce_stamp_slop);
 676                }
 677        }
 678}
 679
 680struct receive_hook_feed_state {
 681        struct command *cmd;
 682        int skip_broken;
 683        struct strbuf buf;
 684        const struct string_list *push_options;
 685};
 686
 687typedef int (*feed_fn)(void *, const char **, size_t *);
 688static int run_and_feed_hook(const char *hook_name, feed_fn feed,
 689                             struct receive_hook_feed_state *feed_state)
 690{
 691        struct child_process proc = CHILD_PROCESS_INIT;
 692        struct async muxer;
 693        const char *argv[2];
 694        int code;
 695
 696        argv[0] = find_hook(hook_name);
 697        if (!argv[0])
 698                return 0;
 699
 700        argv[1] = NULL;
 701
 702        proc.argv = argv;
 703        proc.in = -1;
 704        proc.stdout_to_stderr = 1;
 705        if (feed_state->push_options) {
 706                int i;
 707                for (i = 0; i < feed_state->push_options->nr; i++)
 708                        argv_array_pushf(&proc.env_array,
 709                                "GIT_PUSH_OPTION_%d=%s", i,
 710                                feed_state->push_options->items[i].string);
 711                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
 712                                 feed_state->push_options->nr);
 713        } else
 714                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
 715
 716        if (tmp_objdir)
 717                argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
 718
 719        if (use_sideband) {
 720                memset(&muxer, 0, sizeof(muxer));
 721                muxer.proc = copy_to_sideband;
 722                muxer.in = -1;
 723                code = start_async(&muxer);
 724                if (code)
 725                        return code;
 726                proc.err = muxer.in;
 727        }
 728
 729        prepare_push_cert_sha1(&proc);
 730
 731        code = start_command(&proc);
 732        if (code) {
 733                if (use_sideband)
 734                        finish_async(&muxer);
 735                return code;
 736        }
 737
 738        sigchain_push(SIGPIPE, SIG_IGN);
 739
 740        while (1) {
 741                const char *buf;
 742                size_t n;
 743                if (feed(feed_state, &buf, &n))
 744                        break;
 745                if (write_in_full(proc.in, buf, n) != n)
 746                        break;
 747        }
 748        close(proc.in);
 749        if (use_sideband)
 750                finish_async(&muxer);
 751
 752        sigchain_pop(SIGPIPE);
 753
 754        return finish_command(&proc);
 755}
 756
 757static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
 758{
 759        struct receive_hook_feed_state *state = state_;
 760        struct command *cmd = state->cmd;
 761
 762        while (cmd &&
 763               state->skip_broken && (cmd->error_string || cmd->did_not_exist))
 764                cmd = cmd->next;
 765        if (!cmd)
 766                return -1; /* EOF */
 767        strbuf_reset(&state->buf);
 768        strbuf_addf(&state->buf, "%s %s %s\n",
 769                    oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
 770                    cmd->ref_name);
 771        state->cmd = cmd->next;
 772        if (bufp) {
 773                *bufp = state->buf.buf;
 774                *sizep = state->buf.len;
 775        }
 776        return 0;
 777}
 778
 779static int run_receive_hook(struct command *commands,
 780                            const char *hook_name,
 781                            int skip_broken,
 782                            const struct string_list *push_options)
 783{
 784        struct receive_hook_feed_state state;
 785        int status;
 786
 787        strbuf_init(&state.buf, 0);
 788        state.cmd = commands;
 789        state.skip_broken = skip_broken;
 790        if (feed_receive_hook(&state, NULL, NULL))
 791                return 0;
 792        state.cmd = commands;
 793        state.push_options = push_options;
 794        status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
 795        strbuf_release(&state.buf);
 796        return status;
 797}
 798
 799static int run_update_hook(struct command *cmd)
 800{
 801        const char *argv[5];
 802        struct child_process proc = CHILD_PROCESS_INIT;
 803        int code;
 804
 805        argv[0] = find_hook("update");
 806        if (!argv[0])
 807                return 0;
 808
 809        argv[1] = cmd->ref_name;
 810        argv[2] = oid_to_hex(&cmd->old_oid);
 811        argv[3] = oid_to_hex(&cmd->new_oid);
 812        argv[4] = NULL;
 813
 814        proc.no_stdin = 1;
 815        proc.stdout_to_stderr = 1;
 816        proc.err = use_sideband ? -1 : 0;
 817        proc.argv = argv;
 818
 819        code = start_command(&proc);
 820        if (code)
 821                return code;
 822        if (use_sideband)
 823                copy_to_sideband(proc.err, -1, NULL);
 824        return finish_command(&proc);
 825}
 826
 827static int is_ref_checked_out(const char *ref)
 828{
 829        if (is_bare_repository())
 830                return 0;
 831
 832        if (!head_name)
 833                return 0;
 834        return !strcmp(head_name, ref);
 835}
 836
 837static char *refuse_unconfigured_deny_msg =
 838        N_("By default, updating the current branch in a non-bare repository\n"
 839           "is denied, because it will make the index and work tree inconsistent\n"
 840           "with what you pushed, and will require 'git reset --hard' to match\n"
 841           "the work tree to HEAD.\n"
 842           "\n"
 843           "You can set the 'receive.denyCurrentBranch' configuration variable\n"
 844           "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
 845           "its current branch; however, this is not recommended unless you\n"
 846           "arranged to update its work tree to match what you pushed in some\n"
 847           "other way.\n"
 848           "\n"
 849           "To squelch this message and still keep the default behaviour, set\n"
 850           "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
 851
 852static void refuse_unconfigured_deny(void)
 853{
 854        rp_error("%s", _(refuse_unconfigured_deny_msg));
 855}
 856
 857static char *refuse_unconfigured_deny_delete_current_msg =
