builtin / receive-pack.con commit t9003: become resilient to GETTEXT_POISON (f9b3242)
   1#include "builtin.h"
   2#include "lockfile.h"
   3#include "pack.h"
   4#include "refs.h"
   5#include "pkt-line.h"
   6#include "sideband.h"
   7#include "run-command.h"
   8#include "exec_cmd.h"
   9#include "commit.h"
  10#include "object.h"
  11#include "remote.h"
  12#include "connect.h"
  13#include "transport.h"
  14#include "string-list.h"
  15#include "sha1-array.h"
  16#include "connected.h"
  17#include "argv-array.h"
  18#include "version.h"
  19#include "tag.h"
  20#include "gpg-interface.h"
  21#include "sigchain.h"
  22#include "fsck.h"
  23
  24static const char * const receive_pack_usage[] = {
  25        N_("git receive-pack <git-dir>"),
  26        NULL
  27};
  28
  29enum deny_action {
  30        DENY_UNCONFIGURED,
  31        DENY_IGNORE,
  32        DENY_WARN,
  33        DENY_REFUSE,
  34        DENY_UPDATE_INSTEAD
  35};
  36
  37static int deny_deletes;
  38static int deny_non_fast_forwards;
  39static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
  40static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
  41static int receive_fsck_objects = -1;
  42static int transfer_fsck_objects = -1;
  43static struct strbuf fsck_msg_types = STRBUF_INIT;
  44static int receive_unpack_limit = -1;
  45static int transfer_unpack_limit = -1;
  46static int advertise_atomic_push = 1;
  47static int unpack_limit = 100;
  48static int report_status;
  49static int use_sideband;
  50static int use_atomic;
  51static int quiet;
  52static int prefer_ofs_delta = 1;
  53static int auto_update_server_info;
  54static int auto_gc = 1;
  55static int reject_thin;
  56static int stateless_rpc;
  57static const char *service_dir;
  58static const char *head_name;
  59static void *head_name_to_free;
  60static int sent_capabilities;
  61static int shallow_update;
  62static const char *alt_shallow_file;
  63static struct strbuf push_cert = STRBUF_INIT;
  64static unsigned char push_cert_sha1[20];
  65static struct signature_check sigcheck;
  66static const char *push_cert_nonce;
  67static const char *cert_nonce_seed;
  68
  69static const char *NONCE_UNSOLICITED = "UNSOLICITED";
  70static const char *NONCE_BAD = "BAD";
  71static const char *NONCE_MISSING = "MISSING";
  72static const char *NONCE_OK = "OK";
  73static const char *NONCE_SLOP = "SLOP";
  74static const char *nonce_status;
  75static long nonce_stamp_slop;
  76static unsigned long nonce_stamp_slop_limit;
  77static struct ref_transaction *transaction;
  78
  79static enum deny_action parse_deny_action(const char *var, const char *value)
  80{
  81        if (value) {
  82                if (!strcasecmp(value, "ignore"))
  83                        return DENY_IGNORE;
  84                if (!strcasecmp(value, "warn"))
  85                        return DENY_WARN;
  86                if (!strcasecmp(value, "refuse"))
  87                        return DENY_REFUSE;
  88                if (!strcasecmp(value, "updateinstead"))
  89                        return DENY_UPDATE_INSTEAD;
  90        }
  91        if (git_config_bool(var, value))
  92                return DENY_REFUSE;
  93        return DENY_IGNORE;
  94}
  95
  96static int receive_pack_config(const char *var, const char *value, void *cb)
  97{
  98        int status = parse_hide_refs_config(var, value, "receive");
  99
 100        if (status)
 101                return status;
 102
 103        if (strcmp(var, "receive.denydeletes") == 0) {
 104                deny_deletes = git_config_bool(var, value);
 105                return 0;
 106        }
 107
 108        if (strcmp(var, "receive.denynonfastforwards") == 0) {
 109                deny_non_fast_forwards = git_config_bool(var, value);
 110                return 0;
 111        }
 112
 113        if (strcmp(var, "receive.unpacklimit") == 0) {
 114                receive_unpack_limit = git_config_int(var, value);
 115                return 0;
 116        }
 117
 118        if (strcmp(var, "transfer.unpacklimit") == 0) {
 119                transfer_unpack_limit = git_config_int(var, value);
 120                return 0;
 121        }
 122
 123        if (strcmp(var, "receive.fsck.skiplist") == 0) {
 124                const char *path;
 125
 126                if (git_config_pathname(&path, var, value))
 127                        return 1;
 128                strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
 129                        fsck_msg_types.len ? ',' : '=', path);
 130                free((char *)path);
 131                return 0;
 132        }
 133
 134        if (skip_prefix(var, "receive.fsck.", &var)) {
 135                if (is_valid_msg_type(var, value))
 136                        strbuf_addf(&fsck_msg_types, "%c%s=%s",
 137                                fsck_msg_types.len ? ',' : '=', var, value);
 138                else
 139                        warning("Skipping unknown msg id '%s'", var);
 140                return 0;
 141        }
 142
 143        if (strcmp(var, "receive.fsckobjects") == 0) {
 144                receive_fsck_objects = git_config_bool(var, value);
 145                return 0;
 146        }
 147
 148        if (strcmp(var, "transfer.fsckobjects") == 0) {
 149                transfer_fsck_objects = git_config_bool(var, value);
 150                return 0;
 151        }
 152
 153        if (!strcmp(var, "receive.denycurrentbranch")) {
 154                deny_current_branch = parse_deny_action(var, value);
 155                return 0;
 156        }
 157
 158        if (strcmp(var, "receive.denydeletecurrent") == 0) {
 159                deny_delete_current = parse_deny_action(var, value);
 160                return 0;
 161        }
 162
 163        if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
 164                prefer_ofs_delta = git_config_bool(var, value);
 165                return 0;
 166        }
 167
 168        if (strcmp(var, "receive.updateserverinfo") == 0) {
 169                auto_update_server_info = git_config_bool(var, value);
 170                return 0;
 171        }
 172
 173        if (strcmp(var, "receive.autogc") == 0) {
 174                auto_gc = git_config_bool(var, value);
 175                return 0;
 176        }
 177
 178        if (strcmp(var, "receive.shallowupdate") == 0) {
 179                shallow_update = git_config_bool(var, value);
 180                return 0;
 181        }
 182
 183        if (strcmp(var, "receive.certnonceseed") == 0)
 184                return git_config_string(&cert_nonce_seed, var, value);
 185
 186        if (strcmp(var, "receive.certnonceslop") == 0) {
 187                nonce_stamp_slop_limit = git_config_ulong(var, value);
 188                return 0;
 189        }
 190
 191        if (strcmp(var, "receive.advertiseatomic") == 0) {
 192                advertise_atomic_push = git_config_bool(var, value);
 193                return 0;
 194        }
 195
 196        return git_default_config(var, value, cb);
 197}
 198
 199static void show_ref(const char *path, const unsigned char *sha1)
 200{
 201        if (sent_capabilities) {
 202                packet_write(1, "%s %s\n", sha1_to_hex(sha1), path);
 203        } else {
 204                struct strbuf cap = STRBUF_INIT;
 205
 206                strbuf_addstr(&cap,
 207                              "report-status delete-refs side-band-64k quiet");
 208                if (advertise_atomic_push)
 209                        strbuf_addstr(&cap, " atomic");
 210                if (prefer_ofs_delta)
 211                        strbuf_addstr(&cap, " ofs-delta");
 212                if (push_cert_nonce)
 213                        strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
 214                strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
 215                packet_write(1, "%s %s%c%s\n",
 216                             sha1_to_hex(sha1), path, 0, cap.buf);
 217                strbuf_release(&cap);
 218                sent_capabilities = 1;
 219        }
 220}
 221
 222static int show_ref_cb(const char *path_full, const struct object_id *oid,
 223                       int flag, void *unused)
 224{
 225        const char *path = strip_namespace(path_full);
 226
 227        if (ref_is_hidden(path, path_full))
 228                return 0;
 229
 230        /*
 231         * Advertise refs outside our current namespace as ".have"
 232         * refs, so that the client can use them to minimize data
 233         * transfer but will otherwise ignore them. This happens to
 234         * cover ".have" that are thrown in by add_one_alternate_ref()
 235         * to mark histories that are complete in our alternates as
 236         * well.
