From: Michael Haggerty <mhagger@alum.mit.edu>
To: Ronnie Sahlberg <sahlberg@google.com>,
Jonathan Nieder <jrnieder@gmail.com>
Cc: "git@vger.kernel.org" <git@vger.kernel.org>
Subject: Re: [PATCH v20 43/48] refs.c: move the check for valid refname to lock_ref_sha1_basic
Date: Wed, 20 Aug 2014 16:52:50 +0200 [thread overview]
Message-ID: <53F4B642.7020002@alum.mit.edu> (raw)
In-Reply-To: <CAL=YDWmc2gkw=8YavWHyLUAD4du7saPrKzPKT+dsCfdZJz1EiA@mail.gmail.com>
On 07/15/2014 10:58 PM, Ronnie Sahlberg wrote:
> On Tue, Jul 15, 2014 at 12:34 PM, Ronnie Sahlberg <sahlberg@google.com> wrote:
>> On Tue, Jul 15, 2014 at 11:04 AM, Jonathan Nieder <jrnieder@gmail.com> wrote:
>>> Michael Haggerty wrote:
>>>
>>>> So...I like the idea of enforcing refname checks at the lowest level
>>>> possible, but I think that the change you propose is too abrupt. I
>>>> think it needs either more careful analysis showing that it won't hurt
>>>> anybody, or some kind of tooling or non-strict mode that people can use
>>>> to fix their repositories.
>>>
>>> The recovery code has been broken for a while, so I don't see harm
>>> in this change.
>>>
>>> How to take care of the recovery use case is another question. FWIW I
>>> also would prefer if "git update-ref -d" or "git branch -D" could be
>>> used to delete corrupt refs instead of having to use fsck (since a
>>> fsck run can take a while), but that's a question for a later series.
>>>
>>> In an ideal world, the low-level functions would allow *reading* and
>>> *deleting* poorly named refs (even without any special flag) but not
>>> creating them. Is that doable?
>>
>> That should be doable. Ill add these repairs as 3-4 new patches at the
>> end of the current patch series.
>>
>>> The main complication I can see is
>>> iteration: would iteration skip poorly named refs and warn, or would
>>> something more complicated be needed?
I think we can get away with not including broken refnames when
iterating. After all, the main goal of tolerating them is to let them
be deleted, right? Then as long as iteration is not needed to implement
the command "git update-ref -d", it seems to me that it is OK if
iterating over a reference with a broken name causes a die().
>> Right now, "git branch" will error and abort right away when it
>> finds the first bad ref. I haven't checked the exact spot it does this
>> yet but I suspect it is when building the ref-cache.
>> I will solve the cases for create and delete for now.
>>
>>
>> What/how to handle iterables will require more thought.
>> Right now, since these refs will be filtered out and never end up in
>> ref-cache, either from loose refs or from packed refs
>> it does mean that anyone that uses an iterator is guaranteed to only
>> get refs with valid names passed back to them.
>> We would need to audit all code that uses iterators and make sure it
>> can handle the case where the callback is suddenly
>> invoked with a bad refname.
>>
>>>
>>> Thanks,
>>> Jonathan
>
> The following seems to do the trick to allow deleting a bad ref. We
> would need something for the iterator too.
> Since this touches the same areas that my ~100 other ref transaction
> patches that are queued up do, I
> would like to wait applying this patch until once the next few series
> are finished and merged.
> (to avoid having to do a lot of rebases and fix legio of merge
> conflicts that this would introduce in my branches).
>
>
> Treat this as an approximation on what the fix to repair git branch -D
> will look like once the time comes.
I'm a little worried that abandoning *all* refname checks could open us
up to somehow trying to delete a "reference" with a name like
"../../../../etc/passwd". Either such names have to be prohibited
somehow, or we have to be very sure that they can only come from trusted
sources.
