send-pack.con commit Merge branch 'jk/misc-resolve-ref-unsafe-fixes' (a823e3a)
   1#include "builtin.h"
   2#include "config.h"
   3#include "commit.h"
   4#include "refs.h"
   5#include "pkt-line.h"
   6#include "sideband.h"
   7#include "run-command.h"
   8#include "remote.h"
   9#include "connect.h"
  10#include "send-pack.h"
  11#include "quote.h"
  12#include "transport.h"
  13#include "version.h"
  14#include "sha1-array.h"
  15#include "gpg-interface.h"
  16#include "cache.h"
  17
  18int option_parse_push_signed(const struct option *opt,
  19                             const char *arg, int unset)
  20{
  21        if (unset) {
  22                *(int *)(opt->value) = SEND_PACK_PUSH_CERT_NEVER;
  23                return 0;
  24        }
  25        switch (git_parse_maybe_bool(arg)) {
  26        case 1:
  27                *(int *)(opt->value) = SEND_PACK_PUSH_CERT_ALWAYS;
  28                return 0;
  29        case 0:
  30                *(int *)(opt->value) = SEND_PACK_PUSH_CERT_NEVER;
  31                return 0;
  32        }
  33        if (!strcasecmp("if-asked", arg)) {
  34                *(int *)(opt->value) = SEND_PACK_PUSH_CERT_IF_ASKED;
  35                return 0;
  36        }
  37        die("bad %s argument: %s", opt->long_name, arg);
  38}
  39
  40static void feed_object(const unsigned char *sha1, FILE *fh, int negative)
  41{
  42        if (negative && !has_sha1_file(sha1))
  43                return;
  44
  45        if (negative)
  46                putc('^', fh);
  47        fputs(sha1_to_hex(sha1), fh);
  48        putc('\n', fh);
  49}
  50
  51/*
  52 * Make a pack stream and spit it out into file descriptor fd
  53 */
  54static int pack_objects(int fd, struct ref *refs, struct oid_array *extra, struct send_pack_args *args)
  55{
  56        /*
  57         * The child becomes pack-objects --revs; we feed
  58         * the revision parameters to it via its stdin and
  59         * let its stdout go back to the other end.
  60         */
  61        const char *argv[] = {
  62                "pack-objects",
  63                "--all-progress-implied",
  64                "--revs",
  65                "--stdout",
  66                NULL,
  67                NULL,
  68                NULL,
  69                NULL,
  70                NULL,
  71                NULL,
  72        };
  73        struct child_process po = CHILD_PROCESS_INIT;
  74        FILE *po_in;
  75        int i;
  76        int rc;
  77
  78        i = 4;
  79        if (args->use_thin_pack)
  80                argv[i++] = "--thin";
  81        if (args->use_ofs_delta)
  82                argv[i++] = "--delta-base-offset";
  83        if (args->quiet || !args->progress)
  84                argv[i++] = "-q";
  85        if (args->progress)
  86                argv[i++] = "--progress";
  87        if (is_repository_shallow())
  88                argv[i++] = "--shallow";
  89        po.argv = argv;
  90        po.in = -1;
  91        po.out = args->stateless_rpc ? -1 : fd;
  92        po.git_cmd = 1;
  93        if (start_command(&po))
  94                die_errno("git pack-objects failed");
  95
  96        /*
  97         * We feed the pack-objects we just spawned with revision
  98         * parameters by writing to the pipe.
