From bf8b1e04ffa3bb6c64bb8ae50ec825b128ef957d Mon Sep 17 00:00:00 2001 From: Jeff King Date: Sat, 4 Mar 2023 05:26:14 -0500 Subject: [PATCH 1/5] bundle: let "-" mean stdin for reading operations For writing, "bundle create -" indicates that the bundle should be written to stdout. But there's no matching handling of "-" for reading operations. This is inconsistent, and a little inflexible (though one can always use "/dev/stdin" on systems that support it). However, it's easy to change. Once upon a time, the bundle-reading code required a seekable descriptor, but that was fixed long ago in e9ee84cf28b (bundle: allowing to read from an unseekable fd, 2011-10-13). So we just need to handle "-" explicitly when opening the file. We _could_ do this by handling "-" in read_bundle_header(), which the reading functions all call already. But that is probably a bad idea. It's also used by low-level code like the transport functions, and we may want to be more careful there. We do not know that stdin is even available to us, and certainly we would not want to get confused by a configured URL that happens to point to "-". So instead, let's add a helper to builtin/bundle.c. Since both the bundle code and some of the callers refer to the bundle by name for error messages, let's use the string "" to make the output a bit nicer to read. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- builtin/bundle.c | 26 ++++++++++++++++++++++---- t/t6020-bundle-misc.sh | 15 +++++++++++++++ 2 files changed, 37 insertions(+), 4 deletions(-) diff --git a/builtin/bundle.c b/builtin/bundle.c index acceef6200..02dab1cfa0 100644 --- a/builtin/bundle.c +++ b/builtin/bundle.c @@ -107,6 +107,23 @@ static int cmd_bundle_create(int argc, const char **argv, const char *prefix) { return ret; } +/* + * Similar to read_bundle_header(), but handle "-" as stdin. + */ +static int open_bundle(const char *path, struct bundle_header *header, + const char **name) +{ + if (!strcmp(path, "-")) { + if (name) + *name = ""; + return read_bundle_header_fd(0, header, ""); + } + + if (name) + *name = path; + return read_bundle_header(path, header); +} + static int cmd_bundle_verify(int argc, const char **argv, const char *prefix) { struct bundle_header header = BUNDLE_HEADER_INIT; int bundle_fd = -1; @@ -118,12 +135,13 @@ static int cmd_bundle_verify(int argc, const char **argv, const char *prefix) { OPT_END() }; char *bundle_file; + const char *name; argc = parse_options_cmd_bundle(argc, argv, prefix, builtin_bundle_verify_usage, options, &bundle_file); /* bundle internals use argv[1] as further parameters */ - if ((bundle_fd = read_bundle_header(bundle_file, &header)) < 0) { + if ((bundle_fd = open_bundle(bundle_file, &header, &name)) < 0) { ret = 1; goto cleanup; } @@ -134,7 +152,7 @@ static int cmd_bundle_verify(int argc, const char **argv, const char *prefix) { goto cleanup; } - fprintf(stderr, _("%s is okay\n"), bundle_file); + fprintf(stderr, _("%s is okay\n"), name); ret = 0; cleanup: free(bundle_file); @@ -155,7 +173,7 @@ static int cmd_bundle_list_heads(int argc, const char **argv, const char *prefix builtin_bundle_list_heads_usage, options, &bundle_file); /* bundle internals use argv[1] as further parameters */ - if ((bundle_fd = read_bundle_header(bundle_file, &header)) < 0) { + if ((bundle_fd = open_bundle(bundle_file, &header, NULL)) < 0) { ret = 1; goto cleanup; } @@ -185,7 +203,7 @@ static int cmd_bundle_unbundle(int argc, const char **argv, const char *prefix) builtin_bundle_unbundle_usage, options, &bundle_file); /* bundle internals use argv[1] as further parameters */ - if ((bundle_fd = read_bundle_header(bundle_file, &header)) < 0) { + if ((bundle_fd = open_bundle(bundle_file, &header, NULL)) < 0) { ret = 1; goto cleanup; } diff --git a/t/t6020-bundle-misc.sh b/t/t6020-bundle-misc.sh index 3a1cf30b1d..063e8ce6b4 100755 --- a/t/t6020-bundle-misc.sh +++ b/t/t6020-bundle-misc.sh @@ -566,4 +566,19 @@ test_expect_success 'cloning from filtered bundle has useful error' ' grep "cannot clone from filtered bundle" err ' +test_expect_success 'read bundle over stdin' ' + git bundle create some.bundle HEAD && + + git bundle verify - err && + grep " is okay" err && + + git bundle list-heads some.bundle >expect && + git bundle list-heads - actual && + test_cmp expect actual && + + git bundle unbundle some.bundle >expect && + git bundle unbundle - actual && + test_cmp expect actual +' + test_done From ef3b291a5f19d7e3b7f4cc4524003e50d40614f7 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Sat, 4 Mar 2023 05:26:40 -0500 Subject: [PATCH 2/5] bundle: document handling of "-" as stdin We have always allowed "bundle create -" to write to stdout, but it was never documented. And a recent patch let reading operations like "bundle list-heads -" read from stdin. Let's document all of these cases. