2009-08-05 13:01:56 +08:00
|
|
|
#include "cache.h"
|
|
|
|
#include "remote.h"
|
|
|
|
#include "strbuf.h"
|
|
|
|
#include "walker.h"
|
|
|
|
#include "http.h"
|
2009-10-14 06:11:09 +08:00
|
|
|
#include "exec_cmd.h"
|
2009-10-31 08:47:30 +08:00
|
|
|
#include "run-command.h"
|
2009-10-31 08:47:40 +08:00
|
|
|
#include "pkt-line.h"
|
2013-08-03 06:14:50 +08:00
|
|
|
#include "string-list.h"
|
2009-10-31 08:47:41 +08:00
|
|
|
#include "sideband.h"
|
2013-07-09 13:16:31 +08:00
|
|
|
#include "argv-array.h"
|
2009-08-05 13:01:56 +08:00
|
|
|
|
2009-10-31 08:47:26 +08:00
|
|
|
static struct remote *remote;
|
2010-04-08 10:15:18 +08:00
|
|
|
static const char *url; /* always ends with a trailing slash */
|
2009-10-31 08:47:26 +08:00
|
|
|
|
2009-10-31 08:47:29 +08:00
|
|
|
struct options {
|
|
|
|
int verbosity;
|
|
|
|
unsigned long depth;
|
|
|
|
unsigned progress : 1,
|
2013-07-21 16:18:05 +08:00
|
|
|
check_self_contained_and_connected : 1,
|
2009-10-31 08:47:30 +08:00
|
|
|
followtags : 1,
|
2009-10-31 08:47:41 +08:00
|
|
|
dry_run : 1,
|
|
|
|
thin : 1;
|
2009-10-31 08:47:29 +08:00
|
|
|
};
|
|
|
|
static struct options options;
|
2013-08-03 06:14:50 +08:00
|
|
|
static struct string_list cas_options = STRING_LIST_INIT_DUP;
|
2009-10-31 08:47:29 +08:00
|
|
|
|
|
|
|
static int set_option(const char *name, const char *value)
|
|
|
|
{
|
|
|
|
if (!strcmp(name, "verbosity")) {
|
|
|
|
char *end;
|
|
|
|
int v = strtol(value, &end, 10);
|
|
|
|
if (value == end || *end)
|
|
|
|
return -1;
|
|
|
|
options.verbosity = v;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
else if (!strcmp(name, "progress")) {
|
|
|
|
if (!strcmp(value, "true"))
|
|
|
|
options.progress = 1;
|
|
|
|
else if (!strcmp(value, "false"))
|
|
|
|
options.progress = 0;
|
|
|
|
else
|
|
|
|
return -1;
|
2009-10-31 08:47:42 +08:00
|
|
|
return 0;
|
2009-10-31 08:47:29 +08:00
|
|
|
}
|
|
|
|
else if (!strcmp(name, "depth")) {
|
|
|
|
char *end;
|
|
|
|
unsigned long v = strtoul(value, &end, 10);
|
|
|
|
if (value == end || *end)
|
|
|
|
return -1;
|
|
|
|
options.depth = v;
|
2009-10-31 08:47:42 +08:00
|
|
|
return 0;
|
2009-10-31 08:47:29 +08:00
|
|
|
}
|
|
|
|
else if (!strcmp(name, "followtags")) {
|
|
|
|
if (!strcmp(value, "true"))
|
|
|
|
options.followtags = 1;
|
|
|
|
else if (!strcmp(value, "false"))
|
|
|
|
options.followtags = 0;
|
|
|
|
else
|
|
|
|
return -1;
|
2009-10-31 08:47:42 +08:00
|
|
|
return 0;
|
2009-10-31 08:47:29 +08:00
|
|
|
}
|
2009-10-31 08:47:30 +08:00
|
|
|
else if (!strcmp(name, "dry-run")) {
|
|
|
|
if (!strcmp(value, "true"))
|
|
|
|
options.dry_run = 1;
|
|
|
|
else if (!strcmp(value, "false"))
|
|
|
|
options.dry_run = 0;
|
|
|
|
else
|
|
|
|
return -1;
|
|
|
|
return 0;
|
|
|
|
}
|
2013-07-21 16:18:05 +08:00
|
|
|
else if (!strcmp(name, "check-connectivity")) {
|
|
|
|
if (!strcmp(value, "true"))
|
|
|
|
options.check_self_contained_and_connected = 1;
|
|
|
|
else if (!strcmp(value, "false"))
|
|
|
|
options.check_self_contained_and_connected = 0;
|
|
|
|
else
|
|
|
|
return -1;
|
|
|
|
return 0;
|
|
|
|
}
|
2013-08-03 06:14:50 +08:00
|
|
|
else if (!strcmp(name, "cas")) {
|
|
|
|
struct strbuf val = STRBUF_INIT;
|
|
|
|
strbuf_addf(&val, "--" CAS_OPT_NAME "=%s", value);
|
|
|
|
string_list_append(&cas_options, val.buf);
|
|
|
|
strbuf_release(&val);
|
|
|
|
return 0;
|
|
|
|
}
|
2009-10-31 08:47:29 +08:00
|
|
|
else {
|
|
|
|
return 1 /* unsupported */;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2009-10-31 08:47:40 +08:00
|
|
|
struct discovery {
|
|
|
|
const char *service;
|
|
|
|
char *buf_alloc;
|
|
|
|
char *buf;
|
|
|
|
size_t len;
|
remote-curl: always parse incoming refs
When remote-curl receives a list of refs from a server, it
keeps the whole buffer intact. When we get a "list" command,
we feed the result to get_remote_heads, and when we get a
"fetch" or "push" command, we feed it to fetch-pack or
send-pack, respectively.
If the HTTP response from the server is truncated for any
reason, we will get an incomplete ref advertisement. If we
then feed this incomplete list to fetch-pack, one of a few
things may happen:
1. If the truncation is in a packet header, fetch-pack
will notice the bogus line and complain.
2. If the truncation is inside a packet, fetch-pack will
keep waiting for us to send the rest of the packet,
which we never will.
3. If the truncation is at a packet boundary, fetch-pack
will keep waiting for us to send the next packet, which
we never will.
As a result, fetch-pack hangs, waiting for input. However,
remote-curl believes it has sent all of the advertisement,
and therefore waits for fetch-pack to speak. The two
processes end up in a deadlock.
We do notice the broken ref list if we feed it to
get_remote_heads. So if git asks the helper to do a "list"
followed by a "fetch", we are safe; we'll abort during the
list operation, which parses the refs.
This patch teaches remote-curl to always parse and save the
incoming ref list when we read the ref advertisement from a
server. That means that we will always verify and abort
before even running fetch-pack (or send-pack) when reading a
corrupted list, even if we do not run the "list" command
explicitly.
Since we save the result, in the common case of running
"list" then "fetch", we do not do any extra parsing at all.
In the case of just a "fetch", we do an extra round of
parsing, but only once.
Note also that the "fetch" case will now also initialize
server_capabilities from the remote (in remote-curl; we
already would do so inside fetch-pack). Doing "list+fetch"
already does this. It doesn't actually matter now, but the
new behavior is arguably more correct, should remote-curl
ever start caring about the server's capability list.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-21 04:07:19 +08:00
|
|
|
struct ref *refs;
|
2009-10-31 08:47:40 +08:00
|
|
|
unsigned proto_git : 1;
|
|
|
|
};
|
|
|
|
static struct discovery *last_discovery;
|
|
|
|
|
2013-02-21 04:07:11 +08:00
|
|
|
static struct ref *parse_git_refs(struct discovery *heads, int for_push)
|
|
|
|
{
|
|
|
|
struct ref *list = NULL;
|
|
|
|
get_remote_heads(-1, heads->buf, heads->len, &list,
|
|
|
|
for_push ? REF_NORMAL : 0, NULL);
|
|
|
|
return list;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct ref *parse_info_refs(struct discovery *heads)
|
|
|
|
{
|
|
|
|
char *data, *start, *mid;
|
|
|
|
char *ref_name;
|
|
|
|
int i = 0;
|
|
|
|
|
|
|
|
struct ref *refs = NULL;
|
|
|
|
struct ref *ref = NULL;
|
|
|
|
struct ref *last_ref = NULL;
|
|
|
|
|
|
|
|
data = heads->buf;
|
|
|
|
start = NULL;
|
|
|
|
mid = data;
|
|
|
|
while (i < heads->len) {
|
|
|
|
if (!start) {
|
|
|
|
start = &data[i];
|
|
|
|
}
|
|
|
|
if (data[i] == '\t')
|
|
|
|
mid = &data[i];
|
|
|
|
if (data[i] == '\n') {
|
|
|
|
if (mid - start != 40)
|
|
|
|
die("%sinfo/refs not valid: is this a git repository?", url);
|
|
|
|
data[i] = 0;
|
|
|
|
ref_name = mid + 1;
|
|
|
|
ref = xmalloc(sizeof(struct ref) +
|
|
|
|
strlen(ref_name) + 1);
|
|
|
|
memset(ref, 0, sizeof(struct ref));
|
|
|
|
strcpy(ref->name, ref_name);
|
|
|
|
get_sha1_hex(start, ref->old_sha1);
|
|
|
|
if (!refs)
|
|
|
|
refs = ref;
|
|
|
|
if (last_ref)
|
|
|
|
last_ref->next = ref;
|
|
|
|
last_ref = ref;
|
|
|
|
start = NULL;
|
|
|
|
}
|
|
|
|
i++;
|
|
|
|
}
|
|
|
|
|
|
|
|
ref = alloc_ref("HEAD");
|
|
|
|
if (!http_fetch_ref(url, ref) &&
|
|
|
|
!resolve_remote_symref(ref, refs)) {
|
|
|
|
ref->next = refs;
|
|
|
|
refs = ref;
|
|
|
|
} else {
|
|
|
|
free(ref);
|
|
|
|
}
|
|
|
|
|
|
|
|
return refs;
|
|
|
|
}
|
|
|
|
|
2009-10-31 08:47:40 +08:00
|
|
|
static void free_discovery(struct discovery *d)
|
|
|
|
{
|
|
|
|
if (d) {
|
|
|
|
if (d == last_discovery)
|
|
|
|
last_discovery = NULL;
|
|
|
|
free(d->buf_alloc);
|
remote-curl: always parse incoming refs
When remote-curl receives a list of refs from a server, it
keeps the whole buffer intact. When we get a "list" command,
we feed the result to get_remote_heads, and when we get a
"fetch" or "push" command, we feed it to fetch-pack or
send-pack, respectively.
If the HTTP response from the server is truncated for any
reason, we will get an incomplete ref advertisement. If we
then feed this incomplete list to fetch-pack, one of a few
things may happen:
1. If the truncation is in a packet header, fetch-pack
will notice the bogus line and complain.
2. If the truncation is inside a packet, fetch-pack will
keep waiting for us to send the rest of the packet,
which we never will.
3. If the truncation is at a packet boundary, fetch-pack
will keep waiting for us to send the next packet, which
we never will.
As a result, fetch-pack hangs, waiting for input. However,
remote-curl believes it has sent all of the advertisement,
and therefore waits for fetch-pack to speak. The two
processes end up in a deadlock.
We do notice the broken ref list if we feed it to
get_remote_heads. So if git asks the helper to do a "list"
followed by a "fetch", we are safe; we'll abort during the
list operation, which parses the refs.
This patch teaches remote-curl to always parse and save the
incoming ref list when we read the ref advertisement from a
server. That means that we will always verify and abort
before even running fetch-pack (or send-pack) when reading a
corrupted list, even if we do not run the "list" command
explicitly.
Since we save the result, in the common case of running
"list" then "fetch", we do not do any extra parsing at all.
In the case of just a "fetch", we do an extra round of
parsing, but only once.
Note also that the "fetch" case will now also initialize
server_capabilities from the remote (in remote-curl; we
already would do so inside fetch-pack). Doing "list+fetch"
already does this. It doesn't actually matter now, but the
new behavior is arguably more correct, should remote-curl
ever start caring about the server's capability list.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-21 04:07:19 +08:00
|
|
|
free_refs(d->refs);
|
2009-10-31 08:47:40 +08:00
|
|
|
free(d);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
remote-curl: show server content on http errors
If an http request to a remote git server fails, we show
only the http response code, or sometimes a custom message
for particular codes. This gives the server no opportunity
to offer a more detailed explanation of the reason for the
failure, or to give extra advice.
This patch teaches remote-curl to record and display the
body content of a failed http response. We only display such
responses when the content-type is advertised as text/plain,
as it is the most likely to look presentable on the user's
terminal (and it is hoped to be a good indication that the
message is intended for git clients, and not for a web
browser).
Each line of the new output is prepended with "remote:".
Example output may look like this (assuming the server is
configured to display such a helpful message):
$ GIT_SMART_HTTP=0 git clone https://example.com/some/repo.git
Cloning into 'repo'...
remote: Sorry, fetching via dumb http is forbidden.
remote: Please upgrade your git client to v1.6.6 or greater
remote: and make sure that smart-http is enabled.
error: The requested URL returned error: 403 while accessing http://localhost:5001/some/repo.git/info/refs
fatal: HTTP request failed
For the sake of simplicity, we only record and display these
errors during the initial fetch of the ref list, as that is
the initial contact with the server and where the most
common, interesting errors happen (and there is already
precedent, as that is the only place we currently massage
http error codes into more helpful messages).
