From: Michael Haggerty <mhagger@alum.mit.edu>
Date: Wed, 27 Apr 2016 10:40:39 +0000 (+0200)
Subject: refname_is_safe(): insist that the refname already be normalized
X-Git-Tag: v2.10.0-rc0~98^2~25
X-Git-Url: https://git.lorimer.id.au/gitweb.git/diff_plain/e40f355?hp=35db25c65f6f77c153ef2b1183ea7821236201c8

refname_is_safe(): insist that the refname already be normalized

The reference name is going to be compared to other reference names, so
it should be in its normalized form.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---

diff --git a/refs.c b/refs.c
index ca0280f7eb..b18d9959af 100644
--- a/refs.c
+++ b/refs.c
@@ -125,14 +125,19 @@ int refname_is_safe(const char *refname)
 	if (skip_prefix(refname, "refs/", &rest)) {
 		char *buf;
 		int result;
+		size_t restlen = strlen(rest);
+
+		/* rest must not be empty, or start or end with "/" */
+		if (!restlen || *rest == '/' || rest[restlen - 1] == '/')
+			return 0;
 
 		/*
 		 * Does the refname try to escape refs/?
 		 * For example: refs/foo/../bar is safe but refs/foo/../../bar
 		 * is not.
 		 */
-		buf = xmallocz(strlen(rest));
-		result = !normalize_path_copy(buf, rest);
+		buf = xmallocz(restlen);
+		result = !normalize_path_copy(buf, rest) && !strcmp(buf, rest);
 		free(buf);
 		return result;
 	}