From: Jeff King <peff@peff.net>
To: "Carlos Martín Nieto" <cmn@elego.de>
Cc: git@vger.kernel.org, Albert Astals Cid <aacid@kde.org>
Subject: [PATCH 2/2] archive: loosen restrictions on remote object lookup
Date: Wed, 11 Jan 2012 14:42:32 -0500 [thread overview]
Message-ID: <20120111194232.GB12441@sigill.intra.peff.net> (raw)
In-Reply-To: <20120111193916.GA12333@sigill.intra.peff.net>
Initially, "git upload-archive" would feed the tree
specification from the remote side directly into get_sha1,
giving the remote user the full power of the object name
resolver. This was convenient, but it also meant that remote
users could fetch disconnected trees by their sha1s, which
violates the long-standing behavior of upload-pack not to
make such objects available.
Later, commit ee27ca4 tightened this to use dwim_ref instead
of get_sha1 for the remote case, allowing only the use of
actual refs. Unfortunately, this broke some existing use
cases, like fetching sub-trees with "$ref:subdir".
This patch loosens the restrictions to re-enable those use
cases. It does this by using get_sha1_with_context for the
object lookup, and checking that only allowable features
were used.
Signed-off-by: Jeff King <peff@peff.net>
---
archive.c | 34 ++++++++++++++-------
t/t5002-archive-resolution.sh | 66 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 89 insertions(+), 11 deletions(-)
create mode 100755 t/t5002-archive-resolution.sh
diff --git a/archive.c b/archive.c
index 164bbd0..a031bde 100644
--- a/archive.c
+++ b/archive.c
@@ -246,6 +246,25 @@ static void parse_pathspec_arg(const char **pathspec,
}
}
+static int check_object_context(int remote, const struct object_context *oc)
+{
+ /* For local requests, allow anything */
+ if (!remote)
+ return 1;
+ /*
+ * Otherwise, require that we accessed the object through a ref,
+ * but not have used any of the advanced features like looking in
+ * the reflog.
+ */
+ return oc->used_ref &&
+ !oc->used_reflog &&
+ !oc->used_index &&
+ !oc->used_nth_checkout &&
+ !oc->used_describe_name &&
+ !oc->used_oneline &&
+ !oc->used_raw_hex;
+}
+
static void parse_treeish_arg(const char **argv,
struct archiver_args *ar_args, const char *prefix,
int remote)
@@ -256,18 +275,11 @@ static void parse_treeish_arg(const char **argv,
struct tree *tree;
const struct commit *commit;
unsigned char sha1[20];
+ struct object_context oc;
- /* Remotes are only allowed to fetch actual refs */
- if (remote) {
- char *ref = NULL;
- if (!dwim_ref(name, strlen(name), sha1, &ref))
- die("no such ref: %s", name);
- free(ref);
- }
- else {
- if (get_sha1(name, sha1))
- die("Not a valid object name");
- }
+ if (get_sha1_with_context(name, sha1, &oc) ||
+ !check_object_context(remote, &oc))
+ die("Not a valid object name");
commit = lookup_commit_reference_gently(sha1, 1);
if (commit) {
diff --git a/t/t5002-archive-resolution.sh b/t/t5002-archive-resolution.sh
new file mode 100755
index 0000000..bf2b55c
--- /dev/null
+++ b/t/t5002-archive-resolution.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+test_description='test object resolution methods for local and remote archive'
+. ./test-lib.sh
+
+test_expect_success 'setup' '
+ echo a >a &&
+ git add . &&
+ git commit -m one &&
+ sha1_one=`git rev-parse HEAD` &&
+ mkdir subdir &&
+ echo b >subdir/b &&
+ git add . &&
+ git commit -m two &&
+ git checkout -b other &&
+ git checkout master
+'
+
+while read desc where what expect; do
+ cmd="git archive --format=tar -o result.tar"
+ test "$where" = "remote" && cmd="$cmd --remote=."