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-04-06 06:17:23 +08:00
|
|
|
static int show_http_message(struct strbuf *type, struct strbuf *msg)
|
|
|
|
{
|
|
|
|
const char *p, *eol;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We only show text/plain parts, as other types are likely
|
|
|
|
* to be ugly to look at on the user's terminal.
|
|
|
|
*
|
|
|
|
* TODO should handle "; charset=XXX", and re-encode into
|
|
|
|
* logoutputencoding
|
|
|
|
*/
|
|
|
|
if (strcasecmp(type->buf, "text/plain"))
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
strbuf_trim(msg);
|
|
|
|
if (!msg->len)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
p = msg->buf;
|
|
|
|
do {
|
|
|
|
eol = strchrnul(p, '\n');
|
|
|
|
fprintf(stderr, "remote: %.*s\n", (int)(eol - p), p);
|
|
|
|
p = eol + 1;
|
|
|
|
} while(*eol);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
remote-curl: always parse incoming refs
When remote-curl receives a list of refs from a server, it
keeps the whole buffer intact. When we get a "list" command,
we feed the result to get_remote_heads, and when we get a
"fetch" or "push" command, we feed it to fetch-pack or
send-pack, respectively.
If the HTTP response from the server is truncated for any
reason, we will get an incomplete ref advertisement. If we
then feed this incomplete list to fetch-pack, one of a few
things may happen:
1. If the truncation is in a packet header, fetch-pack
will notice the bogus line and complain.
2. If the truncation is inside a packet, fetch-pack will
keep waiting for us to send the rest of the packet,
which we never will.
3. If the truncation is at a packet boundary, fetch-pack
will keep waiting for us to send the next packet, which
we never will.
As a result, fetch-pack hangs, waiting for input. However,
remote-curl believes it has sent all of the advertisement,
and therefore waits for fetch-pack to speak. The two
processes end up in a deadlock.
We do notice the broken ref list if we feed it to
get_remote_heads. So if git asks the helper to do a "list"
followed by a "fetch", we are safe; we'll abort during the
list operation, which parses the refs.
This patch teaches remote-curl to always parse and save the
incoming ref list when we read the ref advertisement from a
server. That means that we will always verify and abort
before even running fetch-pack (or send-pack) when reading a
corrupted list, even if we do not run the "list" command
explicitly.
Since we save the result, in the common case of running
"list" then "fetch", we do not do any extra parsing at all.
In the case of just a "fetch", we do an extra round of
parsing, but only once.
Note also that the "fetch" case will now also initialize
server_capabilities from the remote (in remote-curl; we
already would do so inside fetch-pack). Doing "list+fetch"
already does this. It doesn't actually matter now, but the
new behavior is arguably more correct, should remote-curl
ever start caring about the server's capability list.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-21 04:07:19 +08:00
|
|
|
static struct discovery* discover_refs(const char *service, int for_push)
|
2009-08-05 13:01:56 +08:00
|
|
|
{
|
2013-02-01 05:02:07 +08:00
|
|
|
struct strbuf exp = STRBUF_INIT;
|
|
|
|
struct strbuf type = STRBUF_INIT;
|
2009-08-05 13:01:56 +08:00
|
|
|
struct strbuf buffer = STRBUF_INIT;
|
2009-10-31 08:47:40 +08:00
|
|
|
struct discovery *last = last_discovery;
|
2009-08-05 13:01:56 +08:00
|
|
|
char *refs_url;
|
2012-09-21 01:00:22 +08:00
|
|
|
int http_ret, maybe_smart = 0;
|
2009-08-05 13:01:56 +08:00
|
|
|
|
2009-10-31 08:47:40 +08:00
|
|
|
if (last && !strcmp(service, last->service))
|
|
|
|
return last;
|
|
|
|
free_discovery(last);
|
2009-08-05 13:01:56 +08:00
|
|
|
|
2010-04-08 10:15:18 +08:00
|
|
|
strbuf_addf(&buffer, "%sinfo/refs", url);
|
2012-09-21 05:30:58 +08:00
|
|
|
if ((!prefixcmp(url, "http://") || !prefixcmp(url, "https://")) &&
|
|
|
|
git_env_bool("GIT_SMART_HTTP", 1)) {
|
2012-09-21 01:00:22 +08:00
|
|
|
maybe_smart = 1;
|
2009-10-31 08:47:40 +08:00
|
|
|
if (!strchr(url, '?'))
|
|
|
|
strbuf_addch(&buffer, '?');
|
|
|
|
else
|
|
|
|
strbuf_addch(&buffer, '&');
|
|
|
|
strbuf_addf(&buffer, "service=%s", service);
|
|
|
|
}
|
|
|
|
refs_url = strbuf_detach(&buffer, NULL);
|
2009-08-05 13:01:56 +08:00
|
|
|
|
remote-curl: show server content on http errors
If an http request to a remote git server fails, we show
only the http response code, or sometimes a custom message
for particular codes. This gives the server no opportunity
to offer a more detailed explanation of the reason for the
failure, or to give extra advice.
This patch teaches remote-curl to record and display the
body content of a failed http response. We only display such
responses when the content-type is advertised as text/plain,
as it is the most likely to look presentable on the user's
terminal (and it is hoped to be a good indication that the
message is intended for git clients, and not for a web
browser).
Each line of the new output is prepended with "remote:".
Example output may look like this (assuming the server is
configured to display such a helpful message):
$ GIT_SMART_HTTP=0 git clone https://example.com/some/repo.git
Cloning into 'repo'...
remote: Sorry, fetching via dumb http is forbidden.
remote: Please upgrade your git client to v1.6.6 or greater
remote: and make sure that smart-http is enabled.
error: The requested URL returned error: 403 while accessing http://localhost:5001/some/repo.git/info/refs
fatal: HTTP request failed
For the sake of simplicity, we only record and display these
errors during the initial fetch of the ref list, as that is
the initial contact with the server and where the most
common, interesting errors happen (and there is already
precedent, as that is the only place we currently massage
http error codes into more helpful messages).
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-04-06 06:17:23 +08:00
|
|
|
http_ret = http_get_strbuf(refs_url, &type, &buffer,
|
|
|
|
HTTP_NO_CACHE | HTTP_KEEP_ERROR);
|
2009-08-05 13:01:56 +08:00
|
|
|
switch (http_ret) {
|
|
|
|
case HTTP_OK:
|
|
|
|
break;
|
|
|
|
case HTTP_MISSING_TARGET:
|
remote-curl: always show friendlier 404 message
When we get an http 404 trying to get the initial list of
refs from the server, we try to be helpful and remind the
user that update-server-info may need to be run. This looks
like:
$ git clone https://github.com/non/existent
Cloning into 'existent'...
fatal: https://github.com/non/existent/info/refs?service=git-upload-pack not found: did you run git update-server-info on the server?
Suggesting update-server-info may be a good suggestion for
users who are in control of the server repo and who are
planning to set up dumb http. But for users of smart http,
and especially users who are not in control of the server
repo, the advice is useless and confusing.
Since most people are expected to use smart http these days,
it does not make sense to keep the update-server-info hint.
We not only drop the mention of update-server-info, but also
show only the main repo URL, not the full "info/refs" and
service parameter. These elements may be useful for
debugging a broken server configuration, but in the majority
of cases, users are not fetching from their own
repositories, but rather from other people's repositories;
they have neither the power nor interest to fix a broken
configuration, and the extra components just make the
message more confusing. Users who do want to debug can and
should use GIT_CURL_VERBOSE to get more complete information
on the actual URLs visited.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-04-06 06:20:43 +08:00
|
|
|
show_http_message(&type, &buffer);
|
|
|
|
die("repository '%s' not found", url);
|
2010-04-02 06:14:35 +08:00
|
|
|
case HTTP_NOAUTH:
|
remote-curl: show server content on http errors
If an http request to a remote git server fails, we show
only the http response code, or sometimes a custom message
for particular codes. This gives the server no opportunity
to offer a more detailed explanation of the reason for the
failure, or to give extra advice.
This patch teaches remote-curl to record and display the
body content of a failed http response. We only display such
responses when the content-type is advertised as text/plain,
as it is the most likely to look presentable on the user's
terminal (and it is hoped to be a good indication that the
message is intended for git clients, and not for a web
browser).
Each line of the new output is prepended with "remote:".
Example output may look like this (assuming the server is
configured to display such a helpful message):
$ GIT_SMART_HTTP=0 git clone https://example.com/some/repo.git
Cloning into 'repo'...
remote: Sorry, fetching via dumb http is forbidden.
remote: Please upgrade your git client to v1.6.6 or greater
remote: and make sure that smart-http is enabled.
error: The requested URL returned error: 403 while accessing http://localhost:5001/some/repo.git/info/refs
fatal: HTTP request failed
For the sake of simplicity, we only record and display these
errors during the initial fetch of the ref list, as that is
the initial contact with the server and where the most
common, interesting errors happen (and there is already
precedent, as that is the only place we currently massage
http error codes into more helpful messages).
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-04-06 06:17:23 +08:00
|
|
|
show_http_message(&type, &buffer);
|
2013-04-06 06:21:14 +08:00
|
|
|
die("Authentication failed for '%s'", url);
|
2009-08-05 13:01:56 +08:00
|
|
|
default:
|
remote-curl: show server content on http errors
If an http request to a remote git server fails, we show
only the http response code, or sometimes a custom message
for particular codes. This gives the server no opportunity
to offer a more detailed explanation of the reason for the
failure, or to give extra advice.
This patch teaches remote-curl to record and display the
body content of a failed http response. We only display such
responses when the content-type is advertised as text/plain,
as it is the most likely to look presentable on the user's
terminal (and it is hoped to be a good indication that the
message is intended for git clients, and not for a web
browser).
Each line of the new output is prepended with "remote:".
Example output may look like this (assuming the server is
configured to display such a helpful message):
$ GIT_SMART_HTTP=0 git clone https://example.com/some/repo.git
Cloning into 'repo'...
remote: Sorry, fetching via dumb http is forbidden.
remote: Please upgrade your git client to v1.6.6 or greater
remote: and make sure that smart-http is enabled.
error: The requested URL returned error: 403 while accessing http://localhost:5001/some/repo.git/info/refs
fatal: HTTP request failed
For the sake of simplicity, we only record and display these
errors during the initial fetch of the ref list, as that is
the initial contact with the server and where the most
common, interesting errors happen (and there is already
precedent, as that is the only place we currently massage
http error codes into more helpful messages).
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-04-06 06:17:23 +08:00
|
|
|
show_http_message(&type, &buffer);
|
2013-04-06 06:22:15 +08:00
|
|
|
die("unable to access '%s': %s", url, curl_errorstr);
|
2009-08-05 13:01:56 +08:00
|
|
|
}
|
|
|
|
|
2009-10-31 08:47:40 +08:00
|
|
|
last= xcalloc(1, sizeof(*last_discovery));
|
|
|
|
last->service = service;
|
|
|
|
last->buf_alloc = strbuf_detach(&buffer, &last->len);
|
|
|
|
last->buf = last->buf_alloc;
|
|
|
|
|
2013-02-01 05:02:07 +08:00
|
|
|
strbuf_addf(&exp, "application/x-%s-advertisement", service);
|
|
|
|
if (maybe_smart &&
|
|
|
|
(5 <= last->len && last->buf[4] == '#') &&
|
|
|
|
!strbuf_cmp(&exp, &type)) {
|
pkt-line: share buffer/descriptor reading implementation
The packet_read function reads from a descriptor. The
packet_get_line function is similar, but reads from an
in-memory buffer, and uses a completely separate
implementation. This patch teaches the generic packet_read
function to accept either source, and we can do away with
packet_get_line's implementation.
There are two other differences to account for between the
old and new functions. The first is that we used to read
into a strbuf, but now read into a fixed size buffer. The
only two callers are fine with that, and in fact it
simplifies their code, since they can use the same
static-buffer interface as the rest of the packet_read_line
callers (and we provide a similar convenience wrapper for
reading from a buffer rather than a descriptor).
This is technically an externally-visible behavior change in
that we used to accept arbitrary sized packets up to 65532
bytes, and now cap out at LARGE_PACKET_MAX, 65520. In
practice this doesn't matter, as we use it only for parsing
smart-http headers (of which there is exactly one defined,
and it is small and fixed-size). And any extension headers
would be breaking the protocol to go over LARGE_PACKET_MAX
anyway.
The other difference is that packet_get_line would return
on error rather than dying. However, both callers of
packet_get_line are actually improved by dying.
The first caller does its own error checking, but we can
drop that; as a result, we'll actually get more specific
reporting about protocol breakage when packet_read dies
internally. The only downside is that packet_read will not
print the smart-http URL that failed, but that's not a big
deal; anybody not debugging can already see the remote's URL
already, and anybody debugging would want to run with
GIT_CURL_VERBOSE anyway to see way more information.