Michael
--
Michael Haggerty
mhagger@alum.mit.edu
next prev parent reply other threads:[~2014-08-20 14:53 UTC|newest]
Thread overview: 99+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-20 14:42 [PATCH v20 00/48] Use ref transactions Ronnie Sahlberg
2014-06-20 14:42 ` [PATCH v20 01/48] refs.c: remove ref_transaction_rollback Ronnie Sahlberg
2014-06-20 14:42 ` [PATCH v20 02/48] refs.c: ref_transaction_commit should not free the transaction Ronnie Sahlberg
2014-06-20 14:42 ` [PATCH v20 03/48] refs.c: constify the sha arguments for ref_transaction_create|delete|update Ronnie Sahlberg
2014-06-20 14:42 ` [PATCH v20 04/48] refs.c: allow passing NULL to ref_transaction_free Ronnie Sahlberg
2014-06-20 14:42 ` [PATCH v20 05/48] refs.c: add a strbuf argument to ref_transaction_commit for error logging Ronnie Sahlberg
2014-06-20 14:42 ` [PATCH v20 06/48] lockfile.c: add a new public function unable_to_lock_message Ronnie Sahlberg
2014-06-20 14:42 ` [PATCH v20 07/48] lockfile.c: make lock_file return a meaningful errno on failurei Ronnie Sahlberg
2014-07-08 11:47 ` Michael Haggerty
2014-06-20 14:42 ` [PATCH v20 08/48] refs.c: add an err argument to repack_without_refs Ronnie Sahlberg
2014-06-20 14:42 ` [PATCH v20 09/48] refs.c: make sure log_ref_setup returns a meaningful errno Ronnie Sahlberg
2014-06-20 14:42 ` [PATCH v20 10/48] refs.c: verify_lock should set errno to something meaningful Ronnie Sahlberg
2014-06-20 14:42 ` [PATCH v20 11/48] refs.c: make remove_empty_directories always set errno to something sane Ronnie Sahlberg
2014-06-20 14:42 ` [PATCH v20 12/48] refs.c: commit_packed_refs to return a meaningful errno on failure Ronnie Sahlberg
2014-06-20 14:42 ` [PATCH v20 13/48] refs.c: make resolve_ref_unsafe set errno to something meaningful on error Ronnie Sahlberg
2014-06-26 9:54 ` Karsten Blees
2014-06-20 14:42 ` [PATCH v20 14/48] refs.c: log_ref_write should try to return meaningful errno Ronnie Sahlberg
2014-06-20 14:42 ` [PATCH v20 15/48] refs.c: make ref_update_reject_duplicates take a strbuf argument for errors Ronnie Sahlberg
2014-06-20 14:42 ` [PATCH v20 16/48] refs.c: make update_ref_write update a strbuf on failure Ronnie Sahlberg
2014-06-20 14:42 ` [PATCH v20 17/48] update-ref: use err argument to get error from ref_transaction_commit Ronnie Sahlberg
2014-06-20 14:42 ` [PATCH v20 18/48] refs.c: remove the onerr argument to ref_transaction_commit Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 19/48] refs.c: change ref_transaction_update() to do error checking and return status Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 20/48] refs.c: change ref_transaction_create " Ronnie Sahlberg
2014-07-08 11:48 ` Michael Haggerty
2014-07-14 17:44 ` Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 21/48] refs.c: update ref_transaction_delete to check for error " Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 22/48] refs.c: make ref_transaction_begin take an err argument Ronnie Sahlberg
2014-07-08 11:53 ` Michael Haggerty
2014-07-14 17:45 ` Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 23/48] refs.c: add transaction.status and track OPEN/CLOSED/ERROR Ronnie Sahlberg
2014-07-08 12:00 ` Michael Haggerty
2014-07-14 17:55 ` Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 24/48] tag.c: use ref transactions when doing updates Ronnie Sahlberg
2014-07-08 12:33 ` Michael Haggerty
2014-06-20 14:43 ` [PATCH v20 25/48] replace.c: use the ref transaction functions for updates Ronnie Sahlberg
2014-07-08 12:35 ` Michael Haggerty
2014-07-14 21:19 ` Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 26/48] commit.c: use ref transactions " Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 27/48] sequencer.c: use ref transactions for all ref updates Ronnie Sahlberg
2014-07-08 12:23 ` Michael Haggerty