 237         */
 238        if (!path)
 239                path = ".have";
 240        show_ref(path, oid->hash);
 241        return 0;
 242}
 243
 244static void show_one_alternate_sha1(const unsigned char sha1[20], void *unused)
 245{
 246        show_ref(".have", sha1);
 247}
 248
 249static void collect_one_alternate_ref(const struct ref *ref, void *data)
 250{
 251        struct sha1_array *sa = data;
 252        sha1_array_append(sa, ref->old_oid.hash);
 253}
 254
 255static void write_head_info(void)
 256{
 257        struct sha1_array sa = SHA1_ARRAY_INIT;
 258
 259        for_each_alternate_ref(collect_one_alternate_ref, &sa);
 260        sha1_array_for_each_unique(&sa, show_one_alternate_sha1, NULL);
 261        sha1_array_clear(&sa);
 262        for_each_ref(show_ref_cb, NULL);
 263        if (!sent_capabilities)
 264                show_ref("capabilities^{}", null_sha1);
 265
 266        advertise_shallow_grafts(1);
 267
 268        /* EOF */
 269        packet_flush(1);
 270}
 271
 272struct command {
 273        struct command *next;
 274        const char *error_string;
 275        unsigned int skip_update:1,
 276                     did_not_exist:1;
 277        int index;
 278        unsigned char old_sha1[20];
 279        unsigned char new_sha1[20];
 280        char ref_name[FLEX_ARRAY]; /* more */
 281};
 282
 283static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
 284static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
 285
 286static void report_message(const char *prefix, const char *err, va_list params)
 287{
 288        int sz;
 289        char msg[4096];
 290
 291        sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
 292        sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
 293        if (sz > (sizeof(msg) - 1))
 294                sz = sizeof(msg) - 1;
 295        msg[sz++] = '\n';
 296
 297        if (use_sideband)
 298                send_sideband(1, 2, msg, sz, use_sideband);
 299        else
 300                xwrite(2, msg, sz);
 301}
 302
 303static void rp_warning(const char *err, ...)
 304{
 305        va_list params;
 306        va_start(params, err);
 307        report_message("warning: ", err, params);
 308        va_end(params);
 309}
 310
 311static void rp_error(const char *err, ...)
 312{
 313        va_list params;
 314        va_start(params, err);
 315        report_message("error: ", err, params);
 316        va_end(params);
 317}
 318
 319static int copy_to_sideband(int in, int out, void *arg)
 320{
 321        char data[128];
 322        while (1) {
 323                ssize_t sz = xread(in, data, sizeof(data));
 324                if (sz <= 0)
 325                        break;
 326                send_sideband(1, 2, data, sz, use_sideband);
 327        }
 328        close(in);
 329        return 0;
 330}
 331
 332#define HMAC_BLOCK_SIZE 64
 333
 334static void hmac_sha1(unsigned char *out,
 335                      const char *key_in, size_t key_len,
 336                      const char *text, size_t text_len)
 337{
 338        unsigned char key[HMAC_BLOCK_SIZE];
 339        unsigned char k_ipad[HMAC_BLOCK_SIZE];
 340        unsigned char k_opad[HMAC_BLOCK_SIZE];
 341        int i;
 342        git_SHA_CTX ctx;
 343
 344        /* RFC 2104 2. (1) */
 345        memset(key, '\0', HMAC_BLOCK_SIZE);
 346        if (HMAC_BLOCK_SIZE < key_len) {
 347                git_SHA1_Init(&ctx);
 348                git_SHA1_Update(&ctx, key_in, key_len);
 349                git_SHA1_Final(key, &ctx);
 350        } else {
 351                memcpy(key, key_in, key_len);
 352        }
 353
 354        /* RFC 2104 2. (2) & (5) */
 355        for (i = 0; i < sizeof(key); i++) {
 356                k_ipad[i] = key[i] ^ 0x36;
 357                k_opad[i] = key[i] ^ 0x5c;
 358        }
 359
 360        /* RFC 2104 2. (3) & (4) */
 361        git_SHA1_Init(&ctx);
 362        git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
 363        git_SHA1_Update(&ctx, text, text_len);
 364        git_SHA1_Final(out, &ctx);
 365
 366        /* RFC 2104 2. (6) & (7) */
 367        git_SHA1_Init(&ctx);
 368        git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
 369        git_SHA1_Update(&ctx, out, 20);
 370        git_SHA1_Final(out, &ctx);
 371}
 372
 373static char *prepare_push_cert_nonce(const char *path, unsigned long stamp)
 374{
 375        struct strbuf buf = STRBUF_INIT;
 376        unsigned char sha1[20];
 377
 378        strbuf_addf(&buf, "%s:%lu", path, stamp);
 379        hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
 380        strbuf_release(&buf);
 381
 382        /* RFC 2104 5. HMAC-SHA1-80 */
 383        strbuf_addf(&buf, "%lu-%.*s", stamp, 20, sha1_to_hex(sha1));
 384        return strbuf_detach(&buf, NULL);
 385}
 386
 387/*
 388 * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
 389 * after dropping "_commit" from its name and possibly moving it out
 390 * of commit.c
 391 */
 392static char *find_header(const char *msg, size_t len, const char *key)
 393{
 394        int key_len = strlen(key);
 395        const char *line = msg;
 396
 397        while (line && line < msg + len) {
 398                const char *eol = strchrnul(line, '\n');
 399
 400                if ((msg + len <= eol) || line == eol)
 401                        return NULL;
 402                if (line + key_len < eol &&
 403                    !memcmp(line, key, key_len) && line[key_len] == ' ') {
 404                        int offset = key_len + 1;
 405                        return xmemdupz(line + offset, (eol - line) - offset);
 406                }
 407                line = *eol ? eol + 1 : NULL;
 408        }
 409        return NULL;
 410}
 411
 412static const char *check_nonce(const char *buf, size_t len)
 413{
 414        char *nonce = find_header(buf, len, "nonce");
 415        unsigned long stamp, ostamp;
 416        char *bohmac, *expect = NULL;
 417        const char *retval = NONCE_BAD;
 418
 419        if (!nonce) {
 420                retval = NONCE_MISSING;
 421                goto leave;
 422        } else if (!push_cert_nonce) {
 423                retval = NONCE_UNSOLICITED;
 424                goto leave;
 425        } else if (!strcmp(push_cert_nonce, nonce)) {
 426                retval = NONCE_OK;
 427                goto leave;
 428        }
 429
 430        if (!stateless_rpc) {
 431                /* returned nonce MUST match what we gave out earlier */
 432                retval = NONCE_BAD;
 433                goto leave;
 434        }
 435
 436        /*
 437         * In stateless mode, we may be receiving a nonce issued by
 438         * another instance of the server that serving the same
 439         * repository, and the timestamps may not match, but the
 440         * nonce-seed and dir should match, so we can recompute and
 441         * report the time slop.
 442         *
 443         * In addition, when a nonce issued by another instance has
 444         * timestamp within receive.certnonceslop seconds, we pretend
 445         * as if we issued that nonce when reporting to the hook.