The second caller, which is just trying to skip past any
extra smart-http headers (of which there are none defined,
but which we allow to keep room for future expansion), did
not error check at all. As a result, it would treat an error
just like a flush packet. The resulting mess would generally
cause an error later in get_remote_heads, but now we get
error reporting much closer to the source of the problem.
Brown-paper-bag-fixes-by: Ramsay Jones <ramsay@ramsay1.demon.co.uk>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-24 06:31:34 +08:00
|
|
|
char *line;
|
|
|
|
|
2013-02-01 05:02:07 +08:00
|
|
|
/*
|
|
|
|
* smart HTTP response; validate that the service
|
2009-10-31 08:47:40 +08:00
|
|
|
* pkt-line matches our request.
|
|
|
|
*/
|
pkt-line: share buffer/descriptor reading implementation
The packet_read function reads from a descriptor. The
packet_get_line function is similar, but reads from an
in-memory buffer, and uses a completely separate
implementation. This patch teaches the generic packet_read
function to accept either source, and we can do away with
packet_get_line's implementation.
There are two other differences to account for between the
old and new functions. The first is that we used to read
into a strbuf, but now read into a fixed size buffer. The
only two callers are fine with that, and in fact it
simplifies their code, since they can use the same
static-buffer interface as the rest of the packet_read_line
callers (and we provide a similar convenience wrapper for
reading from a buffer rather than a descriptor).
This is technically an externally-visible behavior change in
that we used to accept arbitrary sized packets up to 65532
bytes, and now cap out at LARGE_PACKET_MAX, 65520. In
practice this doesn't matter, as we use it only for parsing
smart-http headers (of which there is exactly one defined,
and it is small and fixed-size). And any extension headers
would be breaking the protocol to go over LARGE_PACKET_MAX
anyway.
The other difference is that packet_get_line would return
on error rather than dying. However, both callers of
packet_get_line are actually improved by dying.
The first caller does its own error checking, but we can
drop that; as a result, we'll actually get more specific
reporting about protocol breakage when packet_read dies
internally. The only downside is that packet_read will not
print the smart-http URL that failed, but that's not a big
deal; anybody not debugging can already see the remote's URL
already, and anybody debugging would want to run with
GIT_CURL_VERBOSE anyway to see way more information.
The second caller, which is just trying to skip past any
extra smart-http headers (of which there are none defined,
but which we allow to keep room for future expansion), did
not error check at all. As a result, it would treat an error
just like a flush packet. The resulting mess would generally
cause an error later in get_remote_heads, but now we get
error reporting much closer to the source of the problem.
Brown-paper-bag-fixes-by: Ramsay Jones <ramsay@ramsay1.demon.co.uk>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-24 06:31:34 +08:00
|
|
|
line = packet_read_line_buf(&last->buf, &last->len, NULL);
|
2009-10-31 08:47:40 +08:00
|
|
|
|
2013-02-01 05:02:07 +08:00
|
|
|
strbuf_reset(&exp);
|
2009-10-31 08:47:40 +08:00
|
|
|
strbuf_addf(&exp, "# service=%s", service);
|
pkt-line: share buffer/descriptor reading implementation
The packet_read function reads from a descriptor. The
packet_get_line function is similar, but reads from an
in-memory buffer, and uses a completely separate
implementation. This patch teaches the generic packet_read
function to accept either source, and we can do away with
packet_get_line's implementation.
There are two other differences to account for between the
old and new functions. The first is that we used to read
into a strbuf, but now read into a fixed size buffer. The
only two callers are fine with that, and in fact it
simplifies their code, since they can use the same
static-buffer interface as the rest of the packet_read_line
callers (and we provide a similar convenience wrapper for
reading from a buffer rather than a descriptor).
This is technically an externally-visible behavior change in
that we used to accept arbitrary sized packets up to 65532
bytes, and now cap out at LARGE_PACKET_MAX, 65520. In
practice this doesn't matter, as we use it only for parsing
smart-http headers (of which there is exactly one defined,
and it is small and fixed-size). And any extension headers
would be breaking the protocol to go over LARGE_PACKET_MAX
anyway.
The other difference is that packet_get_line would return
on error rather than dying. However, both callers of
packet_get_line are actually improved by dying.
The first caller does its own error checking, but we can
drop that; as a result, we'll actually get more specific
reporting about protocol breakage when packet_read dies
internally. The only downside is that packet_read will not
print the smart-http URL that failed, but that's not a big
deal; anybody not debugging can already see the remote's URL
already, and anybody debugging would want to run with
GIT_CURL_VERBOSE anyway to see way more information.
The second caller, which is just trying to skip past any
extra smart-http headers (of which there are none defined,
but which we allow to keep room for future expansion), did
not error check at all. As a result, it would treat an error
just like a flush packet. The resulting mess would generally
cause an error later in get_remote_heads, but now we get
error reporting much closer to the source of the problem.
Brown-paper-bag-fixes-by: Ramsay Jones <ramsay@ramsay1.demon.co.uk>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-24 06:31:34 +08:00
|
|
|
if (strcmp(line, exp.buf))
|
|
|
|
die("invalid server response; got '%s'", line);
|
2009-10-31 08:47:40 +08:00
|
|
|
strbuf_release(&exp);
|
|
|
|
|
|
|
|
/* The header can include additional metadata lines, up
|
|
|
|
* until a packet flush marker. Ignore these now, but
|
|
|
|
* in the future we might start to scan them.
|
|
|
|
*/
|
pkt-line: share buffer/descriptor reading implementation
The packet_read function reads from a descriptor. The
packet_get_line function is similar, but reads from an
in-memory buffer, and uses a completely separate
implementation. This patch teaches the generic packet_read
function to accept either source, and we can do away with
packet_get_line's implementation.
There are two other differences to account for between the
old and new functions. The first is that we used to read
into a strbuf, but now read into a fixed size buffer. The
only two callers are fine with that, and in fact it
simplifies their code, since they can use the same
static-buffer interface as the rest of the packet_read_line
callers (and we provide a similar convenience wrapper for
reading from a buffer rather than a descriptor).
This is technically an externally-visible behavior change in
that we used to accept arbitrary sized packets up to 65532
bytes, and now cap out at LARGE_PACKET_MAX, 65520. In
practice this doesn't matter, as we use it only for parsing
smart-http headers (of which there is exactly one defined,
and it is small and fixed-size). And any extension headers
would be breaking the protocol to go over LARGE_PACKET_MAX
anyway.
The other difference is that packet_get_line would return
on error rather than dying. However, both callers of
packet_get_line are actually improved by dying.
The first caller does its own error checking, but we can
drop that; as a result, we'll actually get more specific
reporting about protocol breakage when packet_read dies
internally. The only downside is that packet_read will not
print the smart-http URL that failed, but that's not a big
deal; anybody not debugging can already see the remote's URL
already, and anybody debugging would want to run with
GIT_CURL_VERBOSE anyway to see way more information.
The second caller, which is just trying to skip past any
extra smart-http headers (of which there are none defined,
but which we allow to keep room for future expansion), did
not error check at all. As a result, it would treat an error
just like a flush packet. The resulting mess would generally
cause an error later in get_remote_heads, but now we get
error reporting much closer to the source of the problem.
Brown-paper-bag-fixes-by: Ramsay Jones <ramsay@ramsay1.demon.co.uk>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-24 06:31:34 +08:00
|
|
|
while (packet_read_line_buf(&last->buf, &last->len, NULL))
|
|
|
|
;
|
2009-10-31 08:47:40 +08:00
|
|
|
|
|
|
|
last->proto_git = 1;
|
|
|
|
}
|
|
|
|
|
remote-curl: always parse incoming refs
When remote-curl receives a list of refs from a server, it
keeps the whole buffer intact. When we get a "list" command,
we feed the result to get_remote_heads, and when we get a
"fetch" or "push" command, we feed it to fetch-pack or
send-pack, respectively.
If the HTTP response from the server is truncated for any
reason, we will get an incomplete ref advertisement. If we
then feed this incomplete list to fetch-pack, one of a few
things may happen:
1. If the truncation is in a packet header, fetch-pack
will notice the bogus line and complain.
2. If the truncation is inside a packet, fetch-pack will
keep waiting for us to send the rest of the packet,
which we never will.
3. If the truncation is at a packet boundary, fetch-pack
will keep waiting for us to send the next packet, which
we never will.
As a result, fetch-pack hangs, waiting for input. However,
remote-curl believes it has sent all of the advertisement,
and therefore waits for fetch-pack to speak. The two
processes end up in a deadlock.
We do notice the broken ref list if we feed it to
get_remote_heads. So if git asks the helper to do a "list"
followed by a "fetch", we are safe; we'll abort during the
list operation, which parses the refs.
This patch teaches remote-curl to always parse and save the
incoming ref list when we read the ref advertisement from a
server. That means that we will always verify and abort
before even running fetch-pack (or send-pack) when reading a
corrupted list, even if we do not run the "list" command
explicitly.
Since we save the result, in the common case of running
"list" then "fetch", we do not do any extra parsing at all.
In the case of just a "fetch", we do an extra round of
parsing, but only once.
Note also that the "fetch" case will now also initialize
server_capabilities from the remote (in remote-curl; we
already would do so inside fetch-pack). Doing "list+fetch"
already does this. It doesn't actually matter now, but the
new behavior is arguably more correct, should remote-curl
ever start caring about the server's capability list.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-21 04:07:19 +08:00
|
|
|
if (last->proto_git)
|
|
|
|
last->refs = parse_git_refs(last, for_push);
|
|
|
|
else
|
|
|
|
last->refs = parse_info_refs(last);
|
|
|
|
|
2009-10-31 08:47:40 +08:00
|
|
|
free(refs_url);
|
2013-02-01 05:02:07 +08:00
|
|
|
strbuf_release(&exp);
|
|
|
|
strbuf_release(&type);
|
2009-10-31 08:47:40 +08:00
|
|
|
strbuf_release(&buffer);
|
|
|
|
last_discovery = last;
|
|
|
|
return last;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct ref *get_refs(int for_push)
|
|
|
|
{
|
|
|
|
struct discovery *heads;
|
|
|
|
|
|
|
|
if (for_push)
|
remote-curl: always parse incoming refs
When remote-curl receives a list of refs from a server, it
keeps the whole buffer intact. When we get a "list" command,
we feed the result to get_remote_heads, and when we get a
"fetch" or "push" command, we feed it to fetch-pack or
send-pack, respectively.
If the HTTP response from the server is truncated for any
reason, we will get an incomplete ref advertisement. If we
then feed this incomplete list to fetch-pack, one of a few
things may happen:
1. If the truncation is in a packet header, fetch-pack
will notice the bogus line and complain.
2. If the truncation is inside a packet, fetch-pack will
keep waiting for us to send the rest of the packet,
which we never will.
3. If the truncation is at a packet boundary, fetch-pack
will keep waiting for us to send the next packet, which
we never will.
As a result, fetch-pack hangs, waiting for input. However,
remote-curl believes it has sent all of the advertisement,
and therefore waits for fetch-pack to speak. The two
processes end up in a deadlock.
We do notice the broken ref list if we feed it to
get_remote_heads. So if git asks the helper to do a "list"
followed by a "fetch", we are safe; we'll abort during the
list operation, which parses the refs.
This patch teaches remote-curl to always parse and save the
incoming ref list when we read the ref advertisement from a
server. That means that we will always verify and abort
before even running fetch-pack (or send-pack) when reading a
corrupted list, even if we do not run the "list" command
explicitly.
Since we save the result, in the common case of running
"list" then "fetch", we do not do any extra parsing at all.
In the case of just a "fetch", we do an extra round of
parsing, but only once.
Note also that the "fetch" case will now also initialize
server_capabilities from the remote (in remote-curl; we
already would do so inside fetch-pack). Doing "list+fetch"
already does this. It doesn't actually matter now, but the
new behavior is arguably more correct, should remote-curl
ever start caring about the server's capability list.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-21 04:07:19 +08:00
|
|
|
heads = discover_refs("git-receive-pack", for_push);
|
2009-10-31 08:47:40 +08:00
|
|
|
else
|
remote-curl: always parse incoming refs
When remote-curl receives a list of refs from a server, it
keeps the whole buffer intact. When we get a "list" command,
we feed the result to get_remote_heads, and when we get a
"fetch" or "push" command, we feed it to fetch-pack or
send-pack, respectively.
If the HTTP response from the server is truncated for any
reason, we will get an incomplete ref advertisement. If we
then feed this incomplete list to fetch-pack, one of a few
things may happen:
1. If the truncation is in a packet header, fetch-pack
will notice the bogus line and complain.
2. If the truncation is inside a packet, fetch-pack will
keep waiting for us to send the rest of the packet,
which we never will.
3. If the truncation is at a packet boundary, fetch-pack
will keep waiting for us to send the next packet, which
we never will.
As a result, fetch-pack hangs, waiting for input. However,
remote-curl believes it has sent all of the advertisement,
and therefore waits for fetch-pack to speak. The two
processes end up in a deadlock.
We do notice the broken ref list if we feed it to
get_remote_heads. So if git asks the helper to do a "list"
followed by a "fetch", we are safe; we'll abort during the
list operation, which parses the refs.
