From: Michael Haggerty <mhagger@alum.mit.edu>
To: Jeff King <peff@peff.net>
Cc: "Junio C Hamano" <gitster@pobox.com>,
"Nguyễn Thái Ngọc Duy" <pclouds@gmail.com>,
"Stefan Beller" <sbeller@google.com>,
"Ævar Arnfjörð Bjarmason" <avarab@gmail.com>,
"David Turner" <novalis@novalis.org>,
"Brandon Williams" <bmwill@google.com>,
git@vger.kernel.org
Subject: Re: [PATCH v2 29/29] read_packed_refs(): die if `packed-refs` contains bogus data
Date: Sat, 1 Jul 2017 20:15:20 +0200 [thread overview]
Message-ID: <9d988f17-ca61-d855-c950-2b20617ce48d@alum.mit.edu> (raw)
In-Reply-To: <20170623195845.pz7rdyqocjqu5edp@sigill.intra.peff.net>
On 06/23/2017 09:58 PM, Jeff King wrote:
> On Fri, Jun 23, 2017 at 09:01:47AM +0200, Michael Haggerty wrote:
>
>> The old code ignored any lines that it didn't understand. This is
>> dangerous. Instead, `die()` if the `packed-refs` file contains any
>> lines that we don't know how to handle.
>
> This seems like a big improvement. Is it worth adding a test for a
> corrupted file?
That's a good idea. While I'm at it, I'll distinguish between
unterminated lines and lines that are invalid for other reasons, because
the error message should differ for these cases.
> I assume this isn't something you saw in the wild, but just a deficiency
> you noticed while reading the code.
Correct, I've never seen this problem in the wild. Though, since Git
would have covered up the problem while it existed and obliterated it at
the next `pack-refs`, it's the kind of thing that would be easy to
overlook and hard to prove afterwards.
> I suspect this laxness may have been what allowed us to add the optional
> peeled values long ago. But I think I'd rather see us be more strict and
> notice corruption or nonsense rather than quietly ignoring (especially
> because an operation like "git pack-refs" would then overwrite it,
> dropping whatever entries we didn't understand).
That's an interesting consideration. I suppose we could plan in some way
to extend the `packed-refs` format in a backwards-transparent fashion,
if there is ever an extension that old versions of git would be free to
ignore, while leaving the format strict enough that genuine corruption
would be unlikely to be overlooked. For example, we could reserve one or
more special characters which, when they appear at the beginning of a
line, mean that the line should be ignored.
But such an extension would only be practical if other Git
implementations are similarly lax. But libgit2 is currently strict about
rejecting unrecognized lines, so such an extension couldn't be
backwards-compatible with old versions of libgit2. So it doesn't seem
very useful.
Michael
next prev parent reply other threads:[~2017-07-01 18:15 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-23 7:01 [PATCH v2 00/29] Create a reference backend for packed refs Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 01/29] t1408: add a test of stale packed refs covered by loose refs Michael Haggerty
2017-06-23 18:59 ` Jeff King
2017-06-23 20:22 ` Junio C Hamano
2017-06-23 7:01 ` [PATCH v2 02/29] add_packed_ref(): teach function to overwrite existing refs Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 03/29] packed_ref_store: new struct Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 04/29] packed_ref_store: move `packed_refs_path` here Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 05/29] packed_ref_store: move `packed_refs_lock` member here Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 06/29] clear_packed_ref_cache(): take a `packed_ref_store *` parameter Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 07/29] validate_packed_ref_cache(): " Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 08/29] get_packed_ref_cache(): " Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 09/29] get_packed_refs(): " Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 10/29] add_packed_ref(): " Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 11/29] lock_packed_refs(): " Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 12/29] commit_packed_refs(): " Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 13/29] rollback_packed_refs(): " Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 14/29] get_packed_ref(): " Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 15/29] repack_without_refs(): " Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 16/29] packed_peel_ref(): new function, extracted from `files_peel_ref()` Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 17/29] packed_ref_store: support iteration Michael Haggerty
2017-06-23 19:12 ` Jeff King
2017-06-23 7:01 ` [PATCH v2 18/29] packed_read_raw_ref(): new function, replacing `resolve_packed_ref()` Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 19/29] packed-backend: new module for handling packed references Michael Haggerty
2017-06-23 19:35 ` Jeff King
2017-06-23 19:46 ` Stefan Beller
2017-06-23 21:20 ` Junio C Hamano
2017-06-23 7:01 ` [PATCH v2 20/29] packed_ref_store: make class into a subclass of `ref_store` Michael Haggerty
2017-06-23 19:40 ` Jeff King
2017-06-23 7:01 ` [PATCH v2 21/29] commit_packed_refs(): report errors rather than dying Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 22/29] commit_packed_refs(): use a staging file separate from the lockfile Michael Haggerty
2017-06-23 19:46 ` Jeff King
2017-06-24 11:43 ` Michael Haggerty
2017-06-24 11:57 ` Jeff King
2017-06-23 7:01 ` [PATCH v2 23/29] packed_refs_lock(): function renamed from lock_packed_refs() Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 24/29] packed_refs_lock(): report errors via a `struct strbuf *err` Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 25/29] packed_refs_unlock(), packed_refs_is_locked(): new functions Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 26/29] clear_packed_ref_cache(): don't protest if the lock is held Michael Haggerty
2017-06-23 19:49 ` Jeff King
2017-06-23 7:01 ` [PATCH v2 27/29] commit_packed_refs(): remove call to `packed_refs_unlock()` Michael Haggerty
2017-06-23 19:51 ` Jeff King
2017-06-23 7:01 ` [PATCH v2 28/29] repack_without_refs(): don't lock or unlock the packed refs Michael Haggerty
2017-06-23 19:56 ` Jeff King
2017-07-01 17:11 ` Michael Haggerty
2017-06-23 7:01 ` [PATCH v2 29/29] read_packed_refs(): die if `packed-refs` contains bogus data Michael Haggerty
2017-06-23 19:58 ` Jeff King
2017-07-01 18:15 ` Michael Haggerty [this message]
2017-06-23 19:01 ` [PATCH v2 00/29] Create a reference backend for packed refs Jeff King
2017-06-23 20:00 ` Jeff King
2017-06-23 21:47 ` Junio C Hamano
2017-06-24 1:11 ` Jeff King
2017-06-24 11:14 ` Michael Haggerty
2017-06-23 20:24 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9d988f17-ca61-d855-c950-2b20617ce48d@alum.mit.edu \
--to=mhagger@alum.mit.edu \
--cc=avarab@gmail.com \
--cc=bmwill@google.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=novalis@novalis.org \
--cc=pclouds@gmail.com \
--cc=peff@peff.net \
--cc=sbeller@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).