builtin / receive-pack.con commit ref-filter: drop sprintf and strcpy calls (a5e03bf)
   1#include "builtin.h"
   2#include "lockfile.h"
   3#include "pack.h"
   4#include "refs.h"
   5#include "pkt-line.h"
   6#include "sideband.h"
   7#include "run-command.h"
   8#include "exec_cmd.h"
   9#include "commit.h"
  10#include "object.h"
  11#include "remote.h"
  12#include "connect.h"
  13#include "transport.h"
  14#include "string-list.h"
  15#include "sha1-array.h"
  16#include "connected.h"
  17#include "argv-array.h"
  18#include "version.h"
  19#include "tag.h"
  20#include "gpg-interface.h"
  21#include "sigchain.h"
  22#include "fsck.h"
  23
  24static const char receive_pack_usage[] = "git receive-pack <git-dir>";
  25
  26enum deny_action {
  27        DENY_UNCONFIGURED,
  28        DENY_IGNORE,
  29        DENY_WARN,
  30        DENY_REFUSE,
  31        DENY_UPDATE_INSTEAD
  32};
  33
  34static int deny_deletes;
  35static int deny_non_fast_forwards;
  36static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
  37static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
  38static int receive_fsck_objects = -1;
  39static int transfer_fsck_objects = -1;
  40static struct strbuf fsck_msg_types = STRBUF_INIT;
  41static int receive_unpack_limit = -1;
  42static int transfer_unpack_limit = -1;
  43static int advertise_atomic_push = 1;
  44static int unpack_limit = 100;
  45static int report_status;
  46static int use_sideband;
  47static int use_atomic;
  48static int quiet;
  49static int prefer_ofs_delta = 1;
  50static int auto_update_server_info;
  51static int auto_gc = 1;
  52static int fix_thin = 1;
  53static int stateless_rpc;
  54static const char *service_dir;
  55static const char *head_name;
  56static void *head_name_to_free;
  57static int sent_capabilities;
  58static int shallow_update;
  59static const char *alt_shallow_file;
  60static struct strbuf push_cert = STRBUF_INIT;
  61static unsigned char push_cert_sha1[20];
  62static struct signature_check sigcheck;
  63static const char *push_cert_nonce;
  64static const char *cert_nonce_seed;
  65
  66static const char *NONCE_UNSOLICITED = "UNSOLICITED";
  67static const char *NONCE_BAD = "BAD";
  68static const char *NONCE_MISSING = "MISSING";
  69static const char *NONCE_OK = "OK";
  70static const char *NONCE_SLOP = "SLOP";
  71static const char *nonce_status;
  72static long nonce_stamp_slop;
  73static unsigned long nonce_stamp_slop_limit;
  74static struct ref_transaction *transaction;
  75
  76static enum deny_action parse_deny_action(const char *var, const char *value)
  77{
  78        if (value) {
  79                if (!strcasecmp(value, "ignore"))
  80                        return DENY_IGNORE;
  81                if (!strcasecmp(value, "warn"))
  82                        return DENY_WARN;
  83                if (!strcasecmp(value, "refuse"))
  84                        return DENY_REFUSE;
  85                if (!strcasecmp(value, "updateinstead"))
  86                        return DENY_UPDATE_INSTEAD;
  87        }
  88        if (git_config_bool(var, value))
  89                return DENY_REFUSE;
  90        return DENY_IGNORE;
  91}
  92
  93static int receive_pack_config(const char *var, const char *value, void *cb)
  94{
  95        int status = parse_hide_refs_config(var, value, "receive");
  96
  97        if (status)
  98                return status;
  99
 100        if (strcmp(var, "receive.denydeletes") == 0) {
 101                deny_deletes = git_config_bool(var, value);
 102                return 0;
 103        }
 104
 105        if (strcmp(var, "receive.denynonfastforwards") == 0) {
 106                deny_non_fast_forwards = git_config_bool(var, value);
 107                return 0;
 108        }
 109
 110        if (strcmp(var, "receive.unpacklimit") == 0) {
 111                receive_unpack_limit = git_config_int(var, value);
 112                return 0;
 113        }
 114
 115        if (strcmp(var, "transfer.unpacklimit") == 0) {
 116                transfer_unpack_limit = git_config_int(var, value);
 117                return 0;
 118        }
 119
 120        if (strcmp(var, "receive.fsck.skiplist") == 0) {
 121                const char *path;
 122
 123                if (git_config_pathname(&path, var, value))
 124                        return 1;
 125                strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
 126                        fsck_msg_types.len ? ',' : '=', path);
 127                free((char *)path);
 128                return 0;
 129        }
 130
 131        if (skip_prefix(var, "receive.fsck.", &var)) {
 132                if (is_valid_msg_type(var, value))
 133                        strbuf_addf(&fsck_msg_types, "%c%s=%s",
 134                                fsck_msg_types.len ? ',' : '=', var, value);
 135                else
 136                        warning("Skipping unknown msg id '%s'", var);
 137                return 0;
 138        }
 139
 140        if (strcmp(var, "receive.fsckobjects") == 0) {
 141                receive_fsck_objects = git_config_bool(var, value);
 142                return 0;
 143        }
 144
 145        if (strcmp(var, "transfer.fsckobjects") == 0) {
 146                transfer_fsck_objects = git_config_bool(var, value);
 147                return 0;
 148        }
 149
 150        if (!strcmp(var, "receive.denycurrentbranch")) {
 151                deny_current_branch = parse_deny_action(var, value);
 152                return 0;
 153        }
 154
 155        if (strcmp(var, "receive.denydeletecurrent") == 0) {
 156                deny_delete_current = parse_deny_action(var, value);
 157                return 0;
 158        }
 159
 160        if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
 161                prefer_ofs_delta = git_config_bool(var, value);
 162                return 0;
 163        }
 164
 165        if (strcmp(var, "receive.updateserverinfo") == 0) {
 166                auto_update_server_info = git_config_bool(var, value);
 167                return 0;
 168        }
 169
 170        if (strcmp(var, "receive.autogc") == 0) {
 171                auto_gc = git_config_bool(var, value);
 172                return 0;
 173        }
 174
 175        if (strcmp(var, "receive.shallowupdate") == 0) {
 176                shallow_update = git_config_bool(var, value);
 177                return 0;
 178        }
 179
 180        if (strcmp(var, "receive.certnonceseed") == 0)
 181                return git_config_string(&cert_nonce_seed, var, value);
 182
 183        if (strcmp(var, "receive.certnonceslop") == 0) {
 184                nonce_stamp_slop_limit = git_config_ulong(var, value);
 185                return 0;
 186        }
 187
 188        if (strcmp(var, "receive.advertiseatomic") == 0) {
 189                advertise_atomic_push = git_config_bool(var, value);
 190                return 0;
 191        }
 192
 193        return git_default_config(var, value, cb);
 194}
 195
 196static void show_ref(const char *path, const unsigned char *sha1)
 197{
 198        if (ref_is_hidden(path))
 199                return;
 200
 201        if (sent_capabilities) {
 202                packet_write(1, "%s %s\n", sha1_to_hex(sha1), path);
 203        } else {
 204                struct strbuf cap = STRBUF_INIT;
 205
 206                strbuf_addstr(&cap,
 207                              "report-status delete-refs side-band-64k quiet");
 208                if (advertise_atomic_push)
 209                        strbuf_addstr(&cap, " atomic");
 210                if (prefer_ofs_delta)
 211                        strbuf_addstr(&cap, " ofs-delta");
 212                if (push_cert_nonce)
 213                        strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
 214                strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
 215                packet_write(1, "%s %s%c%s\n",
 216                             sha1_to_hex(sha1), path, 0, cap.buf);
 217                strbuf_release(&cap);
 218                sent_capabilities = 1;
 219        }
 220}
 221
 222static int show_ref_cb(const char *path, const struct object_id *oid, int flag, void *unused)
 223{
 224        path = strip_namespace(path);
 225        /*
 226         * Advertise refs outside our current namespace as ".have"
 227         * refs, so that the client can use them to minimize data
 228         * transfer but will otherwise ignore them. This happens to
 229         * cover ".have" that are thrown in by add_one_alternate_ref()
 230         * to mark histories that are complete in our alternates as
 231         * well.
