From 13228c30a6476456ee64eb7cefb7786d82fd2ca7 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Mon, 27 Feb 2017 04:25:40 -0500 Subject: [PATCH 1/9] interpret_branch_name(): handle auto-namelen for @{-1} The interpret_branch_name() function takes a ptr/len pair for the name, but you can pass "0" for "namelen", which will cause it to check the length with strlen(). However, before we do that auto-namelen magic, we call interpret_nth_prior_checkout(), which gets fed the bogus "0". This was broken by 8cd4249c4 (interpret_branch_name: always respect "namelen" parameter, 2014-01-15). Though to be fair to that commit, it was broken in the _opposite_ direction before, where we would always treat "name" as a string even if a length was passed. You can see the bug with "git log -g @{-1}". That code path always passes "0", and without this patch it cannot figure out which branch's reflog to show. We can fix it by a small reordering of the code. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- sha1_name.c | 3 ++- t/t0100-previous.sh | 8 ++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/sha1_name.c b/sha1_name.c index 73a915ff1b..9b5d14b4bf 100644 --- a/sha1_name.c +++ b/sha1_name.c @@ -1263,11 +1263,12 @@ int interpret_branch_name(const char *name, int namelen, struct strbuf *buf) { char *at; const char *start; - int len = interpret_nth_prior_checkout(name, namelen, buf); + int len; if (!namelen) namelen = strlen(name); + len = interpret_nth_prior_checkout(name, namelen, buf); if (!len) { return len; /* syntax Ok, not enough switches */ } else if (len > 0) { diff --git a/t/t0100-previous.sh b/t/t0100-previous.sh index e0a6940232..58c0b7e9b6 100755 --- a/t/t0100-previous.sh +++ b/t/t0100-previous.sh @@ -56,5 +56,13 @@ test_expect_success 'merge @{-100} before checking out that many branches yet' ' test_must_fail git merge @{-100} ' +test_expect_success 'log -g @{-1}' ' + git checkout -b last_branch && + git checkout -b new_branch && + echo "last_branch@{0}" >expect && + git log -g --format=%gd @{-1} >actual && + test_cmp expect actual +' + test_done From e322b60d65a14578995839caa5f48f5426236fdf Mon Sep 17 00:00:00 2001 From: Jeff King Date: Thu, 2 Mar 2017 03:21:23 -0500 Subject: [PATCH 2/9] interpret_branch_name: move docstring to header file We generally put docstrings with function declarations, because it's the callers who need to know how the function works. Let's do so for interpret_branch_name(). Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- cache.h | 21 +++++++++++++++++++++ sha1_name.c | 21 --------------------- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/cache.h b/cache.h index 5c035dae57..81c59d4af4 100644 --- a/cache.h +++ b/cache.h @@ -1292,6 +1292,27 @@ extern char *oid_to_hex_r(char *out, const struct object_id *oid); extern char *sha1_to_hex(const unsigned char *sha1); /* static buffer result! */ extern char *oid_to_hex(const struct object_id *oid); /* same static buffer as sha1_to_hex */ +/* + * This reads short-hand syntax that not only evaluates to a commit + * object name, but also can act as if the end user spelled the name + * of the branch from the command line. + * + * - "@{-N}" finds the name of the Nth previous branch we were on, and + * places the name of the branch in the given buf and returns the + * number of characters parsed if successful. + * + * - "@{upstream}" finds the name of the other ref that + * is configured to merge with (missing defaults + * to the current branch), and places the name of the branch in the + * given buf and returns the number of characters parsed if + * successful. + * + * If the input is not of the accepted format, it returns a negative + * number to signal an error. + * + * If the input was ok but there are not N branch switches in the + * reflog, it returns 0. + */ extern int interpret_branch_name(const char *str, int len, struct strbuf *); extern int get_oid_mb(const char *str, struct object_id *oid); diff --git a/sha1_name.c b/sha1_name.c index 9b5d14b4bf..28865b3a1f 100644 --- a/sha1_name.c +++ b/sha1_name.c @@ -1238,27 +1238,6 @@ static int interpret_branch_mark(const char *name, int namelen, return len + at; } -/* - * This reads short-hand syntax that not only evaluates to a commit - * object name, but also can act as if the end user spelled the name - * of the branch from the command line. - * - * - "@{-N}" finds the name of the Nth previous branch we were on, and - * places the name of the branch in the given buf and returns the - * number of characters parsed if successful. - * - * - "@{upstream}" finds the name of the other ref that - * is configured to merge with (missing defaults - * to the current branch), and places the name of the branch in the - * given buf and returns the number of characters parsed if - * successful. - * - * If the input is not of the accepted format, it returns a negative - * number to signal an error. - * - * If the input was ok but there are not N branch switches in the - * reflog, it returns 0. - */ int interpret_branch_name(const char *name, int namelen, struct strbuf *buf) { char *at; From 311fc74826ac91cd6f6ea932460f88c475bbb310 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Thu, 2 Mar 2017 03:21:27 -0500 Subject: [PATCH 3/9] strbuf_branchname: drop return value The return value from strbuf_branchname() is confusing and useless: it's 0 if the whole name was consumed by an @-mark, but otherwise is the length of the original name we fed. No callers actually look at the return value, so let's just get rid of it. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- sha1_name.c | 5 +---- strbuf.h | 2 +- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/sha1_name.c b/sha1_name.c index 28865b3a1f..4c1e91184b 100644 --- a/sha1_name.c +++ b/sha1_name.c @@ -1279,17 +1279,14 @@ int interpret_branch_name(const char *name, int namelen, struct strbuf *buf) return -1; } -int strbuf_branchname(struct strbuf *sb, const char *name) +void strbuf_branchname(struct strbuf *sb, const char *name) { int len = strlen(name); int used = interpret_branch_name(name, len, sb); - if (used == len) - return 0; if (used < 0) used = 0; strbuf_add(sb, name + used, len - used); - return len; } int strbuf_check_branch_ref(struct strbuf *sb, const char *name) diff --git a/strbuf.h b/strbuf.h index 2262b12683..3bcde39183 100644 --- a/strbuf.h +++ b/strbuf.h @@ -562,7 +562,7 @@ static inline void strbuf_complete_line(struct strbuf *sb) strbuf_complete(sb, '\n'); } -extern int strbuf_branchname(struct strbuf *sb, const char *name); +extern void strbuf_branchname(struct strbuf *sb, const char *name); extern int strbuf_check_branch_ref(struct strbuf *sb, const char *name); extern void strbuf_addstr_urlencode(struct strbuf *, const char *, From 0705fe202dd30009e2033e96a17cb12299bf5ab3 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Thu, 2 Mar 2017 03:21:30 -0500 Subject: [PATCH 4/9] strbuf_branchname: add docstring This function and its companion, strbuf_check_branch_ref(), did not have their purpose or semantics explained. Let's do so. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- strbuf.h | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/strbuf.h b/strbuf.h index 3bcde39183..2c40f1fdb2 100644 --- a/strbuf.h +++ b/strbuf.h @@ -562,7 +562,22 @@ static inline void strbuf_complete_line(struct strbuf *sb) strbuf_complete(sb, '\n'); } +/* + * Copy "name" to "sb", expanding any special @-marks as handled by + * interpret_branch_name(). The result is a non-qualified branch name + * (so "foo" or "origin/master" instead of "refs/heads/foo" or + * "refs/remotes/origin/master"). + * + * Note that the resulting name may not be a syntactically valid refname. + */ extern void strbuf_branchname(struct strbuf *sb, const char *name); + +/* + * Like strbuf_branchname() above, but confirm that the result is + * syntactically valid to be used as a local branch name in refs/heads/. + * + * The return value is "0" if the result is valid, and "-1" otherwise. + */ extern int strbuf_check_branch_ref(struct strbuf *sb, const char *name); extern void strbuf_addstr_urlencode(struct strbuf *, const char *, From 0e9f62dab9fcce57279751bba47718d3f8baf3c8 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Thu, 2 Mar 2017 03:23:01 -0500 Subject: [PATCH 5/9] interpret_branch_name: allow callers to restrict expansions The interpret_branch_name() function converts names like @{-1} and @{upstream} into branch names. The expanded ref names are not fully qualified, and may be outside of the refs/heads/ namespace (e.g., "@" expands to "HEAD", and "@{upstream}" is likely to be in "refs/remotes/"). This is OK for callers like dwim_ref() which are primarily interested in resolving the resulting name, no matter where it is. But callers like "git branch" treat the result as a branch name in refs/heads/. When we expand to a ref outside that namespace, the results are very confusing (e.g., "git branch @" tries to create refs/heads/HEAD, which is nonsense). Callers can't know from the returned string how the expansion happened (e.g., did the user really ask for a branch named "HEAD", or did we do a bogus expansion?). One fix would be to return some out-parameters describing the types of expansion that occurred. This has the benefit that the caller can generate precise error messages ("I understood @{upstream} to mean origin/master, but that is a remote tracking branch, so you cannot create it as a local name"). However, out-parameters make the function interface somewhat cumbersome. Instead, let's do the opposite: let the caller tell us which elements to expand. That's easier to pass in, and none of the callers give more precise error messages than "@{upstream} isn't a valid branch name" anyway (which should be sufficient). The strbuf_branchname() function needs a similar parameter, as most of the callers access interpret_branch_name() through it. We can break the callers down into two groups: 1. Callers that are happy with any kind of ref in the result. We pass "0" here, so they continue to work without restrictions. This includes merge_name(), the reflog handling in add_pending_object_with_path(), and substitute_branch_name(). This last is what powers dwim_ref(). 2. Callers that have funny corner cases (mostly in git-branch and git-checkout). These need to make use of the new parameter, but I've left them as "0" in this patch, and will address them individually in follow-on patches. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- builtin/branch.c | 2 +- builtin/checkout.c | 2 +- builtin/merge.c | 2 +- cache.h | 11 +++++++- refs.c | 2 +- revision.c | 2 +- sha1_name.c | 68 ++++++++++++++++++++++++++++++++-------------- strbuf.h | 6 +++- 8 files changed, 68 insertions(+), 27 deletions(-) diff --git a/builtin/branch.c b/builtin/branch.c index 475707528a..5aab33ab58 100644 --- a/builtin/branch.c +++ b/builtin/branch.c @@ -215,7 +215,7 @@ static int delete_branches(int argc, const char **argv, int force, int kinds, char *target = NULL; int flags = 0; - strbuf_branchname(&bname, argv[i]); + strbuf_branchname(&bname, argv[i], 0); free(name); name = mkpathdup(fmt, bname.buf); diff --git a/builtin/checkout.c b/builtin/checkout.c index 512492aad9..711a923530 100644 --- a/builtin/checkout.c +++ b/builtin/checkout.c @@ -452,7 +452,7 @@ static void setup_branch_path(struct branch_info *branch) { struct strbuf buf = STRBUF_INIT; - strbuf_branchname(&buf, branch->name); + strbuf_branchname(&buf, branch->name, 0); if (strcmp(buf.buf, branch->name)) branch->name = xstrdup(buf.buf); strbuf_splice(&buf, 0, 0, "refs/heads/", 11); diff --git a/builtin/merge.c b/builtin/merge.c index b65eeaa87d..84375db714 100644 --- a/builtin/merge.c +++ b/builtin/merge.c @@ -434,7 +434,7 @@ static void merge_name(const