  99         */
 100        po_in = xfdopen(po.in, "w");
 101        for (i = 0; i < extra->nr; i++)
 102                feed_object(extra->oid[i].hash, po_in, 1);
 103
 104        while (refs) {
 105                if (!is_null_oid(&refs->old_oid))
 106                        feed_object(refs->old_oid.hash, po_in, 1);
 107                if (!is_null_oid(&refs->new_oid))
 108                        feed_object(refs->new_oid.hash, po_in, 0);
 109                refs = refs->next;
 110        }
 111
 112        fflush(po_in);
 113        if (ferror(po_in))
 114                die_errno("error writing to pack-objects");
 115        fclose(po_in);
 116
 117        if (args->stateless_rpc) {
 118                char *buf = xmalloc(LARGE_PACKET_MAX);
 119                while (1) {
 120                        ssize_t n = xread(po.out, buf, LARGE_PACKET_MAX);
 121                        if (n <= 0)
 122                                break;
 123                        send_sideband(fd, -1, buf, n, LARGE_PACKET_MAX);
 124                }
 125                free(buf);
 126                close(po.out);
 127                po.out = -1;
 128        }
 129
 130        rc = finish_command(&po);
 131        if (rc) {
 132                /*
 133                 * For a normal non-zero exit, we assume pack-objects wrote
 134                 * something useful to stderr. For death by signal, though,
 135                 * we should mention it to the user. The exception is SIGPIPE
 136                 * (141), because that's a normal occurrence if the remote end
 137                 * hangs up (and we'll report that by trying to read the unpack
 138                 * status).
 139                 */
 140                if (rc > 128 && rc != 141)
 141                        error("pack-objects died of signal %d", rc - 128);
 142                return -1;
 143        }
 144        return 0;
 145}
 146
 147static int receive_unpack_status(int in)
 148{
 149        const char *line = packet_read_line(in, NULL);
 150        if (!skip_prefix(line, "unpack ", &line))
 151                return error(_("unable to parse remote unpack status: %s"), line);
 152        if (strcmp(line, "ok"))
 153                return error(_("remote unpack failed: %s"), line);
 154        return 0;
 155}
 156
 157static int receive_status(int in, struct ref *refs)
 158{
 159        struct ref *hint;
 160        int ret;
 161
 162        hint = NULL;
 163        ret = receive_unpack_status(in);
 164        while (1) {
 165                char *refname;
 166                char *msg;
 167                char *line = packet_read_line(in, NULL);
 168                if (!line)
 169                        break;
 170                if (!starts_with(line, "ok ") && !starts_with(line, "ng ")) {
 171                        error("invalid ref status from remote: %s", line);
 172                        ret = -1;
 173                        break;
 174                }
 175
 176                refname = line + 3;
 177                msg = strchr(refname, ' ');
 178                if (msg)
 179                        *msg++ = '\0';
 180
 181                /* first try searching at our hint, falling back to all refs */
 182                if (hint)
 183                        hint = find_ref_by_name(hint, refname);
 184                if (!hint)
 185                        hint = find_ref_by_name(refs, refname);
 186                if (!hint) {
 187                        warning("remote reported status on unknown ref: %s",
 188                                        refname);
 189                        continue;
 190                }
 191                if (hint->status != REF_STATUS_EXPECTING_REPORT) {
 192                        warning("remote reported status on unexpected ref: %s",
 193                                        refname);
 194                        continue;
 195                }
 196
 197                if (line[0] == 'o' && line[1] == 'k')
 198                        hint->status = REF_STATUS_OK;
 199                else {
 200                        hint->status = REF_STATUS_REMOTE_REJECT;
 201                        ret = -1;
 202                }