This patch teaches remote-curl to always parse and save the
incoming ref list when we read the ref advertisement from a
server. That means that we will always verify and abort
before even running fetch-pack (or send-pack) when reading a
corrupted list, even if we do not run the "list" command
explicitly.
Since we save the result, in the common case of running
"list" then "fetch", we do not do any extra parsing at all.
In the case of just a "fetch", we do an extra round of
parsing, but only once.
Note also that the "fetch" case will now also initialize
server_capabilities from the remote (in remote-curl; we
already would do so inside fetch-pack). Doing "list+fetch"
already does this. It doesn't actually matter now, but the
new behavior is arguably more correct, should remote-curl
ever start caring about the server's capability list.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-21 04:07:19 +08:00
|
|
|
heads = discover_refs("git-upload-pack", for_push);
|
2009-10-31 08:47:40 +08:00
|
|
|
|
remote-curl: always parse incoming refs
When remote-curl receives a list of refs from a server, it
keeps the whole buffer intact. When we get a "list" command,
we feed the result to get_remote_heads, and when we get a
"fetch" or "push" command, we feed it to fetch-pack or
send-pack, respectively.
If the HTTP response from the server is truncated for any
reason, we will get an incomplete ref advertisement. If we
then feed this incomplete list to fetch-pack, one of a few
things may happen:
1. If the truncation is in a packet header, fetch-pack
will notice the bogus line and complain.
2. If the truncation is inside a packet, fetch-pack will
keep waiting for us to send the rest of the packet,
which we never will.
3. If the truncation is at a packet boundary, fetch-pack
will keep waiting for us to send the next packet, which
we never will.
As a result, fetch-pack hangs, waiting for input. However,
remote-curl believes it has sent all of the advertisement,
and therefore waits for fetch-pack to speak. The two
processes end up in a deadlock.
We do notice the broken ref list if we feed it to
get_remote_heads. So if git asks the helper to do a "list"
followed by a "fetch", we are safe; we'll abort during the
list operation, which parses the refs.
This patch teaches remote-curl to always parse and save the
incoming ref list when we read the ref advertisement from a
server. That means that we will always verify and abort
before even running fetch-pack (or send-pack) when reading a
corrupted list, even if we do not run the "list" command
explicitly.
Since we save the result, in the common case of running
"list" then "fetch", we do not do any extra parsing at all.
In the case of just a "fetch", we do an extra round of
parsing, but only once.
Note also that the "fetch" case will now also initialize
server_capabilities from the remote (in remote-curl; we
already would do so inside fetch-pack). Doing "list+fetch"
already does this. It doesn't actually matter now, but the
new behavior is arguably more correct, should remote-curl
ever start caring about the server's capability list.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-21 04:07:19 +08:00
|
|
|
return heads->refs;
|
2009-10-31 08:47:40 +08:00
|
|
|
}
|
|
|
|
|
2009-10-31 08:47:30 +08:00
|
|
|
static void output_refs(struct ref *refs)
|
|
|
|
{
|
|
|
|
struct ref *posn;
|
|
|
|
for (posn = refs; posn; posn = posn->next) {
|
|
|
|
if (posn->symref)
|
|
|
|
printf("@%s %s\n", posn->symref, posn->name);
|
|
|
|
else
|
|
|
|
printf("%s %s\n", sha1_to_hex(posn->old_sha1), posn->name);
|
|
|
|
}
|
|
|
|
printf("\n");
|
|
|
|
fflush(stdout);
|
|
|
|
}
|
|
|
|
|
2009-10-31 08:47:41 +08:00
|
|
|
struct rpc_state {
|
|
|
|
const char *service_name;
|
|
|
|
const char **argv;
|
2012-04-02 23:14:44 +08:00
|
|
|
struct strbuf *stdin_preamble;
|
2009-10-31 08:47:41 +08:00
|
|
|
char *service_url;
|
|
|
|
char *hdr_content_type;
|
|
|
|
char *hdr_accept;
|
|
|
|
char *buf;
|
|
|
|
size_t alloc;
|
|
|
|
size_t len;
|
|
|
|
size_t pos;
|
|
|
|
int in;
|
|
|
|
int out;
|
|
|
|
struct strbuf result;
|
2009-10-31 08:47:43 +08:00
|
|
|
unsigned gzip_request : 1;
|
2009-12-01 18:33:39 +08:00
|
|
|
unsigned initial_buffer : 1;
|
2009-10-31 08:47:41 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
static size_t rpc_out(void *ptr, size_t eltsize,
|
|
|
|
size_t nmemb, void *buffer_)
|
|
|
|
{
|
|
|
|
size_t max = eltsize * nmemb;
|
|
|
|
struct rpc_state *rpc = buffer_;
|
|
|
|
size_t avail = rpc->len - rpc->pos;
|
|
|
|
|
|
|
|
if (!avail) {
|
2009-12-01 18:33:39 +08:00
|
|
|
rpc->initial_buffer = 0;
|
pkt-line: share buffer/descriptor reading implementation
The packet_read function reads from a descriptor. The
packet_get_line function is similar, but reads from an
in-memory buffer, and uses a completely separate
implementation. This patch teaches the generic packet_read
function to accept either source, and we can do away with
packet_get_line's implementation.
There are two other differences to account for between the
old and new functions. The first is that we used to read
into a strbuf, but now read into a fixed size buffer. The
only two callers are fine with that, and in fact it
simplifies their code, since they can use the same
static-buffer interface as the rest of the packet_read_line
callers (and we provide a similar convenience wrapper for
reading from a buffer rather than a descriptor).
This is technically an externally-visible behavior change in
that we used to accept arbitrary sized packets up to 65532
bytes, and now cap out at LARGE_PACKET_MAX, 65520. In
practice this doesn't matter, as we use it only for parsing
smart-http headers (of which there is exactly one defined,
and it is small and fixed-size). And any extension headers
would be breaking the protocol to go over LARGE_PACKET_MAX
anyway.
The other difference is that packet_get_line would return
on error rather than dying. However, both callers of
packet_get_line are actually improved by dying.
The first caller does its own error checking, but we can
drop that; as a result, we'll actually get more specific
reporting about protocol breakage when packet_read dies
internally. The only downside is that packet_read will not
print the smart-http URL that failed, but that's not a big
deal; anybody not debugging can already see the remote's URL
already, and anybody debugging would want to run with
GIT_CURL_VERBOSE anyway to see way more information.
The second caller, which is just trying to skip past any
extra smart-http headers (of which there are none defined,
but which we allow to keep room for future expansion), did
not error check at all. As a result, it would treat an error
just like a flush packet. The resulting mess would generally
cause an error later in get_remote_heads, but now we get
error reporting much closer to the source of the problem.
Brown-paper-bag-fixes-by: Ramsay Jones <ramsay@ramsay1.demon.co.uk>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-24 06:31:34 +08:00
|
|
|
avail = packet_read(rpc->out, NULL, NULL, rpc->buf, rpc->alloc, 0);
|
2009-10-31 08:47:41 +08:00
|
|
|
if (!avail)
|
|
|
|
return 0;
|
|
|
|
rpc->pos = 0;
|
|
|
|
rpc->len = avail;
|
|
|
|
}
|
|
|
|
|
2009-11-24 10:31:30 +08:00
|
|
|
if (max < avail)
|
2009-10-31 08:47:41 +08:00
|
|
|
avail = max;
|
|
|
|
memcpy(ptr, rpc->buf + rpc->pos, avail);
|
|
|
|
rpc->pos += avail;
|
|
|
|
return avail;
|
|
|
|
}
|
|
|
|
|
2009-12-01 18:33:39 +08:00
|
|
|
#ifndef NO_CURL_IOCTL
|
2010-01-12 14:30:36 +08:00
|
|
|
static curlioerr rpc_ioctl(CURL *handle, int cmd, void *clientp)
|
2009-12-01 18:33:39 +08:00
|
|
|
{
|
|
|
|
struct rpc_state *rpc = clientp;
|
|
|
|
|
|
|
|
switch (cmd) {
|
|
|
|
case CURLIOCMD_NOP:
|
|
|
|
return CURLIOE_OK;
|
|
|
|
|
|
|
|
case CURLIOCMD_RESTARTREAD:
|
|
|
|
if (rpc->initial_buffer) {
|
|
|
|
rpc->pos = 0;
|
|
|
|
return CURLIOE_OK;
|
|
|
|
}
|
|
|
|
fprintf(stderr, "Unable to rewind rpc post data - try increasing http.postBuffer\n");
|
|
|
|
return CURLIOE_FAILRESTART;
|
|
|
|
|
|
|
|
default:
|
|
|
|
return CURLIOE_UNKNOWNCMD;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2011-05-03 23:47:27 +08:00
|
|
|
static size_t rpc_in(char *ptr, size_t eltsize,
|
2009-10-31 08:47:41 +08:00
|
|
|
size_t nmemb, void *buffer_)
|
|
|
|
{
|
|
|
|
size_t size = eltsize * nmemb;
|
|
|
|
struct rpc_state *rpc = buffer_;
|
|
|
|
write_or_die(rpc->in, ptr, size);
|
|
|
|
return size;
|
|
|
|
}
|
|
|
|
|
2011-02-16 00:57:24 +08:00
|
|
|
static int run_slot(struct active_request_slot *slot)
|
|
|
|
{
|
http: prompt for credentials on failed POST
All of the smart-http GET requests go through the http_get_*
functions, which will prompt for credentials and retry if we
see an HTTP 401.
POST requests, however, do not go through any central point.
Moreover, it is difficult to retry in the general case; we
cannot assume the request body fits in memory or is even
seekable, and we don't know how much of it was consumed
during the attempt.
Most of the time, this is not a big deal; for both fetching
and pushing, we make a GET request before doing any POSTs,
so typically we figure out the credentials during the first
request, then reuse them during the POST. However, some
servers may allow a client to get the list of refs from
receive-pack without authentication, and then require
authentication when the client actually tries to POST the
pack.
This is not ideal, as the client may do a non-trivial amount
of work to generate the pack (e.g., delta-compressing
objects). However, for a long time it has been the
recommended example configuration in git-http-backend(1) for
setting up a repository with anonymous fetch and
authenticated push. This setup has always been broken
without putting a username into the URL. Prior to commit
986bbc0, it did work with a username in the URL, because git
would prompt for credentials before making any requests at
all. However, post-986bbc0, it is totally broken. Since it
has been advertised in the manpage for some time, we should
make sure it works.
Unfortunately, it is not as easy as simply calling post_rpc
again when it fails, due to the input issue mentioned above.
However, we can still make this specific case work by
retrying in two specific instances:
1. If the request is large (bigger than LARGE_PACKET_MAX),
we will first send a probe request with a single flush
packet. Since this request is static, we can freely
retry it.
2. If the request is small and we are not using gzip, then
we have the whole thing in-core, and we can freely
retry.
That means we will not retry in some instances, including:
1. If we are using gzip. However, we only do so when
calling git-upload-pack, so it does not apply to
pushes.
2. If we have a large request, the probe succeeds, but
then the real POST wants authentication. This is an
extremely unlikely configuration and not worth worrying
about.
While it might be nice to cover those instances, doing so
would be significantly more complex for very little
real-world gain. In the long run, we will be much better off
when curl learns to internally handle authentication as a
callback, and we can cleanly handle all cases that way.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-08-27 21:27:15 +08:00
|
|
|
int err;
|
2011-02-16 00:57:24 +08:00
|
|
|
struct slot_results results;
|
|
|
|
|
|
|
|
slot->results = &results;
|
|
|
|
slot->curl_result = curl_easy_perform(slot->curl);
|
|
|
|
finish_active_slot(slot);
|
|
|
|
|
http: do not set up curl auth after a 401
When we get an http 401, we prompt for credentials and put
them in our global credential struct. We also feed them to
the curl handle that produced the 401, with the intent that
they will be used on a retry.
When the code was originally introduced in commit 42653c0,
this was a necessary step. However, since dfa1725, we always
feed our global credential into every curl handle when we
initialize the slot with get_active_slot. So every further
request already feeds the credential to curl.
Moreover, accessing the slot here is somewhat dubious. After
the slot has produced a response, we don't actually control
it any more. If we are using curl_multi, it may even have
been re-initialized to handle a different request.
It just so happens that we will reuse the curl handle within
the slot in such a case, and that because we only keep one
global credential, it will be the one we want. So the
current code is not buggy, but it is misleading.
By cleaning it up, we can remove the slot argument entirely
from handle_curl_result, making it much more obvious that
slots should not be accessed after they are marked as
finished.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-10-12 15:35:59 +08:00
|
|
|
err = handle_curl_result(&results);
|
http: prompt for credentials on failed POST
All of the smart-http GET requests go through the http_get_*
functions, which will prompt for credentials and retry if we
see an HTTP 401.
POST requests, however, do not go through any central point.
Moreover, it is difficult to retry in the general case; we
cannot assume the request body fits in memory or is even
seekable, and we don't know how much of it was consumed
during the attempt.
Most of the time, this is not a big deal; for both fetching
and pushing, we make a GET request before doing any POSTs,
so typically we figure out the credentials during the first
request, then reuse them during the POST. However, some
servers may allow a client to get the list of refs from
receive-pack without authentication, and then require
authentication when the client actually tries to POST the
pack.