char *remote, struct strbuf *msg) char *found_ref; int len, early; - strbuf_branchname(&bname, remote); + strbuf_branchname(&bname, remote, 0); remote = bname.buf; memset(branch_head, 0, sizeof(branch_head)); diff --git a/cache.h b/cache.h index 81c59d4af4..7aea88534d 100644 --- a/cache.h +++ b/cache.h @@ -1312,8 +1312,17 @@ extern char *oid_to_hex(const struct object_id *oid); /* same static buffer as s * * If the input was ok but there are not N branch switches in the * reflog, it returns 0. + * + * If "allowed" is non-zero, it is a treated as a bitfield of allowable + * expansions: local branches ("refs/heads/"), remote branches + * ("refs/remotes/"), or "HEAD". If no "allowed" bits are set, any expansion is + * allowed, even ones to refs outside of those namespaces. */ -extern int interpret_branch_name(const char *str, int len, struct strbuf *); +#define INTERPRET_BRANCH_LOCAL (1<<0) +#define INTERPRET_BRANCH_REMOTE (1<<1) +#define INTERPRET_BRANCH_HEAD (1<<2) +extern int interpret_branch_name(const char *str, int len, struct strbuf *, + unsigned allowed); extern int get_oid_mb(const char *str, struct object_id *oid); extern int validate_headref(const char *ref); diff --git a/refs.c b/refs.c index 9bd0bc177b..da847f6901 100644 --- a/refs.c +++ b/refs.c @@ -404,7 +404,7 @@ int refname_match(const char *abbrev_name, const char *full_name) static char *substitute_branch_name(const char **string, int *len) { struct strbuf buf = STRBUF_INIT; - int ret = interpret_branch_name(*string, *len, &buf); + int ret = interpret_branch_name(*string, *len, &buf, 0); if (ret == *len) { size_t size; diff --git a/revision.c b/revision.c index b37dbec378..771d079f6e 100644 --- a/revision.c +++ b/revision.c @@ -147,7 +147,7 @@ static void add_pending_object_with_path(struct rev_info *revs, revs->no_walk = 0; if (revs->reflog_info && obj->type == OBJ_COMMIT) { struct strbuf buf = STRBUF_INIT; - int len = interpret_branch_name(name, 0, &buf); + int len = interpret_branch_name(name, 0, &buf, 0); int st; if (0 < len && name[len] && buf.len) diff --git a/sha1_name.c b/sha1_name.c index 4c1e91184b..7f754b60c4 100644 --- a/sha1_name.c +++ b/sha1_name.c @@ -1176,7 +1176,8 @@ static int interpret_empty_at(const char *name, int namelen, int len, struct str return 1; } -static int reinterpret(const char *name, int namelen, int len, struct strbuf *buf) +static int reinterpret(const char *name, int namelen, int len, + struct strbuf *buf, unsigned allowed) { /* we have extra data, which might need further processing */ struct strbuf tmp = STRBUF_INIT; @@ -1184,7 +1185,7 @@ static int reinterpret(const char *name, int namelen, int len, struct strbuf *bu int ret; strbuf_add(buf, name + len, namelen - len); - ret = interpret_branch_name(buf->buf, buf->len, &tmp); + ret = interpret_branch_name(buf->buf, buf->len, &tmp, allowed); /* that data was not interpreted, remove our cruft */ if (ret < 0) { strbuf_setlen(buf, used); @@ -1205,11 +1206,27 @@ static void set_shortened_ref(struct strbuf *buf, const char *ref) free(s); } +static int branch_interpret_allowed(const char *refname, unsigned allowed) +{ + if (!allowed) + return 1; + + if ((allowed & INTERPRET_BRANCH_LOCAL) && + starts_with(refname, "refs/heads/")) + return 1; + if ((allowed & INTERPRET_BRANCH_REMOTE) && + starts_with(refname, "refs/remotes/")) + return 1; + + return 0; +} + static int interpret_branch_mark(const char *name, int namelen, int at, struct strbuf *buf, int (*get_mark)(const char *, int), const char *(*get_data)(struct branch *, - struct strbuf *)) + struct strbuf *), + unsigned allowed) { int len; struct branch *branch; @@ -1234,11 +1251,15 @@ static int interpret_branch_mark(const char *name, int namelen, if (!value) die("%s", err.buf); + if (!branch_interpret_allowed(value, allowed)) + return -1; + set_shortened_ref(buf, value); return len + at; } -int interpret_branch_name(const char *name, int namelen, struct