 232         */
 233        if (!path)
 234                path = ".have";
 235        show_ref(path, oid->hash);
 236        return 0;
 237}
 238
 239static void show_one_alternate_sha1(const unsigned char sha1[20], void *unused)
 240{
 241        show_ref(".have", sha1);
 242}
 243
 244static void collect_one_alternate_ref(const struct ref *ref, void *data)
 245{
 246        struct sha1_array *sa = data;
 247        sha1_array_append(sa, ref->old_sha1);
 248}
 249
 250static void write_head_info(void)
 251{
 252        struct sha1_array sa = SHA1_ARRAY_INIT;
 253
 254        for_each_alternate_ref(collect_one_alternate_ref, &sa);
 255        sha1_array_for_each_unique(&sa, show_one_alternate_sha1, NULL);
 256        sha1_array_clear(&sa);
 257        for_each_ref(show_ref_cb, NULL);
 258        if (!sent_capabilities)
 259                show_ref("capabilities^{}", null_sha1);
 260
 261        advertise_shallow_grafts(1);
 262
 263        /* EOF */
 264        packet_flush(1);
 265}
 266
 267struct command {
 268        struct command *next;
 269        const char *error_string;
 270        unsigned int skip_update:1,
 271                     did_not_exist:1;
 272        int index;
 273        unsigned char old_sha1[20];
 274        unsigned char new_sha1[20];
 275        char ref_name[FLEX_ARRAY]; /* more */
 276};
 277
 278static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
 279static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
 280
 281static void report_message(const char *prefix, const char *err, va_list params)
 282{
 283        int sz;
 284        char msg[4096];
 285
 286        sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
 287        sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
 288        if (sz > (sizeof(msg) - 1))
 289                sz = sizeof(msg) - 1;
 290        msg[sz++] = '\n';
 291
 292        if (use_sideband)
 293                send_sideband(1, 2, msg, sz, use_sideband);
 294        else
 295                xwrite(2, msg, sz);
 296}
 297
 298static void rp_warning(const char *err, ...)
 299{
 300        va_list params;
 301        va_start(params, err);
 302        report_message("warning: ", err, params);
 303        va_end(params);
 304}
 305
 306static void rp_error(const char *err, ...)
 307{
 308        va_list params;
 309        va_start(params, err);
 310        report_message("error: ", err, params);
 311        va_end(params);
 312}
 313
 314static int copy_to_sideband(int in, int out, void *arg)
 315{
 316        char data[128];
 317        while (1) {
 318                ssize_t sz = xread(in, data, sizeof(data));
 319                if (sz <= 0)
 320                        break;
 321                send_sideband(1, 2, data, sz, use_sideband);
 322        }
 323        close(in);
 324        return 0;
 325}
 326
 327#define HMAC_BLOCK_SIZE 64
 328
 329static void hmac_sha1(unsigned char *out,
 330                      const char *key_in, size_t key_len,
 331                      const char *text, size_t text_len)
 332{
 333        unsigned char key[HMAC_BLOCK_SIZE];
 334        unsigned char k_ipad[HMAC_BLOCK_SIZE];
 335        unsigned char k_opad[HMAC_BLOCK_SIZE];
 336        int i;
 337        git_SHA_CTX ctx;
 338
 339        /* RFC 2104 2. (1) */
 340        memset(key, '\0', HMAC_BLOCK_SIZE);
 341        if (HMAC_BLOCK_SIZE < key_len) {
 342                git_SHA1_Init(&ctx);
 343                git_SHA1_Update(&ctx, key_in, key_len);
 344                git_SHA1_Final(key, &ctx);
 345        } else {
 346                memcpy(key, key_in, key_len);
 347        }
 348
 349        /* RFC 2104 2. (2) & (5) */
 350        for (i = 0; i < sizeof(key); i++) {
 351                k_ipad[i] = key[i] ^ 0x36;
 352                k_opad[i] = key[i] ^ 0x5c;
 353        }
 354
 355        /* RFC 2104 2. (3) & (4) */
 356        git_SHA1_Init(&ctx);
 357        git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
 358        git_SHA1_Update(&ctx, text, text_len);
 359        git_SHA1_Final(out, &ctx);
 360
 361        /* RFC 2104 2. (6) & (7) */
 362        git_SHA1_Init(&ctx);
 363        git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
 364        git_SHA1_Update(&ctx, out, 20);
 365        git_SHA1_Final(out, &ctx);
 366}
 367
 368static char *prepare_push_cert_nonce(const char *path, unsigned long stamp)
 369{
 370        struct strbuf buf = STRBUF_INIT;
 371        unsigned char sha1[20];
 372
 373        strbuf_addf(&buf, "%s:%lu", path, stamp);
 374        hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
 375        strbuf_release(&buf);
 376
 377        /* RFC 2104 5. HMAC-SHA1-80 */
 378        strbuf_addf(&buf, "%lu-%.*s", stamp, 20, sha1_to_hex(sha1));
 379        return strbuf_detach(&buf, NULL);
 380}
 381
 382/*
 383 * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
 384 * after dropping "_commit" from its name and possibly moving it out
 385 * of commit.c
 386 */
 387static char *find_header(const char *msg, size_t len, const char *key)
 388{
 389        int key_len = strlen(key);
 390        const char *line = msg;
 391
 392        while (line && line < msg + len) {
 393                const char *eol = strchrnul(line, '\n');
 394
 395                if ((msg + len <= eol) || line == eol)
 396                        return NULL;
 397                if (line + key_len < eol &&
 398                    !memcmp(line, key, key_len) && line[key_len] == ' ') {
 399                        int offset = key_len + 1;
 400                        return xmemdupz(line + offset, (eol - line) - offset);
 401                }
 402                line = *eol ? eol + 1 : NULL;
 403        }
 404        return NULL;
 405}
 406
 407static const char *check_nonce(const char *buf, size_t len)
 408{
 409        char *nonce = find_header(buf, len, "nonce");
 410        unsigned long stamp, ostamp;
 411        char *bohmac, *expect = NULL;
 412        const char *retval = NONCE_BAD;
 413
 414        if (!nonce) {
 415                retval = NONCE_MISSING;
 416                goto leave;
 417        } else if (!push_cert_nonce) {
 418                retval = NONCE_UNSOLICITED;
 419                goto leave;
 420        } else if (!strcmp(push_cert_nonce, nonce)) {
 421                retval = NONCE_OK;
 422                goto leave;
 423        }
 424
 425        if (!stateless_rpc) {
 426                /* returned nonce MUST match what we gave out earlier */
 427                retval = NONCE_BAD;
 428                goto leave;
 429        }
 430
 431        /*
 432         * In stateless mode, we may be receiving a nonce issued by
 433         * another instance of the server that serving the same
 434         * repository, and the timestamps may not match, but the
 435         * nonce-seed and dir should match, so we can recompute and
 436         * report the time slop.
 437         *
 438         * In addition, when a nonce issued by another instance has
 439         * timestamp within receive.certnonceslop seconds, we pretend
 440         * as if we issued that nonce when reporting to the hook.