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- Documentation/git-bundle.txt | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Documentation/git-bundle.txt b/Documentation/git-bundle.txt index 18a022b4b4..d19f4cf2b3 100644 --- a/Documentation/git-bundle.txt +++ b/Documentation/git-bundle.txt @@ -66,7 +66,7 @@ create [options] :: Used to create a bundle named 'file'. This requires the '' arguments to define the bundle contents. 'options' contains the options specific to the 'git bundle create' - subcommand. + subcommand. If 'file' is `-`, the bundle is written to stdout. verify :: Used to check that a bundle file is valid and will apply @@ -77,12 +77,13 @@ verify :: Finally, information about additional capabilities, such as "object filter", is printed. See "Capabilities" in linkgit:gitformat-bundle[5] for more information. The exit code is zero for success, but will - be nonzero if the bundle file is invalid. + be nonzero if the bundle file is invalid. If 'file' is `-`, the + bundle is read from stdin. list-heads :: Lists the references defined in the bundle. If followed by a list of references, only references matching those given are - printed out. + printed out. If 'file' is `-`, the bundle is read from stdin. unbundle :: Passes the objects in the bundle to 'git index-pack' @@ -90,6 +91,7 @@ unbundle :: defined references. If a list of references is given, only references matching those in the list are printed. This command is really plumbing, intended to be called only by 'git fetch'. + If 'file' is `-`, the bundle is read from stdin. :: A list of arguments, acceptable to 'git rev-parse' and From a8bfa99d443d3c461217db4924f8eca24caa055a Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Sat, 4 Mar 2023 05:27:56 -0500 Subject: [PATCH 3/5] bundle: don't blindly apply prefix_filename() to "-" A user can specify a filename to a command from the command line, either as the value given to a command line option, or a command line argument. When it is given as a relative filename, in the user's mind, it is relative to the directory "git" was started from, but by the time the filename is used, "git" would almost always have chdir()'ed up to the root level of the working tree. The given filename, if it is relative, needs to be prefixed with the path to the current directory, and it typically is done by calling prefix_filename() helper function. For commands that can also take "-" to use the standard input or the standard output, however, this needs to be done with care. "git bundle create" uses the next word on the command line as the output filename, and can take "-" to mean "write to the standard output". It blindly called prefix_filename(), so running it in a subdirectory did not quite work as expected. Introduce a new helper, prefix_filename_except_for_dash(), and use it to help "git bundle create" codepath. Reported-by: Michael Henry Helped-by: Jeff King Signed-off-by: Junio C Hamano Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- abspath.c | 7 +++++++ builtin/bundle.c | 2 +- cache.h | 3 +++ t/t6020-bundle-misc.sh | 11 +++++++++++ 4 files changed, 22 insertions(+), 1 deletion(-) diff --git a/abspath.c b/abspath.c index 39e06b5848..9a81c5525b 100644 --- a/abspath.c +++ b/abspath.c @@ -280,3 +280,10 @@ char *prefix_filename(const char *pfx, const char *arg) #endif return strbuf_detach(&path, NULL); } + +char *prefix_filename_except_for_dash(const char *pfx, const char *arg) +{ + if (!strcmp(arg, "-")) + return xstrdup(arg); + return prefix_filename(pfx, arg); +} diff --git a/builtin/bundle.c b/builtin/bundle.c index 02dab1cfa0..eca39b64bf 100644 --- a/builtin/bundle.c +++ b/builtin/bundle.c @@ -59,7 +59,7 @@ static int parse_options_cmd_bundle(int argc, PARSE_OPT_STOP_AT_NON_OPTION); if (!argc) usage_msg_opt(_("need a argument"), usagestr, options); - *bundle_file = prefix_filename(prefix, argv[0]); + *bundle_file = prefix_filename_except_for_dash(prefix, argv[0]); return argc; } diff --git a/cache.h b/cache.h index fcf49706ad..d21b19a402 100644 --- a/cache.h +++ b/cache.h @@ -634,6 +634,9 @@ char *prefix_path_gently(const char *prefix, int len, int *remaining, const char */ char *prefix_filename(const char *prefix, const char *path); +/* Likewise, but