 203                hint->remote_status = xstrdup_or_null(msg);
 204                /* start our next search from the next ref */
 205                hint = hint->next;
 206        }
 207        return ret;
 208}
 209
 210static int sideband_demux(int in, int out, void *data)
 211{
 212        int *fd = data, ret;
 213#ifdef NO_PTHREADS
 214        close(fd[1]);
 215#endif
 216        ret = recv_sideband("send-pack", fd[0], out);
 217        close(out);
 218        return ret;
 219}
 220
 221static int advertise_shallow_grafts_cb(const struct commit_graft *graft, void *cb)
 222{
 223        struct strbuf *sb = cb;
 224        if (graft->nr_parent == -1)
 225                packet_buf_write(sb, "shallow %s\n", oid_to_hex(&graft->oid));
 226        return 0;
 227}
 228
 229static void advertise_shallow_grafts_buf(struct strbuf *sb)
 230{
 231        if (!is_repository_shallow())
 232                return;
 233        for_each_commit_graft(advertise_shallow_grafts_cb, sb);
 234}
 235
 236#define CHECK_REF_NO_PUSH -1
 237#define CHECK_REF_STATUS_REJECTED -2
 238#define CHECK_REF_UPTODATE -3
 239static int check_to_send_update(const struct ref *ref, const struct send_pack_args *args)
 240{
 241        if (!ref->peer_ref && !args->send_mirror)
 242                return CHECK_REF_NO_PUSH;
 243
 244        /* Check for statuses set by set_ref_status_for_push() */
 245        switch (ref->status) {
 246        case REF_STATUS_REJECT_NONFASTFORWARD:
 247        case REF_STATUS_REJECT_ALREADY_EXISTS:
 248        case REF_STATUS_REJECT_FETCH_FIRST:
 249        case REF_STATUS_REJECT_NEEDS_FORCE:
 250        case REF_STATUS_REJECT_STALE:
 251        case REF_STATUS_REJECT_NODELETE:
 252                return CHECK_REF_STATUS_REJECTED;
 253        case REF_STATUS_UPTODATE:
 254                return CHECK_REF_UPTODATE;
 255        default:
 256                return 0;
 257        }
 258}
 259
 260/*
 261 * the beginning of the next line, or the end of buffer.
 262 *
 263 * NEEDSWORK: perhaps move this to git-compat-util.h or somewhere and
 264 * convert many similar uses found by "git grep -A4 memchr".
 265 */
 266static const char *next_line(const char *line, size_t len)
 267{
 268        const char *nl = memchr(line, '\n', len);
 269        if (!nl)
 270                return line + len; /* incomplete line */
 271        return nl + 1;
 272}
 273
 274static int generate_push_cert(struct strbuf *req_buf,
 275                              const struct ref *remote_refs,
 276                              struct send_pack_args *args,
 277                              const char *cap_string,
 278                              const char *push_cert_nonce)
 279{
 280        const struct ref *ref;
 281        struct string_list_item *item;
 282        char *signing_key = xstrdup(get_signing_key());
 283        const char *cp, *np;
 284        struct strbuf cert = STRBUF_INIT;
 285        int update_seen = 0;
 286
 287        strbuf_addstr(&cert, "certificate version 0.1\n");
 288        strbuf_addf(&cert, "pusher %s ", signing_key);
 289        datestamp(&cert);
 290        strbuf_addch(&cert, '\n');
 291        if (args->url && *args->url) {
 292                char *anon_url = transport_anonymize_url(args->url);
 293                strbuf_addf(&cert, "pushee %s\n", anon_url);
 294                free(anon_url);
 295        }
 296        if (push_cert_nonce[0])
 297                strbuf_addf(&cert, "nonce %s\n", push_cert_nonce);
 298        if (args->push_options)
 299                for_each_string_list_item(item, args->push_options)
 300                        strbuf_addf(&cert, "push-option %s\n", item->string);
 301        strbuf_addstr(&cert, "\n");
 302
 303        for (ref = remote_refs; ref; ref = ref->next) {
 304                if (check_to_send_update(ref, args) < 0)
 305                        continue;
 306                update_seen = 1;
 307                strbuf_addf(&cert, "%s %s %s\n",
 308                            oid_to_hex(&ref->old_oid),
 309                            oid_to_hex(&ref->new_oid),
 310                            ref->name);
 311        }
 312        if (!update_seen)
 313                goto free_return;
 314
 315        if (sign_buffer(&cert, &cert, signing_key))