 441         */
 442
 443        /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
 444        if (*nonce <= '0' || '9' < *nonce) {
 445                retval = NONCE_BAD;
 446                goto leave;
 447        }
 448        stamp = strtoul(nonce, &bohmac, 10);
 449        if (bohmac == nonce || bohmac[0] != '-') {
 450                retval = NONCE_BAD;
 451                goto leave;
 452        }
 453
 454        expect = prepare_push_cert_nonce(service_dir, stamp);
 455        if (strcmp(expect, nonce)) {
 456                /* Not what we would have signed earlier */
 457                retval = NONCE_BAD;
 458                goto leave;
 459        }
 460
 461        /*
 462         * By how many seconds is this nonce stale?  Negative value
 463         * would mean it was issued by another server with its clock
 464         * skewed in the future.
 465         */
 466        ostamp = strtoul(push_cert_nonce, NULL, 10);
 467        nonce_stamp_slop = (long)ostamp - (long)stamp;
 468
 469        if (nonce_stamp_slop_limit &&
 470            labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
 471                /*
 472                 * Pretend as if the received nonce (which passes the
 473                 * HMAC check, so it is not a forged by third-party)
 474                 * is what we issued.
 475                 */
 476                free((void *)push_cert_nonce);
 477                push_cert_nonce = xstrdup(nonce);
 478                retval = NONCE_OK;
 479        } else {
 480                retval = NONCE_SLOP;
 481        }
 482
 483leave:
 484        free(nonce);
 485        free(expect);
 486        return retval;
 487}
 488
 489static void prepare_push_cert_sha1(struct child_process *proc)
 490{
 491        static int already_done;
 492
 493        if (!push_cert.len)
 494                return;
 495
 496        if (!already_done) {
 497                struct strbuf gpg_output = STRBUF_INIT;
 498                struct strbuf gpg_status = STRBUF_INIT;
 499                int bogs /* beginning_of_gpg_sig */;
 500
 501                already_done = 1;
 502                if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
 503                        hashclr(push_cert_sha1);
 504
 505                memset(&sigcheck, '\0', sizeof(sigcheck));
 506                sigcheck.result = 'N';
 507
 508                bogs = parse_signature(push_cert.buf, push_cert.len);
 509                if (verify_signed_buffer(push_cert.buf, bogs,
 510                                         push_cert.buf + bogs, push_cert.len - bogs,
 511                                         &gpg_output, &gpg_status) < 0) {
 512                        ; /* error running gpg */
 513                } else {
 514                        sigcheck.payload = push_cert.buf;
 515                        sigcheck.gpg_output = gpg_output.buf;
 516                        sigcheck.gpg_status = gpg_status.buf;
 517                        parse_gpg_output(&sigcheck);
 518                }
 519
 520                strbuf_release(&gpg_output);
 521                strbuf_release(&gpg_status);
 522                nonce_status = check_nonce(push_cert.buf, bogs);
 523        }
 524        if (!is_null_sha1(push_cert_sha1)) {
 525                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
 526                                 sha1_to_hex(push_cert_sha1));
 527                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
 528                                 sigcheck.signer ? sigcheck.signer : "");
 529                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
 530                                 sigcheck.key ? sigcheck.key : "");
 531                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
 532                                 sigcheck.result);
 533                if (push_cert_nonce) {
 534                        argv_array_pushf(&proc->env_array,
 535                                         "GIT_PUSH_CERT_NONCE=%s",
 536                                         push_cert_nonce);
 537                        argv_array_pushf(&proc->env_array,
 538                                         "GIT_PUSH_CERT_NONCE_STATUS=%s",
 539                                         nonce_status);
 540                        if (nonce_status == NONCE_SLOP)
 541                                argv_array_pushf(&proc->env_array,
 542                                                 "GIT_PUSH_CERT_NONCE_SLOP=%ld",
 543                                                 nonce_stamp_slop);
 544                }
 545        }
 546}
 547
 548typedef int (*feed_fn)(void *, const char **, size_t *);
 549static int run_and_feed_hook(const char *hook_name, feed_fn feed, void *feed_state)
 550{
 551        struct child_process proc = CHILD_PROCESS_INIT;
 552        struct async muxer;
 553        const char *argv[2];
 554        int code;
 555
 556        argv[0] = find_hook(hook_name);
 557        if (!argv[0])
 558                return 0;
 559
 560        argv[1] = NULL;
 561
 562        proc.argv = argv;
 563        proc.in = -1;
 564        proc.stdout_to_stderr = 1;
 565
 566        if (use_sideband) {
 567                memset(&muxer, 0, sizeof(muxer));
 568                muxer.proc = copy_to_sideband;
 569                muxer.in = -1;
 570                code = start_async(&muxer);
 571                if (code)
 572                        return code;
 573                proc.err = muxer.in;
 574        }
 575
 576        prepare_push_cert_sha1(&proc);
 577
 578        code = start_command(&proc);
 579        if (code) {
 580                if (use_sideband)
 581                        finish_async(&muxer);
 582                return code;
 583        }
 584
 585        sigchain_push(SIGPIPE, SIG_IGN);
 586
 587        while (1) {
 588                const char *buf;
 589                size_t n;
 590                if (feed(feed_state, &buf, &n))
 591                        break;
 592                if (write_in_full(proc.in, buf, n) != n)
 593                        break;
 594        }
 595        close(proc.in);
 596        if (use_sideband)
 597                finish_async(&muxer);
 598
 599        sigchain_pop(SIGPIPE);
 600
 601        return finish_command(&proc);
 602}
 603
 604struct receive_hook_feed_state {
 605        struct command *cmd;
 606        int skip_broken;
 607        struct strbuf buf;
 608};
 609
 610static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
 611{
 612        struct receive_hook_feed_state *state = state_;
 613        struct command *cmd = state->cmd;
 614
 615        while (cmd &&
 616               state->skip_broken && (cmd->error_string || cmd->did_not_exist))
 617                cmd = cmd->next;
 618        if (!cmd)
 619                return -1; /* EOF */
 620        strbuf_reset(&state->buf);
 621        strbuf_addf(&state->buf, "%s %s %s\n",
 622                    sha1_to_hex(cmd->old_sha1), sha1_to_hex(cmd->new_sha1),
 623                    cmd->ref_name);
 624        state->cmd = cmd->next;
 625        if (bufp) {
 626                *bufp = state->buf.buf;
 627                *sizep = state->buf.len;
 628        }
 629        return 0;
 630}
 631
 632static int run_receive_hook(struct command *commands, const char *hook_name,
 633                            int skip_broken)
 634{
 635        struct receive_hook_feed_state state;
 636        int status;
 637
 638        strbuf_init(&state.buf, 0);
 639        state.cmd = commands;
 640        state.skip_broken = skip_broken;
 641        if (feed_receive_hook(&state, NULL, NULL))
 642                return 0;
 643        state.cmd = commands;
 644        status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
 645        strbuf_release(&state.buf);
 646        return status;
 647}
 648
 649static int run_update_hook(struct command *cmd)
 650{
 651        const char *argv[5];
 652        struct child_process proc = CHILD_PROCESS_INIT;
 653        int code;
 654
 655        argv[0] = find_hook("update");
 656        if (!argv[0])
 657                return 0;
 658
 659        argv[1] = cmd->ref_name;
 660        argv[2] = sha1_to_hex(cmd->old_sha1);
 661        argv[3] = sha1_to_hex(cmd->new_sha1);
 662        argv[4] = NULL;
 663
 664        proc.no_stdin = 1;
 665        proc.stdout_to_stderr = 1;
 666        proc.err = use_sideband ? -1 : 0;
 667        proc.argv = argv;
 668
 669        code = start_command(&proc);
 670        if (code)
 671                return code;
 672        if (use_sideband)
 673                copy_to_sideband(proc.err, -1, NULL);
 674        return finish_command(&proc);
 675}
 676
 677static int is_ref_checked_out(const char *ref)
 678{
 679        if (is_bare_repository())
 680                return 0;
 681
 682        if (!head_name)
 683                return 0;
 684        return !strcmp(head_name, ref);
 685}
 686
 687static char *refuse_unconfigured_deny_msg[] = {
 688        "By default, updating the current branch in a non-bare repository",
 689        "is denied, because it will make the index and work tree inconsistent",
 690        "with what you pushed, and will require 'git reset --hard' to match",
 691        "the work tree to HEAD.",
 692        "",
 693        "You can set 'receive.denyCurrentBranch' configuration variable to",
 694        "'ignore' or 'warn' in the remote repository to allow pushing into",
 695        "its current branch; however, this is not recommended unless you",
 696        "arranged to update its work tree to match what you pushed in some",
 697        "other way.",
 698        "",
 699        "To squelch this message and still keep the default behaviour, set",
 700        "'receive.denyCurrentBranch' configuration variable to 'refuse'."