2014-07-14 22:20 ` Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 28/48] fast-import.c: change update_branch to use ref transactions Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 29/48] branch.c: use ref transaction for all ref updates Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 30/48] refs.c: change update_ref to use a transaction Ronnie Sahlberg
2014-07-08 12:54 ` Michael Haggerty
2014-07-14 18:49 ` Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 31/48] receive-pack.c: use a reference transaction for updating the refs Ronnie Sahlberg
2014-07-08 13:20 ` Michael Haggerty
2014-07-14 18:51 ` Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 32/48] fast-import.c: use a ref transaction when dumping tags Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 33/48] walker.c: use ref transaction for ref updates Ronnie Sahlberg
2014-07-08 13:33 ` Michael Haggerty
2014-07-14 18:05 ` Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 34/48] refs.c: make lock_ref_sha1 static Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 35/48] refs.c: remove the update_ref_lock function Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 36/48] refs.c: remove the update_ref_write function Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 37/48] refs.c: remove lock_ref_sha1 Ronnie Sahlberg
2014-07-08 13:38 ` Michael Haggerty
2014-06-20 14:43 ` [PATCH v20 38/48] refs.c: make prune_ref use a transaction to delete the ref Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 39/48] refs.c: make delete_ref use a transaction Ronnie Sahlberg
2014-07-08 13:52 ` Michael Haggerty
2014-07-14 20:50 ` Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 40/48] refs.c: add an err argument to delete_ref_loose Ronnie Sahlberg
2014-07-08 14:19 ` Michael Haggerty
2014-07-16 18:53 ` Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 41/48] refs.c: pass the ref log message to _create/delete/update instead of _commit Ronnie Sahlberg
2014-07-08 14:39 ` Michael Haggerty
2014-06-20 14:43 ` [PATCH v20 42/48] refs.c: pass NULL as *flags to read_ref_full Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 43/48] refs.c: move the check for valid refname to lock_ref_sha1_basic Ronnie Sahlberg
2014-07-08 15:02 ` Michael Haggerty
2014-07-15 16:40 ` Ronnie Sahlberg
2014-07-15 18:07 ` Jonathan Nieder
2014-07-15 18:04 ` Jonathan Nieder
2014-07-15 18:34 ` Junio C Hamano
2014-07-15 19:35 ` Ronnie Sahlberg
2014-07-15 19:34 ` Ronnie Sahlberg
2014-07-15 20:58 ` Ronnie Sahlberg
2014-08-20 14:52 ` Michael Haggerty [this message]
2014-08-20 16:28 ` Ronnie Sahlberg
2014-08-20 17:49 ` Jonathan Nieder
2014-08-20 17:55 ` Ronnie Sahlberg
2014-08-20 18:34 ` Michael Haggerty
2014-08-21 19:42 ` Ronnie Sahlberg
2014-08-20 19:45 ` Junio C Hamano
2014-08-20 20:11 ` Michael Haggerty
2014-08-20 21:24 ` Junio C Hamano
2014-08-20 21:47 ` Ronnie Sahlberg
2014-08-22 12:41 ` Michael Haggerty
2014-06-20 14:43 ` [PATCH v20 44/48] refs.c: call lock_ref_sha1_basic directly from commit Ronnie Sahlberg
2014-07-08 15:07 ` Michael Haggerty
2014-06-20 14:43 ` [PATCH v20 45/48] refs.c: pass a skip list to name_conflict_fn Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 46/48] refs.c: propagate any errno==ENOTDIR from _commit back to the callers Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 47/48] fetch.c: change s_update_ref to use a ref transaction Ronnie Sahlberg
2014-06-20 14:43 ` [PATCH v20 48/48] refs.c: make write_ref_sha1 static Ronnie Sahlberg
2014-07-08 16:29 ` [PATCH v20 00/48] Use ref transactions Michael Haggerty
2014-07-08 18:48 ` Junio C Hamano
2014-07-09 5:02 ` Jeff King
2014-07-14 16:16 ` Ronnie Sahlberg
2014-07-14 15:03 ` Ronnie Sahlberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53F4B642.7020002@alum.mit.edu \
--to=mhagger@alum.mit.edu \
--cc=git@vger.kernel.org \
--cc=jrnieder@gmail.com \
--cc=sahlberg@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).