 316                die(_("failed to sign the push certificate"));
 317
 318        packet_buf_write(req_buf, "push-cert%c%s", 0, cap_string);
 319        for (cp = cert.buf; cp < cert.buf + cert.len; cp = np) {
 320                np = next_line(cp, cert.buf + cert.len - cp);
 321                packet_buf_write(req_buf,
 322                                 "%.*s", (int)(np - cp), cp);
 323        }
 324        packet_buf_write(req_buf, "push-cert-end\n");
 325
 326free_return:
 327        free(signing_key);
 328        strbuf_release(&cert);
 329        return update_seen;
 330}
 331
 332
 333static int atomic_push_failure(struct send_pack_args *args,
 334                               struct ref *remote_refs,
 335                               struct ref *failing_ref)
 336{
 337        struct ref *ref;
 338        /* Mark other refs as failed */
 339        for (ref = remote_refs; ref; ref = ref->next) {
 340                if (!ref->peer_ref && !args->send_mirror)
 341                        continue;
 342
 343                switch (ref->status) {
 344                case REF_STATUS_EXPECTING_REPORT:
 345                        ref->status = REF_STATUS_ATOMIC_PUSH_FAILED;
 346                        continue;
 347                default:
 348                        break; /* do nothing */
 349                }
 350        }
 351        return error("atomic push failed for ref %s. status: %d\n",
 352                     failing_ref->name, failing_ref->status);
 353}
 354
 355#define NONCE_LEN_LIMIT 256
 356
 357static void reject_invalid_nonce(const char *nonce, int len)
 358{
 359        int i = 0;
 360
 361        if (NONCE_LEN_LIMIT <= len)
 362                die("the receiving end asked to sign an invalid nonce <%.*s>",
 363                    len, nonce);
 364
 365        for (i = 0; i < len; i++) {
 366                int ch = nonce[i] & 0xFF;
 367                if (isalnum(ch) ||
 368                    ch == '-' || ch == '.' ||
 369                    ch == '/' || ch == '+' ||
 370                    ch == '=' || ch == '_')
 371                        continue;
 372                die("the receiving end asked to sign an invalid nonce <%.*s>",
 373                    len, nonce);
 374        }
 375}
 376
 377int send_pack(struct send_pack_args *args,
 378              int fd[], struct child_process *conn,
 379              struct ref *remote_refs,
 380              struct oid_array *extra_have)
 381{
 382        int in = fd[0];
 383        int out = fd[1];
 384        struct strbuf req_buf = STRBUF_INIT;
 385        struct strbuf cap_buf = STRBUF_INIT;
 386        struct ref *ref;
 387        int need_pack_data = 0;
 388        int allow_deleting_refs = 0;
 389        int status_report = 0;
 390        int use_sideband = 0;
 391        int quiet_supported = 0;
 392        int agent_supported = 0;
 393        int use_atomic = 0;
 394        int atomic_supported = 0;
 395        int use_push_options = 0;
 396        int push_options_supported = 0;
 397        unsigned cmds_sent = 0;
 398        int ret;
 399        struct async demux;
 400        const char *push_cert_nonce = NULL;
 401
 402        /* Does the other end support the reporting? */
 403        if (server_supports("report-status"))
 404                status_report = 1;
 405        if (server_supports("delete-refs"))
 406                allow_deleting_refs = 1;
 407        if (server_supports("ofs-delta"))
 408                args->use_ofs_delta = 1;
 409        if (server_supports("side-band-64k"))
 410                use_sideband = 1;
 411        if (server_supports("quiet"))
 412                quiet_supported = 1;
 413        if (server_supports("agent"))
 414                agent_supported = 1;
 415        if (server_supports("no-thin"))
 416                args->use_thin_pack = 0;
 417        if (server_supports("atomic"))
 418                atomic_supported = 1;
 419        if (server_supports("push-options"))
 420                push_options_supported = 1;
 421
 422        if (args->push_cert != SEND_PACK_PUSH_CERT_NEVER) {
 423                int len;
 424                push_cert_nonce = server_feature_value("push-cert", &len);