 701};
 702
 703static void refuse_unconfigured_deny(void)
 704{
 705        int i;
 706        for (i = 0; i < ARRAY_SIZE(refuse_unconfigured_deny_msg); i++)
 707                rp_error("%s", refuse_unconfigured_deny_msg[i]);
 708}
 709
 710static char *refuse_unconfigured_deny_delete_current_msg[] = {
 711        "By default, deleting the current branch is denied, because the next",
 712        "'git clone' won't result in any file checked out, causing confusion.",
 713        "",
 714        "You can set 'receive.denyDeleteCurrent' configuration variable to",
 715        "'warn' or 'ignore' in the remote repository to allow deleting the",
 716        "current branch, with or without a warning message.",
 717        "",
 718        "To squelch this message, you can set it to 'refuse'."
 719};
 720
 721static void refuse_unconfigured_deny_delete_current(void)
 722{
 723        int i;
 724        for (i = 0;
 725             i < ARRAY_SIZE(refuse_unconfigured_deny_delete_current_msg);
 726             i++)
 727                rp_error("%s", refuse_unconfigured_deny_delete_current_msg[i]);
 728}
 729
 730static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
 731static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
 732{
 733        static struct lock_file shallow_lock;
 734        struct sha1_array extra = SHA1_ARRAY_INIT;
 735        const char *alt_file;
 736        uint32_t mask = 1 << (cmd->index % 32);
 737        int i;
 738
 739        trace_printf_key(&trace_shallow,
 740                         "shallow: update_shallow_ref %s\n", cmd->ref_name);
 741        for (i = 0; i < si->shallow->nr; i++)
 742                if (si->used_shallow[i] &&
 743                    (si->used_shallow[i][cmd->index / 32] & mask) &&
 744                    !delayed_reachability_test(si, i))
 745                        sha1_array_append(&extra, si->shallow->sha1[i]);
 746
 747        setup_alternate_shallow(&shallow_lock, &alt_file, &extra);
 748        if (check_shallow_connected(command_singleton_iterator,
 749                                    0, cmd, alt_file)) {
 750                rollback_lock_file(&shallow_lock);
 751                sha1_array_clear(&extra);
 752                return -1;
 753        }
 754
 755        commit_lock_file(&shallow_lock);
 756
 757        /*
 758         * Make sure setup_alternate_shallow() for the next ref does
 759         * not lose these new roots..
 760         */
 761        for (i = 0; i < extra.nr; i++)
 762                register_shallow(extra.sha1[i]);
 763
 764        si->shallow_ref[cmd->index] = 0;
 765        sha1_array_clear(&extra);
 766        return 0;
 767}
 768
 769/*
 770 * NEEDSWORK: we should consolidate various implementions of "are we
 771 * on an unborn branch?" test into one, and make the unified one more
 772 * robust. !get_sha1() based check used here and elsewhere would not
 773 * allow us to tell an unborn branch from corrupt ref, for example.
 774 * For the purpose of fixing "deploy-to-update does not work when
 775 * pushing into an empty repository" issue, this should suffice for
 776 * now.
 777 */
 778static int head_has_history(void)
 779{
 780        unsigned char sha1[20];
 781
 782        return !get_sha1("HEAD", sha1);
 783}
 784
 785static const char *push_to_deploy(unsigned char *sha1,
 786                                  struct argv_array *env,
 787                                  const char *work_tree)
 788{
 789        const char *update_refresh[] = {
 790                "update-index", "-q", "--ignore-submodules", "--refresh", NULL
 791        };
 792        const char *diff_files[] = {
 793                "diff-files", "--quiet", "--ignore-submodules", "--", NULL
 794        };
 795        const char *diff_index[] = {
 796                "diff-index", "--quiet", "--cached", "--ignore-submodules",
 797                NULL, "--", NULL
 798        };
 799        const char *read_tree[] = {
 800                "read-tree", "-u", "-m", NULL, NULL
 801        };
 802        struct child_process child = CHILD_PROCESS_INIT;
 803
 804        child.argv = update_refresh;
 805        child.env = env->argv;
 806        child.dir = work_tree;
 807        child.no_stdin = 1;
 808        child.stdout_to_stderr = 1;
 809        child.git_cmd = 1;
 810        if (run_command(&child))
 811                return "Up-to-date check failed";
 812
 813        /* run_command() does not clean up completely; reinitialize */
 814        child_process_init(&child);
 815        child.argv = diff_files;
 816        child.env = env->argv;
 817        child.dir = work_tree;
 818        child.no_stdin = 1;
 819        child.stdout_to_stderr = 1;
 820        child.git_cmd = 1;
 821        if (run_command(&child))
 822                return "Working directory has unstaged changes";
 823
 824        /* diff-index with either HEAD or an empty tree */
 825        diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
 826
 827        child_process_init(&child);
 828        child.argv = diff_index;
 829        child.env = env->argv;
 830        child.no_stdin = 1;
 831        child.no_stdout = 1;
 832        child.stdout_to_stderr = 0;
 833        child.git_cmd = 1;
 834        if (run_command(&child))
 835                return "Working directory has staged changes";
 836
 837        read_tree[3] = sha1_to_hex(sha1);
 838        child_process_init(&child);
 839        child.argv = read_tree;
 840        child.env = env->argv;
 841        child.dir = work_tree;
 842        child.no_stdin = 1;
 843        child.no_stdout = 1;
 844        child.stdout_to_stderr = 0;
 845        child.git_cmd = 1;
 846        if (run_command(&child))
 847                return "Could not update working tree to new HEAD";
 848
 849        return NULL;
 850}
 851
 852static const char *push_to_checkout_hook = "push-to-checkout";
 853
 854static const char *push_to_checkout(unsigned char *sha1,
 855                                    struct argv_array *env,
 856                                    const char *work_tree)
 857{
 858        argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
 859        if (run_hook_le(env->argv, push_to_checkout_hook,
 860                        sha1_to_hex(sha1), NULL))
 861                return "push-to-checkout hook declined";
 862        else
 863                return NULL;
 864}
 865
 866static const char *update_worktree(unsigned char *sha1)
 867{
 868        const char *retval;
 869        const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
 870        struct argv_array env = ARGV_ARRAY_INIT;
 871
 872        if (is_bare_repository())
 873                return "denyCurrentBranch = updateInstead needs a worktree";
 874
 875        argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
 876
 877        if (!find_hook(push_to_checkout_hook))
 878                retval = push_to_deploy(sha1, &env, work_tree);
 879        else
 880                retval = push_to_checkout(sha1, &env, work_tree);
 881
 882        argv_array_clear(&env);
 883        return retval;
 884}
 885
 886static const char *update(struct command *cmd, struct shallow_info *si)
 887{
 888        const char *name = cmd->ref_name;
 889        struct strbuf namespaced_name_buf = STRBUF_INIT;
 890        const char *namespaced_name, *ret;
 891        unsigned char *old_sha1 = cmd->old_sha1;
 892        unsigned char *new_sha1 = cmd->new_sha1;
 893
 894        /* only refs/... are allowed */
 895        if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
 896                rp_error("refusing to create funny ref '%s' remotely", name);
 897                return "funny refname";
 898        }
 899
 900        strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
 901        namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
 902
 903        if (is_ref_checked_out(namespaced_name)) {
 904                switch (deny_current_branch) {
 905                case DENY_IGNORE:
 906                        break;
 907                case DENY_WARN:
 908                        rp_warning("updating the current branch");
 909                        break;
 910                case DENY_REFUSE:
 911                case DENY_UNCONFIGURED:
 912                        rp_error("refusing to update checked out branch: %s", name);
 913                        if (deny_current_branch == DENY_UNCONFIGURED)
 914                                refuse_unconfigured_deny();
 915                        return "branch is currently checked out";
 916                case DENY_UPDATE_INSTEAD:
 917                        ret = update_worktree(new_sha1);
 918                        if (ret)
 919                                return ret;
 920                        break;
 921                }
 922        }
 923
 924        if (!is_null_sha1(new_sha1) && !has_sha1_file(new_sha1)) {
 925                error("unpack should have generated %s, "
 926                      "but I can't find it!", sha1_to_hex(new_sha1));
 927                return "bad pack";
 928        }
 929
 930        if (!is_null_sha1(old_sha1) && is_null_sha1(new_sha1)) {