strbuf *buf) +int interpret_branch_name(const char *name, int namelen, struct strbuf *buf, + unsigned allowed) { char *at; const char *start; @@ -1247,31 +1268,38 @@ int interpret_branch_name(const char *name, int namelen, struct strbuf *buf) if (!namelen) namelen = strlen(name); - len = interpret_nth_prior_checkout(name, namelen, buf); - if (!len) { - return len; /* syntax Ok, not enough switches */ - } else if (len > 0) { - if (len == namelen) - return len; /* consumed all */ - else - return reinterpret(name, namelen, len, buf); + if (!allowed || (allowed & INTERPRET_BRANCH_LOCAL)) { + len = interpret_nth_prior_checkout(name, namelen, buf); + if (!len) { + return len; /* syntax Ok, not enough switches */ + } else if (len > 0) { + if (len == namelen) + return len; /* consumed all */ + else + return reinterpret(name, namelen, len, buf, allowed); + } } for (start = name; (at = memchr(start, '@', namelen - (start - name))); start = at + 1) { - len = interpret_empty_at(name, namelen, at - name, buf); - if (len > 0) - return reinterpret(name, namelen, len, buf); + if (!allowed || (allowed & INTERPRET_BRANCH_HEAD)) { + len = interpret_empty_at(name, namelen, at - name, buf); + if (len > 0) + return reinterpret(name, namelen, len, buf, + allowed); + } len = interpret_branch_mark(name, namelen, at - name, buf, - upstream_mark, branch_get_upstream); + upstream_mark, branch_get_upstream, + allowed); if (len > 0) return len; len = interpret_branch_mark(name, namelen, at - name, buf, - push_mark, branch_get_push); + push_mark, branch_get_push, + allowed); if (len > 0) return len; } @@ -1279,10 +1307,10 @@ int interpret_branch_name(const char *name, int namelen, struct strbuf *buf) return -1; } -void strbuf_branchname(struct strbuf *sb, const char *name) +void strbuf_branchname(struct strbuf *sb, const char *name, unsigned allowed) { int len = strlen(name); - int used = interpret_branch_name(name, len, sb); + int used = interpret_branch_name(name, len, sb, allowed); if (used < 0) used = 0; @@ -1291,7 +1319,7 @@ void strbuf_branchname(struct strbuf *sb, const char *name) int strbuf_check_branch_ref(struct strbuf *sb, const char *name) { - strbuf_branchname(sb, name); + strbuf_branchname(sb, name, 0); if (name[0] == '-') return -1; strbuf_splice(sb, 0, 0, "refs/heads/", 11); diff --git a/strbuf.h b/strbuf.h index 2c40f1fdb2..4d225ffe51 100644 --- a/strbuf.h +++ b/strbuf.h @@ -569,8 +569,12 @@ static inline void strbuf_complete_line(struct strbuf *sb) * "refs/remotes/origin/master"). * * Note that the resulting name may not be a syntactically valid refname. + * + * If "allowed" is non-zero, restrict the set of allowed expansions. See + * interpret_branch_name() for details. */ -extern void strbuf_branchname(struct strbuf *sb, const char *name); +extern void strbuf_branchname(struct strbuf *sb, const char *name, + unsigned allowed); /* * Like strbuf_branchname() above, but confirm that the result is From a356e8e2a724012c8120bfa69133b6118b1565f4 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Thu, 2 Mar 2017 03:23:06 -0500 Subject: [PATCH 6/9] t3204: test git-branch @-expansion corner cases git-branch feeds the branch names from the command line to strbuf_branchname(), but we do not yet tell that function which kinds of expansions should be allowed. Let's create a set of tests that cover both the allowed and disallowed cases. That shows off some breakages where we currently create or delete the wrong ref (and will make sure that we do not break any cases that _should_ be working when we do add more restrictions). Note that we check branch creation and deletion, but do not bother with renames. Those follow the same code path as creation. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- t/t3204-branch-name-interpretation.sh | 123 ++++++++++++++++++++++++++ 1 file changed, 123 insertions(+) create mode 100755 t/t3204-branch-name-interpretation.sh diff --git a/t/t3204-branch-name-interpretation.sh b/t/t3204-branch-name-interpretation.sh new file mode 100755 index 0000000000..e671a7a644 --- /dev/null +++ b/t/t3204-branch-name-interpretation.sh @@ -0,0 +1,123 @@ +#!