 446         */
 447
 448        /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
 449        if (*nonce <= '0' || '9' < *nonce) {
 450                retval = NONCE_BAD;
 451                goto leave;
 452        }
 453        stamp = strtoul(nonce, &bohmac, 10);
 454        if (bohmac == nonce || bohmac[0] != '-') {
 455                retval = NONCE_BAD;
 456                goto leave;
 457        }
 458
 459        expect = prepare_push_cert_nonce(service_dir, stamp);
 460        if (strcmp(expect, nonce)) {
 461                /* Not what we would have signed earlier */
 462                retval = NONCE_BAD;
 463                goto leave;
 464        }
 465
 466        /*
 467         * By how many seconds is this nonce stale?  Negative value
 468         * would mean it was issued by another server with its clock
 469         * skewed in the future.
 470         */
 471        ostamp = strtoul(push_cert_nonce, NULL, 10);
 472        nonce_stamp_slop = (long)ostamp - (long)stamp;
 473
 474        if (nonce_stamp_slop_limit &&
 475            labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
 476                /*
 477                 * Pretend as if the received nonce (which passes the
 478                 * HMAC check, so it is not a forged by third-party)
 479                 * is what we issued.
 480                 */
 481                free((void *)push_cert_nonce);
 482                push_cert_nonce = xstrdup(nonce);
 483                retval = NONCE_OK;
 484        } else {
 485                retval = NONCE_SLOP;
 486        }
 487
 488leave:
 489        free(nonce);
 490        free(expect);
 491        return retval;
 492}
 493
 494static void prepare_push_cert_sha1(struct child_process *proc)
 495{
 496        static int already_done;
 497
 498        if (!push_cert.len)
 499                return;
 500
 501        if (!already_done) {
 502                struct strbuf gpg_output = STRBUF_INIT;
 503                struct strbuf gpg_status = STRBUF_INIT;
 504                int bogs /* beginning_of_gpg_sig */;
 505
 506                already_done = 1;
 507                if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
 508                        hashclr(push_cert_sha1);
 509
 510                memset(&sigcheck, '\0', sizeof(sigcheck));
 511                sigcheck.result = 'N';
 512
 513                bogs = parse_signature(push_cert.buf, push_cert.len);
 514                if (verify_signed_buffer(push_cert.buf, bogs,
 515                                         push_cert.buf + bogs, push_cert.len - bogs,
 516                                         &gpg_output, &gpg_status) < 0) {
 517                        ; /* error running gpg */
 518                } else {
 519                        sigcheck.payload = push_cert.buf;
 520                        sigcheck.gpg_output = gpg_output.buf;
 521                        sigcheck.gpg_status = gpg_status.buf;
 522                        parse_gpg_output(&sigcheck);
 523                }
 524
 525                strbuf_release(&gpg_output);
 526                strbuf_release(&gpg_status);
 527                nonce_status = check_nonce(push_cert.buf, bogs);
 528        }
 529        if (!is_null_sha1(push_cert_sha1)) {
 530                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
 531                                 sha1_to_hex(push_cert_sha1));
 532                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
 533                                 sigcheck.signer ? sigcheck.signer : "");
 534                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
 535                                 sigcheck.key ? sigcheck.key : "");
 536                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
 537                                 sigcheck.result);
 538                if (push_cert_nonce) {
 539                        argv_array_pushf(&proc->env_array,
 540                                         "GIT_PUSH_CERT_NONCE=%s",
 541                                         push_cert_nonce);
 542                        argv_array_pushf(&proc->env_array,
 543                                         "GIT_PUSH_CERT_NONCE_STATUS=%s",
 544                                         nonce_status);
 545                        if (nonce_status == NONCE_SLOP)
 546                                argv_array_pushf(&proc->env_array,
 547                                                 "GIT_PUSH_CERT_NONCE_SLOP=%ld",
 548                                                 nonce_stamp_slop);
 549                }
 550        }
 551}
 552
 553typedef int (*feed_fn)(void *, const char **, size_t *);
 554static int run_and_feed_hook(const char *hook_name, feed_fn feed, void *feed_state)
 555{
 556        struct child_process proc = CHILD_PROCESS_INIT;
 557        struct async muxer;
 558        const char *argv[2];
 559        int code;
 560
 561        argv[0] = find_hook(hook_name);
 562        if (!argv[0])
 563                return 0;
 564
 565        argv[1] = NULL;
 566
 567        proc.argv = argv;
 568        proc.in = -1;
 569        proc.stdout_to_stderr = 1;
 570
 571        if (use_sideband) {
 572                memset(&muxer, 0, sizeof(muxer));
 573                muxer.proc = copy_to_sideband;
 574                muxer.in = -1;
 575                code = start_async(&muxer);
 576                if (code)
 577                        return code;
 578                proc.err = muxer.in;
 579        }
 580
 581        prepare_push_cert_sha1(&proc);
 582
 583        code = start_command(&proc);
 584        if (code) {
 585                if (use_sideband)
 586                        finish_async(&muxer);
 587                return code;
 588        }
 589
 590        sigchain_push(SIGPIPE, SIG_IGN);
 591
 592        while (1) {
 593                const char *buf;
 594                size_t n;
 595                if (feed(feed_state, &buf, &n))
 596                        break;
 597                if (write_in_full(proc.in, buf, n) != n)
 598                        break;
 599        }
 600        close(proc.in);
 601        if (use_sideband)
 602                finish_async(&muxer);
 603
 604        sigchain_pop(SIGPIPE);
 605
 606        return finish_command(&proc);
 607}
 608
 609struct receive_hook_feed_state {
 610        struct command *cmd;
 611        int skip_broken;
 612        struct strbuf buf;
 613};
 614
 615static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
 616{
 617        struct receive_hook_feed_state *state = state_;
 618        struct command *cmd = state->cmd;
 619
 620        while (cmd &&
 621               state->skip_broken && (cmd->error_string || cmd->did_not_exist))
 622                cmd = cmd->next;
 623        if (!cmd)
 624                return -1; /* EOF */
 625        strbuf_reset(&state->buf);
 626        strbuf_addf(&state->buf, "%s %s %s\n",
 627                    sha1_to_hex(cmd->old_sha1), sha1_to_hex(cmd->new_sha1),
 628                    cmd->ref_name);
 629        state->cmd = cmd->next;
 630        if (bufp) {
 631                *bufp = state->buf.buf;
 632                *sizep = state->buf.len;
 633        }
 634        return 0;
 635}
 636
 637static int run_receive_hook(struct command *commands, const char *hook_name,
 638                            int skip_broken)
 639{
 640        struct receive_hook_feed_state state;
 641        int status;
 642
 643        strbuf_init(&state.buf, 0);
 644        state.cmd = commands;
 645        state.skip_broken = skip_broken;
 646        if (feed_receive_hook(&state, NULL, NULL))
 647                return 0;
 648        state.cmd = commands;
 649        status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
 650        strbuf_release(&state.buf);
 651        return status;
 652}
 653
 654static int run_update_hook(struct command *cmd)
 655{
 656        const char *argv[5];
 657        struct child_process proc = CHILD_PROCESS_INIT;
 658        int code;
 659
 660        argv[0] = find_hook("update");
 661        if (!argv[0])
 662                return 0;
 663
 664        argv[1] = cmd->ref_name;
 665        argv[2] = sha1_to_hex(cmd->old_sha1);
 666        argv[3] = sha1_to_hex(cmd->new_sha1);
 667        argv[4] = NULL;
 668
 669        proc.no_stdin = 1;
 670        proc.stdout_to_stderr = 1;
 671        proc.err = use_sideband ? -1 : 0;
 672        proc.argv = argv;
 673
 674        code = start_command(&proc);
 675        if (code)
 676                return code;
 677        if (use_sideband)
 678                copy_to_sideband(proc.err, -1, NULL);
 679        return finish_command(&proc);
 680}
 681
 682static int is_ref_checked_out(const char *ref)
 683{
 684        if (is_bare_repository())
 685                return 0;
 686
 687        if (!head_name)
 688                return 0;
 689        return !strcmp(head_name, ref);
 690}
 691
 692static char *refuse_unconfigured_deny_msg[] = {
 693        "By default, updating the current branch in a non-bare repository",
 694        "is denied, because it will make the index and work tree inconsistent",
 695        "with what you pushed, and will require 'git reset --hard' to match",
 696        "the work tree to HEAD.",
 697        "",
 698        "You can set 'receive.denyCurrentBranch' configuration variable to",
 699        "'ignore' or 'warn' in the remote repository to allow pushing into",
 700        "its current branch; however, this is not recommended unless you",
 701        "arranged to update its work tree to match what you pushed in some",
 702        "other way.",
 703        "",
 704        "To squelch this message and still keep the default behaviour, set",
 705        "'receive.denyCurrentBranch' configuration variable to 'refuse'."
