From: Jeff King <peff@peff.net>
To: git@vger.kernel.org
Cc: Junio C Hamano <gitster@pobox.com>
Subject: [PATCH 3/3] upload-pack: load non-tip "want" objects from disk
Date: Sat, 16 Mar 2013 06:28:30 -0400 [thread overview]
Message-ID: <20130316102830.GC29533@sigill.intra.peff.net> (raw)
In-Reply-To: <20130316102428.GA29358@sigill.intra.peff.net>
It is a long-time security feature that upload-pack will not
serve any "want" lines that do not correspond to the tip of
one of our refs. Traditionally, this was enforced by
checking the objects in the in-memory hash; they should have
been loaded and received the OUR_REF flag during the
advertisement.
The stateless-rpc mode, however, has a race condition here:
one process advertises, and another receives the want lines,
so the refs may have changed in the interim. To address
this, commit 051e400 added a new verification mode; if the
object is not OUR_REF, we set a "has_non_tip" flag, and then
later verify that the requested objects are reachable from
our current tips.
However, we still die immediately when the object is not in
our in-memory hash, and at this point we should only have
loaded our tip objects. So the check_non_tip code path does
not ever actually trigger, as any non-tip objects would
have already caused us to die.
We can fix that by using parse_object instead of
lookup_object, which will load the object from disk if it
has not already been loaded.
We still need to check that parse_object does not return
NULL, though, as it is possible we do not have the object
at all. A more appropriate error message would be "no such
object" rather than "not our ref"; however, we do not want
to leak information about what objects are or are not in
the object database, so we continue to use the same "not
our ref" message that would be produced by an unreachable
object.
Signed-off-by: Jeff King <peff@peff.net>
---
upload-pack.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/upload-pack.c b/upload-pack.c
index 41736ec..948cfff 100644
--- a/upload-pack.c
+++ b/upload-pack.c
@@ -638,8 +638,8 @@ static void receive_needs(void)
if (parse_feature_request(features, "include-tag"))
use_include_tag = 1;
- o = lookup_object(sha1_buf);
- if (!o || !parse_object(o->sha1))
+ o = parse_object(sha1_buf);
+ if (!o)
die("git upload-pack: not our ref %s",
sha1_to_hex(sha1_buf));
if (!(o->flags & WANTED)) {
--
1.8.2.rc2.7.gef06216
next prev parent reply other threads:[~2013-03-16 10:29 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-16 10:24 [PATCH 0/3] fix unparsed object access in upload-pack Jeff King
2013-03-16 10:25 ` [PATCH 1/3] upload-pack: drop lookup-before-parse optimization Jeff King
2013-03-16 10:27 ` [PATCH 2/3] upload-pack: make sure "want" objects are parsed Jeff King
2013-03-16 10:28 ` Jeff King [this message]
2013-03-17 5:16 ` [PATCH 0/3] fix unparsed object access in upload-pack Junio C Hamano
2013-03-17 5:40 ` Jeff King
2013-03-17 6:17 ` Junio C Hamano
2013-03-17 8:47 ` Jeff King
2013-03-17 16:38 ` René Scharfe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130316102830.GC29533@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).