This is not ideal, as the client may do a non-trivial amount
of work to generate the pack (e.g., delta-compressing
objects). However, for a long time it has been the
recommended example configuration in git-http-backend(1) for
setting up a repository with anonymous fetch and
authenticated push. This setup has always been broken
without putting a username into the URL. Prior to commit
986bbc0, it did work with a username in the URL, because git
would prompt for credentials before making any requests at
all. However, post-986bbc0, it is totally broken. Since it
has been advertised in the manpage for some time, we should
make sure it works.
Unfortunately, it is not as easy as simply calling post_rpc
again when it fails, due to the input issue mentioned above.
However, we can still make this specific case work by
retrying in two specific instances:
1. If the request is large (bigger than LARGE_PACKET_MAX),
we will first send a probe request with a single flush
packet. Since this request is static, we can freely
retry it.
2. If the request is small and we are not using gzip, then
we have the whole thing in-core, and we can freely
retry.
That means we will not retry in some instances, including:
1. If we are using gzip. However, we only do so when
calling git-upload-pack, so it does not apply to
pushes.
2. If we have a large request, the probe succeeds, but
then the real POST wants authentication. This is an
extremely unlikely configuration and not worth worrying
about.
While it might be nice to cover those instances, doing so
would be significantly more complex for very little
real-world gain. In the long run, we will be much better off
when curl learns to internally handle authentication as a
callback, and we can cleanly handle all cases that way.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-08-27 21:27:15 +08:00
|
|
|
if (err != HTTP_OK && err != HTTP_REAUTH) {
|
|
|
|
error("RPC failed; result=%d, HTTP code = %ld",
|
|
|
|
results.curl_result, results.http_code);
|
2011-02-16 00:57:24 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int probe_rpc(struct rpc_state *rpc)
|
|
|
|
{
|
|
|
|
struct active_request_slot *slot;
|
|
|
|
struct curl_slist *headers = NULL;
|
|
|
|
struct strbuf buf = STRBUF_INIT;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
slot = get_active_slot();
|
|
|
|
|
|
|
|
headers = curl_slist_append(headers, rpc->hdr_content_type);
|
|
|
|
headers = curl_slist_append(headers, rpc->hdr_accept);
|
|
|
|
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_NOBODY, 0);
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_POST, 1);
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_URL, rpc->service_url);
|
2012-09-20 07:12:02 +08:00
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_ENCODING, NULL);
|
2011-02-16 00:57:24 +08:00
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_POSTFIELDS, "0000");
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_POSTFIELDSIZE, 4);
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_HTTPHEADER, headers);
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_WRITEFUNCTION, fwrite_buffer);
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_FILE, &buf);
|
|
|
|
|
|
|
|
err = run_slot(slot);
|
|
|
|
|
|
|
|
curl_slist_free_all(headers);
|
|
|
|
strbuf_release(&buf);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2009-10-31 08:47:41 +08:00
|
|
|
static int post_rpc(struct rpc_state *rpc)
|
|
|
|
{
|
|
|
|
struct active_request_slot *slot;
|
|
|
|
struct curl_slist *headers = NULL;
|
2009-10-31 08:47:43 +08:00
|
|
|
int use_gzip = rpc->gzip_request;
|
|
|
|
char *gzip_body = NULL;
|
2012-11-22 03:08:51 +08:00
|
|
|
size_t gzip_size = 0;
|
2011-02-16 00:57:24 +08:00
|
|
|
int err, large_request = 0;
|
2009-10-31 08:47:41 +08:00
|
|
|
|
|
|
|
/* Try to load the entire request, if we can fit it into the
|
|
|
|
* allocated buffer space we can use HTTP/1.0 and avoid the
|
|
|
|
* chunked encoding mess.
|
|
|
|
*/
|
|
|
|
while (1) {
|
|
|
|
size_t left = rpc->alloc - rpc->len;
|
|
|
|
char *buf = rpc->buf + rpc->len;
|
|
|
|
int n;
|
|
|
|
|
|
|
|
if (left < LARGE_PACKET_MAX) {
|
|
|
|
large_request = 1;
|
2009-10-31 08:47:43 +08:00
|
|
|
use_gzip = 0;
|
2009-10-31 08:47:41 +08:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
pkt-line: share buffer/descriptor reading implementation
The packet_read function reads from a descriptor. The
packet_get_line function is similar, but reads from an
in-memory buffer, and uses a completely separate
implementation. This patch teaches the generic packet_read
function to accept either source, and we can do away with
packet_get_line's implementation.
There are two other differences to account for between the
old and new functions. The first is that we used to read
into a strbuf, but now read into a fixed size buffer. The
only two callers are fine with that, and in fact it
simplifies their code, since they can use the same
static-buffer interface as the rest of the packet_read_line
callers (and we provide a similar convenience wrapper for
reading from a buffer rather than a descriptor).
This is technically an externally-visible behavior change in
that we used to accept arbitrary sized packets up to 65532
bytes, and now cap out at LARGE_PACKET_MAX, 65520. In
practice this doesn't matter, as we use it only for parsing
smart-http headers (of which there is exactly one defined,
and it is small and fixed-size). And any extension headers
would be breaking the protocol to go over LARGE_PACKET_MAX
anyway.
The other difference is that packet_get_line would return
on error rather than dying. However, both callers of
packet_get_line are actually improved by dying.
The first caller does its own error checking, but we can
drop that; as a result, we'll actually get more specific
reporting about protocol breakage when packet_read dies
internally. The only downside is that packet_read will not
print the smart-http URL that failed, but that's not a big
deal; anybody not debugging can already see the remote's URL
already, and anybody debugging would want to run with
GIT_CURL_VERBOSE anyway to see way more information.
The second caller, which is just trying to skip past any
extra smart-http headers (of which there are none defined,
but which we allow to keep room for future expansion), did
not error check at all. As a result, it would treat an error
just like a flush packet. The resulting mess would generally
cause an error later in get_remote_heads, but now we get
error reporting much closer to the source of the problem.
Brown-paper-bag-fixes-by: Ramsay Jones <ramsay@ramsay1.demon.co.uk>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-24 06:31:34 +08:00
|
|
|
n = packet_read(rpc->out, NULL, NULL, buf, left, 0);
|
2009-10-31 08:47:41 +08:00
|
|
|
if (!n)
|
|
|
|
break;
|
|
|
|
rpc->len += n;
|
|
|
|
}
|
|
|
|
|
2011-02-16 00:57:24 +08:00
|
|
|
if (large_request) {
|
http: prompt for credentials on failed POST
All of the smart-http GET requests go through the http_get_*
functions, which will prompt for credentials and retry if we
see an HTTP 401.
POST requests, however, do not go through any central point.
Moreover, it is difficult to retry in the general case; we
cannot assume the request body fits in memory or is even
seekable, and we don't know how much of it was consumed
during the attempt.
Most of the time, this is not a big deal; for both fetching
and pushing, we make a GET request before doing any POSTs,
so typically we figure out the credentials during the first
request, then reuse them during the POST. However, some
servers may allow a client to get the list of refs from
receive-pack without authentication, and then require
authentication when the client actually tries to POST the
pack.
This is not ideal, as the client may do a non-trivial amount
of work to generate the pack (e.g., delta-compressing
objects). However, for a long time it has been the
recommended example configuration in git-http-backend(1) for
setting up a repository with anonymous fetch and
authenticated push. This setup has always been broken
without putting a username into the URL. Prior to commit
986bbc0, it did work with a username in the URL, because git
would prompt for credentials before making any requests at
all. However, post-986bbc0, it is totally broken. Since it
has been advertised in the manpage for some time, we should
make sure it works.
Unfortunately, it is not as easy as simply calling post_rpc
again when it fails, due to the input issue mentioned above.
However, we can still make this specific case work by
retrying in two specific instances:
1. If the request is large (bigger than LARGE_PACKET_MAX),
we will first send a probe request with a single flush
packet. Since this request is static, we can freely
retry it.
2. If the request is small and we are not using gzip, then
we have the whole thing in-core, and we can freely
retry.
That means we will not retry in some instances, including:
1. If we are using gzip. However, we only do so when
calling git-upload-pack, so it does not apply to
pushes.
2. If we have a large request, the probe succeeds, but
then the real POST wants authentication. This is an
extremely unlikely configuration and not worth worrying
about.
While it might be nice to cover those instances, doing so
would be significantly more complex for very little
real-world gain. In the long run, we will be much better off
when curl learns to internally handle authentication as a
callback, and we can cleanly handle all cases that way.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-08-27 21:27:15 +08:00
|
|
|
do {
|
|
|
|
err = probe_rpc(rpc);
|
|
|
|
} while (err == HTTP_REAUTH);
|
|
|
|
if (err != HTTP_OK)
|
|
|
|
return -1;
|
2011-02-16 00:57:24 +08:00
|
|
|
}
|
|
|
|
|
remote-curl: do not call run_slot repeatedly
Commit b81401c (http: prompt for credentials on failed POST)
taught post_rpc to call run_slot in a loop in order to retry
a request after asking the user for credentials. However,
after a call to run_slot we will have called
finish_active_slot. This means we have released the slot,
and we should no longer look at it.
As it happens, this does not cause any bugs in the current
code, since we know that we are not using curl_multi in this
code path, and therefore nobody will have taken over our
slot in the meantime. However, it is good form to actually
call get_active_slot again. It also future proofs us against
changes in the http code.
We can do this by jumping back to a retry label at the top
of our function. We just need to reorder a few setup lines
that should not be repeated; everything else within the loop
is either idempotent, needs to be repeated, or in a path we
do not follow (e.g., we do not even try when large_request
is set, because we don't know how much data we might have
streamed from our helper program).
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-10-12 15:35:33 +08:00
|
|
|
headers = curl_slist_append(headers, rpc->hdr_content_type);
|
|
|
|
headers = curl_slist_append(headers, rpc->hdr_accept);
|
|
|
|
headers = curl_slist_append(headers, "Expect:");
|
|
|
|
|
|
|
|
retry:
|
2009-10-31 08:47:41 +08:00
|
|
|
slot = get_active_slot();
|
|
|
|
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_NOBODY, 0);
|
2009-11-23 11:03:28 +08:00
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_POST, 1);
|
2009-10-31 08:47:41 +08:00
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_URL, rpc->service_url);
|
2012-09-20 07:12:02 +08:00
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_ENCODING, "gzip");
|
2009-10-31 08:47:41 +08:00
|
|
|
|
|
|
|
if (large_request) {
|
|
|
|
/* The request body is large and the size cannot be predicted.
|
|
|
|
* We must use chunked encoding to send it.
|
|
|
|
*/
|
|
|
|
headers = curl_slist_append(headers, "Transfer-Encoding: chunked");
|
2009-12-01 18:33:39 +08:00
|
|
|
rpc->initial_buffer = 1;
|
2009-10-31 08:47:41 +08:00
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_READFUNCTION, rpc_out);
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_INFILE, rpc);
|
2009-12-01 18:33:39 +08:00
|
|
|
#ifndef NO_CURL_IOCTL
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_IOCTLFUNCTION, rpc_ioctl);
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_IOCTLDATA, rpc);
|
|
|
|
#endif
|
2009-10-31 08:47:41 +08:00
|
|
|
if (options.verbosity > 1) {
|
|
|
|
fprintf(stderr, "POST %s (chunked)\n", rpc->service_name);
|
|
|
|
fflush(stderr);
|
|
|
|
}
|
|
|
|
|
remote-curl: retry failed requests for auth even with gzip
Commit b81401c taught the post_rpc function to retry the
http request after prompting for credentials. However, it
did not handle two cases:
1. If we have a large request, we do not retry. That's OK,
since we would have sent a probe (with retry) already.
2. If we are gzipping the request, we do not retry. That
was considered OK, because the intended use was for
push (e.g., listing refs is OK, but actually pushing
objects is not), and we never gzip on push.
This patch teaches post_rpc to retry even a gzipped request.
This has two advantages:
1. It is possible to configure a "half-auth" state for
fetching, where the set of refs and their sha1s are
advertised, but one cannot actually fetch objects.
This is not a recommended configuration, as it leaks
some information about what is in the repository (e.g.,
an attacker can try brute-forcing possible content in
your repository and checking whether it matches your
branch sha1). However, it can be slightly more
convenient, since a no-op fetch will not require a
password at all.
2. It future-proofs us should we decide to ever gzip more
requests.