 706};
 707
 708static void refuse_unconfigured_deny(void)
 709{
 710        int i;
 711        for (i = 0; i < ARRAY_SIZE(refuse_unconfigured_deny_msg); i++)
 712                rp_error("%s", refuse_unconfigured_deny_msg[i]);
 713}
 714
 715static char *refuse_unconfigured_deny_delete_current_msg[] = {
 716        "By default, deleting the current branch is denied, because the next",
 717        "'git clone' won't result in any file checked out, causing confusion.",
 718        "",
 719        "You can set 'receive.denyDeleteCurrent' configuration variable to",
 720        "'warn' or 'ignore' in the remote repository to allow deleting the",
 721        "current branch, with or without a warning message.",
 722        "",
 723        "To squelch this message, you can set it to 'refuse'."
 724};
 725
 726static void refuse_unconfigured_deny_delete_current(void)
 727{
 728        int i;
 729        for (i = 0;
 730             i < ARRAY_SIZE(refuse_unconfigured_deny_delete_current_msg);
 731             i++)
 732                rp_error("%s", refuse_unconfigured_deny_delete_current_msg[i]);
 733}
 734
 735static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
 736static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
 737{
 738        static struct lock_file shallow_lock;
 739        struct sha1_array extra = SHA1_ARRAY_INIT;
 740        const char *alt_file;
 741        uint32_t mask = 1 << (cmd->index % 32);
 742        int i;
 743
 744        trace_printf_key(&trace_shallow,
 745                         "shallow: update_shallow_ref %s\n", cmd->ref_name);
 746        for (i = 0; i < si->shallow->nr; i++)
 747                if (si->used_shallow[i] &&
 748                    (si->used_shallow[i][cmd->index / 32] & mask) &&
 749                    !delayed_reachability_test(si, i))
 750                        sha1_array_append(&extra, si->shallow->sha1[i]);
 751
 752        setup_alternate_shallow(&shallow_lock, &alt_file, &extra);
 753        if (check_shallow_connected(command_singleton_iterator,
 754                                    0, cmd, alt_file)) {
 755                rollback_lock_file(&shallow_lock);
 756                sha1_array_clear(&extra);
 757                return -1;
 758        }
 759
 760        commit_lock_file(&shallow_lock);
 761
 762        /*
 763         * Make sure setup_alternate_shallow() for the next ref does
 764         * not lose these new roots..
 765         */
 766        for (i = 0; i < extra.nr; i++)
 767                register_shallow(extra.sha1[i]);
 768
 769        si->shallow_ref[cmd->index] = 0;
 770        sha1_array_clear(&extra);
 771        return 0;
 772}
 773
 774/*
 775 * NEEDSWORK: we should consolidate various implementions of "are we
 776 * on an unborn branch?" test into one, and make the unified one more
 777 * robust. !get_sha1() based check used here and elsewhere would not
 778 * allow us to tell an unborn branch from corrupt ref, for example.
 779 * For the purpose of fixing "deploy-to-update does not work when
 780 * pushing into an empty repository" issue, this should suffice for
 781 * now.
 782 */
 783static int head_has_history(void)
 784{
 785        unsigned char sha1[20];
 786
 787        return !get_sha1("HEAD", sha1);
 788}
 789
 790static const char *push_to_deploy(unsigned char *sha1,
 791                                  struct argv_array *env,
 792                                  const char *work_tree)
 793{
 794        const char *update_refresh[] = {
 795                "update-index", "-q", "--ignore-submodules", "--refresh", NULL
 796        };
 797        const char *diff_files[] = {
 798                "diff-files", "--quiet", "--ignore-submodules", "--", NULL
 799        };
 800        const char *diff_index[] = {
 801                "diff-index", "--quiet", "--cached", "--ignore-submodules",
 802                NULL, "--", NULL
 803        };
 804        const char *read_tree[] = {
 805                "read-tree", "-u", "-m", NULL, NULL
 806        };
 807        struct child_process child = CHILD_PROCESS_INIT;
 808
 809        child.argv = update_refresh;
 810        child.env = env->argv;
 811        child.dir = work_tree;
 812        child.no_stdin = 1;
 813        child.stdout_to_stderr = 1;
 814        child.git_cmd = 1;
 815        if (run_command(&child))
 816                return "Up-to-date check failed";
 817
 818        /* run_command() does not clean up completely; reinitialize */
 819        child_process_init(&child);
 820        child.argv = diff_files;
 821        child.env = env->argv;
 822        child.dir = work_tree;
 823        child.no_stdin = 1;
 824        child.stdout_to_stderr = 1;
 825        child.git_cmd = 1;
 826        if (run_command(&child))
 827                return "Working directory has unstaged changes";
 828
 829        /* diff-index with either HEAD or an empty tree */
 830        diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
 831
 832        child_process_init(&child);
 833        child.argv = diff_index;
 834        child.env = env->argv;
 835        child.no_stdin = 1;
 836        child.no_stdout = 1;
 837        child.stdout_to_stderr = 0;
 838        child.git_cmd = 1;
 839        if (run_command(&child))
 840                return "Working directory has staged changes";
 841
 842        read_tree[3] = sha1_to_hex(sha1);
 843        child_process_init(&child);
 844        child.argv = read_tree;
 845        child.env = env->argv;
 846        child.dir = work_tree;
 847        child.no_stdin = 1;
 848        child.no_stdout = 1;
 849        child.stdout_to_stderr = 0;
 850        child.git_cmd = 1;
 851        if (run_command(&child))
 852                return "Could not update working tree to new HEAD";
 853
 854        return NULL;
 855}
 856
 857static const char *push_to_checkout_hook = "push-to-checkout";
 858
 859static const char *push_to_checkout(unsigned char *sha1,
 860                                    struct argv_array *env,
 861                                    const char *work_tree)
 862{
 863        argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
 864        if (run_hook_le(env->argv, push_to_checkout_hook,
 865                        sha1_to_hex(sha1), NULL))
 866                return "push-to-checkout hook declined";
 867        else
 868                return NULL;
 869}
 870
 871static const char *update_worktree(unsigned char *sha1)
 872{
 873        const char *retval;
 874        const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
 875        struct argv_array env = ARGV_ARRAY_INIT;
 876
 877        if (is_bare_repository())
 878                return "denyCurrentBranch = updateInstead needs a worktree";
 879
 880        argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
 881
 882        if (!find_hook(push_to_checkout_hook))
 883                retval = push_to_deploy(sha1, &env, work_tree);
 884        else
 885                retval = push_to_checkout(sha1, &env, work_tree);
 886
 887        argv_array_clear(&env);
 888        return retval;
 889}
 890
 891static const char *update(struct command *cmd, struct shallow_info *si)
 892{
 893        const char *name = cmd->ref_name;
 894        struct strbuf namespaced_name_buf = STRBUF_INIT;
 895        const char *namespaced_name, *ret;
 896        unsigned char *old_sha1 = cmd->old_sha1;
 897        unsigned char *new_sha1 = cmd->new_sha1;
 898
 899        /* only refs/... are allowed */
 900        if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
 901                rp_error("refusing to create funny ref '%s' remotely", name);
 902                return "funny refname";
 903        }
 904
 905        strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
 906        namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
 907
 908        if (is_ref_checked_out(namespaced_name)) {
 909                switch (deny_current_branch) {
 910                case DENY_IGNORE:
 911                        break;
 912                case DENY_WARN:
 913                        rp_warning("updating the current branch");
 914                        break;
 915                case DENY_REFUSE:
 916                case DENY_UNCONFIGURED:
 917                        rp_error("refusing to update checked out branch: %s", name);
 918                        if (deny_current_branch == DENY_UNCONFIGURED)
 919                                refuse_unconfigured_deny();
 920                        return "branch is currently checked out";
 921                case DENY_UPDATE_INSTEAD:
 922                        ret = update_worktree(new_sha1);