 858        N_("By default, deleting the current branch is denied, because the next\n"
 859           "'git clone' won't result in any file checked out, causing confusion.\n"
 860           "\n"
 861           "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
 862           "'warn' or 'ignore' in the remote repository to allow deleting the\n"
 863           "current branch, with or without a warning message.\n"
 864           "\n"
 865           "To squelch this message, you can set it to 'refuse'.");
 866
 867static void refuse_unconfigured_deny_delete_current(void)
 868{
 869        rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
 870}
 871
 872static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
 873static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
 874{
 875        static struct lock_file shallow_lock;
 876        struct oid_array extra = OID_ARRAY_INIT;
 877        struct check_connected_options opt = CHECK_CONNECTED_INIT;
 878        uint32_t mask = 1 << (cmd->index % 32);
 879        int i;
 880
 881        trace_printf_key(&trace_shallow,
 882                         "shallow: update_shallow_ref %s\n", cmd->ref_name);
 883        for (i = 0; i < si->shallow->nr; i++)
 884                if (si->used_shallow[i] &&
 885                    (si->used_shallow[i][cmd->index / 32] & mask) &&
 886                    !delayed_reachability_test(si, i))
 887                        oid_array_append(&extra, &si->shallow->oid[i]);
 888
 889        opt.env = tmp_objdir_env(tmp_objdir);
 890        setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
 891        if (check_connected(command_singleton_iterator, cmd, &opt)) {
 892                rollback_lock_file(&shallow_lock);
 893                oid_array_clear(&extra);
 894                return -1;
 895        }
 896
 897        commit_lock_file(&shallow_lock);
 898
 899        /*
 900         * Make sure setup_alternate_shallow() for the next ref does
 901         * not lose these new roots..
 902         */
 903        for (i = 0; i < extra.nr; i++)
 904                register_shallow(&extra.oid[i]);
 905
 906        si->shallow_ref[cmd->index] = 0;
 907        oid_array_clear(&extra);
 908        return 0;
 909}
 910
 911/*
 912 * NEEDSWORK: we should consolidate various implementions of "are we
 913 * on an unborn branch?" test into one, and make the unified one more
 914 * robust. !get_sha1() based check used here and elsewhere would not
 915 * allow us to tell an unborn branch from corrupt ref, for example.
 916 * For the purpose of fixing "deploy-to-update does not work when
 917 * pushing into an empty repository" issue, this should suffice for
 918 * now.
 919 */
 920static int head_has_history(void)
 921{
 922        unsigned char sha1[20];
 923
 924        return !get_sha1("HEAD", sha1);
 925}
 926
 927static const char *push_to_deploy(unsigned char *sha1,
 928                                  struct argv_array *env,
 929                                  const char *work_tree)
 930{
 931        const char *update_refresh[] = {
 932                "update-index", "-q", "--ignore-submodules", "--refresh", NULL
 933        };
 934        const char *diff_files[] = {
 935                "diff-files", "--quiet", "--ignore-submodules", "--", NULL
 936        };
 937        const char *diff_index[] = {
 938                "diff-index", "--quiet", "--cached", "--ignore-submodules",
 939                NULL, "--", NULL
 940        };
 941        const char *read_tree[] = {
 942                "read-tree", "-u", "-m", NULL, NULL
 943        };
 944        struct child_process child = CHILD_PROCESS_INIT;
 945
 946        child.argv = update_refresh;
 947        child.env = env->argv;
 948        child.dir = work_tree;
 949        child.no_stdin = 1;
 950        child.stdout_to_stderr = 1;
 951        child.git_cmd = 1;
 952        if (run_command(&child))
 953                return "Up-to-date check failed";
 954
 955        /* run_command() does not clean up completely; reinitialize */
 956        child_process_init(&child);
 957        child.argv = diff_files;
 958        child.env = env->argv;
 959        child.dir = work_tree;
 960        child.no_stdin = 1;
 961        child.stdout_to_stderr = 1;
 962        child.git_cmd = 1;
 963        if (run_command(&child))
 964                return "Working directory has unstaged changes";
 965
 966        /* diff-index with either HEAD or an empty tree */
 967        diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
 968
 969        child_process_init(&child);
 970        child.argv = diff_index;
 971        child.env = env->argv;
 972        child.no_stdin = 1;
 973        child.no_stdout = 1;
 974        child.stdout_to_stderr = 0;
 975        child.git_cmd = 1;
 976        if (run_command(&child))
 977                return "Working directory has staged changes";
 978
 979        read_tree[3] = sha1_to_hex(sha1);
 980        child_process_init(&child);
 981        child.argv = read_tree;
 982        child.env = env->argv;
 983        child.dir = work_tree;
 984        child.no_stdin = 1;
 985        child.no_stdout = 1;
 986        child.stdout_to_stderr = 0;
 987        child.git_cmd = 1;
 988        if (run_command(&child))
 989                return "Could not update working tree to new HEAD";
 990
 991        return NULL;
 992}
 993
 994static const char *push_to_checkout_hook = "push-to-checkout";
 995
 996static const char *push_to_checkout(unsigned char *sha1,
 997                                    struct argv_array *env,
 998                                    const char *work_tree)
 999{
1000        argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
1001        if (run_hook_le(env->argv, push_to_checkout_hook,
1002                        sha1_to_hex(sha1), NULL))
1003                return "push-to-checkout hook declined";
1004        else
1005                return NULL;
1006}
1007
1008static const char *update_worktree(unsigned char *sha1)
1009{
1010        const char *retval;
1011        const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
1012        struct argv_array env = ARGV_ARRAY_INIT;
1013
1014        if (is_bare_repository())
1015                return "denyCurrentBranch = updateInstead needs a worktree";
1016
1017        argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
1018
1019        if (!find_hook(push_to_checkout_hook))