+ cmd="$cmd $what"
+
+ if test "$expect" = "deny"; then
+ test_expect_success "archive $desc ($where, should deny)" "
+ test_must_fail $cmd
+ "
+ else
+ test_expect_success "archive $desc ($where, should work)" '
+ '"$cmd"' &&
+ for i in '"$expect"'; do
+ echo "$i:`basename $i`"
+ done >expect &&
+ rm -rf result &&
+ mkdir result &&
+ (cd result &&
+ tar xf ../result.tar &&
+ for i in `find * -type f`; do
+ echo "$i:`cat $i`"
+ done >../actual
+ ) &&
+ test_cmp expect actual
+ '
+ fi
+done <<EOF
+ref local master a subdir/b
+ref remote master a subdir/b
+parent local master^ a
+parent remote master^ a
+tree local master^{tree} a subdir/b
+tree remote master^{tree} a subdir/b
+subtree local master:subdir b
+subtree remote master:subdir b
+sha1 local $sha1_one a
+sha1 remote $sha1_one deny
+reflog local master@{1} a
+reflog remote master@{1} deny
+oneline local :/one a
+oneline remote :/one deny
+oneline-ref local master^{/one} a
+oneline-ref remote master^{/one} deny
+nth-checkout local @{-1} a subdir/b
+nth-checkout remote @{-1} deny
+EOF
+
+test_done
--
1.7.9.rc0.33.gd3c17
next prev parent reply other threads:[~2012-01-11 19:42 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-10 21:18 [BUG] git archive broken in 1.7.8.1 Albert Astals Cid
2012-01-10 21:33 ` Carlos Martín Nieto
2012-01-10 22:05 ` Albert Astals Cid
2012-01-10 22:50 ` Carlos Martín Nieto
2012-01-10 23:21 ` Jeff King
2012-01-11 12:12 ` [PATCH] archive: re-allow HEAD:Documentation on a remote invocation Carlos Martín Nieto
2012-01-11 19:39 ` Jeff King
2012-01-11 19:42 ` [PATCH 1/2] get_sha1_with_context: report features used in resolution Jeff King
2012-01-12 2:36 ` Junio C Hamano
2012-01-12 2:51 ` Jeff King
2012-01-11 19:42 ` Jeff King [this message]
2013-05-29 12:05 ` [PATCH 2/2] archive: loosen restrictions on remote object lookup Ian Harvey
2013-06-05 16:38 ` Jeff King
2013-06-05 22:35 ` [RFC/PATCH 0/4] real reachability checks for upload-archive Jeff King
2013-06-05 22:37 ` [PATCH 1/4] clear parsed flag when we free tree buffers Jeff King
2013-06-06 17:55 ` Junio C Hamano
2013-06-05 22:39 ` [PATCH 2/4] upload-archive: restrict remote objects with reachability check Jeff King
2013-06-05 22:40 ` [PATCH 3/4] list-objects: optimize "revs->blob_objects = 0" case Jeff King
2013-06-05 22:40 ` [PATCH 4/4] archive: ignore blob objects when checking reachability Jeff King
2013-06-06 7:57 ` Michael Haggerty
2013-06-07 0:50 ` Eric Sunshine
2013-06-06 17:27 ` [RFC/PATCH 0/4] real reachability checks for upload-archive Junio C Hamano
2012-01-12 2:46 ` [PATCH] archive: re-allow HEAD:Documentation on a remote invocation Junio C Hamano
2012-01-12 2:54 ` Jeff King
2012-01-12 2:59 ` Jeff King
2012-01-12 3:03 ` Junio C Hamano
2012-01-12 3:10 ` Jeff King
2012-01-12 3:20 ` Junio C Hamano
2012-01-10 23:01 ` [BUG] git archive broken in 1.7.8.1 Allan Wind
2012-01-11 12:51 ` Carlos Martín Nieto
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120111194232.GB12441@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=aacid@kde.org \
--cc=cmn@elego.de \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).