[PATCH] receive-pack: fix updateInstead with core.worktree

[PATCH] receive-pack: fix updateInstead with core.worktree

[Alyssa Ross]

This used to work, but when push_to_checkout() started being called
before push_to_deploy(), push_to_checkout()'s side effect of adding
GIT_WORK_TREE to the same environment that would be used by
push_to_deploy() wasn't taken into account.  Fix by only mutating the
environment for push_to_commit(), rather than the shared environment.

Fixes: a8cc594333 ("hooks: fix an obscure TOCTOU "did we just run a hook?" race")
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 builtin/receive-pack.c |  2 +-
 t/t5516-fetch-push.sh  | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
index c7b2818f20..7ee157532d 100644
--- a/builtin/receive-pack.c
+++ b/builtin/receive-pack.c
@@ -1460,8 +1460,8 @@ static const char *push_to_checkout(unsigned char *hash,
 
 	opt.invoked_hook = invoked_hook;
 
-	strvec_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
 	strvec_pushv(&opt.env, env->v);
+	strvec_pushf(&opt.env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
 	strvec_push(&opt.args, hash_to_hex(hash));
 	if (run_hooks_opt(the_repository, push_to_checkout_hook, &opt))
 		return "push-to-checkout hook declined";
diff --git a/t/t5516-fetch-push.sh b/t/t5516-fetch-push.sh
index 117cfa051f..f51fb11a6d 100755
--- a/t/t5516-fetch-push.sh
+++ b/t/t5516-fetch-push.sh
@@ -1791,6 +1791,17 @@ test_expect_success 'updateInstead with push-to-checkout hook' '
 	)
 '
 
+test_expect_success 'denyCurrentBranch and core.worktree' '
+	test_when_finished "rm -fr cloned cloned.git" &&
+	git clone --separate-git-dir cloned.git . cloned &&
+	git --git-dir cloned.git config receive.denyCurrentBranch updateInstead &&
+	git --git-dir cloned.git config core.worktree "$PWD/cloned" &&
+        test_commit raspberry &&
+	git push cloned.git HEAD:main &&
+	test_path_exists cloned/raspberry.t &&
+	test_must_fail git push --delete cloned.git main
+'
+
 test_expect_success 'denyCurrentBranch and worktrees' '
 	test_when_finished "rm -fr cloned && git worktree remove --force new-wt" &&
 	git worktree add new-wt &&

base-commit: aec3f587505a472db67e9462d0702e7d463a449d
-- 
2.53.0

Re: [PATCH] receive-pack: fix updateInstead with core.worktree

[Kristoffer Haugsbakk]

On Fri, May 22, 2026, at 17:44, Alyssa Ross wrote:
> This used to work, but when push_to_checkout() started being called
> before push_to_deploy(), push_to_checkout()'s side effect of adding
> GIT_WORK_TREE to the same environment that would be used by
> push_to_deploy() wasn't taken into account.  Fix by only mutating the
> environment for push_to_commit(), rather than the shared environment.
>
> Fixes: a8cc594333 ("hooks: fix an obscure TOCTOU "did we just run a hook?" race")

This project doesn’t use `Fixes` trailers.[1] Mentions of commits go in
the commit message body (outside the trailers) using `git log -1
--format-reference <cmt>`.

The Linux project has uses for this structured information since there
is a lot of backporting of bugfixes. But I haven’t heard of a need for
that in this project.

🔗 1: https://lore.kernel.org/git/72839071-153f-4306-a705-3be0dc203109@app.fastmail.com/

> Signed-off-by: Alyssa Ross <hi@alyssa.is>
> ---
>[snip]

Re: [PATCH] receive-pack: fix updateInstead with core.worktree

[Junio C Hamano]

Alyssa Ross <hi@alyssa.is> writes:

> This used to work, but when push_to_checkout() started being called
> before push_to_deploy(), ...

We tend to try describing where things started breaking a bit more
precisely.  The above seems to say that you know that in the past
push_to__checkout() was not called before push_to_deploy(), and it
no longer is the case these days?  Can you spell out in what commit
that change happened (refer to the commit using the "git show -s
--pretty=reference" format)?  I.e.

	... but when X started doing Y at a8cc5943 (hooks: fix an
	obscure TOCTOU "did we just run a hook?" race, 2022-03-07),
	<<this bad thing>> started to happen.

It isn't really we are exercising "checkout" and "deploy" both at
the same time, but an old commit started to always call _checkout
only to see if that actually invokes the hook, and if it didn't,
then call _deploy.  The intent still is to use either one of these,
but as you exactly identified what is wrong in the current code, the
call to _checkout that is only done to probe if it is used at all
started to contaminate the environment with that commit.

So this change ...

> -	strvec_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
>  	strvec_pushv(&opt.env, env->v);
> +	strvec_pushf(&opt.env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
>  	strvec_push(&opt.args, hash_to_hex(hash));

... looks like absolutely the right thing to do.  And ...

>  	if (run_hooks_opt(the_repository, push_to_checkout_hook, &opt))
>  		return "push-to-checkout hook declined";
> diff --git a/t/t5516-fetch-push.sh b/t/t5516-fetch-push.sh
> index 117cfa051f..f51fb11a6d 100755
> --- a/t/t5516-fetch-push.sh
> +++ b/t/t5516-fetch-push.sh
> @@ -1791,6 +1791,17 @@ test_expect_success 'updateInstead with push-to-checkout hook' '
>  	)
>  '
>  
> +test_expect_success 'denyCurrentBranch and core.worktree' '
> +	test_when_finished "rm -fr cloned cloned.git" &&
> +	git clone --separate-git-dir cloned.git . cloned &&
> +	git --git-dir cloned.git config receive.denyCurrentBranch updateInstead &&
> +	git --git-dir cloned.git config core.worktree "$PWD/cloned" &&
> +        test_commit raspberry &&
> +	git push cloned.git HEAD:main &&
> +	test_path_exists cloned/raspberry.t &&
> +	test_must_fail git push --delete cloned.git main
> +'

... a test that protects similar breakage in the future is also
excellent.

>  test_expect_success 'denyCurrentBranch and worktrees' '
>  	test_when_finished "rm -fr cloned && git worktree remove --force new-wt" &&
>  	git worktree add new-wt &&
>
> base-commit: aec3f587505a472db67e9462d0702e7d463a449d