1020                retval = push_to_deploy(sha1, &env, work_tree);
1021        else
1022                retval = push_to_checkout(sha1, &env, work_tree);
1023
1024        argv_array_clear(&env);
1025        return retval;
1026}
1027
1028static const char *update(struct command *cmd, struct shallow_info *si)
1029{
1030        const char *name = cmd->ref_name;
1031        struct strbuf namespaced_name_buf = STRBUF_INIT;
1032        static char *namespaced_name;
1033        const char *ret;
1034        struct object_id *old_oid = &cmd->old_oid;
1035        struct object_id *new_oid = &cmd->new_oid;
1036
1037        /* only refs/... are allowed */
1038        if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1039                rp_error("refusing to create funny ref '%s' remotely", name);
1040                return "funny refname";
1041        }
1042
1043        strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1044        free(namespaced_name);
1045        namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1046
1047        if (is_ref_checked_out(namespaced_name)) {
1048                switch (deny_current_branch) {
1049                case DENY_IGNORE:
1050                        break;
1051                case DENY_WARN:
1052                        rp_warning("updating the current branch");
1053                        break;
1054                case DENY_REFUSE:
1055                case DENY_UNCONFIGURED:
1056                        rp_error("refusing to update checked out branch: %s", name);
1057                        if (deny_current_branch == DENY_UNCONFIGURED)
1058                                refuse_unconfigured_deny();
1059                        return "branch is currently checked out";
1060                case DENY_UPDATE_INSTEAD:
1061                        ret = update_worktree(new_oid->hash);
1062                        if (ret)
1063                                return ret;
1064                        break;
1065                }
1066        }
1067
1068        if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1069                error("unpack should have generated %s, "
1070                      "but I can't find it!", oid_to_hex(new_oid));
1071                return "bad pack";
1072        }
1073
1074        if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1075                if (deny_deletes && starts_with(name, "refs/heads/")) {
1076                        rp_error("denying ref deletion for %s", name);
1077                        return "deletion prohibited";
1078                }
1079
1080                if (head_name && !strcmp(namespaced_name, head_name)) {
1081                        switch (deny_delete_current) {
1082                        case DENY_IGNORE:
1083                                break;
1084                        case DENY_WARN:
1085                                rp_warning("deleting the current branch");
1086                                break;
1087                        case DENY_REFUSE:
1088                        case DENY_UNCONFIGURED:
1089                        case DENY_UPDATE_INSTEAD:
1090                                if (deny_delete_current == DENY_UNCONFIGURED)
1091                                        refuse_unconfigured_deny_delete_current();
1092                                rp_error("refusing to delete the current branch: %s", name);
1093                                return "deletion of the current branch prohibited";
1094                        default:
1095                                return "Invalid denyDeleteCurrent setting";
1096                        }
1097                }
1098        }
1099
1100        if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1101            !is_null_oid(old_oid) &&
1102            starts_with(name, "refs/heads/")) {
1103                struct object *old_object, *new_object;
1104                struct commit *old_commit, *new_commit;
1105
1106                old_object = parse_object(old_oid);
1107                new_object = parse_object(new_oid);
1108
1109                if (!old_object || !new_object ||
1110                    old_object->type != OBJ_COMMIT ||
1111                    new_object->type != OBJ_COMMIT) {
1112                        error("bad sha1 objects for %s", name);
1113                        return "bad ref";
1114                }
1115                old_commit = (struct commit *)old_object;
1116                new_commit = (struct commit *)new_object;
1117                if (!in_merge_bases(old_commit, new_commit)) {
1118                        rp_error("denying non-fast-forward %s"
1119                                 " (you should pull first)", name);
1120                        return "non-fast-forward";
1121                }
1122        }
1123        if (run_update_hook(cmd)) {
1124                rp_error("hook declined to update %s", name);
1125                return "hook declined";
1126        }
1127
1128        if (is_null_oid(new_oid)) {
1129                struct strbuf err = STRBUF_INIT;
1130                if (!parse_object(old_oid)) {
1131                        old_oid = NULL;
1132                        if (ref_exists(name)) {
1133                                rp_warning("Allowing deletion of corrupt ref.");
1134                        } else {
1135                                rp_warning("Deleting a non-existent ref.");
1136                                cmd->did_not_exist = 1;
1137                        }
1138                }
1139                if (ref_transaction_delete(transaction,
1140                                           namespaced_name,
1141                                           old_oid->hash,
1142                                           0, "push", &err)) {
1143                        rp_error("%s", err.buf);
1144                        strbuf_release(&err);
1145                        return "failed to delete";
1146                }
1147                strbuf_release(&err);
1148                return NULL; /* good */
1149        }
1150        else {
1151                struct strbuf err = STRBUF_INIT;
1152                if (shallow_update && si->shallow_ref[cmd->index] &&
1153                    update_shallow_ref(cmd, si))
1154                        return "shallow error";
1155
1156                if (ref_transaction_update(transaction,
1157                                           namespaced_name,