 923                        if (ret)
 924                                return ret;
 925                        break;
 926                }
 927        }
 928
 929        if (!is_null_sha1(new_sha1) && !has_sha1_file(new_sha1)) {
 930                error("unpack should have generated %s, "
 931                      "but I can't find it!", sha1_to_hex(new_sha1));
 932                return "bad pack";
 933        }
 934
 935        if (!is_null_sha1(old_sha1) && is_null_sha1(new_sha1)) {
 936                if (deny_deletes && starts_with(name, "refs/heads/")) {
 937                        rp_error("denying ref deletion for %s", name);
 938                        return "deletion prohibited";
 939                }
 940
 941                if (head_name && !strcmp(namespaced_name, head_name)) {
 942                        switch (deny_delete_current) {
 943                        case DENY_IGNORE:
 944                                break;
 945                        case DENY_WARN:
 946                                rp_warning("deleting the current branch");
 947                                break;
 948                        case DENY_REFUSE:
 949                        case DENY_UNCONFIGURED:
 950                        case DENY_UPDATE_INSTEAD:
 951                                if (deny_delete_current == DENY_UNCONFIGURED)
 952                                        refuse_unconfigured_deny_delete_current();
 953                                rp_error("refusing to delete the current branch: %s", name);
 954                                return "deletion of the current branch prohibited";
 955                        default:
 956                                return "Invalid denyDeleteCurrent setting";
 957                        }
 958                }
 959        }
 960
 961        if (deny_non_fast_forwards && !is_null_sha1(new_sha1) &&
 962            !is_null_sha1(old_sha1) &&
 963            starts_with(name, "refs/heads/")) {
 964                struct object *old_object, *new_object;
 965                struct commit *old_commit, *new_commit;
 966
 967                old_object = parse_object(old_sha1);
 968                new_object = parse_object(new_sha1);
 969
 970                if (!old_object || !new_object ||
 971                    old_object->type != OBJ_COMMIT ||
 972                    new_object->type != OBJ_COMMIT) {
 973                        error("bad sha1 objects for %s", name);
 974                        return "bad ref";
 975                }
 976                old_commit = (struct commit *)old_object;
 977                new_commit = (struct commit *)new_object;
 978                if (!in_merge_bases(old_commit, new_commit)) {
 979                        rp_error("denying non-fast-forward %s"
 980                                 " (you should pull first)", name);
 981                        return "non-fast-forward";
 982                }
 983        }
 984        if (run_update_hook(cmd)) {
 985                rp_error("hook declined to update %s", name);
 986                return "hook declined";
 987        }
 988
 989        if (is_null_sha1(new_sha1)) {
 990                struct strbuf err = STRBUF_INIT;
 991                if (!parse_object(old_sha1)) {
 992                        old_sha1 = NULL;
 993                        if (ref_exists(name)) {
 994                                rp_warning("Allowing deletion of corrupt ref.");
 995                        } else {
 996                                rp_warning("Deleting a non-existent ref.");
 997                                cmd->did_not_exist = 1;
 998                        }
 999                }
1000                if (ref_transaction_delete(transaction,
1001                                           namespaced_name,
1002                                           old_sha1,
1003                                           0, "push", &err)) {
1004                        rp_error("%s", err.buf);
1005                        strbuf_release(&err);
1006                        return "failed to delete";
1007                }
1008                strbuf_release(&err);
1009                return NULL; /* good */
1010        }
1011        else {
1012                struct strbuf err = STRBUF_INIT;
1013                if (shallow_update && si->shallow_ref[cmd->index] &&
1014                    update_shallow_ref(cmd, si))
1015                        return "shallow error";
1016
1017                if (ref_transaction_update(transaction,
1018                                           namespaced_name,
1019                                           new_sha1, old_sha1,
1020                                           0, "push",
1021                                           &err)) {
1022                        rp_error("%s", err.buf);
1023                        strbuf_release(&err);
1024
1025                        return "failed to update ref";
1026                }
1027                strbuf_release(&err);
1028
1029                return NULL; /* good */
1030        }
1031}
1032
1033static void run_update_post_hook(struct command *commands)
1034{
1035        struct command *cmd;
1036        int argc;
1037        struct child_process proc = CHILD_PROCESS_INIT;
1038        const char *hook;
1039
1040        hook = find_hook("post-update");
1041        for (argc = 0, cmd = commands; cmd; cmd = cmd->next) {
1042                if (cmd->error_string || cmd->did_not_exist)
1043                        continue;
1044                argc++;
1045        }
1046        if (!argc || !hook)
1047                return;
1048
1049        argv_array_push(&proc.args, hook);
1050        for (cmd = commands; cmd; cmd = cmd->next) {
1051                if (cmd->error_string || cmd->did_not_exist)
1052                        continue;
1053                argv_array_push(&proc.args, cmd->ref_name);
1054        }
1055
1056        proc.no_stdin = 1;
1057        proc.stdout_to_stderr = 1;
1058        proc.err = use_sideband ? -1 : 0;
1059
1060        if (!start_command(&proc)) {
1061                if (use_sideband)
1062                        copy_to_sideband(proc.err, -1, NULL);
1063                finish_command(&proc);
1064        }
1065}
1066
1067static void check_aliased_update(struct command *cmd, struct string_list *list)
1068{
1069        struct strbuf buf = STRBUF_INIT;
1070        const char *dst_name;
1071        struct string_list_item *item;
1072        struct command *dst_cmd;
1073        unsigned char sha1[GIT_SHA1_RAWSZ];
1074        char cmd_oldh[GIT_SHA1_HEXSZ + 1],
1075             cmd_newh[GIT_SHA1_HEXSZ + 1],
1076             dst_oldh[GIT_SHA1_HEXSZ + 1],
1077             dst_newh[GIT_SHA1_HEXSZ + 1];
1078        int flag;
1079
1080        strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1081        dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1082        strbuf_release(&buf);
1083
1084        if (!(flag & REF_ISSYMREF))
1085                return;
1086
1087        if (!dst_name) {
1088                rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1089                cmd->skip_update = 1;
1090                cmd->error_string = "broken symref";
1091                return;
1092        }
1093        dst_name = strip_namespace(dst_name);
1094
1095        if ((item = string_list_lookup(list, dst_name)) == NULL)
1096                return;
1097
1098        cmd->skip_update = 1;
1099
1100        dst_cmd = (struct command *) item->util;
1101
1102        if (!hashcmp(cmd->old_sha1, dst_cmd->old_sha1) &&
1103            !hashcmp(cmd->new_sha1, dst_cmd->new_sha1))
1104                return;
1105
1106        dst_cmd->skip_update = 1;
1107
1108        find_unique_abbrev_r(cmd_oldh, cmd->old_sha1, DEFAULT_ABBREV);
1109        find_unique_abbrev_r(cmd_newh, cmd->new_sha1, DEFAULT_ABBREV);
1110        find_unique_abbrev_r(dst_oldh, dst_cmd->old_sha1, DEFAULT_ABBREV);
1111        find_unique_abbrev_r(dst_newh, dst_cmd->new_sha1, DEFAULT_ABBREV);
1112        rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1113                 " its target '%s' (%s..%s)",
1114                 cmd->ref_name, cmd_oldh, cmd_newh,
1115                 dst_cmd->ref_name, dst_oldh, dst_newh);
1116
1117        cmd->error_string = dst_cmd->error_string =
1118                "inconsistent aliased update";
1119}
1120
1121static void check_aliased_updates(struct command *commands)
1122{
1123        struct command *cmd;
1124        struct string_list ref_list = STRING_LIST_INIT_NODUP;
1125
1126        for (cmd = commands; cmd; cmd = cmd->next) {