path=="-" always yields "-" */ +char *prefix_filename_except_for_dash(const char *prefix, const char *path); + int check_filename(const char *prefix, const char *name); void verify_filename(const char *prefix, const char *name, diff --git a/t/t6020-bundle-misc.sh b/t/t6020-bundle-misc.sh index 063e8ce6b4..7fc39660f1 100755 --- a/t/t6020-bundle-misc.sh +++ b/t/t6020-bundle-misc.sh @@ -581,4 +581,15 @@ test_expect_success 'read bundle over stdin' ' test_cmp expect actual ' +test_expect_success 'send a bundle to standard output' ' + git bundle create - --all HEAD >bundle-one && + mkdir -p down && + git -C down bundle create - --all HEAD >bundle-two && + git bundle verify bundle-one && + git bundle verify bundle-two && + git ls-remote bundle-one >expect && + git ls-remote bundle-two >actual && + test_cmp expect actual +' + test_done From 7ce4088ab78e06fc5c4ae42fc75b65a48bf7b3ff Mon Sep 17 00:00:00 2001 From: Jeff King Date: Sat, 4 Mar 2023 05:31:22 -0500 Subject: [PATCH 4/5] parse-options: consistently allocate memory in fix_filename() When handling OPT_FILENAME(), we have to stick the "prefix" (if any) in front of the filename to make up for the fact that Git has chdir()'d to the top of the repository. We can do this with prefix_filename(), but there are a few special cases we handle ourselves. Unfortunately the memory allocation is inconsistent here; if we do make it to prefix_filename(), we'll allocate a string which the caller must free to avoid a leak. But if we hit our special cases, we'll return the string as-is, and a caller which tries to free it will crash. So there's no way to win. Let's consistently allocate, so that callers can do the right thing. There are now three cases to care about in the function (and hence a three-armed if/else): 1. we got a NULL input (and should leave it as NULL, though arguably this is the sign of a bug; let's keep the status quo for now and we can pick at that scab later) 2. we hit a special case that means we leave the name intact; we should duplicate the string. This includes our special "-" matching. Prior to this patch, it also included empty prefixes and absolute filenames. But we can observe that prefix_filename() already handles these, so we don't need to detect them. 3. everything else goes to prefix_filename() I've dropped the "const" from the "char **file" parameter to indicate that we're allocating, though in practice it's not really important. This is all being shuffled through a void pointer via opt->value before it hits code which ever looks at the string. And it's even a bit weird, because we are really taking _in_ a const string and using the same out-parameter for a non-const string. A better function signature would be: static char *fix_filename(const char *prefix, const char *file); but that would mean the caller dereferences the double-pointer (and the NULL check is currently handled inside this function). So I took the path of least-change here. Note that we have to fix several callers in this commit, too, or we'll break the leak-checking tests. These are "new" leaks in the sense that they are now triggered by the test suite, but these spots have always been leaky when Git is run in a subdirectory of the repository. I fixed all of the cases that trigger with GIT_TEST_PASSING_SANITIZE_LEAK. There may be others in scripts that have other leaks, but we can fix them later along with those other leaks (and again, you _couldn't_ fix them before this patch, so this is the necessary first step). Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- builtin/archive.c | 3 ++- builtin/checkout.c | 3 ++- builtin/reset.c | 4 +++- builtin/tag.c | 4 +++- parse-options.c | 14 ++++++++------ t/helper/test-parse-pathspec-file.c | 3 ++- 6 files changed, 20 insertions(+), 11 deletions(-) diff --git a/builtin/archive.c b/builtin/archive.c index f094390ee0..d0a583ea95 100644 --- a/builtin/archive.c +++ b/builtin/archive.c @@ -81,7 +81,7 @@ static int run_remote_archiver(int argc, const char **argv, int cmd_archive(int argc, const char **argv, const char *prefix) { const char *exec = "git-upload-archive"; - const char *output = NULL; + char *output = NULL; const char *remote = NULL; struct option local_opts[] = { OPT_FILENAME('o', "output", &output, @@ -106,5 +106,6 @@ int cmd_archive(int argc, const char **argv, const char *prefix) setvbuf(stderr, NULL, _IOLBF, BUFSIZ); + UNLEAK(output); return write_archive(argc, argv, prefix, the_repository, output, 0); } diff --git a/builtin/checkout.c b/builtin/checkout.c index 