1158                                           new_oid->hash, old_oid->hash,
1159                                           0, "push",
1160                                           &err)) {
1161                        rp_error("%s", err.buf);
1162                        strbuf_release(&err);
1163
1164                        return "failed to update ref";
1165                }
1166                strbuf_release(&err);
1167
1168                return NULL; /* good */
1169        }
1170}
1171
1172static void run_update_post_hook(struct command *commands)
1173{
1174        struct command *cmd;
1175        struct child_process proc = CHILD_PROCESS_INIT;
1176        const char *hook;
1177
1178        hook = find_hook("post-update");
1179        if (!hook)
1180                return;
1181
1182        for (cmd = commands; cmd; cmd = cmd->next) {
1183                if (cmd->error_string || cmd->did_not_exist)
1184                        continue;
1185                if (!proc.args.argc)
1186                        argv_array_push(&proc.args, hook);
1187                argv_array_push(&proc.args, cmd->ref_name);
1188        }
1189        if (!proc.args.argc)
1190                return;
1191
1192        proc.no_stdin = 1;
1193        proc.stdout_to_stderr = 1;
1194        proc.err = use_sideband ? -1 : 0;
1195
1196        if (!start_command(&proc)) {
1197                if (use_sideband)
1198                        copy_to_sideband(proc.err, -1, NULL);
1199                finish_command(&proc);
1200        }
1201}
1202
1203static void check_aliased_update(struct command *cmd, struct string_list *list)
1204{
1205        struct strbuf buf = STRBUF_INIT;
1206        const char *dst_name;
1207        struct string_list_item *item;
1208        struct command *dst_cmd;
1209        unsigned char sha1[GIT_MAX_RAWSZ];
1210        int flag;
1211
1212        strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1213        dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1214        strbuf_release(&buf);
1215
1216        if (!(flag & REF_ISSYMREF))
1217                return;
1218
1219        if (!dst_name) {
1220                rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1221                cmd->skip_update = 1;
1222                cmd->error_string = "broken symref";
1223                return;
1224        }
1225        dst_name = strip_namespace(dst_name);
1226
1227        if ((item = string_list_lookup(list, dst_name)) == NULL)
1228                return;
1229
1230        cmd->skip_update = 1;
1231
1232        dst_cmd = (struct command *) item->util;
1233
1234        if (!oidcmp(&cmd->old_oid, &dst_cmd->old_oid) &&
1235            !oidcmp(&cmd->new_oid, &dst_cmd->new_oid))
1236                return;
1237
1238        dst_cmd->skip_update = 1;
1239
1240        rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1241                 " its target '%s' (%s..%s)",
1242                 cmd->ref_name,
1243                 find_unique_abbrev(cmd->old_oid.hash, DEFAULT_ABBREV),
1244                 find_unique_abbrev(cmd->new_oid.hash, DEFAULT_ABBREV),
1245                 dst_cmd->ref_name,
1246                 find_unique_abbrev(dst_cmd->old_oid.hash, DEFAULT_ABBREV),
1247                 find_unique_abbrev(dst_cmd->new_oid.hash, DEFAULT_ABBREV));
1248
1249        cmd->error_string = dst_cmd->error_string =
1250                "inconsistent aliased update";
1251}
1252
1253static void check_aliased_updates(struct command *commands)
1254{
1255        struct command *cmd;
1256        struct string_list ref_list = STRING_LIST_INIT_NODUP;
1257
1258        for (cmd = commands; cmd; cmd = cmd->next) {
1259                struct string_list_item *item =
1260                        string_list_append(&ref_list, cmd->ref_name);
1261                item->util = (void *)cmd;
1262        }
1263        string_list_sort(&ref_list);
1264
1265        for (cmd = commands; cmd; cmd = cmd->next) {
1266                if (!cmd->error_string)
1267                        check_aliased_update(cmd, &ref_list);
1268        }
1269
1270        string_list_clear(&ref_list, 0);
1271}
1272
1273static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1274{
1275        struct command **cmd_list = cb_data;
1276        struct command *cmd = *cmd_list;
1277
1278        if (!cmd || is_null_oid(&cmd->new_oid))
1279                return -1; /* end of list */
1280        *cmd_list = NULL; /* this returns only one */
1281        hashcpy(sha1, cmd->new_oid.hash);
1282        return 0;
1283}
1284
1285static void set_connectivity_errors(struct command *commands,
1286                                    struct shallow_info *si)
1287{
1288        struct command *cmd;
1289
1290        for (cmd = commands; cmd; cmd = cmd->next) {
1291                struct command *singleton = cmd;
1292                struct check_connected_options opt = CHECK_CONNECTED_INIT;
1293
1294                if (shallow_update && si->shallow_ref[cmd->index])
1295                        /* to be checked in update_shallow_ref() */
1296                        continue;
1297
1298                opt.env = tmp_objdir_env(tmp_objdir);
1299                if (!check_connected(command_singleton_iterator, &singleton,
1300                                     &opt))
1301                        continue;
1302
1303                cmd->error_string = "missing necessary objects";
1304        }
1305}
1306
1307struct iterate_data {
1308        struct command *cmds;
1309        struct shallow_info *si;
1310};
1311
1312static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1313{
1314        struct iterate_data *data = cb_data;
1315        struct command **cmd_list = &data->cmds;
1316        struct command *cmd = *cmd_list;
1317
1318        for (; cmd; cmd = cmd->next) {
1319                if (shallow_update && data->si->shallow_ref[cmd->index])
1320                        /* to be checked in update_shallow_ref() */
1321                        continue;
1322                if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1323                        hashcpy(sha1, cmd->new_oid.hash);
1324                        *cmd_list = cmd->next;
1325                        return 0;
1326                }
1327        }
1328        *cmd_list = NULL;
1329        return -1; /* end of list */
1330}
1331
1332static void reject_updates_to_hidden(struct command *commands)
1333{
1334        struct strbuf refname_full = STRBUF_INIT;