 931                if (deny_deletes && starts_with(name, "refs/heads/")) {
 932                        rp_error("denying ref deletion for %s", name);
 933                        return "deletion prohibited";
 934                }
 935
 936                if (head_name && !strcmp(namespaced_name, head_name)) {
 937                        switch (deny_delete_current) {
 938                        case DENY_IGNORE:
 939                                break;
 940                        case DENY_WARN:
 941                                rp_warning("deleting the current branch");
 942                                break;
 943                        case DENY_REFUSE:
 944                        case DENY_UNCONFIGURED:
 945                        case DENY_UPDATE_INSTEAD:
 946                                if (deny_delete_current == DENY_UNCONFIGURED)
 947                                        refuse_unconfigured_deny_delete_current();
 948                                rp_error("refusing to delete the current branch: %s", name);
 949                                return "deletion of the current branch prohibited";
 950                        default:
 951                                return "Invalid denyDeleteCurrent setting";
 952                        }
 953                }
 954        }
 955
 956        if (deny_non_fast_forwards && !is_null_sha1(new_sha1) &&
 957            !is_null_sha1(old_sha1) &&
 958            starts_with(name, "refs/heads/")) {
 959                struct object *old_object, *new_object;
 960                struct commit *old_commit, *new_commit;
 961
 962                old_object = parse_object(old_sha1);
 963                new_object = parse_object(new_sha1);
 964
 965                if (!old_object || !new_object ||
 966                    old_object->type != OBJ_COMMIT ||
 967                    new_object->type != OBJ_COMMIT) {
 968                        error("bad sha1 objects for %s", name);
 969                        return "bad ref";
 970                }
 971                old_commit = (struct commit *)old_object;
 972                new_commit = (struct commit *)new_object;
 973                if (!in_merge_bases(old_commit, new_commit)) {
 974                        rp_error("denying non-fast-forward %s"
 975                                 " (you should pull first)", name);
 976                        return "non-fast-forward";
 977                }
 978        }
 979        if (run_update_hook(cmd)) {
 980                rp_error("hook declined to update %s", name);
 981                return "hook declined";
 982        }
 983
 984        if (is_null_sha1(new_sha1)) {
 985                struct strbuf err = STRBUF_INIT;
 986                if (!parse_object(old_sha1)) {
 987                        old_sha1 = NULL;
 988                        if (ref_exists(name)) {
 989                                rp_warning("Allowing deletion of corrupt ref.");
 990                        } else {
 991                                rp_warning("Deleting a non-existent ref.");
 992                                cmd->did_not_exist = 1;
 993                        }
 994                }
 995                if (ref_transaction_delete(transaction,
 996                                           namespaced_name,
 997                                           old_sha1,
 998                                           0, "push", &err)) {
 999                        rp_error("%s", err.buf);
1000                        strbuf_release(&err);
1001                        return "failed to delete";
1002                }
1003                strbuf_release(&err);
1004                return NULL; /* good */
1005        }
1006        else {
1007                struct strbuf err = STRBUF_INIT;
1008                if (shallow_update && si->shallow_ref[cmd->index] &&
1009                    update_shallow_ref(cmd, si))
1010                        return "shallow error";
1011
1012                if (ref_transaction_update(transaction,
1013                                           namespaced_name,
1014                                           new_sha1, old_sha1,
1015                                           0, "push",
1016                                           &err)) {
1017                        rp_error("%s", err.buf);
1018                        strbuf_release(&err);
1019
1020                        return "failed to update ref";
1021                }
1022                strbuf_release(&err);
1023
1024                return NULL; /* good */
1025        }
1026}
1027
1028static void run_update_post_hook(struct command *commands)
1029{
1030        struct command *cmd;
1031        int argc;
1032        const char **argv;
1033        struct child_process proc = CHILD_PROCESS_INIT;
1034        const char *hook;
1035
1036        hook = find_hook("post-update");
1037        for (argc = 0, cmd = commands; cmd; cmd = cmd->next) {
1038                if (cmd->error_string || cmd->did_not_exist)
1039                        continue;
1040                argc++;
1041        }
1042        if (!argc || !hook)
1043                return;
1044
1045        argv = xmalloc(sizeof(*argv) * (2 + argc));
1046        argv[0] = hook;
1047
1048        for (argc = 1, cmd = commands; cmd; cmd = cmd->next) {
1049                if (cmd->error_string || cmd->did_not_exist)
1050                        continue;
1051                argv[argc] = xstrdup(cmd->ref_name);
1052                argc++;
1053        }
1054        argv[argc] = NULL;
1055
1056        proc.no_stdin = 1;
1057        proc.stdout_to_stderr = 1;
1058        proc.err = use_sideband ? -1 : 0;
1059        proc.argv = argv;
1060
1061        if (!start_command(&proc)) {
1062                if (use_sideband)
1063                        copy_to_sideband(proc.err, -1, NULL);
1064                finish_command(&proc);
1065        }
1066}
1067
1068static void check_aliased_update(struct command *cmd, struct string_list *list)
1069{
1070        struct strbuf buf = STRBUF_INIT;
1071        const char *dst_name;
1072        struct string_list_item *item;
1073        struct command *dst_cmd;
1074        unsigned char sha1[20];
1075        char cmd_oldh[41], cmd_newh[41], dst_oldh[41], dst_newh[41];
1076        int flag;
1077
1078        strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1079        dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1080        strbuf_release(&buf);
1081
1082        if (!(flag & REF_ISSYMREF))
1083                return;
1084
1085        dst_name = strip_namespace(dst_name);
1086        if (!dst_name) {
1087                rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1088                cmd->skip_update = 1;
1089                cmd->error_string = "broken symref";
1090                return;
1091        }
1092
1093        if ((item = string_list_lookup(list, dst_name)) == NULL)
1094                return;
1095
1096        cmd->skip_update = 1;
1097
1098        dst_cmd = (struct command *) item->util;
1099
1100        if (!hashcmp(cmd->old_sha1, dst_cmd->old_sha1) &&
1101            !hashcmp(cmd->new_sha1, dst_cmd->new_sha1))
1102                return;
1103
1104        dst_cmd->skip_update = 1;
1105
1106        strcpy(cmd_oldh, find_unique_abbrev(cmd->old_sha1, DEFAULT_ABBREV));
1107        strcpy(cmd_newh, find_unique_abbrev(cmd->new_sha1, DEFAULT_ABBREV));
1108        strcpy(dst_oldh, find_unique_abbrev(dst_cmd->old_sha1, DEFAULT_ABBREV));
1109        strcpy(dst_newh, find_unique_abbrev(dst_cmd->new_sha1, DEFAULT_ABBREV));
1110        rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1111                 " its target '%s' (%s..%s)",
1112                 cmd->ref_name, cmd_oldh, cmd_newh,
1113                 dst_cmd->ref_name, dst_oldh, dst_newh);
1114
1115        cmd->error_string = dst_cmd->error_string =
1116                "inconsistent aliased update";
1117}
1118
1119static void check_aliased_updates(struct command *commands)
1120{
1121        struct command *cmd;
1122        struct string_list ref_list = STRING_LIST_INIT_NODUP;
1123
1124        for (cmd = commands; cmd; cmd = cmd->next) {
1125                struct string_list_item *item =
1126                        string_list_append(&ref_list, cmd->ref_name);
1127                item->util = (void *)cmd;
1128        }
1129        string_list_sort(&ref_list);
1130
1131        for (cmd = commands; cmd; cmd = cmd->next) {
1132                if (!cmd->error_string)
1133                        check_aliased_update(cmd, &ref_list);
1134        }
1135
1136        string_list_clear(&ref_list, 0);
1137}
1138
1139static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1140{
1141        struct command **cmd_list = cb_data;
1142        struct command *cmd = *cmd_list;
1143
1144        if (!cmd || is_null_sha1(cmd->new_sha1))
1145                return -1; /* end of list */
1146        *cmd_list = NULL; /* this returns only one */
1147        hashcpy(sha1, cmd->new_sha1);
1148        return 0;
1149}
1150
1151static void set_connectivity_errors(struct command *commands,