 425                if (push_cert_nonce) {
 426                        reject_invalid_nonce(push_cert_nonce, len);
 427                        push_cert_nonce = xmemdupz(push_cert_nonce, len);
 428                } else if (args->push_cert == SEND_PACK_PUSH_CERT_ALWAYS) {
 429                        die(_("the receiving end does not support --signed push"));
 430                } else if (args->push_cert == SEND_PACK_PUSH_CERT_IF_ASKED) {
 431                        warning(_("not sending a push certificate since the"
 432                                  " receiving end does not support --signed"
 433                                  " push"));
 434                }
 435        }
 436
 437        if (!remote_refs) {
 438                fprintf(stderr, "No refs in common and none specified; doing nothing.\n"
 439                        "Perhaps you should specify a branch such as 'master'.\n");
 440                return 0;
 441        }
 442        if (args->atomic && !atomic_supported)
 443                die(_("the receiving end does not support --atomic push"));
 444
 445        use_atomic = atomic_supported && args->atomic;
 446
 447        if (args->push_options && !push_options_supported)
 448                die(_("the receiving end does not support push options"));
 449
 450        use_push_options = push_options_supported && args->push_options;
 451
 452        if (status_report)
 453                strbuf_addstr(&cap_buf, " report-status");
 454        if (use_sideband)
 455                strbuf_addstr(&cap_buf, " side-band-64k");
 456        if (quiet_supported && (args->quiet || !args->progress))
 457                strbuf_addstr(&cap_buf, " quiet");
 458        if (use_atomic)
 459                strbuf_addstr(&cap_buf, " atomic");
 460        if (use_push_options)
 461                strbuf_addstr(&cap_buf, " push-options");
 462        if (agent_supported)
 463                strbuf_addf(&cap_buf, " agent=%s", git_user_agent_sanitized());
 464
 465        /*
 466         * NEEDSWORK: why does delete-refs have to be so specific to
 467         * send-pack machinery that set_ref_status_for_push() cannot
 468         * set this bit for us???
 469         */
 470        for (ref = remote_refs; ref; ref = ref->next)
 471                if (ref->deletion && !allow_deleting_refs)
 472                        ref->status = REF_STATUS_REJECT_NODELETE;
 473
 474        if (!args->dry_run)
 475                advertise_shallow_grafts_buf(&req_buf);
 476
 477        if (!args->dry_run && push_cert_nonce)
 478                cmds_sent = generate_push_cert(&req_buf, remote_refs, args,
 479                                               cap_buf.buf, push_cert_nonce);
 480
 481        /*
 482         * Clear the status for each ref and see if we need to send
 483         * the pack data.
 484         */
 485        for (ref = remote_refs; ref; ref = ref->next) {
 486                switch (check_to_send_update(ref, args)) {
 487                case 0: /* no error */
 488                        break;
 489                case CHECK_REF_STATUS_REJECTED:
 490                        /*
 491                         * When we know the server would reject a ref update if
 492                         * we were to send it and we're trying to send the refs
 493                         * atomically, abort the whole operation.
 494                         */
 495                        if (use_atomic) {
 496                                strbuf_release(&req_buf);
 497                                strbuf_release(&cap_buf);
 498                                return atomic_push_failure(args, remote_refs, ref);
 499                        }
 500                        /* else fallthrough */
 501                default:
 502                        continue;
 503                }
 504                if (!ref->deletion)
 505                        need_pack_data = 1;
 506
 507                if (args->dry_run || !status_report)
 508                        ref->status = REF_STATUS_OK;
 509                else
 510                        ref->status = REF_STATUS_EXPECTING_REPORT;
 511        }
 512
 513        /*
 514         * Finally, tell the other end!