1335        size_t prefix_len;
1336        struct command *cmd;
1337
1338        strbuf_addstr(&refname_full, get_git_namespace());
1339        prefix_len = refname_full.len;
1340
1341        for (cmd = commands; cmd; cmd = cmd->next) {
1342                if (cmd->error_string)
1343                        continue;
1344
1345                strbuf_setlen(&refname_full, prefix_len);
1346                strbuf_addstr(&refname_full, cmd->ref_name);
1347
1348                if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1349                        continue;
1350                if (is_null_oid(&cmd->new_oid))
1351                        cmd->error_string = "deny deleting a hidden ref";
1352                else
1353                        cmd->error_string = "deny updating a hidden ref";
1354        }
1355
1356        strbuf_release(&refname_full);
1357}
1358
1359static int should_process_cmd(struct command *cmd)
1360{
1361        return !cmd->error_string && !cmd->skip_update;
1362}
1363
1364static void warn_if_skipped_connectivity_check(struct command *commands,
1365                                               struct shallow_info *si)
1366{
1367        struct command *cmd;
1368        int checked_connectivity = 1;
1369
1370        for (cmd = commands; cmd; cmd = cmd->next) {
1371                if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1372                        error("BUG: connectivity check has not been run on ref %s",
1373                              cmd->ref_name);
1374                        checked_connectivity = 0;
1375                }
1376        }
1377        if (!checked_connectivity)
1378                die("BUG: connectivity check skipped???");
1379}
1380
1381static void execute_commands_non_atomic(struct command *commands,
1382                                        struct shallow_info *si)
1383{
1384        struct command *cmd;
1385        struct strbuf err = STRBUF_INIT;
1386
1387        for (cmd = commands; cmd; cmd = cmd->next) {
1388                if (!should_process_cmd(cmd))
1389                        continue;
1390
1391                transaction = ref_transaction_begin(&err);
1392                if (!transaction) {
1393                        rp_error("%s", err.buf);
1394                        strbuf_reset(&err);
1395                        cmd->error_string = "transaction failed to start";
1396                        continue;
1397                }
1398
1399                cmd->error_string = update(cmd, si);
1400
1401                if (!cmd->error_string
1402                    && ref_transaction_commit(transaction, &err)) {
1403                        rp_error("%s", err.buf);
1404                        strbuf_reset(&err);
1405                        cmd->error_string = "failed to update ref";
1406                }
1407                ref_transaction_free(transaction);
1408        }
1409        strbuf_release(&err);
1410}
1411
1412static void execute_commands_atomic(struct command *commands,
1413                                        struct shallow_info *si)
1414{
1415        struct command *cmd;
1416        struct strbuf err = STRBUF_INIT;
1417        const char *reported_error = "atomic push failure";
1418
1419        transaction = ref_transaction_begin(&err);
1420        if (!transaction) {
1421                rp_error("%s", err.buf);
1422                strbuf_reset(&err);
1423                reported_error = "transaction failed to start";
1424                goto failure;
1425        }
1426
1427        for (cmd = commands; cmd; cmd = cmd->next) {
1428                if (!should_process_cmd(cmd))
1429                        continue;
1430
1431                cmd->error_string = update(cmd, si);
1432
1433                if (cmd->error_string)
1434                        goto failure;
1435        }
1436
1437        if (ref_transaction_commit(transaction, &err)) {
1438                rp_error("%s", err.buf);
1439                reported_error = "atomic transaction failed";
1440                goto failure;
1441        }
1442        goto cleanup;
1443
1444failure:
1445        for (cmd = commands; cmd; cmd = cmd->next)
1446                if (!cmd->error_string)
1447                        cmd->error_string = reported_error;
1448
1449cleanup:
1450        ref_transaction_free(transaction);
1451        strbuf_release(&err);
1452}
1453
1454static void execute_commands(struct command *commands,
1455                             const char *unpacker_error,
1456                             struct shallow_info *si,
1457                             const struct string_list *push_options)
1458{
1459        struct check_connected_options opt = CHECK_CONNECTED_INIT;
1460        struct command *cmd;
1461        struct object_id oid;
1462        struct iterate_data data;
1463        struct async muxer;
1464        int err_fd = 0;
1465
1466        if (unpacker_error) {
1467                for (cmd = commands; cmd; cmd = cmd->next)
1468                        cmd->error_string = "unpacker error";
1469                return;
1470        }
1471
1472        if (use_sideband) {
1473                memset(&muxer, 0, sizeof(muxer));
1474                muxer.proc = copy_to_sideband;
1475                muxer.in = -1;
1476                if (!start_async(&muxer))
1477                        err_fd = muxer.in;
1478                /* ...else, continue without relaying sideband */
1479        }
1480
1481        data.cmds = commands;
1482        data.si = si;
1483        opt.err_fd = err_fd;
1484        opt.progress = err_fd && !quiet;
1485        opt.env = tmp_objdir_env(tmp_objdir);
1486        if (check_connected(iterate_receive_command_list, &data, &opt))
1487                set_connectivity_errors(commands, si);
1488
1489        if (use_sideband)
1490                finish_async(&muxer);
1491
1492        reject_updates_to_hidden(commands);
1493
1494        if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1495                for (cmd = commands; cmd; cmd = cmd->next) {
1496                        if (!cmd->error_string)
1497                                cmd->error_string = "pre-receive hook declined";
1498                }
1499                return;
1500        }
1501
1502        /*
1503         * Now we'll start writing out refs, which means the objects need
1504         * to be in their final positions so that other processes can see them.