1152                                    struct shallow_info *si)
1153{
1154        struct command *cmd;
1155
1156        for (cmd = commands; cmd; cmd = cmd->next) {
1157                struct command *singleton = cmd;
1158                if (shallow_update && si->shallow_ref[cmd->index])
1159                        /* to be checked in update_shallow_ref() */
1160                        continue;
1161                if (!check_everything_connected(command_singleton_iterator,
1162                                                0, &singleton))
1163                        continue;
1164                cmd->error_string = "missing necessary objects";
1165        }
1166}
1167
1168struct iterate_data {
1169        struct command *cmds;
1170        struct shallow_info *si;
1171};
1172
1173static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1174{
1175        struct iterate_data *data = cb_data;
1176        struct command **cmd_list = &data->cmds;
1177        struct command *cmd = *cmd_list;
1178
1179        for (; cmd; cmd = cmd->next) {
1180                if (shallow_update && data->si->shallow_ref[cmd->index])
1181                        /* to be checked in update_shallow_ref() */
1182                        continue;
1183                if (!is_null_sha1(cmd->new_sha1) && !cmd->skip_update) {
1184                        hashcpy(sha1, cmd->new_sha1);
1185                        *cmd_list = cmd->next;
1186                        return 0;
1187                }
1188        }
1189        *cmd_list = NULL;
1190        return -1; /* end of list */
1191}
1192
1193static void reject_updates_to_hidden(struct command *commands)
1194{
1195        struct command *cmd;
1196
1197        for (cmd = commands; cmd; cmd = cmd->next) {
1198                if (cmd->error_string || !ref_is_hidden(cmd->ref_name))
1199                        continue;
1200                if (is_null_sha1(cmd->new_sha1))
1201                        cmd->error_string = "deny deleting a hidden ref";
1202                else
1203                        cmd->error_string = "deny updating a hidden ref";
1204        }
1205}
1206
1207static int should_process_cmd(struct command *cmd)
1208{
1209        return !cmd->error_string && !cmd->skip_update;
1210}
1211
1212static void warn_if_skipped_connectivity_check(struct command *commands,
1213                                               struct shallow_info *si)
1214{
1215        struct command *cmd;
1216        int checked_connectivity = 1;
1217
1218        for (cmd = commands; cmd; cmd = cmd->next) {
1219                if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1220                        error("BUG: connectivity check has not been run on ref %s",
1221                              cmd->ref_name);
1222                        checked_connectivity = 0;
1223                }
1224        }
1225        if (!checked_connectivity)
1226                die("BUG: connectivity check skipped???");
1227}
1228
1229static void execute_commands_non_atomic(struct command *commands,
1230                                        struct shallow_info *si)
1231{
1232        struct command *cmd;
1233        struct strbuf err = STRBUF_INIT;
1234
1235        for (cmd = commands; cmd; cmd = cmd->next) {
1236                if (!should_process_cmd(cmd))
1237                        continue;
1238
1239                transaction = ref_transaction_begin(&err);
1240                if (!transaction) {
1241                        rp_error("%s", err.buf);
1242                        strbuf_reset(&err);
1243                        cmd->error_string = "transaction failed to start";
1244                        continue;
1245                }
1246
1247                cmd->error_string = update(cmd, si);
1248
1249                if (!cmd->error_string
1250                    && ref_transaction_commit(transaction, &err)) {
1251                        rp_error("%s", err.buf);
1252                        strbuf_reset(&err);
1253                        cmd->error_string = "failed to update ref";
1254                }
1255                ref_transaction_free(transaction);
1256        }
1257        strbuf_release(&err);
1258}
1259
1260static void execute_commands_atomic(struct command *commands,
1261                                        struct shallow_info *si)
1262{
1263        struct command *cmd;
1264        struct strbuf err = STRBUF_INIT;
1265        const char *reported_error = "atomic push failure";
1266
1267        transaction = ref_transaction_begin(&err);
1268        if (!transaction) {
1269                rp_error("%s", err.buf);
1270                strbuf_reset(&err);
1271                reported_error = "transaction failed to start";
1272                goto failure;
1273        }
1274
1275        for (cmd = commands; cmd; cmd = cmd->next) {
1276                if (!should_process_cmd(cmd))
1277                        continue;
1278
1279                cmd->error_string = update(cmd, si);
1280
1281                if (cmd->error_string)
1282                        goto failure;
1283        }
1284
1285        if (ref_transaction_commit(transaction, &err)) {
1286                rp_error("%s", err.buf);
1287                reported_error = "atomic transaction failed";
1288                goto failure;
1289        }
1290        goto cleanup;
1291
1292failure:
1293        for (cmd = commands; cmd; cmd = cmd->next)
1294                if (!cmd->error_string)
1295                        cmd->error_string = reported_error;
1296
1297cleanup:
1298        ref_transaction_free(transaction);
1299        strbuf_release(&err);
1300}
1301
1302static void execute_commands(struct command *commands,
1303                             const char *unpacker_error,
1304                             struct shallow_info *si)
1305{
1306        struct command *cmd;
1307        unsigned char sha1[20];
1308        struct iterate_data data;
1309
1310        if (unpacker_error) {
1311                for (cmd = commands; cmd; cmd = cmd->next)
1312                        cmd->error_string = "unpacker error";
1313                return;
1314        }
1315
1316        data.cmds = commands;
1317        data.si = si;
1318        if (check_everything_connected(iterate_receive_command_list, 0, &data))
1319                set_connectivity_errors(commands, si);
1320
1321        reject_updates_to_hidden(commands);
1322
1323        if (run_receive_hook(commands, "pre-receive", 0)) {
1324                for (cmd = commands; cmd; cmd = cmd->next) {
1325                        if (!cmd->error_string)
1326                                cmd->error_string = "pre-receive hook declined";
1327                }
1328                return;
1329        }
1330
1331        check_aliased_updates(commands);
1332
1333        free(head_name_to_free);
1334        head_name = head_name_to_free = resolve_refdup("HEAD", 0, sha1, NULL);
1335
1336        if (use_atomic)
1337                execute_commands_atomic(commands, si);
1338        else
1339                execute_commands_non_atomic(commands, si);
1340
1341        if (shallow_update)
1342                warn_if_skipped_connectivity_check(commands, si);
1343}
1344
1345static struct command **queue_command(struct command **tail,
1346                                      const char *line,
1347                                      int linelen)
1348{
1349        unsigned char old_sha1[20], new_sha1[20];
1350        struct command *cmd;
1351        const char *refname;
1352        int reflen;
1353
1354        if (linelen < 83 ||
1355            line[40] != ' ' ||
1356            line[81] != ' ' ||
1357            get_sha1_hex(line, old_sha1) ||
1358            get_sha1_hex(line + 41, new_sha1))
1359                die("protocol error: expected old/new/ref, got '%s'", line);
1360
1361        refname = line + 82;
1362        reflen = linelen - 82;
1363        cmd = xcalloc(1, sizeof(struct command) + reflen + 1);
1364        hashcpy(cmd->old_sha1, old_sha1);
1365        hashcpy(cmd->new_sha1, new_sha1);
1366        memcpy(cmd->ref_name, refname, reflen);
1367        cmd->ref_name[reflen] = '\0';
1368        *tail = cmd;
1369        return &cmd->next;
1370}
1371
1372static void queue_commands_from_cert(struct command **tail,
1373                                     struct strbuf *push_cert)
1374{
1375        const char *boc, *eoc;
1376
1377        if (*tail)
1378                die("protocol error: got both push certificate and unsigned commands");
1379
1380        boc = strstr(push_cert->buf, "\n\n");
1381        if (!boc)
1382                die("malformed push certificate %.*s", 100, push_cert->buf);
1383        else
1384                boc += 2;
1385        eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1386
1387        while (boc < eoc) {
1388                const char *eol = memchr(boc, '\n', eoc - boc);
1389                tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);
1390                boc = eol ? eol + 1 : eoc;
1391        }
1392}
1393
1394static struct command *read_head_info(struct sha1_array *shallow)
1395{
1396        struct command *commands = NULL;