1127                struct string_list_item *item =
1128                        string_list_append(&ref_list, cmd->ref_name);
1129                item->util = (void *)cmd;
1130        }
1131        string_list_sort(&ref_list);
1132
1133        for (cmd = commands; cmd; cmd = cmd->next) {
1134                if (!cmd->error_string)
1135                        check_aliased_update(cmd, &ref_list);
1136        }
1137
1138        string_list_clear(&ref_list, 0);
1139}
1140
1141static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1142{
1143        struct command **cmd_list = cb_data;
1144        struct command *cmd = *cmd_list;
1145
1146        if (!cmd || is_null_sha1(cmd->new_sha1))
1147                return -1; /* end of list */
1148        *cmd_list = NULL; /* this returns only one */
1149        hashcpy(sha1, cmd->new_sha1);
1150        return 0;
1151}
1152
1153static void set_connectivity_errors(struct command *commands,
1154                                    struct shallow_info *si)
1155{
1156        struct command *cmd;
1157
1158        for (cmd = commands; cmd; cmd = cmd->next) {
1159                struct command *singleton = cmd;
1160                if (shallow_update && si->shallow_ref[cmd->index])
1161                        /* to be checked in update_shallow_ref() */
1162                        continue;
1163                if (!check_everything_connected(command_singleton_iterator,
1164                                                0, &singleton))
1165                        continue;
1166                cmd->error_string = "missing necessary objects";
1167        }
1168}
1169
1170struct iterate_data {
1171        struct command *cmds;
1172        struct shallow_info *si;
1173};
1174
1175static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1176{
1177        struct iterate_data *data = cb_data;
1178        struct command **cmd_list = &data->cmds;
1179        struct command *cmd = *cmd_list;
1180
1181        for (; cmd; cmd = cmd->next) {
1182                if (shallow_update && data->si->shallow_ref[cmd->index])
1183                        /* to be checked in update_shallow_ref() */
1184                        continue;
1185                if (!is_null_sha1(cmd->new_sha1) && !cmd->skip_update) {
1186                        hashcpy(sha1, cmd->new_sha1);
1187                        *cmd_list = cmd->next;
1188                        return 0;
1189                }
1190        }
1191        *cmd_list = NULL;
1192        return -1; /* end of list */
1193}
1194
1195static void reject_updates_to_hidden(struct command *commands)
1196{
1197        struct strbuf refname_full = STRBUF_INIT;
1198        size_t prefix_len;
1199        struct command *cmd;
1200
1201        strbuf_addstr(&refname_full, get_git_namespace());
1202        prefix_len = refname_full.len;
1203
1204        for (cmd = commands; cmd; cmd = cmd->next) {
1205                if (cmd->error_string)
1206                        continue;
1207
1208                strbuf_setlen(&refname_full, prefix_len);
1209                strbuf_addstr(&refname_full, cmd->ref_name);
1210
1211                if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1212                        continue;
1213                if (is_null_sha1(cmd->new_sha1))
1214                        cmd->error_string = "deny deleting a hidden ref";
1215                else
1216                        cmd->error_string = "deny updating a hidden ref";
1217        }
1218
1219        strbuf_release(&refname_full);
1220}
1221
1222static int should_process_cmd(struct command *cmd)
1223{
1224        return !cmd->error_string && !cmd->skip_update;
1225}
1226
1227static void warn_if_skipped_connectivity_check(struct command *commands,
1228                                               struct shallow_info *si)
1229{
1230        struct command *cmd;
1231        int checked_connectivity = 1;
1232
1233        for (cmd = commands; cmd; cmd = cmd->next) {
1234                if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1235                        error("BUG: connectivity check has not been run on ref %s",
1236                              cmd->ref_name);
1237                        checked_connectivity = 0;
1238                }
1239        }
1240        if (!checked_connectivity)
1241                die("BUG: connectivity check skipped???");
1242}
1243
1244static void execute_commands_non_atomic(struct command *commands,
1245                                        struct shallow_info *si)
1246{
1247        struct command *cmd;
1248        struct strbuf err = STRBUF_INIT;
1249
1250        for (cmd = commands; cmd; cmd = cmd->next) {
1251                if (!should_process_cmd(cmd))
1252                        continue;
1253
1254                transaction = ref_transaction_begin(&err);
1255                if (!transaction) {
1256                        rp_error("%s", err.buf);
1257                        strbuf_reset(&err);
1258                        cmd->error_string = "transaction failed to start";
1259                        continue;
1260                }
1261
1262                cmd->error_string = update(cmd, si);
1263
1264                if (!cmd->error_string
1265                    && ref_transaction_commit(transaction, &err)) {
1266                        rp_error("%s", err.buf);
1267                        strbuf_reset(&err);
1268                        cmd->error_string = "failed to update ref";
1269                }
1270                ref_transaction_free(transaction);
1271        }
1272        strbuf_release(&err);
1273}
1274
1275static void execute_commands_atomic(struct command *commands,
1276                                        struct shallow_info *si)
1277{
1278        struct command *cmd;
1279        struct strbuf err = STRBUF_INIT;
1280        const char *reported_error = "atomic push failure";
1281
1282        transaction = ref_transaction_begin(&err);
1283        if (!transaction) {
1284                rp_error("%s", err.buf);
1285                strbuf_reset(&err);
1286                reported_error = "transaction failed to start";
1287                goto failure;
1288        }
1289
1290        for (cmd = commands; cmd; cmd = cmd->next) {
1291                if (!should_process_cmd(cmd))
1292                        continue;
1293
1294                cmd->error_string = update(cmd, si);
1295
1296                if (cmd->error_string)
1297                        goto failure;
1298        }
1299
1300        if (ref_transaction_commit(transaction, &err)) {
1301                rp_error("%s", err.buf);
1302                reported_error = "atomic transaction failed";
1303                goto failure;
1304        }
1305        goto cleanup;
1306
1307failure:
1308        for (cmd = commands; cmd; cmd = cmd->next)
1309                if (!cmd->error_string)
1310                        cmd->error_string = reported_error;
1311
1312cleanup:
1313        ref_transaction_free(transaction);
1314        strbuf_release(&err);
1315}
1316
1317static void execute_commands(struct command *commands,
1318                             const char *unpacker_error,
1319                             struct shallow_info *si)
1320{
1321        struct command *cmd;
1322        unsigned char sha1[20];
1323        struct iterate_data data;
1324
1325        if (unpacker_error) {
1326                for (cmd = commands; cmd; cmd = cmd->next)
1327                        cmd->error_string = "unpacker error";
1328                return;
1329        }
1330
1331        data.cmds = commands;
1332        data.si = si;
1333        if (check_everything_connected(iterate_receive_command_list, 0, &data))
1334                set_connectivity_errors(commands, si);
1335
1336        reject_updates_to_hidden(commands);
1337
1338        if (run_receive_hook(commands, "pre-receive", 0)) {
1339                for (cmd = commands; cmd; cmd = cmd->next) {
1340                        if (!cmd->error_string)
1341                                cmd->error_string = "pre-receive hook declined";
1342                }
1343                return;
1344        }
1345
1346        check_aliased_updates(commands);
1347
1348        free(head_name_to_free);
1349        head_name = head_name_to_free = resolve_refdup("HEAD", 0, sha1, NULL);
1350
1351        if (use_atomic)
1352                execute_commands_atomic(commands, si);
1353        else
1354                execute_commands_non_atomic(commands, si);
1355
1356        if (shallow_update)
1357                warn_if_skipped_connectivity_check(commands, si);
1358}
1359
