From: Michael Haggerty <mhagger@alum.mit.edu>
To: Ronnie Sahlberg <sahlberg@google.com>
Cc: Junio C Hamano <gitster@pobox.com>,
Jonathan Nieder <jrnieder@gmail.com>,
"git@vger.kernel.org" <git@vger.kernel.org>
Subject: Re: [PATCH v20 43/48] refs.c: move the check for valid refname to lock_ref_sha1_basic
Date: Fri, 22 Aug 2014 14:41:05 +0200
Message-ID: <53F73A61.1010606@alum.mit.edu>
In-Reply-To: <CAL=YDWkfMMqYdOVWfBJkMncPnm8GwMdd1q4ipD_Y_r-nBet+2w@mail.gmail.com>

On 08/20/2014 11:47 PM, Ronnie Sahlberg wrote:
> [...]
> Since we already display broken/unresolvable refs, I think the most
> consistent path is to also allow showing the refs broken/illegal-names
> too in the list. (when DO_FOR_EACH_INCLUDE_BROKEN is specified)
> Of course, an end user could fix this by deleting the file but since
> it is easy to add the special casing to 'git branch -D' to handle this
> case I think this would be more user-friendly since then the user can
> use git branch -D regardless of the reason why the ref is broken.

My concern with this idea is that some code relies on at least some of
the reference name constraints for its proper functioning; for example,

* The ref caching code would likely be confused by ill-formed refnames
  like "refs/heads//foo" or "/refs/heads/foo" or "refs/heads/foo/". (I
  understand that such references cannot exist as loose refs, but they
  could be represented in the packed-refs file.)

* Any code that might try to read or write a loose reference would
  likely be confused by "refs/heads//foo" or "refs/heads/./foo" or
  "refs/heads/../foo" or "/refs/heads/foo" or "refs/heads/foo/". On
  Windows there might also be problems with "refs/heads\foo" or
  "d:refs/heads/foo" or "prn:refs/heads/foo" or "//refs/heads/foo".

* The locking code could easily be confused by a reference named
  "refs/heads/foo.lock".

So to the extent that we loosen the checks on refnames when they are
read, we would have to re-vet any code that touches them to make sure
that it doesn't break in a horrible (and possibly security-compromising)
way. This is why I would prefer to quarantine broken reference names in
the smallest possible part of the code.

I *think* that the biggest problems would be related to reference names
that do not map straightforwardly to relative filenames, so an
alternative would be to do some minimal checks in any case, but make it
possible to turn off the stricter checks (those that mostly exist to
make reference expression parsing possible) when necessary.

Michael

--
Michael Haggerty
mhagger@alum.mit.edu
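
The "minimal checks in any case" alternative from the message above could look roughly like the following. This is an added example, not code from git's refs.c or from anyone in the thread; the function names and the exact rule set are assumptions derived only from the refnames the message lists as problematic.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: is one '/'-separated component usable as a filename? */
static int component_is_safe(const char *c, size_t len)
{
	if (len == 0)
		return 0;	/* "//", a leading "/" or a trailing "/" */
	if ((len == 1 && c[0] == '.') || (len == 2 && c[0] == '.' && c[1] == '.'))
		return 0;	/* "." and ".." walk the directory tree */
	if (len >= 5 && !memcmp(c + len - 5, ".lock", 5))
		return 0;	/* would collide with the "<ref>.lock" lockfile */
	return 1;
}

/*
 * Hypothetical minimal check (assumed rule set): 1 if refname maps
 * straightforwardly to a relative filename, 0 if it must stay quarantined.
 * Syntax-only rules of the strict check (e.g. ".." inside a component,
 * which matters for revision-range parsing) are deliberately not applied.
 */
int refname_is_fs_safe(const char *refname)
{
	const char *start = refname, *p;

	for (p = refname; ; p++) {
		if (*p == '\\' || *p == ':')
			return 0;	/* Windows separator, drive or device prefix */
		if (*p == '/' || *p == '\0') {
			if (!component_is_safe(start, (size_t)(p - start)))
				return 0;
			if (*p == '\0')
				return 1;
			start = p + 1;
		}
	}
}

int main(void)
{
	/* The names quoted in the message, plus one well-formed name. */
	static const char *names[] = {
		"refs/heads/foo", "refs/heads//foo", "/refs/heads/foo",
		"refs/heads/foo/", "refs/heads/./foo", "refs/heads/../foo",
		"refs/heads\\foo", "d:refs/heads/foo", "prn:refs/heads/foo",
		"//refs/heads/foo", "refs/heads/foo.lock",
	};
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-22s %s\n", names[i],
		       refname_is_fs_safe(names[i]) ? "ok" : "quarantine");
	return 0;
}
```

A name such as "refs/heads/a..b" passes this check while the strict refname rules reject it, which is the split between filesystem-safety checks and expression-parsing checks that the message proposes.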