Signed-off-by: Jeff King <peff@peff.net>
2012-10-31 19:29:16 +08:00
|
|
|
} else if (gzip_body) {
|
|
|
|
/*
|
|
|
|
* If we are looping to retry authentication, then the previous
|
|
|
|
* run will have set up the headers and gzip buffer already,
|
|
|
|
* and we just need to send it.
|
|
|
|
*/
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_POSTFIELDS, gzip_body);
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_POSTFIELDSIZE, gzip_size);
|
|
|
|
|
2009-10-31 08:47:43 +08:00
|
|
|
} else if (use_gzip && 1024 < rpc->len) {
|
|
|
|
/* The client backend isn't giving us compressed data so
|
|
|
|
* we can try to deflate it ourselves, this may save on.
|
|
|
|
* the transfer time.
|
|
|
|
*/
|
2011-06-11 02:52:15 +08:00
|
|
|
git_zstream stream;
|
2009-10-31 08:47:43 +08:00
|
|
|
int ret;
|
|
|
|
|
|
|
|
memset(&stream, 0, sizeof(stream));
|
2011-06-11 01:55:10 +08:00
|
|
|
git_deflate_init_gzip(&stream, Z_BEST_COMPRESSION);
|
2012-10-31 19:20:15 +08:00
|
|
|
gzip_size = git_deflate_bound(&stream, rpc->len);
|
|
|
|
gzip_body = xmalloc(gzip_size);
|
2009-10-31 08:47:43 +08:00
|
|
|
|
|
|
|
stream.next_in = (unsigned char *)rpc->buf;
|
|
|
|
stream.avail_in = rpc->len;
|
|
|
|
stream.next_out = (unsigned char *)gzip_body;
|
2012-10-31 19:20:15 +08:00
|
|
|
stream.avail_out = gzip_size;
|
2009-10-31 08:47:43 +08:00
|
|
|
|
2011-06-11 01:55:10 +08:00
|
|
|
ret = git_deflate(&stream, Z_FINISH);
|
2009-10-31 08:47:43 +08:00
|
|
|
if (ret != Z_STREAM_END)
|
|
|
|
die("cannot deflate request; zlib deflate error %d", ret);
|
|
|
|
|
2011-06-11 01:55:10 +08:00
|
|
|
ret = git_deflate_end_gently(&stream);
|
2009-10-31 08:47:43 +08:00
|
|
|
if (ret != Z_OK)
|
|
|
|
die("cannot deflate request; zlib end error %d", ret);
|
|
|
|
|
2012-10-31 19:20:15 +08:00
|
|
|
gzip_size = stream.total_out;
|
2009-10-31 08:47:43 +08:00
|
|
|
|
|
|
|
headers = curl_slist_append(headers, "Content-Encoding: gzip");
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_POSTFIELDS, gzip_body);
|
2012-10-31 19:20:15 +08:00
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_POSTFIELDSIZE, gzip_size);
|
2009-10-31 08:47:43 +08:00
|
|
|
|
|
|
|
if (options.verbosity > 1) {
|
|
|
|
fprintf(stderr, "POST %s (gzip %lu to %lu bytes)\n",
|
|
|
|
rpc->service_name,
|
2012-10-31 19:20:15 +08:00
|
|
|
(unsigned long)rpc->len, (unsigned long)gzip_size);
|
2009-10-31 08:47:43 +08:00
|
|
|
fflush(stderr);
|
|
|
|
}
|
2009-10-31 08:47:41 +08:00
|
|
|
} else {
|
|
|
|
/* We know the complete request size in advance, use the
|
|
|
|
* more normal Content-Length approach.
|
|
|
|
*/
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_POSTFIELDS, rpc->buf);
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_POSTFIELDSIZE, rpc->len);
|
|
|
|
if (options.verbosity > 1) {
|
|
|
|
fprintf(stderr, "POST %s (%lu bytes)\n",
|
|
|
|
rpc->service_name, (unsigned long)rpc->len);
|
|
|
|
fflush(stderr);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_HTTPHEADER, headers);
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_WRITEFUNCTION, rpc_in);
|
|
|
|
curl_easy_setopt(slot->curl, CURLOPT_FILE, rpc);
|
|
|
|
|
remote-curl: do not call run_slot repeatedly
Commit b81401c (http: prompt for credentials on failed POST)
taught post_rpc to call run_slot in a loop in order to retry
a request after asking the user for credentials. However,
after a call to run_slot we will have called
finish_active_slot. This means we have released the slot,
and we should no longer look at it.
As it happens, this does not cause any bugs in the current
code, since we know that we are not using curl_multi in this
code path, and therefore nobody will have taken over our
slot in the meantime. However, it is good form to actually
call get_active_slot again. It also future proofs us against
changes in the http code.
We can do this by jumping back to a retry label at the top
of our function. We just need to reorder a few setup lines
that should not be repeated; everything else within the loop
is either idempotent, needs to be repeated, or in a path we
do not follow (e.g., we do not even try when large_request
is set, because we don't know how much data we might have
streamed from our helper program).
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-10-12 15:35:33 +08:00
|
|
|
err = run_slot(slot);
|
remote-curl: retry failed requests for auth even with gzip
Commit b81401c taught the post_rpc function to retry the
http request after prompting for credentials. However, it
did not handle two cases:
1. If we have a large request, we do not retry. That's OK,
since we would have sent a probe (with retry) already.
2. If we are gzipping the request, we do not retry. That
was considered OK, because the intended use was for
push (e.g., listing refs is OK, but actually pushing
objects is not), and we never gzip on push.
This patch teaches post_rpc to retry even a gzipped request.
This has two advantages:
1. It is possible to configure a "half-auth" state for
fetching, where the set of refs and their sha1s are
advertised, but one cannot actually fetch objects.
This is not a recommended configuration, as it leaks
some information about what is in the repository (e.g.,
an attacker can try brute-forcing possible content in
your repository and checking whether it matches your
branch sha1). However, it can be slightly more
convenient, since a no-op fetch will not require a
password at all.
2. It future-proofs us should we decide to ever gzip more
requests.
Signed-off-by: Jeff King <peff@peff.net>
2012-10-31 19:29:16 +08:00
|
|
|
if (err == HTTP_REAUTH && !large_request)
|
remote-curl: do not call run_slot repeatedly
Commit b81401c (http: prompt for credentials on failed POST)
taught post_rpc to call run_slot in a loop in order to retry
a request after asking the user for credentials. However,
after a call to run_slot we will have called
finish_active_slot. This means we have released the slot,
and we should no longer look at it.
As it happens, this does not cause any bugs in the current
code, since we know that we are not using curl_multi in this
code path, and therefore nobody will have taken over our
slot in the meantime. However, it is good form to actually
call get_active_slot again. It also future proofs us against
changes in the http code.
We can do this by jumping back to a retry label at the top
of our function. We just need to reorder a few setup lines
that should not be repeated; everything else within the loop
is either idempotent, needs to be repeated, or in a path we
do not follow (e.g., we do not even try when large_request
is set, because we don't know how much data we might have
streamed from our helper program).
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-10-12 15:35:33 +08:00
|
|
|
goto retry;
|
http: prompt for credentials on failed POST
All of the smart-http GET requests go through the http_get_*
functions, which will prompt for credentials and retry if we
see an HTTP 401.
POST requests, however, do not go through any central point.
Moreover, it is difficult to retry in the general case; we
cannot assume the request body fits in memory or is even
seekable, and we don't know how much of it was consumed
during the attempt.
Most of the time, this is not a big deal; for both fetching
and pushing, we make a GET request before doing any POSTs,
so typically we figure out the credentials during the first
request, then reuse them during the POST. However, some
servers may allow a client to get the list of refs from
receive-pack without authentication, and then require
authentication when the client actually tries to POST the
pack.
This is not ideal, as the client may do a non-trivial amount
of work to generate the pack (e.g., delta-compressing
objects). However, for a long time it has been the
recommended example configuration in git-http-backend(1) for
setting up a repository with anonymous fetch and
authenticated push. This setup has always been broken
without putting a username into the URL. Prior to commit
986bbc0, it did work with a username in the URL, because git
would prompt for credentials before making any requests at
all. However, post-986bbc0, it is totally broken. Since it
has been advertised in the manpage for some time, we should
make sure it works.
Unfortunately, it is not as easy as simply calling post_rpc
again when it fails, due to the input issue mentioned above.
However, we can still make this specific case work by
retrying in two specific instances:
1. If the request is large (bigger than LARGE_PACKET_MAX),
we will first send a probe request with a single flush
packet. Since this request is static, we can freely
retry it.
2. If the request is small and we are not using gzip, then
we have the whole thing in-core, and we can freely
retry.
That means we will not retry in some instances, including:
1. If we are using gzip. However, we only do so when
calling git-upload-pack, so it does not apply to
pushes.
2. If we have a large request, the probe succeeds, but
then the real POST wants authentication. This is an
extremely unlikely configuration and not worth worrying
about.
While it might be nice to cover those instances, doing so
would be significantly more complex for very little
real-world gain. In the long run, we will be much better off
when curl learns to internally handle authentication as a
callback, and we can cleanly handle all cases that way.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-08-27 21:27:15 +08:00
|
|
|
if (err != HTTP_OK)
|
|
|
|
err = -1;
|
2009-10-31 08:47:41 +08:00
|
|
|
|
|
|
|
curl_slist_free_all(headers);
|
2009-10-31 08:47:43 +08:00
|
|
|
free(gzip_body);
|
2009-10-31 08:47:41 +08:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int rpc_service(struct rpc_state *rpc, struct discovery *heads)
|
|
|
|
{
|
|
|
|
const char *svc = rpc->service_name;
|
|
|
|
struct strbuf buf = STRBUF_INIT;
|
2012-04-02 23:14:44 +08:00
|
|
|
struct strbuf *preamble = rpc->stdin_preamble;
|
2009-10-31 08:47:41 +08:00
|
|
|
struct child_process client;
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
memset(&client, 0, sizeof(client));
|
|
|
|
client.in = -1;
|
|
|
|
client.out = -1;
|
|
|
|
client.git_cmd = 1;
|
|
|
|
client.argv = rpc->argv;
|
|
|
|
if (start_command(&client))
|
|
|
|
exit(1);
|
2012-04-02 23:14:44 +08:00
|
|
|
if (preamble)
|
|
|
|
write_or_die(client.in, preamble->buf, preamble->len);
|
2009-10-31 08:47:41 +08:00
|
|
|
if (heads)
|
|
|
|
write_or_die(client.in, heads->buf, heads->len);
|
|
|
|
|
|
|
|
rpc->alloc = http_post_buffer;
|
|
|
|
rpc->buf = xmalloc(rpc->alloc);
|
|
|
|
rpc->in = client.in;
|
|
|
|
rpc->out = client.out;
|
|
|
|
strbuf_init(&rpc->result, 0);
|
|
|
|
|
2010-04-08 10:15:18 +08:00
|
|
|
strbuf_addf(&buf, "%s%s", url, svc);
|
2009-10-31 08:47:41 +08:00
|
|
|
rpc->service_url = strbuf_detach(&buf, NULL);
|
|
|
|
|
|
|
|
strbuf_addf(&buf, "Content-Type: application/x-%s-request", svc);
|
|
|
|
rpc->hdr_content_type = strbuf_detach(&buf, NULL);
|
|
|
|
|
2010-01-13 01:54:04 +08:00
|
|
|
strbuf_addf(&buf, "Accept: application/x-%s-result", svc);
|
2009-10-31 08:47:41 +08:00
|
|
|
rpc->hdr_accept = strbuf_detach(&buf, NULL);
|
|
|
|
|
|
|
|
while (!err) {
|
pkt-line: share buffer/descriptor reading implementation
The packet_read function reads from a descriptor. The
packet_get_line function is similar, but reads from an
in-memory buffer, and uses a completely separate
implementation. This patch teaches the generic packet_read
function to accept either source, and we can do away with
packet_get_line's implementation.
There are two other differences to account for between the
old and new functions. The first is that we used to read
into a strbuf, but now read into a fixed size buffer. The
only two callers are fine with that, and in fact it
simplifies their code, since they can use the same
static-buffer interface as the rest of the packet_read_line
callers (and we provide a similar convenience wrapper for
reading from a buffer rather than a descriptor).
This is technically an externally-visible behavior change in
that we used to accept arbitrary sized packets up to 65532
bytes, and now cap out at LARGE_PACKET_MAX, 65520. In
practice this doesn't matter, as we use it only for parsing
smart-http headers (of which there is exactly one defined,
and it is small and fixed-size). And any extension headers
would be breaking the protocol to go over LARGE_PACKET_MAX
anyway.
The other difference is that packet_get_line would return
on error rather than dying. However, both callers of
packet_get_line are actually improved by dying.
The first caller does its own error checking, but we can
drop that; as a result, we'll actually get more specific
reporting about protocol breakage when packet_read dies
internally. The only downside is that packet_read will not
print the smart-http URL that failed, but that's not a big
deal; anybody not debugging can already see the remote's URL
already, and anybody debugging would want to run with
GIT_CURL_VERBOSE anyway to see way more information.
The second caller, which is just trying to skip past any
extra smart-http headers (of which there are none defined,
but which we allow to keep room for future expansion), did
not error check at all. As a result, it would treat an error
just like a flush packet. The resulting mess would generally
cause an error later in get_remote_heads, but now we get
error reporting much closer to the source of the problem.
