From: Junio C Hamano <gitster@pobox.com>
To: Jeff King <peff@peff.net>
Cc: Han Young <hanyang.tony@bytedance.com>,
git@vger.kernel.org, karthik.188@gmail.com, ps@pks.im,
Han Young <hanyoung@protonmail.com>, Sigma <git@sigma-star.io>
Subject: Re: [PATCH v=2 1/1] files-backend: check symref name before update
Date: Mon, 06 Oct 2025 08:52:35 -0700 [thread overview]
Message-ID: <xmqqtt0cqb7g.fsf@gitster.g> (raw)
In-Reply-To: <20251006004639.GA1462753@coredump.intra.peff.net> (Jeff King's message of "Sun, 5 Oct 2025 20:46:39 -0400")
Jeff King <peff@peff.net> writes:
>> This leaves the readers wondering why refname_is_safe(), which has
>> no direct callers other than "git show-ref verify", is sufficient
>> for the purpose of this particular validation. All other callers of
>> refname_is_safe() seem to use it only as a sanity check combined
>> with other criteria.
>>
>> For example, refs.c::transaction_refname_valid() calls
>> refname_is_safe() as a small part of its validation, together with
>> check_refname_format(). It also refuses to touch anything that
>> satisfies is_pseudo_ref().
>
> Yes, if we wanted to add a check here, it should be doing the usual
> check for a syntactically valid refname and falling back to
> refname_is_safe() only for deletions.
>
> But I'm not sure if this check is that valuable. We are in
> split_symref_update(), which takes an update to some symref and splits
> it into an update to that symref's reflog and a real update to the
> underlying target ref. So we are not checking input to the transaction
> here, but the existing state of the symref on disk. And in theory we
> should have checked that target already when we wrote it.
Yes, it was Karthik, I think, who pointed out in the ealier round
that the set-up procedure used to demonstrate the issue indicated
that it was essentially a corrupt repository doing an unexpected
thing, and I tend to agree. What you wrote in the previous
paragraph matches the reason why I questioned "is this enough?"
> I do think there are also some gaps in our symref target checks (as well
> as a few other spots). I have a series to fix those that just needs a
> little bit of polishing, and hopefully can send out this coming week.
Thanks, looking forward to reading them.
prev parent reply other threads:[~2025-10-06 15:52 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-04 14:42 [PATCH v=2 0/1] files-backend: check symref name before update Han Young
2025-10-04 14:42 ` [PATCH v=2 1/1] " Han Young
2025-10-05 21:53 ` Junio C Hamano
2025-10-06 0:46 ` Jeff King
2025-10-06 15:52 ` Junio C Hamano [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqtt0cqb7g.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=git@sigma-star.io \
--cc=git@vger.kernel.org \
--cc=hanyang.tony@bytedance.com \
--cc=hanyoung@protonmail.com \
--cc=karthik.188@gmail.com \
--cc=peff@peff.net \
--cc=ps@pks.im \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.