1505         */
1506        if (tmp_objdir_migrate(tmp_objdir) < 0) {
1507                for (cmd = commands; cmd; cmd = cmd->next) {
1508                        if (!cmd->error_string)
1509                                cmd->error_string = "unable to migrate objects to permanent storage";
1510                }
1511                return;
1512        }
1513        tmp_objdir = NULL;
1514
1515        check_aliased_updates(commands);
1516
1517        free(head_name_to_free);
1518        head_name = head_name_to_free = resolve_refdup("HEAD", 0, oid.hash, NULL);
1519
1520        if (use_atomic)
1521                execute_commands_atomic(commands, si);
1522        else
1523                execute_commands_non_atomic(commands, si);
1524
1525        if (shallow_update)
1526                warn_if_skipped_connectivity_check(commands, si);
1527}
1528
1529static struct command **queue_command(struct command **tail,
1530                                      const char *line,
1531                                      int linelen)
1532{
1533        struct object_id old_oid, new_oid;
1534        struct command *cmd;
1535        const char *refname;
1536        int reflen;
1537        const char *p;
1538
1539        if (parse_oid_hex(line, &old_oid, &p) ||
1540            *p++ != ' ' ||
1541            parse_oid_hex(p, &new_oid, &p) ||
1542            *p++ != ' ')
1543                die("protocol error: expected old/new/ref, got '%s'", line);
1544
1545        refname = p;
1546        reflen = linelen - (p - line);
1547        FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1548        oidcpy(&cmd->old_oid, &old_oid);
1549        oidcpy(&cmd->new_oid, &new_oid);
1550        *tail = cmd;
1551        return &cmd->next;
1552}
1553
1554static void queue_commands_from_cert(struct command **tail,
1555                                     struct strbuf *push_cert)
1556{
1557        const char *boc, *eoc;
1558
1559        if (*tail)
1560                die("protocol error: got both push certificate and unsigned commands");
1561
1562        boc = strstr(push_cert->buf, "\n\n");
1563        if (!boc)
1564                die("malformed push certificate %.*s", 100, push_cert->buf);
1565        else
1566                boc += 2;
1567        eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1568
1569        while (boc < eoc) {
1570                const char *eol = memchr(boc, '\n', eoc - boc);
1571                tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1572                boc = eol ? eol + 1 : eoc;
1573        }
1574}
1575
1576static struct command *read_head_info(struct oid_array *shallow)
1577{
1578        struct command *commands = NULL;
1579        struct command **p = &commands;
1580        for (;;) {
1581                char *line;
1582                int len, linelen;
1583
1584                line = packet_read_line(0, &len);
1585                if (!line)
1586                        break;
1587
1588                if (len > 8 && starts_with(line, "shallow ")) {
1589                        struct object_id oid;
1590                        if (get_oid_hex(line + 8, &oid))
1591                                die("protocol error: expected shallow sha, got '%s'",
1592                                    line + 8);
1593                        oid_array_append(shallow, &oid);
1594                        continue;
1595                }
1596
1597                linelen = strlen(line);
1598                if (linelen < len) {
1599                        const char *feature_list = line + linelen + 1;
1600                        if (parse_feature_request(feature_list, "report-status"))
1601                                report_status = 1;
1602                        if (parse_feature_request(feature_list, "side-band-64k"))
1603                                use_sideband = LARGE_PACKET_MAX;
1604                        if (parse_feature_request(feature_list, "quiet"))
1605                                quiet = 1;
1606                        if (advertise_atomic_push
1607                            && parse_feature_request(feature_list, "atomic"))
1608                                use_atomic = 1;
1609                        if (advertise_push_options
1610                            && parse_feature_request(feature_list, "push-options"))
1611                                use_push_options = 1;
1612                }
1613
1614                if (!strcmp(line, "push-cert")) {
1615                        int true_flush = 0;
1616                        char certbuf[1024];
1617
1618                        for (;;) {
1619                                len = packet_read(0, NULL, NULL,
1620                                                  certbuf, sizeof(certbuf), 0);
1621                                if (!len) {
1622                                        true_flush = 1;
1623                                        break;
1624                                }
1625                                if (!strcmp(certbuf, "push-cert-end\n"))
1626                                        break; /* end of cert */
1627                                strbuf_addstr(&push_cert, certbuf);
1628                        }
1629
1630                        if (true_flush)
1631                                break;
1632                        continue;
1633                }
1634
1635                p = queue_command(p, line, linelen);
1636        }
1637
1638        if (push_cert.len)
1639                queue_commands_from_cert(p, &push_cert);
1640
1641        return commands;
1642}
1643
1644static void read_push_options(struct string_list *options)
1645{
1646        while (1) {
1647                char *line;
1648                int len;
1649
1650                line = packet_read_line(0, &len);
1651
1652                if (!line)
1653                        break;
1654
1655                string_list_append(options, line);
1656        }
1657}
1658
1659static const char *parse_pack_header(struct pack_header *hdr)
1660{
1661        switch (read_pack_header(0, hdr)) {
1662        case PH_ERROR_EOF:
1663                return "eof before pack header was fully read";
1664
1665        case PH_ERROR_PACK_SIGNATURE:
1666                return "protocol error (pack signature mismatch detected)";
1667
1668        case PH_ERROR_PROTOCOL:
1669                return "protocol error (pack version unsupported)";
1670
1671        default:
1672                return "unknown error in parse_pack_header";
1673
1674        case 0:
1675                return NULL;
1676        }
1677}
1678
1679static const char *pack_lockfile;
1680
1681static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1682{
1683        argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1684                        ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1685}
1686
1687static const char *unpack(int err_fd, struct shallow_info *si)
1688{
1689        struct pack_header hdr;
1690        const char *hdr_err;
1691        int status;
1692        struct child_process child = CHILD_PROCESS_INIT;
1693        int fsck_objects = (receive_fsck_objects >= 0
1694                            ? receive_fsck_objects
1695                            : transfer_fsck_objects >= 0
1696                            ? transfer_fsck_objects
1697                            : 0);
1698
1699        hdr_err = parse_pack_header(&hdr);
1700        if (hdr_err) {
1701                if (err_fd > 0)
1702                        close(err_fd);
1703                return hdr_err;
1704        }
1705
1706        if (si->nr_ours || si->nr_theirs) {
1707                alt_shallow_file = setup_temporary_shallow(si->shallow);
1708                argv_array_push(&child.args, "--shallow-file");
1709                argv_array_push(&child.args, alt_shallow_file);
1710        }
1711
1712        tmp_objdir = tmp_objdir_create();
1713        if (!tmp_objdir) {
1714                if (err_fd > 0)
1715                        close(err_fd);
1716                return "unable to create temporary object directory";
1717        }
1718        child.env = tmp_objdir_env(tmp_objdir);
1719
1720        /*
1721         * Normally we just pass the tmp_objdir environment to the child
1722         * processes that do the heavy lifting, but we may need to see these
1723         * objects ourselves to set up shallow information.