Brown-paper-bag-fixes-by: Ramsay Jones <ramsay@ramsay1.demon.co.uk>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-24 06:31:34 +08:00
|
|
|
int n = packet_read(rpc->out, NULL, NULL, rpc->buf, rpc->alloc, 0);
|
2009-10-31 08:47:41 +08:00
|
|
|
if (!n)
|
|
|
|
break;
|
|
|
|
rpc->pos = 0;
|
|
|
|
rpc->len = n;
|
|
|
|
err |= post_rpc(rpc);
|
|
|
|
}
|
|
|
|
|
|
|
|
close(client.in);
|
|
|
|
client.in = -1;
|
2011-10-05 07:20:19 +08:00
|
|
|
if (!err) {
|
|
|
|
strbuf_read(&rpc->result, client.out, 0);
|
|
|
|
} else {
|
|
|
|
char buf[4096];
|
|
|
|
for (;;)
|
|
|
|
if (xread(client.out, buf, sizeof(buf)) <= 0)
|
|
|
|
break;
|
|
|
|
}
|
2010-08-07 05:19:44 +08:00
|
|
|
|
|
|
|
close(client.out);
|
2009-10-31 08:47:41 +08:00
|
|
|
client.out = -1;
|
|
|
|
|
|
|
|
err |= finish_command(&client);
|
|
|
|
free(rpc->service_url);
|
|
|
|
free(rpc->hdr_content_type);
|
|
|
|
free(rpc->hdr_accept);
|
|
|
|
free(rpc->buf);
|
|
|
|
strbuf_release(&buf);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2009-10-31 08:47:28 +08:00
|
|
|
static int fetch_dumb(int nr_heads, struct ref **to_fetch)
|
|
|
|
{
|
2010-03-02 18:49:31 +08:00
|
|
|
struct walker *walker;
|
2009-10-31 08:47:28 +08:00
|
|
|
char **targets = xmalloc(nr_heads * sizeof(char*));
|
|
|
|
int ret, i;
|
|
|
|
|
2009-10-31 08:47:42 +08:00
|
|
|
if (options.depth)
|
|
|
|
die("dumb http transport does not support --depth");
|
2009-10-31 08:47:28 +08:00
|
|
|
for (i = 0; i < nr_heads; i++)
|
|
|
|
targets[i] = xstrdup(sha1_to_hex(to_fetch[i]->old_sha1));
|
|
|
|
|
2010-03-02 18:49:31 +08:00
|
|
|
walker = get_http_walker(url);
|
2009-10-31 08:47:28 +08:00
|
|
|
walker->get_all = 1;
|
|
|
|
walker->get_tree = 1;
|
|
|
|
walker->get_history = 1;
|
2009-10-31 08:47:29 +08:00
|
|
|
walker->get_verbosely = options.verbosity >= 3;
|
2009-10-31 08:47:28 +08:00
|
|
|
walker->get_recover = 0;
|
|
|
|
ret = walker_fetch(walker, nr_heads, targets, NULL, NULL);
|
2010-03-02 18:49:31 +08:00
|
|
|
walker_free(walker);
|
2009-10-31 08:47:28 +08:00
|
|
|
|
|
|
|
for (i = 0; i < nr_heads; i++)
|
|
|
|
free(targets[i]);
|
|
|
|
free(targets);
|
|
|
|
|
|
|
|
return ret ? error("Fetch failed.") : 0;
|
|
|
|
}
|
|
|
|
|
2009-10-31 08:47:42 +08:00
|
|
|
static int fetch_git(struct discovery *heads,
|
|
|
|
int nr_heads, struct ref **to_fetch)
|
|
|
|
{
|
|
|
|
struct rpc_state rpc;
|
2012-04-02 23:14:44 +08:00
|
|
|
struct strbuf preamble = STRBUF_INIT;
|
2009-10-31 08:47:42 +08:00
|
|
|
char *depth_arg = NULL;
|
|
|
|
int argc = 0, i, err;
|
2013-07-21 16:18:05 +08:00
|
|
|
const char *argv[16];
|
2009-10-31 08:47:42 +08:00
|
|
|
|
|
|
|
argv[argc++] = "fetch-pack";
|
|
|
|
argv[argc++] = "--stateless-rpc";
|
2012-04-02 23:14:44 +08:00
|
|
|
argv[argc++] = "--stdin";
|
2009-10-31 08:47:42 +08:00
|
|
|
argv[argc++] = "--lock-pack";
|
|
|
|
if (options.followtags)
|
|
|
|
argv[argc++] = "--include-tag";
|
|
|
|
if (options.thin)
|
|
|
|
argv[argc++] = "--thin";
|
|
|
|
if (options.verbosity >= 3) {
|
|
|
|
argv[argc++] = "-v";
|
|
|
|
argv[argc++] = "-v";
|
|
|
|
}
|
2013-07-21 16:18:05 +08:00
|
|
|
if (options.check_self_contained_and_connected)
|
|
|
|
argv[argc++] = "--check-self-contained-and-connected";
|
2009-10-31 08:47:42 +08:00
|
|
|
if (!options.progress)
|
|
|
|
argv[argc++] = "--no-progress";
|
|
|
|
if (options.depth) {
|
|
|
|
struct strbuf buf = STRBUF_INIT;
|
|
|
|
strbuf_addf(&buf, "--depth=%lu", options.depth);
|
|
|
|
depth_arg = strbuf_detach(&buf, NULL);
|
|
|
|
argv[argc++] = depth_arg;
|
|
|
|
}
|
|
|
|
argv[argc++] = url;
|
2012-04-02 23:14:44 +08:00
|
|
|
argv[argc++] = NULL;
|
|
|
|
|
2009-10-31 08:47:42 +08:00
|
|
|
for (i = 0; i < nr_heads; i++) {
|
|
|
|
struct ref *ref = to_fetch[i];
|
|
|
|
if (!ref->name || !*ref->name)
|
|
|
|
die("cannot fetch by sha1 over smart http");
|
2012-04-02 23:14:44 +08:00
|
|
|
packet_buf_write(&preamble, "%s\n", ref->name);
|
2009-10-31 08:47:42 +08:00
|
|
|
}
|
2012-04-02 23:14:44 +08:00
|
|
|
packet_buf_flush(&preamble);
|
2009-10-31 08:47:42 +08:00
|
|
|
|
|
|
|
memset(&rpc, 0, sizeof(rpc));
|
|
|
|
rpc.service_name = "git-upload-pack",
|
|
|
|
rpc.argv = argv;
|
2012-04-02 23:14:44 +08:00
|
|
|
rpc.stdin_preamble = &preamble;
|
2009-10-31 08:47:43 +08:00
|
|
|
rpc.gzip_request = 1;
|
2009-10-31 08:47:42 +08:00
|
|
|
|
|
|
|
err = rpc_service(&rpc, heads);
|
|
|
|
if (rpc.result.len)
|
2013-02-21 04:01:56 +08:00
|
|
|
write_or_die(1, rpc.result.buf, rpc.result.len);
|
2009-10-31 08:47:42 +08:00
|
|
|
strbuf_release(&rpc.result);
|
2012-04-02 23:14:44 +08:00
|
|
|
strbuf_release(&preamble);
|
2009-10-31 08:47:42 +08:00
|
|
|
free(depth_arg);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int fetch(int nr_heads, struct ref **to_fetch)
|
|
|
|
{
|
remote-curl: always parse incoming refs
When remote-curl receives a list of refs from a server, it
keeps the whole buffer intact. When we get a "list" command,
we feed the result to get_remote_heads, and when we get a
"fetch" or "push" command, we feed it to fetch-pack or
send-pack, respectively.
If the HTTP response from the server is truncated for any
reason, we will get an incomplete ref advertisement. If we
then feed this incomplete list to fetch-pack, one of a few
things may happen:
1. If the truncation is in a packet header, fetch-pack
will notice the bogus line and complain.
2. If the truncation is inside a packet, fetch-pack will
keep waiting for us to send the rest of the packet,
which we never will.
3. If the truncation is at a packet boundary, fetch-pack
will keep waiting for us to send the next packet, which
we never will.
As a result, fetch-pack hangs, waiting for input. However,
remote-curl believes it has sent all of the advertisement,
and therefore waits for fetch-pack to speak. The two
processes end up in a deadlock.
We do notice the broken ref list if we feed it to
get_remote_heads. So if git asks the helper to do a "list"
followed by a "fetch", we are safe; we'll abort during the
list operation, which parses the refs.
This patch teaches remote-curl to always parse and save the
incoming ref list when we read the ref advertisement from a
server. That means that we will always verify and abort
before even running fetch-pack (or send-pack) when reading a
corrupted list, even if we do not run the "list" command
explicitly.
Since we save the result, in the common case of running
"list" then "fetch", we do not do any extra parsing at all.
In the case of just a "fetch", we do an extra round of
parsing, but only once.
Note also that the "fetch" case will now also initialize
server_capabilities from the remote (in remote-curl; we
already would do so inside fetch-pack). Doing "list+fetch"
already does this. It doesn't actually matter now, but the
new behavior is arguably more correct, should remote-curl
ever start caring about the server's capability list.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-21 04:07:19 +08:00
|
|
|
struct discovery *d = discover_refs("git-upload-pack", 0);
|
2009-10-31 08:47:42 +08:00
|
|
|
if (d->proto_git)
|
|
|
|
return fetch_git(d, nr_heads, to_fetch);
|
|
|
|
else
|
|
|
|
return fetch_dumb(nr_heads, to_fetch);
|
|
|
|
}
|
|
|
|
|
2009-10-31 08:47:28 +08:00
|
|
|
static void parse_fetch(struct strbuf *buf)
|
|
|
|
{
|
|
|
|
struct ref **to_fetch = NULL;
|
|
|
|
struct ref *list_head = NULL;
|
|
|
|
struct ref **list = &list_head;
|
|
|
|
int alloc_heads = 0, nr_heads = 0;
|
|
|
|
|
|
|
|
do {
|
|
|
|
if (!prefixcmp(buf->buf, "fetch ")) {
|
|
|
|
char *p = buf->buf + strlen("fetch ");
|
|
|
|
char *name;
|
|
|
|
struct ref *ref;
|
|
|
|
unsigned char old_sha1[20];
|
|
|
|
|
|
|
|
if (strlen(p) < 40 || get_sha1_hex(p, old_sha1))
|
|
|
|
die("protocol error: expected sha/ref, got %s'", p);
|
|
|
|
if (p[40] == ' ')
|
|
|
|
name = p + 41;
|
|
|
|
else if (!p[40])
|
|
|
|
name = "";
|
|
|
|
else
|
|
|
|
die("protocol error: expected sha/ref, got %s'", p);
|
|
|
|
|
|
|
|
ref = alloc_ref(name);
|
|
|
|
hashcpy(ref->old_sha1, old_sha1);
|
|
|
|
|
|
|
|
*list = ref;
|
|
|
|
list = &ref->next;
|
|
|
|
|
|
|
|
ALLOC_GROW(to_fetch, nr_heads + 1, alloc_heads);
|
|
|
|
to_fetch[nr_heads++] = ref;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
die("http transport does not support %s", buf->buf);
|
|
|
|
|
|
|
|
strbuf_reset(buf);
|
|
|
|
if (strbuf_getline(buf, stdin, '\n') == EOF)
|
|
|
|
return;
|
|
|
|
if (!*buf->buf)
|
|
|
|
break;
|
|
|
|
} while (1);
|
|
|
|
|
2009-10-31 08:47:42 +08:00
|
|
|
if (fetch(nr_heads, to_fetch))
|
2009-10-31 08:47:28 +08:00
|
|
|
exit(128); /* error already reported */
|
|
|
|
free_refs(list_head);
|
|
|
|
free(to_fetch);
|
|
|
|
|
|
|
|
printf("\n");
|
|
|
|
fflush(stdout);
|
|
|
|
strbuf_reset(buf);
|
|
|
|
}
|
|
|
|
|
2009-10-31 08:47:30 +08:00
|
|
|
static int push_dav(int nr_spec, char **specs)
|
|
|
|
{
|
|
|
|
const char **argv = xmalloc((10 + nr_spec) * sizeof(char*));
|
|
|
|
int argc = 0, i;
|
|
|
|
|
|
|
|
argv[argc++] = "http-push";
|
|
|
|
argv[argc++] = "--helper-status";
|
|
|
|
if (options.dry_run)
|
|
|
|
argv[argc++] = "--dry-run";
|
|
|
|
if (options.verbosity > 1)
|
|
|
|
argv[argc++] = "--verbose";
|
|
|
|
argv[argc++] = url;
|
|
|
|
for (i = 0; i < nr_spec; i++)
|
|
|
|
argv[argc++] = specs[i];
|
|
|
|
argv[argc++] = NULL;
|
|
|
|
|
|
|
|
if (run_command_v_opt(argv, RUN_GIT_CMD))
|
|
|
|
die("git-%s failed", argv[0]);
|
|
|
|
free(argv);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2009-10-31 08:47:41 +08:00
|
|
|
static int push_git(struct discovery *heads, int nr_spec, char **specs)
|
|
|
|
{
|
|
|
|
struct rpc_state rpc;
|
2013-07-09 13:16:31 +08:00
|
|
|
int i, err;
|
|
|
|
struct argv_array args;
|
2013-08-03 06:14:50 +08:00
|
|
|
struct string_list_item *cas_option;
|
2013-07-09 13:16:31 +08:00
|
|
|
|
|
|
|
argv_array_init(&args);
|
|
|
|
argv_array_pushl(&args, "send-pack", "--stateless-rpc", "--helper-status",
|
|
|
|
NULL);
|
2009-10-31 08:47:41 +08:00
|
|
|
|
|
|
|
if (options.thin)
|
2013-07-09 13:16:31 +08:00
|
|
|
argv_array_push(&args, "--thin");
|
2009-10-31 08:47:41 +08:00
|
|
|
if (options.dry_run)
|
2013-07-09 13:16:31 +08:00
|
|
|
argv_array_push(&args, "--dry-run");
|
2012-01-09 05:06:20 +08:00
|
|
|
if (options.verbosity == 0)
|
2013-07-09 13:16:31 +08:00
|
|
|
argv_array_push(&args, "--quiet");
|
2012-01-09 05:06:20 +08:00
|
|
|
else if (options.verbosity > 1)
|
2013-07-09 13:16:31 +08:00
|
|
|
argv_array_push(&args, "--verbose");
|
|
|
|
argv_array_push(&args, options.progress ? "--progress" : "--no-progress");
|
2013-08-03 06:14:50 +08:00
|
|
|
for_each_string_list_item(cas_option, &cas_options)
|
2013-09-10 05:30:29 +08:00
|
|
|
argv_array_push(&args, cas_option->string);
|
2013-07-09 13:16:31 +08:00
|
|
|
argv_array_push(&args, url);
|
2009-10-31 08:47:41 +08:00
|
|
|
for (i = 0; i < nr_spec; i++)
|
2013-07-09 13:16:31 +08:00
|
|
|
argv_array_push(&args, specs[i]);
|
2009-10-31 08:47:41 +08:00
|
|
|
|
|
|
|
memset(&rpc, 0, sizeof(rpc));
|
|
|
|
rpc.service_name = "git-receive-pack",
|
2013-07-09 13:16:31 +08:00
|
|
|
rpc.argv = args.argv;
|
2009-10-31 08:47:41 +08:00
|
|
|
|
|
|
|
err = rpc_service(&rpc, heads);
|
|
|
|
if (rpc.result.len)
|
2013-02-21 04:01:56 +08:00
|
|
|
write_or_die(1, rpc.result.buf, rpc.result.len);
|
2009-10-31 08:47:41 +08:00
|
|
|
strbuf_release(&rpc.result);
|
2013-07-09 13:16:31 +08:00
|
|
|
argv_array_clear(&args);
|
2009-10-31 08:47:41 +08:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int push(int nr_spec, char **specs)
|
|
|
|
{
|
remote-curl: always parse incoming refs
When remote-curl receives a list of refs from a server, it
keeps the whole buffer intact. When we get a "list" command,
we feed the result to get_remote_heads, and when we get a
"fetch" or "push" command, we feed it to fetch-pack or
send-pack, respectively.