3fa29a08ee..6875dc60c4 100644 --- a/builtin/checkout.c +++ b/builtin/checkout.c @@ -74,7 +74,7 @@ struct checkout_opts { const char *ignore_unmerged_opt; int ignore_unmerged; int pathspec_file_nul; - const char *pathspec_from_file; + char *pathspec_from_file; const char *new_branch; const char *new_branch_force; @@ -1872,6 +1872,7 @@ int cmd_checkout(int argc, const char **argv, const char *prefix) options, checkout_usage, &new_branch_info); branch_info_release(&new_branch_info); clear_pathspec(&opts.pathspec); + free(opts.pathspec_from_file); FREE_AND_NULL(options); return ret; } diff --git a/builtin/reset.c b/builtin/reset.c index d2e0185e55..28083387cb 100644 --- a/builtin/reset.c +++ b/builtin/reset.c @@ -316,7 +316,8 @@ int cmd_reset(int argc, const char **argv, const char *prefix) int reset_type = NONE, update_ref_status = 0, quiet = 0; int no_refresh = 0; int patch_mode = 0, pathspec_file_nul = 0, unborn; - const char *rev, *pathspec_from_file = NULL; + const char *rev; + char *pathspec_from_file = NULL; struct object_id oid; struct pathspec pathspec; int intent_to_add = 0; @@ -486,5 +487,6 @@ int cmd_reset(int argc, const char **argv, const char *prefix) if (!pathspec.nr) remove_branch_state(the_repository, 0); + free(pathspec_from_file); return update_ref_status; } diff --git a/builtin/tag.c b/builtin/tag.c index d428c45dc8..ccefcbd716 100644 --- a/builtin/tag.c +++ b/builtin/tag.c @@ -433,7 +433,8 @@ int cmd_tag(int argc, const char **argv, const char *prefix) int create_reflog = 0; int annotate = 0, force = 0; int cmdmode = 0, create_tag_object = 0; - const char *msgfile = NULL, *keyid = NULL; + char *msgfile = NULL; + const char *keyid = NULL; struct msg_arg msg = { .buf = STRBUF_INIT }; struct ref_transaction *transaction; struct strbuf err = STRBUF_INIT; @@ -643,5 +644,6 @@ int cmd_tag(int argc, const char **argv, const char *prefix) strbuf_release(&reflog_msg); strbuf_release(&msg.buf); strbuf_release(&err); + free(msgfile); return ret; } diff --git a/parse-options.c b/parse-options.c index a1ec932f0f..70f827a073 100644 --- a/parse-options.c +++ b/parse-options.c @@ -59,12 +59,14 @@ static enum parse_opt_result get_arg(struct parse_opt_ctx_t *p, return 0; } -static void fix_filename(const char *prefix, const char **file) +static void fix_filename(const char *prefix, char **file) { - if (!file || !*file || !prefix || is_absolute_path(*file) - || !strcmp("-", *file)) - return; - *file = prefix_filename(prefix, *file); + if (!file || !*file) + ; /* leave as NULL */ + else if (!strcmp("-", *file)) + *file = xstrdup(*file); + else + *file = prefix_filename(prefix, *file); } static enum parse_opt_result opt_command_mode_error( @@ -177,7 +179,7 @@ static enum parse_opt_result get_value(struct parse_opt_ctx_t *p, err = get_arg(p, opt, flags, (const char **)opt->value); if (!err) - fix_filename(p->prefix, (const char **)opt->value); + fix_filename(p->prefix, (char **)opt->value); return err; case OPTION_CALLBACK: diff --git a/t/helper/test-parse-pathspec-file.c b/t/helper/test-parse-pathspec-file.c index b3e08cef4b..71d2131fba 100644 --- a/t/helper/test-parse-pathspec-file.c +++ b/t/helper/test-parse-pathspec-file.c @@ -6,7 +6,7 @@ int cmd__parse_pathspec_file(int argc, const char **argv) { struct pathspec pathspec; - const char *pathspec_from_file = NULL; + char *pathspec_from_file = NULL; int pathspec_file_nul = 0, i; static const char *const usage[] = { @@ -29,5 +29,6 @@ int cmd__parse_pathspec_file(int argc, const char **argv) printf("%s\n", pathspec.items[i].original); clear_pathspec(&pathspec); + free(pathspec_from_file); return 0; } From 0bbe10313e0b61812082d47431e8648f9df48f15 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Sat, 4 Mar 2023 05:31:47 -0500 Subject: [PATCH 5/5] parse-options: use prefix_filename_except_for_dash() helper Since our fix_filename()'s only remaining special case is handling "-", we can use the newly-minted helper function that handles this already. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- parse-options.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/parse-options.c b/parse-options.c index 70f827a073..46fe30ddd4 100644 --- a/parse-options.c +++ b/parse-options.c @@ -63,10 +63,8 @@ static void fix_filename(const char *prefix, char **file) { if (!file || !*file) ; /* leave as NULL */ - else if (!strcmp("-", *file)) - *file = xstrdup(*file); else - *file = prefix_filename(prefix, *file); + *file = prefix_filename_except_for_dash(prefix, *file); } static enum parse_opt_result opt_command_mode_error(