1724         */
1725        tmp_objdir_add_as_alternate(tmp_objdir);
1726
1727        if (ntohl(hdr.hdr_entries) < unpack_limit) {
1728                argv_array_push(&child.args, "unpack-objects");
1729                push_header_arg(&child.args, &hdr);
1730                if (quiet)
1731                        argv_array_push(&child.args, "-q");
1732                if (fsck_objects)
1733                        argv_array_pushf(&child.args, "--strict%s",
1734                                fsck_msg_types.buf);
1735                if (max_input_size)
1736                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1737                                (uintmax_t)max_input_size);
1738                child.no_stdout = 1;
1739                child.err = err_fd;
1740                child.git_cmd = 1;
1741                status = run_command(&child);
1742                if (status)
1743                        return "unpack-objects abnormal exit";
1744        } else {
1745                char hostname[HOST_NAME_MAX + 1];
1746
1747                argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1748                push_header_arg(&child.args, &hdr);
1749
1750                if (xgethostname(hostname, sizeof(hostname)))
1751                        xsnprintf(hostname, sizeof(hostname), "localhost");
1752                argv_array_pushf(&child.args,
1753                                 "--keep=receive-pack %"PRIuMAX" on %s",
1754                                 (uintmax_t)getpid(),
1755                                 hostname);
1756
1757                if (!quiet && err_fd)
1758                        argv_array_push(&child.args, "--show-resolving-progress");
1759                if (use_sideband)
1760                        argv_array_push(&child.args, "--report-end-of-input");
1761                if (fsck_objects)
1762                        argv_array_pushf(&child.args, "--strict%s",
1763                                fsck_msg_types.buf);
1764                if (!reject_thin)
1765                        argv_array_push(&child.args, "--fix-thin");
1766                if (max_input_size)
1767                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1768                                (uintmax_t)max_input_size);
1769                child.out = -1;
1770                child.err = err_fd;
1771                child.git_cmd = 1;
1772                status = start_command(&child);
1773                if (status)
1774                        return "index-pack fork failed";
1775                pack_lockfile = index_pack_lockfile(child.out);
1776                close(child.out);
1777                status = finish_command(&child);
1778                if (status)
1779                        return "index-pack abnormal exit";
1780                reprepare_packed_git();
1781        }
1782        return NULL;
1783}
1784
1785static const char *unpack_with_sideband(struct shallow_info *si)
1786{
1787        struct async muxer;
1788        const char *ret;
1789
1790        if (!use_sideband)
1791                return unpack(0, si);
1792
1793        use_keepalive = KEEPALIVE_AFTER_NUL;
1794        memset(&muxer, 0, sizeof(muxer));
1795        muxer.proc = copy_to_sideband;
1796        muxer.in = -1;
1797        if (start_async(&muxer))
1798                return NULL;
1799
1800        ret = unpack(muxer.in, si);
1801
1802        finish_async(&muxer);
1803        return ret;
1804}
1805
1806static void prepare_shallow_update(struct command *commands,
1807                                   struct shallow_info *si)
1808{
1809        int i, j, k, bitmap_size = DIV_ROUND_UP(si->ref->nr, 32);
1810
1811        ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1812        assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1813
1814        si->need_reachability_test =
1815                xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1816        si->reachable =
1817                xcalloc(si->shallow->nr, sizeof(*si->reachable));
1818        si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1819
1820        for (i = 0; i < si->nr_ours; i++)
1821                si->need_reachability_test[si->ours[i]] = 1;
1822
1823        for (i = 0; i < si->shallow->nr; i++) {
1824                if (!si->used_shallow[i])
1825                        continue;
1826                for (j = 0; j < bitmap_size; j++) {
1827                        if (!si->used_shallow[i][j])
1828                                continue;
1829                        si->need_reachability_test[i]++;
1830                        for (k = 0; k < 32; k++)
1831                                if (si->used_shallow[i][j] & (1U << k))
1832                                        si->shallow_ref[j * 32 + k]++;
1833                }
1834
1835                /*
1836                 * true for those associated with some refs and belong
1837                 * in "ours" list aka "step 7 not done yet"
1838                 */
1839                si->need_reachability_test[i] =
1840                        si->need_reachability_test[i] > 1;
1841        }
1842
1843        /*
1844         * keep hooks happy by forcing a temporary shallow file via
1845         * env variable because we can't add --shallow-file to every
1846         * command. check_everything_connected() will be done with
1847         * true .git/shallow though.