/bin/sh + +test_description='interpreting exotic branch name arguments + +Branch name arguments are usually names which are taken to be inside of +refs/heads/, but we interpret some magic syntax like @{-1}, @{upstream}, etc. +This script aims to check the behavior of those corner cases. +' +. ./test-lib.sh + +expect_branch() { + git log -1 --format=%s "$1" >actual && + echo "$2" >expect && + test_cmp expect actual +} + +expect_deleted() { + test_must_fail git rev-parse --verify "$1" +} + +test_expect_success 'set up repo' ' + test_commit one && + test_commit two && + git remote add origin foo.git +' + +test_expect_success 'update branch via @{-1}' ' + git branch previous one && + + git checkout previous && + git checkout master && + + git branch -f @{-1} two && + expect_branch previous two +' + +test_expect_success 'update branch via local @{upstream}' ' + git branch local one && + git branch --set-upstream-to=local && + + git branch -f @{upstream} two && + expect_branch local two +' + +test_expect_failure 'disallow updating branch via remote @{upstream}' ' + git update-ref refs/remotes/origin/remote one && + git branch --set-upstream-to=origin/remote && + + test_must_fail git branch -f @{upstream} two +' + +test_expect_success 'create branch with pseudo-qualified name' ' + git branch refs/heads/qualified two && + expect_branch refs/heads/refs/heads/qualified two +' + +test_expect_success 'delete branch via @{-1}' ' + git branch previous-del && + + git checkout previous-del && + git checkout master && + + git branch -D @{-1} && + expect_deleted previous-del +' + +test_expect_success 'delete branch via local @{upstream}' ' + git branch local-del && + git branch --set-upstream-to=local-del && + + git branch -D @{upstream} && + expect_deleted local-del +' + +test_expect_success 'delete branch via remote @{upstream}' ' + git update-ref refs/remotes/origin/remote-del two && + git branch --set-upstream-to=origin/remote-del && + + git branch -r -D @{upstream} && + expect_deleted origin/remote-del +' + +# Note that we create two oddly named local branches here. We want to make +# sure that we do not accidentally delete either of them, even if +# shorten_unambiguous_ref() tweaks the name to avoid ambiguity. +test_expect_failure 'delete @{upstream} expansion matches -r option' ' + git update-ref refs/remotes/origin/remote-del two && + git branch --set-upstream-to=origin/remote-del && + git update-ref refs/heads/origin/remote-del two && + git update-ref refs/heads/remotes/origin/remote-del two && + + test_must_fail git branch -D @{upstream} && + expect_branch refs/heads/origin/remote-del two && + expect_branch refs/heads/remotes/origin/remote-del two +' + +test_expect_failure 'disallow deleting remote branch via @{-1}' ' + git update-ref refs/remotes/origin/previous one && + + git checkout -b origin/previous two && + git checkout master && + + test_must_fail git branch -r -D @{-1} && + expect_branch refs/remotes/origin/previous one && + expect_branch refs/heads/origin/previous two +' + +# The thing we are testing here is that "@" is the real branch refs/heads/@, +# and not refs/heads/HEAD. These tests should not imply that refs/heads/@ is a +# sane thing, but it _is_ technically allowed for now. If we disallow it, these +# can be switched to test_must_fail. +test_expect_failure 'create branch named "@"' ' + git branch -f @ one && + expect_branch refs/heads/@ one +' + +test_expect_failure 'delete branch named "@"' ' + git update-ref refs/heads/@ two && + git branch -D @ && + expect_deleted refs/heads/@ +' + +test_done From 6b145e016aaf512d0026cbd2c78fa28476f043b4 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Thu, 2 Mar 2017 03:23:10 -0500 Subject: [PATCH 7/9] branch: restrict @-expansions when deleting We use strbuf_branchname() to expand the branch name from the command line, so you can delete the branch given by @{-1}, for example. However, we allow other nonsense like "@", and we do not respect our "-r" flag (so we may end up deleting an oddly-named local ref instead of a remote one). We can fix this by passing the appropriate "allowed" flag to strbuf_branchname(). Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- builtin/branch.c | 5 ++++- t/t3204-branch-name-interpretation.sh | 6 +++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/builtin/branch.c b/builtin/branch.c index 5aab33ab58..0c924612eb 100644 --- a/builtin/branch.c +++ b/builtin/branch.c @@ -190,17 +190,20 @@ static int delete_branches(int argc, const char **argv, int force, int kinds, int ret = 0; int remote_branch = 0; struct strbuf bname = STRBUF_INIT; + unsigned allowed_interpret; switch (kinds) { case FILTER_REFS_REMOTES: fmt = "refs/remotes/%s"; /* For subsequent UI messages */ remote_branch = 1; + allowed_interpret = INTERPRET_BRANCH_REMOTE; force = 1; break; case FILTER_REFS_BRANCHES: fmt = "refs/heads/%s"; + allowed_interpret = INTERPRET_BRANCH_LOCAL; break; default: die(_("cannot use -a with -d")); @@ -215,7 +218,7 @@ static int delete_branches(int argc, const char **argv, int force, int kinds, char *target = NULL; int flags = 0; - strbuf_branchname(&bname, argv[i], 0); + strbuf_branchname(&bname, argv[i], allowed_interpret); free(name); name = mkpathdup(fmt, bname.buf); diff --git a/t/t3204-branch-name-interpretation.sh b/t/t3204-branch-name-interpretation.sh index e671a7a644..4f4af1fb46 100755 --- a/t/t3204-branch-name-interpretation.sh +++ b/t/t3204-branch-name-interpretation.sh @@ -83,7 +83,7 @@ test_expect_success 'delete branch via remote @{upstream}' ' # Note that we create two oddly named local branches here. We want to make # sure that we do not accidentally delete either of them, even if # shorten_unambiguous_ref() tweaks the name to avoid ambiguity. -test_expect_failure 'delete @{upstream} expansion matches -r option' ' +test_expect_success 'delete @{upstream} expansion matches -r option' ' git update-ref refs/remotes/origin/remote-del two && git branch --set-upstream-to=origin/remote-del && git update-ref refs/heads/origin/remote-del two && @@ -94,7 +94,7 @@ test_expect_failure 'delete @{upstream} expansion matches -r option' ' expect_branch refs/heads/remotes/origin/remote-del two ' -test_expect_failure 'disallow deleting remote branch via @{-1}' ' +test_expect_success 'disallow deleting remote branch via @{-1}' ' git update-ref refs/remotes/origin/previous one && git checkout -b origin/previous two && @@ -114,7 +114,7 @@ test_expect_failure 'create branch named "@"' ' expect_branch refs/heads/@ one ' -test_expect_failure 'delete branch named "@"' ' +test_expect_success 'delete branch named "@"' ' git update-ref refs/heads/@ two && git branch -D @ && expect_deleted refs/heads/@ From 7d5c960bf6f98601dce992f1ffaf4c7ab932e6dc Mon Sep 17 00:00:00 2001 From: Jeff King Date: Thu, 2 Mar 2017 03:23:14 -0500 Subject: [PATCH 8/9] strbuf_check_ref_format(): expand only local branches This function asks strbuf_branchname() to expand any @-marks in the branchname, and then we blindly stick refs/heads/ in front of the result. This is obviously nonsense if the expansion is "HEAD" or a ref in refs/remotes/. The most obvious end-user effect is that creating or renaming a branch with an expansion may have confusing results (e.g., creating refs/heads/origin/master from "@{upstream}" when the operation should be disallowed). We can fix this by telling strbuf_branchname() that we are only interested in local expansions. Any unexpanded bits are then fed to check_ref_format(), which either disallows them (in the case of "@{upstream}") or lets them through ("refs/heads/@" is technically valid, if a bit silly). Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- sha1_name.c | 2 +- t/t3204-branch-name-interpretation.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/sha1_name.c b/sha1_name.c index 7f754b60c4..26ceec1d79 100644 --- a/sha1_name.c +++ b/sha1_name.c @@ -1319,7 +1319,7 @@ void strbuf_branchname(struct strbuf *sb, const char *name, unsigned allowed) int strbuf_check_branch_ref(struct strbuf *sb, const char *name) { - strbuf_branchname(sb, name, 0); + strbuf_branchname(sb, name, INTERPRET_BRANCH_LOCAL); if (name[0] == '-') return -1; strbuf_splice(sb, 0, 0, "refs/heads/", 11); diff --git a/t/t3204-branch-name-interpretation.sh b/t/t3204-branch-name-interpretation.sh index 4f4af1fb46..05e88f92d9 100755 --- a/t/t3204-branch-name-interpretation.sh +++ b/t/t3204-branch-name-interpretation.sh @@ -42,7 +42,7 @@ test_expect_success 'update branch via local @{upstream}' ' expect_branch local two ' -test_expect_failure 'disallow updating branch via remote @{upstream}' ' +test_expect_success 'disallow updating branch via remote @{upstream}' ' git update-ref refs/remotes/origin/remote one && git branch --set-upstream-to=origin/remote && @@ -109,7 +109,7 @@ test_expect_success 'disallow deleting remote branch via @{-1}' ' # and not refs/heads/HEAD. These tests should not imply that refs/heads/@ is a # sane thing, but it _is_ technically allowed for now. If we disallow it, these # can be switched to test_must_fail. -test_expect_failure 'create branch named "@"' ' +test_expect_success 'create branch named "@"' ' git branch -f @ one && expect_branch refs/heads/@ one ' From fd4692ff7040e690546ed139a419995e76a96196 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Thu, 2 Mar 2017 03:23:18 -0500 Subject: [PATCH 9/9] checkout: restrict @-expansions when finding branch When we parse "git checkout $NAME", we try to interpret $NAME as a local branch-name. If it is, then we point HEAD to that branch. Otherwise, we detach the HEAD at whatever commit $NAME points to. We do the interpretation by calling strbuf_branchname(), and then blindly sticking "refs/heads/" on the front. This leads to nonsense results when expansions like "@{upstream}" or "@" point to something besides a local branch. We end up with a local branch name like "refs/heads/origin/master" or "refs/heads/HEAD". Normally this has no user-visible effect because those branches don't exist, and so we fallback to feeding the result to get_sha1(), which resolves them correctly. But as the new test in t3204 shows, there are corner cases where the effect is observable, and we check out the wrong local branch rather than detaching to the correct one. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- builtin/checkout.c | 2 +- t/t3204-branch-name-interpretation.sh | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/builtin/checkout.c b/builtin/checkout.c index 711a923530..767ca9e18c 100644 --- a/builtin/checkout.c +++ b/builtin/checkout.c @@ -452,7 +452,7 @@ static void setup_branch_path(struct branch_info *branch) { struct strbuf buf = STRBUF_INIT; - strbuf_branchname(&buf, branch->name, 0); + strbuf_branchname(&buf, branch->name, INTERPRET_BRANCH_LOCAL); if (strcmp(buf.buf, branch->name)) branch->name = xstrdup(buf.buf); strbuf_splice(&buf, 0, 0, "refs/heads/", 11); diff --git a/t/t3204-branch-name-interpretation.sh b/t/t3204-branch-name-interpretation.sh index 05e88f92d9..698d9cc4f3 100755 --- a/t/t3204-branch-name-interpretation.sh +++ b/t/t3204-branch-name-interpretation.sh @@ -120,4 +120,14 @@ test_expect_success 'delete branch named "@"' ' expect_deleted refs/heads/@ ' +test_expect_success 'checkout does not treat remote @{upstream} as a branch' ' + git update-ref refs/remotes/origin/checkout one && + git branch --set-upstream-to=origin/checkout && + git update-ref refs/heads/origin/checkout two && + git update-ref refs/heads/remotes/origin/checkout two && + + git checkout @{upstream} && + expect_branch HEAD one +' + test_done