1360static struct command **queue_command(struct command **tail,
1361                                      const char *line,
1362                                      int linelen)
1363{
1364        unsigned char old_sha1[20], new_sha1[20];
1365        struct command *cmd;
1366        const char *refname;
1367        int reflen;
1368
1369        if (linelen < 83 ||
1370            line[40] != ' ' ||
1371            line[81] != ' ' ||
1372            get_sha1_hex(line, old_sha1) ||
1373            get_sha1_hex(line + 41, new_sha1))
1374                die("protocol error: expected old/new/ref, got '%s'", line);
1375
1376        refname = line + 82;
1377        reflen = linelen - 82;
1378        cmd = xcalloc(1, st_add3(sizeof(struct command), reflen, 1));
1379        hashcpy(cmd->old_sha1, old_sha1);
1380        hashcpy(cmd->new_sha1, new_sha1);
1381        memcpy(cmd->ref_name, refname, reflen);
1382        cmd->ref_name[reflen] = '\0';
1383        *tail = cmd;
1384        return &cmd->next;
1385}
1386
1387static void queue_commands_from_cert(struct command **tail,
1388                                     struct strbuf *push_cert)
1389{
1390        const char *boc, *eoc;
1391
1392        if (*tail)
1393                die("protocol error: got both push certificate and unsigned commands");
1394
1395        boc = strstr(push_cert->buf, "\n\n");
1396        if (!boc)
1397                die("malformed push certificate %.*s", 100, push_cert->buf);
1398        else
1399                boc += 2;
1400        eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1401
1402        while (boc < eoc) {
1403                const char *eol = memchr(boc, '\n', eoc - boc);
1404                tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);
1405                boc = eol ? eol + 1 : eoc;
1406        }
1407}
1408
1409static struct command *read_head_info(struct sha1_array *shallow)
1410{
1411        struct command *commands = NULL;
1412        struct command **p = &commands;
1413        for (;;) {
1414                char *line;
1415                int len, linelen;
1416
1417                line = packet_read_line(0, &len);
1418                if (!line)
1419                        break;
1420
1421                if (len == 48 && starts_with(line, "shallow ")) {
1422                        unsigned char sha1[20];
1423                        if (get_sha1_hex(line + 8, sha1))
1424                                die("protocol error: expected shallow sha, got '%s'",
1425                                    line + 8);
1426                        sha1_array_append(shallow, sha1);
1427                        continue;
1428                }
1429
1430                linelen = strlen(line);
1431                if (linelen < len) {
1432                        const char *feature_list = line + linelen + 1;
1433                        if (parse_feature_request(feature_list, "report-status"))
1434                                report_status = 1;
1435                        if (parse_feature_request(feature_list, "side-band-64k"))
1436                                use_sideband = LARGE_PACKET_MAX;
1437                        if (parse_feature_request(feature_list, "quiet"))
1438                                quiet = 1;
1439                        if (advertise_atomic_push
1440                            && parse_feature_request(feature_list, "atomic"))
1441                                use_atomic = 1;
1442                }
1443
1444                if (!strcmp(line, "push-cert")) {
1445                        int true_flush = 0;
1446                        char certbuf[1024];
1447
1448                        for (;;) {
1449                                len = packet_read(0, NULL, NULL,
1450                                                  certbuf, sizeof(certbuf), 0);
1451                                if (!len) {
1452                                        true_flush = 1;
1453                                        break;
1454                                }
1455                                if (!strcmp(certbuf, "push-cert-end\n"))
1456                                        break; /* end of cert */
1457                                strbuf_addstr(&push_cert, certbuf);
1458                        }
1459
1460                        if (true_flush)
1461                                break;
1462                        continue;
1463                }
1464
1465                p = queue_command(p, line, linelen);
1466        }
1467
1468        if (push_cert.len)
1469                queue_commands_from_cert(p, &push_cert);
1470
1471        return commands;
1472}
1473
1474static const char *parse_pack_header(struct pack_header *hdr)
1475{
1476        switch (read_pack_header(0, hdr)) {
1477        case PH_ERROR_EOF:
1478                return "eof before pack header was fully read";
1479
1480        case PH_ERROR_PACK_SIGNATURE:
1481                return "protocol error (pack signature mismatch detected)";
1482
1483        case PH_ERROR_PROTOCOL:
1484                return "protocol error (pack version unsupported)";
1485
1486        default:
1487                return "unknown error in parse_pack_header";
1488
1489        case 0:
1490                return NULL;
1491        }
1492}
1493
1494static const char *pack_lockfile;
1495
1496static const char *unpack(int err_fd, struct shallow_info *si)
1497{
1498        struct pack_header hdr;
1499        const char *hdr_err;
1500        int status;
1501        char hdr_arg[38];
1502        struct child_process child = CHILD_PROCESS_INIT;
1503        int fsck_objects = (receive_fsck_objects >= 0
1504                            ? receive_fsck_objects
1505                            : transfer_fsck_objects >= 0
1506                            ? transfer_fsck_objects
1507                            : 0);
1508
1509        hdr_err = parse_pack_header(&hdr);
1510        if (hdr_err) {
1511                if (err_fd > 0)
1512                        close(err_fd);
1513                return hdr_err;
1514        }
1515        snprintf(hdr_arg, sizeof(hdr_arg),
1516                        "--pack_header=%"PRIu32",%"PRIu32,
1517                        ntohl(hdr.hdr_version), ntohl(hdr.hdr_entries));
1518
1519        if (si->nr_ours || si->nr_theirs) {
1520                alt_shallow_file = setup_temporary_shallow(si->shallow);
1521                argv_array_push(&child.args, "--shallow-file");
1522                argv_array_push(&child.args, alt_shallow_file);
1523        }
1524
1525        if (ntohl(hdr.hdr_entries) < unpack_limit) {
1526                argv_array_pushl(&child.args, "unpack-objects", hdr_arg, NULL);
1527                if (quiet)
1528                        argv_array_push(&child.args, "-q");
1529                if (fsck_objects)
1530                        argv_array_pushf(&child.args, "--strict%s",
1531                                fsck_msg_types.buf);
1532                child.no_stdout = 1;
1533                child.err = err_fd;
1534                child.git_cmd = 1;
1535                status = run_command(&child);
1536                if (status)
1537                        return "unpack-objects abnormal exit";
1538        } else {
1539                char hostname[256];
1540
1541                argv_array_pushl(&child.args, "index-pack",
1542                                 "--stdin", hdr_arg, NULL);
1543
1544                if (gethostname(hostname, sizeof(hostname)))
1545                        xsnprintf(hostname, sizeof(hostname), "localhost");
1546                argv_array_pushf(&child.args,
1547                                 "--keep=receive-pack %"PRIuMAX" on %s",
1548                                 (uintmax_t)getpid(),
1549                                 hostname);
1550
1551                if (fsck_objects)
1552                        argv_array_pushf(&child.args, "--strict%s",
1553                                fsck_msg_types.buf);
1554                if (!reject_thin)
1555                        argv_array_push(&child.args, "--fix-thin");
1556                child.out = -1;
1557                child.err = err_fd;
1558                child.git_cmd = 1;
1559                status = start_command(&child);
1560                if (status)
1561                        return "index-pack fork failed";
1562                pack_lockfile = index_pack_lockfile(child.out);
1563                close(child.out);
1564                status = finish_command(&child);
1565                if (status)
1566                        return "index-pack abnormal exit";
1567                reprepare_packed_git();
1568        }
1569        return NULL;