 515         */
 516        for (ref = remote_refs; ref; ref = ref->next) {
 517                char *old_hex, *new_hex;
 518
 519                if (args->dry_run || push_cert_nonce)
 520                        continue;
 521
 522                if (check_to_send_update(ref, args) < 0)
 523                        continue;
 524
 525                old_hex = oid_to_hex(&ref->old_oid);
 526                new_hex = oid_to_hex(&ref->new_oid);
 527                if (!cmds_sent) {
 528                        packet_buf_write(&req_buf,
 529                                         "%s %s %s%c%s",
 530                                         old_hex, new_hex, ref->name, 0,
 531                                         cap_buf.buf);
 532                        cmds_sent = 1;
 533                } else {
 534                        packet_buf_write(&req_buf, "%s %s %s",
 535                                         old_hex, new_hex, ref->name);
 536                }
 537        }
 538
 539        if (use_push_options) {
 540                struct string_list_item *item;
 541
 542                packet_buf_flush(&req_buf);
 543                for_each_string_list_item(item, args->push_options)
 544                        packet_buf_write(&req_buf, "%s", item->string);
 545        }
 546
 547        if (args->stateless_rpc) {
 548                if (!args->dry_run && (cmds_sent || is_repository_shallow())) {
 549                        packet_buf_flush(&req_buf);
 550                        send_sideband(out, -1, req_buf.buf, req_buf.len, LARGE_PACKET_MAX);
 551                }
 552        } else {
 553                write_or_die(out, req_buf.buf, req_buf.len);
 554                packet_flush(out);
 555        }
 556        strbuf_release(&req_buf);
 557        strbuf_release(&cap_buf);
 558
 559        if (use_sideband && cmds_sent) {
 560                memset(&demux, 0, sizeof(demux));
 561                demux.proc = sideband_demux;
 562                demux.data = fd;
 563                demux.out = -1;
 564                demux.isolate_sigpipe = 1;
 565                if (start_async(&demux))
 566                        die("send-pack: unable to fork off sideband demultiplexer");
 567                in = demux.out;
 568        }
 569
 570        if (need_pack_data && cmds_sent) {
 571                if (pack_objects(out, remote_refs, extra_have, args) < 0) {
 572                        for (ref = remote_refs; ref; ref = ref->next)
 573                                ref->status = REF_STATUS_NONE;
 574                        if (args->stateless_rpc)
 575                                close(out);
 576                        if (git_connection_is_socket(conn))
 577                                shutdown(fd[0], SHUT_WR);
 578
 579                        /*
 580                         * Do not even bother with the return value; we know we
 581                         * are failing, and just want the error() side effects.
 582                         */
 583                        if (status_report)
 584                                receive_unpack_status(in);
 585
 586                        if (use_sideband) {
 587                                close(demux.out);
 588                                finish_async(&demux);
 589                        }
 590                        fd[1] = -1;
 591                        return -1;
 592                }
 593                if (!args->stateless_rpc)
 594                        /* Closed by pack_objects() via start_command() */
 595                        fd[1] = -1;
 596        }
 597        if (args->stateless_rpc && cmds_sent)
 598                packet_flush(out);
 599
 600        if (status_report && cmds_sent)
 601                ret = receive_status(in, remote_refs);
 602        else
 603                ret = 0;
 604        if (args->stateless_rpc)
 605                packet_flush(out);
 606
 607        if (use_sideband && cmds_sent) {
 608                close(demux.out);
 609                if (finish_async(&demux)) {
 610                        error("error in sideband demultiplexer");
 611                        ret = -1;
 612                }
 613        }
 614
 615        if (ret < 0)
 616                return ret;
 617
 618        if (args->porcelain)
 619                return 0;
 620
 621        for (ref = remote_refs; ref; ref = ref->next) {
 622                switch (ref->status) {
 623                case REF_STATUS_NONE:
 624                case REF_STATUS_UPTODATE:
 625                case REF_STATUS_OK:
 626                        break;
 627                default:
 628                        return -1;
 629                }
 630        }
 631        return 0;
 632}