1397        struct command **p = &commands;
1398        for (;;) {
1399                char *line;
1400                int len, linelen;
1401
1402                line = packet_read_line(0, &len);
1403                if (!line)
1404                        break;
1405
1406                if (len == 48 && starts_with(line, "shallow ")) {
1407                        unsigned char sha1[20];
1408                        if (get_sha1_hex(line + 8, sha1))
1409                                die("protocol error: expected shallow sha, got '%s'",
1410                                    line + 8);
1411                        sha1_array_append(shallow, sha1);
1412                        continue;
1413                }
1414
1415                linelen = strlen(line);
1416                if (linelen < len) {
1417                        const char *feature_list = line + linelen + 1;
1418                        if (parse_feature_request(feature_list, "report-status"))
1419                                report_status = 1;
1420                        if (parse_feature_request(feature_list, "side-band-64k"))
1421                                use_sideband = LARGE_PACKET_MAX;
1422                        if (parse_feature_request(feature_list, "quiet"))
1423                                quiet = 1;
1424                        if (advertise_atomic_push
1425                            && parse_feature_request(feature_list, "atomic"))
1426                                use_atomic = 1;
1427                }
1428
1429                if (!strcmp(line, "push-cert")) {
1430                        int true_flush = 0;
1431                        char certbuf[1024];
1432
1433                        for (;;) {
1434                                len = packet_read(0, NULL, NULL,
1435                                                  certbuf, sizeof(certbuf), 0);
1436                                if (!len) {
1437                                        true_flush = 1;
1438                                        break;
1439                                }
1440                                if (!strcmp(certbuf, "push-cert-end\n"))
1441                                        break; /* end of cert */
1442                                strbuf_addstr(&push_cert, certbuf);
1443                        }
1444
1445                        if (true_flush)
1446                                break;
1447                        continue;
1448                }
1449
1450                p = queue_command(p, line, linelen);
1451        }
1452
1453        if (push_cert.len)
1454                queue_commands_from_cert(p, &push_cert);
1455
1456        return commands;
1457}
1458
1459static const char *parse_pack_header(struct pack_header *hdr)
1460{
1461        switch (read_pack_header(0, hdr)) {
1462        case PH_ERROR_EOF:
1463                return "eof before pack header was fully read";
1464
1465        case PH_ERROR_PACK_SIGNATURE:
1466                return "protocol error (pack signature mismatch detected)";
1467
1468        case PH_ERROR_PROTOCOL:
1469                return "protocol error (pack version unsupported)";
1470
1471        default:
1472                return "unknown error in parse_pack_header";
1473
1474        case 0:
1475                return NULL;
1476        }
1477}
1478
1479static const char *pack_lockfile;
1480
1481static const char *unpack(int err_fd, struct shallow_info *si)
1482{
1483        struct pack_header hdr;
1484        const char *hdr_err;
1485        int status;
1486        char hdr_arg[38];
1487        struct child_process child = CHILD_PROCESS_INIT;
1488        int fsck_objects = (receive_fsck_objects >= 0
1489                            ? receive_fsck_objects
1490                            : transfer_fsck_objects >= 0
1491                            ? transfer_fsck_objects
1492                            : 0);
1493
1494        hdr_err = parse_pack_header(&hdr);
1495        if (hdr_err) {
1496                if (err_fd > 0)
1497                        close(err_fd);
1498                return hdr_err;
1499        }
1500        snprintf(hdr_arg, sizeof(hdr_arg),
1501                        "--pack_header=%"PRIu32",%"PRIu32,
1502                        ntohl(hdr.hdr_version), ntohl(hdr.hdr_entries));
1503
1504        if (si->nr_ours || si->nr_theirs) {
1505                alt_shallow_file = setup_temporary_shallow(si->shallow);
1506                argv_array_push(&child.args, "--shallow-file");
1507                argv_array_push(&child.args, alt_shallow_file);
1508        }
1509
1510        if (ntohl(hdr.hdr_entries) < unpack_limit) {
1511                argv_array_pushl(&child.args, "unpack-objects", hdr_arg, NULL);
1512                if (quiet)
1513                        argv_array_push(&child.args, "-q");
1514                if (fsck_objects)
1515                        argv_array_pushf(&child.args, "--strict%s",
1516                                fsck_msg_types.buf);
1517                child.no_stdout = 1;
1518                child.err = err_fd;
1519                child.git_cmd = 1;
1520                status = run_command(&child);
1521                if (status)
1522                        return "unpack-objects abnormal exit";
1523        } else {
1524                int s;
1525                char keep_arg[256];
1526
1527                s = sprintf(keep_arg, "--keep=receive-pack %"PRIuMAX" on ", (uintmax_t) getpid());
1528                if (gethostname(keep_arg + s, sizeof(keep_arg) - s))
1529                        strcpy(keep_arg + s, "localhost");
1530
1531                argv_array_pushl(&child.args, "index-pack",
1532                                 "--stdin", hdr_arg, keep_arg, NULL);
1533                if (fsck_objects)
1534                        argv_array_pushf(&child.args, "--strict%s",
1535                                fsck_msg_types.buf);
1536                if (fix_thin)
1537                        argv_array_push(&child.args, "--fix-thin");
1538                child.out = -1;
1539                child.err = err_fd;
1540                child.git_cmd = 1;
1541                status = start_command(&child);
1542                if (status)
1543                        return "index-pack fork failed";
1544                pack_lockfile = index_pack_lockfile(child.out);
1545                close(child.out);
1546                status = finish_command(&child);
1547                if (status)
1548                        return "index-pack abnormal exit";
1549                reprepare_packed_git();
1550        }
1551        return NULL;
1552}
1553
1554static const char *unpack_with_sideband(struct shallow_info *si)
1555{
1556        struct async muxer;
1557        const char *ret;
1558
1559        if (!use_sideband)
1560                return unpack(0, si);
1561
1562        memset(&muxer, 0, sizeof(muxer));
1563        muxer.proc = copy_to_sideband;
1564        muxer.in = -1;
1565        if (start_async(&muxer))
1566                return NULL;
1567
1568        ret = unpack(muxer.in, si);
1569
1570        finish_async(&muxer);
1571        return ret;
1572}
1573
1574static void prepare_shallow_update(struct command *commands,
1575                                   struct shallow_info *si)
1576{
1577        int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1578
1579        si->used_shallow = xmalloc(sizeof(*si->used_shallow) *
1580                                   si->shallow->nr);
1581        assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1582
1583        si->need_reachability_test =
1584                xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1585        si->reachable =
1586                xcalloc(si->shallow->nr, sizeof(*si->reachable));
1587        si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1588
1589        for (i = 0; i < si->nr_ours; i++)
1590                si->need_reachability_test[si->ours[i]] = 1;
1591
1592        for (i = 0; i < si->shallow->nr; i++) {
1593                if (!si->used_shallow[i])
1594                        continue;
1595                for (j = 0; j < bitmap_size; j++) {
1596                        if (!si->used_shallow[i][j])
1597                                continue;
1598                        si->need_reachability_test[i]++;
1599                        for (k = 0; k < 32; k++)
1600                                if (si->used_shallow[i][j] & (1 << k))
1601                                        si->shallow_ref[j * 32 + k]++;
1602                }
1603
1604                /*
1605                 * true for those associated with some refs and belong
1606                 * in "ours" list aka "step 7 not done yet"
1607                 */
1608                si->need_reachability_test[i] =
1609                        si->need_reachability_test[i] > 1;
1610        }
1611
1612        /*
1613         * keep hooks happy by forcing a temporary shallow file via
1614         * env variable because we can't add --shallow-file to every
1615         * command. check_everything_connected() will be done with
1616         * true .git/shallow though.