1570}
1571
1572static const char *unpack_with_sideband(struct shallow_info *si)
1573{
1574        struct async muxer;
1575        const char *ret;
1576
1577        if (!use_sideband)
1578                return unpack(0, si);
1579
1580        memset(&muxer, 0, sizeof(muxer));
1581        muxer.proc = copy_to_sideband;
1582        muxer.in = -1;
1583        if (start_async(&muxer))
1584                return NULL;
1585
1586        ret = unpack(muxer.in, si);
1587
1588        finish_async(&muxer);
1589        return ret;
1590}
1591
1592static void prepare_shallow_update(struct command *commands,
1593                                   struct shallow_info *si)
1594{
1595        int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1596
1597        ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1598        assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1599
1600        si->need_reachability_test =
1601                xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1602        si->reachable =
1603                xcalloc(si->shallow->nr, sizeof(*si->reachable));
1604        si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1605
1606        for (i = 0; i < si->nr_ours; i++)
1607                si->need_reachability_test[si->ours[i]] = 1;
1608
1609        for (i = 0; i < si->shallow->nr; i++) {
1610                if (!si->used_shallow[i])
1611                        continue;
1612                for (j = 0; j < bitmap_size; j++) {
1613                        if (!si->used_shallow[i][j])
1614                                continue;
1615                        si->need_reachability_test[i]++;
1616                        for (k = 0; k < 32; k++)
1617                                if (si->used_shallow[i][j] & (1U << k))
1618                                        si->shallow_ref[j * 32 + k]++;
1619                }
1620
1621                /*
1622                 * true for those associated with some refs and belong
1623                 * in "ours" list aka "step 7 not done yet"
1624                 */
1625                si->need_reachability_test[i] =
1626                        si->need_reachability_test[i] > 1;
1627        }
1628
1629        /*
1630         * keep hooks happy by forcing a temporary shallow file via
1631         * env variable because we can't add --shallow-file to every
1632         * command. check_everything_connected() will be done with
1633         * true .git/shallow though.
1634         */
1635        setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1636}
1637
1638static void update_shallow_info(struct command *commands,
1639                                struct shallow_info *si,
1640                                struct sha1_array *ref)
1641{
1642        struct command *cmd;
1643        int *ref_status;
1644        remove_nonexistent_theirs_shallow(si);
1645        if (!si->nr_ours && !si->nr_theirs) {
1646                shallow_update = 0;
1647                return;
1648        }
1649
1650        for (cmd = commands; cmd; cmd = cmd->next) {
1651                if (is_null_sha1(cmd->new_sha1))
1652                        continue;
1653                sha1_array_append(ref, cmd->new_sha1);
1654                cmd->index = ref->nr - 1;
1655        }
1656        si->ref = ref;
1657
1658        if (shallow_update) {
1659                prepare_shallow_update(commands, si);
1660                return;
1661        }
1662
1663        ALLOC_ARRAY(ref_status, ref->nr);
1664        assign_shallow_commits_to_refs(si, NULL, ref_status);
1665        for (cmd = commands; cmd; cmd = cmd->next) {
1666                if (is_null_sha1(cmd->new_sha1))
1667                        continue;
1668                if (ref_status[cmd->index]) {
1669                        cmd->error_string = "shallow update not allowed";
1670                        cmd->skip_update = 1;
1671                }
1672        }
1673        free(ref_status);
1674}
1675
1676static void report(struct command *commands, const char *unpack_status)
1677{
1678        struct command *cmd;
1679        struct strbuf buf = STRBUF_INIT;
1680
1681        packet_buf_write(&buf, "unpack %s\n",
1682                         unpack_status ? unpack_status : "ok");
1683        for (cmd = commands; cmd; cmd = cmd->next) {
1684                if (!cmd->error_string)
1685                        packet_buf_write(&buf, "ok %s\n",
1686                                         cmd->ref_name);
1687                else
1688                        packet_buf_write(&buf, "ng %s %s\n",
1689                                         cmd->ref_name, cmd->error_string);
1690        }
1691        packet_buf_flush(&buf);
1692
1693        if (use_sideband)
1694                send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1695        else
1696                write_or_die(1, buf.buf, buf.len);
1697        strbuf_release(&buf);
1698}
1699
1700static int delete_only(struct command *commands)
1701{
1702        struct command *cmd;
1703        for (cmd = commands; cmd; cmd = cmd->next) {
1704                if (!is_null_sha1(cmd->new_sha1))
1705                        return 0;
1706        }
1707        return 1;
1708}
1709
1710int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1711{
1712        int advertise_refs = 0;
1713        struct command *commands;
1714        struct sha1_array shallow = SHA1_ARRAY_INIT;
1715        struct sha1_array ref = SHA1_ARRAY_INIT;
1716        struct shallow_info si;
1717
1718        struct option options[] = {
1719                OPT__QUIET(&quiet, N_("quiet")),
1720                OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1721                OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1722                OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1723                OPT_END()
1724        };
1725
1726        packet_trace_identity("receive-pack");
1727
1728        argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1729
1730        if (argc > 1)
1731                usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1732        if (argc == 0)
1733                usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1734
1735        service_dir = argv[0];
1736
1737        setup_path();
1738
1739        if (!enter_repo(service_dir, 0))
1740                die("'%s' does not appear to be a git repository", service_dir);
1741
1742        git_config(receive_pack_config, NULL);
1743        if (cert_nonce_seed)
1744                push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1745
1746        if (0 <= transfer_unpack_limit)
1747                unpack_limit = transfer_unpack_limit;
1748        else if (0 <= receive_unpack_limit)
1749                unpack_limit = receive_unpack_limit;
1750
1751        if (advertise_refs || !stateless_rpc) {
1752                write_head_info();
1753        }
1754        if (advertise_refs)
1755                return 0;
1756
1757        if ((commands = read_head_info(&shallow)) != NULL) {
1758                const char *unpack_status = NULL;
1759
1760                prepare_shallow_info(&si, &shallow);
1761                if (!si.nr_ours && !si.nr_theirs)
1762                        shallow_update = 0;
1763                if (!delete_only(commands)) {
1764                        unpack_status = unpack_with_sideband(&si);
1765                        update_shallow_info(commands, &si, &ref);
1766                }
1767                execute_commands(commands, unpack_status, &si);
1768                if (pack_lockfile)
1769                        unlink_or_warn(pack_lockfile);
1770                if (report_status)
1771                        report(commands, unpack_status);
1772                run_receive_hook(commands, "post-receive", 1);
1773                run_update_post_hook(commands);
1774                if (auto_gc) {
1775                        const char *argv_gc_auto[] = {
1776                                "gc", "--auto", "--quiet", NULL,
1777                        };
1778                        int opt = RUN_GIT_CMD | RUN_COMMAND_STDOUT_TO_STDERR;
1779                        close_all_packs();
1780                        run_command_v_opt(argv_gc_auto, opt);
1781                }
1782                if (auto_update_server_info)
1783                        update_server_info(0);
1784                clear_shallow_info(&si);
1785        }
1786        if (use_sideband)
1787                packet_flush(1);
1788        sha1_array_clear(&shallow);
1789        sha1_array_clear(&ref);
1790        free((void *)push_cert_nonce);
1791        return 0;
1792}