1848         */
1849        setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1850}
1851
1852static void update_shallow_info(struct command *commands,
1853                                struct shallow_info *si,
1854                                struct oid_array *ref)
1855{
1856        struct command *cmd;
1857        int *ref_status;
1858        remove_nonexistent_theirs_shallow(si);
1859        if (!si->nr_ours && !si->nr_theirs) {
1860                shallow_update = 0;
1861                return;
1862        }
1863
1864        for (cmd = commands; cmd; cmd = cmd->next) {
1865                if (is_null_oid(&cmd->new_oid))
1866                        continue;
1867                oid_array_append(ref, &cmd->new_oid);
1868                cmd->index = ref->nr - 1;
1869        }
1870        si->ref = ref;
1871
1872        if (shallow_update) {
1873                prepare_shallow_update(commands, si);
1874                return;
1875        }
1876
1877        ALLOC_ARRAY(ref_status, ref->nr);
1878        assign_shallow_commits_to_refs(si, NULL, ref_status);
1879        for (cmd = commands; cmd; cmd = cmd->next) {
1880                if (is_null_oid(&cmd->new_oid))
1881                        continue;
1882                if (ref_status[cmd->index]) {
1883                        cmd->error_string = "shallow update not allowed";
1884                        cmd->skip_update = 1;
1885                }
1886        }
1887        free(ref_status);
1888}
1889
1890static void report(struct command *commands, const char *unpack_status)
1891{
1892        struct command *cmd;
1893        struct strbuf buf = STRBUF_INIT;
1894
1895        packet_buf_write(&buf, "unpack %s\n",
1896                         unpack_status ? unpack_status : "ok");
1897        for (cmd = commands; cmd; cmd = cmd->next) {
1898                if (!cmd->error_string)
1899                        packet_buf_write(&buf, "ok %s\n",
1900                                         cmd->ref_name);
1901                else
1902                        packet_buf_write(&buf, "ng %s %s\n",
1903                                         cmd->ref_name, cmd->error_string);
1904        }
1905        packet_buf_flush(&buf);
1906
1907        if (use_sideband)
1908                send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1909        else
1910                write_or_die(1, buf.buf, buf.len);
1911        strbuf_release(&buf);
1912}
1913
1914static int delete_only(struct command *commands)
1915{
1916        struct command *cmd;
1917        for (cmd = commands; cmd; cmd = cmd->next) {
1918                if (!is_null_oid(&cmd->new_oid))
1919                        return 0;
1920        }
1921        return 1;
1922}
1923
1924int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1925{
1926        int advertise_refs = 0;
1927        struct command *commands;
1928        struct oid_array shallow = OID_ARRAY_INIT;
1929        struct oid_array ref = OID_ARRAY_INIT;
1930        struct shallow_info si;
1931
1932        struct option options[] = {
1933                OPT__QUIET(&quiet, N_("quiet")),
1934                OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1935                OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1936                OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1937                OPT_END()
1938        };
1939
1940        packet_trace_identity("receive-pack");
1941
1942        argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1943
1944        if (argc > 1)
1945                usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1946        if (argc == 0)
1947                usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1948
1949        service_dir = argv[0];
1950
1951        setup_path();
1952
1953        if (!enter_repo(service_dir, 0))
1954                die("'%s' does not appear to be a git repository", service_dir);
1955
1956        git_config(receive_pack_config, NULL);
1957        if (cert_nonce_seed)
1958                push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1959
1960        if (0 <= transfer_unpack_limit)
1961                unpack_limit = transfer_unpack_limit;
1962        else if (0 <= receive_unpack_limit)
1963                unpack_limit = receive_unpack_limit;
1964
1965        if (advertise_refs || !stateless_rpc) {
1966                write_head_info();
1967        }
1968        if (advertise_refs)
1969                return 0;
1970
1971        if ((commands = read_head_info(&shallow)) != NULL) {
1972                const char *unpack_status = NULL;
1973                struct string_list push_options = STRING_LIST_INIT_DUP;
1974
1975                if (use_push_options)
1976                        read_push_options(&push_options);
1977                if (!check_cert_push_options(&push_options)) {
1978                        struct command *cmd;
1979                        for (cmd = commands; cmd; cmd = cmd->next)
1980                                cmd->error_string = "inconsistent push options";
1981                }
1982
1983                prepare_shallow_info(&si, &shallow);
1984                if (!si.nr_ours && !si.nr_theirs)
1985                        shallow_update = 0;
1986                if (!delete_only(commands)) {
1987                        unpack_status = unpack_with_sideband(&si);
1988                        update_shallow_info(commands, &si, &ref);
1989                }
1990                use_keepalive = KEEPALIVE_ALWAYS;
1991                execute_commands(commands, unpack_status, &si,
1992                                 &push_options);
1993                if (pack_lockfile)
1994                        unlink_or_warn(pack_lockfile);
1995                if (report_status)
1996                        report(commands, unpack_status);
1997                run_receive_hook(commands, "post-receive", 1,
1998                                 &push_options);
1999                run_update_post_hook(commands);
2000                string_list_clear(&push_options, 0);
2001                if (auto_gc) {
2002                        const char *argv_gc_auto[] = {
2003                                "gc", "--auto", "--quiet", NULL,
2004                        };
2005                        struct child_process proc = CHILD_PROCESS_INIT;
2006
2007                        proc.no_stdin = 1;
2008                        proc.stdout_to_stderr = 1;
2009                        proc.err = use_sideband ? -1 : 0;
2010                        proc.git_cmd = 1;
2011                        proc.argv = argv_gc_auto;
2012
2013                        close_all_packs();
2014                        if (!start_command(&proc)) {
2015                                if (use_sideband)
2016                                        copy_to_sideband(proc.err, -1, NULL);
2017                                finish_command(&proc);
2018                        }
2019                }
2020                if (auto_update_server_info)
2021                        update_server_info(0);
2022                clear_shallow_info(&si);
2023        }
2024        if (use_sideband)
2025                packet_flush(1);
2026        oid_array_clear(&shallow);
2027        oid_array_clear(&ref);
2028        free((void *)push_cert_nonce);
2029        return 0;
2030}