1617         */
1618        setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1619}
1620
1621static void update_shallow_info(struct command *commands,
1622                                struct shallow_info *si,
1623                                struct sha1_array *ref)
1624{
1625        struct command *cmd;
1626        int *ref_status;
1627        remove_nonexistent_theirs_shallow(si);
1628        if (!si->nr_ours && !si->nr_theirs) {
1629                shallow_update = 0;
1630                return;
1631        }
1632
1633        for (cmd = commands; cmd; cmd = cmd->next) {
1634                if (is_null_sha1(cmd->new_sha1))
1635                        continue;
1636                sha1_array_append(ref, cmd->new_sha1);
1637                cmd->index = ref->nr - 1;
1638        }
1639        si->ref = ref;
1640
1641        if (shallow_update) {
1642                prepare_shallow_update(commands, si);
1643                return;
1644        }
1645
1646        ref_status = xmalloc(sizeof(*ref_status) * ref->nr);
1647        assign_shallow_commits_to_refs(si, NULL, ref_status);
1648        for (cmd = commands; cmd; cmd = cmd->next) {
1649                if (is_null_sha1(cmd->new_sha1))
1650                        continue;
1651                if (ref_status[cmd->index]) {
1652                        cmd->error_string = "shallow update not allowed";
1653                        cmd->skip_update = 1;
1654                }
1655        }
1656        free(ref_status);
1657}
1658
1659static void report(struct command *commands, const char *unpack_status)
1660{
1661        struct command *cmd;
1662        struct strbuf buf = STRBUF_INIT;
1663
1664        packet_buf_write(&buf, "unpack %s\n",
1665                         unpack_status ? unpack_status : "ok");
1666        for (cmd = commands; cmd; cmd = cmd->next) {
1667                if (!cmd->error_string)
1668                        packet_buf_write(&buf, "ok %s\n",
1669                                         cmd->ref_name);
1670                else
1671                        packet_buf_write(&buf, "ng %s %s\n",
1672                                         cmd->ref_name, cmd->error_string);
1673        }
1674        packet_buf_flush(&buf);
1675
1676        if (use_sideband)
1677                send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1678        else
1679                write_or_die(1, buf.buf, buf.len);
1680        strbuf_release(&buf);
1681}
1682
1683static int delete_only(struct command *commands)
1684{
1685        struct command *cmd;
1686        for (cmd = commands; cmd; cmd = cmd->next) {
1687                if (!is_null_sha1(cmd->new_sha1))
1688                        return 0;
1689        }
1690        return 1;
1691}
1692
1693int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1694{
1695        int advertise_refs = 0;
1696        int i;
1697        struct command *commands;
1698        struct sha1_array shallow = SHA1_ARRAY_INIT;
1699        struct sha1_array ref = SHA1_ARRAY_INIT;
1700        struct shallow_info si;
1701
1702        packet_trace_identity("receive-pack");
1703
1704        argv++;
1705        for (i = 1; i < argc; i++) {
1706                const char *arg = *argv++;
1707
1708                if (*arg == '-') {
1709                        if (!strcmp(arg, "--quiet")) {
1710                                quiet = 1;
1711                                continue;
1712                        }
1713
1714                        if (!strcmp(arg, "--advertise-refs")) {
1715                                advertise_refs = 1;
1716                                continue;
1717                        }
1718                        if (!strcmp(arg, "--stateless-rpc")) {
1719                                stateless_rpc = 1;
1720                                continue;
1721                        }
1722                        if (!strcmp(arg, "--reject-thin-pack-for-testing")) {
1723                                fix_thin = 0;
1724                                continue;
1725                        }
1726
1727                        usage(receive_pack_usage);
1728                }
1729                if (service_dir)
1730                        usage(receive_pack_usage);
1731                service_dir = arg;
1732        }
1733        if (!service_dir)
1734                usage(receive_pack_usage);
1735
1736        setup_path();
1737
1738        if (!enter_repo(service_dir, 0))
1739                die("'%s' does not appear to be a git repository", service_dir);
1740
1741        git_config(receive_pack_config, NULL);
1742        if (cert_nonce_seed)
1743                push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1744
1745        if (0 <= transfer_unpack_limit)
1746                unpack_limit = transfer_unpack_limit;
1747        else if (0 <= receive_unpack_limit)
1748                unpack_limit = receive_unpack_limit;
1749
1750        if (advertise_refs || !stateless_rpc) {
1751                write_head_info();
1752        }
1753        if (advertise_refs)
1754                return 0;
1755
1756        if ((commands = read_head_info(&shallow)) != NULL) {
1757                const char *unpack_status = NULL;
1758
1759                prepare_shallow_info(&si, &shallow);
1760                if (!si.nr_ours && !si.nr_theirs)
1761                        shallow_update = 0;
1762                if (!delete_only(commands)) {
1763                        unpack_status = unpack_with_sideband(&si);
1764                        update_shallow_info(commands, &si, &ref);
1765                }
1766                execute_commands(commands, unpack_status, &si);
1767                if (pack_lockfile)
1768                        unlink_or_warn(pack_lockfile);
1769                if (report_status)
1770                        report(commands, unpack_status);
1771                run_receive_hook(commands, "post-receive", 1);
1772                run_update_post_hook(commands);
1773                if (auto_gc) {
1774                        const char *argv_gc_auto[] = {
1775                                "gc", "--auto", "--quiet", NULL,
1776                        };
1777                        int opt = RUN_GIT_CMD | RUN_COMMAND_STDOUT_TO_STDERR;
1778                        run_command_v_opt(argv_gc_auto, opt);
1779                }
1780                if (auto_update_server_info)
1781                        update_server_info(0);
1782                clear_shallow_info(&si);
1783        }
1784        if (use_sideband)
1785                packet_flush(1);
1786        sha1_array_clear(&shallow);
1787        sha1_array_clear(&ref);
1788        free((void *)push_cert_nonce);
1789        return 0;
1790}