If the HTTP response from the server is truncated for any
reason, we will get an incomplete ref advertisement. If we
then feed this incomplete list to fetch-pack, one of a few
things may happen:
1. If the truncation is in a packet header, fetch-pack
will notice the bogus line and complain.
2. If the truncation is inside a packet, fetch-pack will
keep waiting for us to send the rest of the packet,
which we never will.
3. If the truncation is at a packet boundary, fetch-pack
will keep waiting for us to send the next packet, which
we never will.
As a result, fetch-pack hangs, waiting for input. However,
remote-curl believes it has sent all of the advertisement,
and therefore waits for fetch-pack to speak. The two
processes end up in a deadlock.
We do notice the broken ref list if we feed it to
get_remote_heads. So if git asks the helper to do a "list"
followed by a "fetch", we are safe; we'll abort during the
list operation, which parses the refs.
This patch teaches remote-curl to always parse and save the
incoming ref list when we read the ref advertisement from a
server. That means that we will always verify and abort
before even running fetch-pack (or send-pack) when reading a
corrupted list, even if we do not run the "list" command
explicitly.
Since we save the result, in the common case of running
"list" then "fetch", we do not do any extra parsing at all.
In the case of just a "fetch", we do an extra round of
parsing, but only once.
Note also that the "fetch" case will now also initialize
server_capabilities from the remote (in remote-curl; we
already would do so inside fetch-pack). Doing "list+fetch"
already does this. It doesn't actually matter now, but the
new behavior is arguably more correct, should remote-curl
ever start caring about the server's capability list.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-21 04:07:19 +08:00
|
|
|
struct discovery *heads = discover_refs("git-receive-pack", 1);
|
2009-10-31 08:47:41 +08:00
|
|
|
int ret;
|
|
|
|
|
|
|
|
if (heads->proto_git)
|
|
|
|
ret = push_git(heads, nr_spec, specs);
|
|
|
|
else
|
|
|
|
ret = push_dav(nr_spec, specs);
|
|
|
|
free_discovery(heads);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2009-10-31 08:47:30 +08:00
|
|
|
static void parse_push(struct strbuf *buf)
|
|
|
|
{
|
|
|
|
char **specs = NULL;
|
remote-curl: Fix push status report when all branches fail
The protocol between transport-helper.c and remote-curl requires
remote-curl to always print a blank line after the push command
has run. If the blank line is ommitted, transport-helper kills its
container process (the git push the user started) with exit(128)
and no message indicating a problem, assuming the helper already
printed reasonable error text to the console.
However if the remote rejects all branches with "ng" commands in the
report-status reply, send-pack terminates with non-zero status, and
in turn remote-curl exited with non-zero status before outputting
the blank line after the helper status printed by send-pack. No
error messages reach the user.
This caused users to see the following from git push over HTTP
when the remote side's update hook rejected the branch:
$ git push http://... master
Counting objects: 4, done.
Delta compression using up to 6 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 301 bytes, done.
Total 3 (delta 0), reused 0 (delta 0)
$
Always print a blank line after the send-pack process terminates,
ensuring the helper status report (if it was output) will be
correctly parsed by the calling transport-helper.c. This ensures
the helper doesn't abort before the status report can be shown to
the user.
Signed-off-by: Shawn O. Pearce <spearce@spearce.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-01-20 11:12:09 +08:00
|
|
|
int alloc_spec = 0, nr_spec = 0, i, ret;
|
2009-10-31 08:47:30 +08:00
|
|
|
|
|
|
|
do {
|
|
|
|
if (!prefixcmp(buf->buf, "push ")) {
|
|
|
|
ALLOC_GROW(specs, nr_spec + 1, alloc_spec);
|
|
|
|
specs[nr_spec++] = xstrdup(buf->buf + 5);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
die("http transport does not support %s", buf->buf);
|
|
|
|
|
|
|
|
strbuf_reset(buf);
|
|
|
|
if (strbuf_getline(buf, stdin, '\n') == EOF)
|
2011-06-20 15:40:06 +08:00
|
|
|
goto free_specs;
|
2009-10-31 08:47:30 +08:00
|
|
|
if (!*buf->buf)
|
|
|
|
break;
|
|
|
|
} while (1);
|
|
|
|
|
remote-curl: Fix push status report when all branches fail
The protocol between transport-helper.c and remote-curl requires
remote-curl to always print a blank line after the push command
has run. If the blank line is ommitted, transport-helper kills its
container process (the git push the user started) with exit(128)
and no message indicating a problem, assuming the helper already
printed reasonable error text to the console.
However if the remote rejects all branches with "ng" commands in the
report-status reply, send-pack terminates with non-zero status, and
in turn remote-curl exited with non-zero status before outputting
the blank line after the helper status printed by send-pack. No
error messages reach the user.
This caused users to see the following from git push over HTTP
when the remote side's update hook rejected the branch:
$ git push http://... master
Counting objects: 4, done.
Delta compression using up to 6 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 301 bytes, done.
Total 3 (delta 0), reused 0 (delta 0)
$
Always print a blank line after the send-pack process terminates,
ensuring the helper status report (if it was output) will be
correctly parsed by the calling transport-helper.c. This ensures
the helper doesn't abort before the status report can be shown to
the user.
Signed-off-by: Shawn O. Pearce <spearce@spearce.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-01-20 11:12:09 +08:00
|
|
|
ret = push(nr_spec, specs);
|
2009-10-31 08:47:30 +08:00
|
|
|
printf("\n");
|
|
|
|
fflush(stdout);
|
2011-06-20 15:40:06 +08:00
|
|
|
|
remote-curl: Fix push status report when all branches fail
The protocol between transport-helper.c and remote-curl requires
remote-curl to always print a blank line after the push command
has run. If the blank line is ommitted, transport-helper kills its
container process (the git push the user started) with exit(128)
and no message indicating a problem, assuming the helper already
printed reasonable error text to the console.
However if the remote rejects all branches with "ng" commands in the
report-status reply, send-pack terminates with non-zero status, and
in turn remote-curl exited with non-zero status before outputting
the blank line after the helper status printed by send-pack. No
error messages reach the user.
This caused users to see the following from git push over HTTP
when the remote side's update hook rejected the branch:
$ git push http://... master
Counting objects: 4, done.
Delta compression using up to 6 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 301 bytes, done.
Total 3 (delta 0), reused 0 (delta 0)
$
Always print a blank line after the send-pack process terminates,
ensuring the helper status report (if it was output) will be
correctly parsed by the calling transport-helper.c. This ensures
the helper doesn't abort before the status report can be shown to
the user.
Signed-off-by: Shawn O. Pearce <spearce@spearce.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-01-20 11:12:09 +08:00
|
|
|
if (ret)
|
|
|
|
exit(128); /* error already reported */
|
|
|
|
|
2011-06-20 15:40:06 +08:00
|
|
|
free_specs:
|
|
|
|
for (i = 0; i < nr_spec; i++)
|
|
|
|
free(specs[i]);
|
|
|
|
free(specs);
|
2009-10-31 08:47:30 +08:00
|
|
|
}
|
|
|
|
|
2009-08-05 13:01:56 +08:00
|
|
|
int main(int argc, const char **argv)
|
|
|
|
{
|
|
|
|
struct strbuf buf = STRBUF_INIT;
|
2009-11-04 10:52:35 +08:00
|
|
|
int nongit;
|
2009-08-05 13:01:56 +08:00
|
|
|
|
2009-10-13 18:53:28 +08:00
|
|
|
git_extract_argv0_path(argv[0]);
|
2009-11-04 10:52:35 +08:00
|
|
|
setup_git_directory_gently(&nongit);
|
2009-08-05 13:01:56 +08:00
|
|
|
if (argc < 2) {
|
|
|
|
fprintf(stderr, "Remote needed\n");
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2009-10-31 08:47:29 +08:00
|
|
|
options.verbosity = 1;
|
|
|
|
options.progress = !!isatty(2);
|
2009-10-31 08:47:41 +08:00
|
|
|
options.thin = 1;
|
2009-10-31 08:47:29 +08:00
|
|
|
|
2009-08-05 13:01:56 +08:00
|
|
|
remote = remote_get(argv[1]);
|
|
|
|
|
|
|
|
if (argc > 2) {
|
2010-04-08 10:15:18 +08:00
|
|
|
end_url_with_slash(&buf, argv[2]);
|
2009-08-05 13:01:56 +08:00
|
|
|
} else {
|
2010-04-08 10:15:18 +08:00
|
|
|
end_url_with_slash(&buf, remote->url[0]);
|
2009-08-05 13:01:56 +08:00
|
|
|
}
|
|
|
|
|
2010-04-08 10:15:18 +08:00
|
|
|
url = strbuf_detach(&buf, NULL);
|
|
|
|
|
2011-12-14 08:11:56 +08:00
|
|
|
http_init(remote, url, 0);
|
2010-03-02 18:49:29 +08:00
|
|
|
|
2009-08-05 13:01:56 +08:00
|
|
|
do {
|
2011-07-16 21:03:29 +08:00
|
|
|
if (strbuf_getline(&buf, stdin, '\n') == EOF) {
|
|
|
|
if (ferror(stdin))
|
|
|
|
fprintf(stderr, "Error reading command stream\n");
|
|
|
|
else
|
|
|
|
fprintf(stderr, "Unexpected end of command stream\n");
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
if (buf.len == 0)
|
2009-08-05 13:01:56 +08:00
|
|
|
break;
|
|
|
|
if (!prefixcmp(buf.buf, "fetch ")) {
|
2009-11-04 10:52:35 +08:00
|
|
|
if (nongit)
|
|
|
|
die("Fetch attempted without a local repo");
|
2009-10-31 08:47:28 +08:00
|
|
|
parse_fetch(&buf);
|
|
|
|
|
2009-10-31 08:47:30 +08:00
|
|
|
} else if (!strcmp(buf.buf, "list") || !prefixcmp(buf.buf, "list ")) {
|
2009-10-31 08:47:40 +08:00
|
|
|
int for_push = !!strstr(buf.buf + 4, "for-push");
|
|
|
|
output_refs(get_refs(for_push));
|
2009-10-31 08:47:30 +08:00
|
|
|
|
|
|
|
} else if (!prefixcmp(buf.buf, "push ")) {
|
|
|
|
parse_push(&buf);
|
|
|
|
|
2009-10-31 08:47:29 +08:00
|
|
|
} else if (!prefixcmp(buf.buf, "option ")) {
|
|
|
|
char *name = buf.buf + strlen("option ");
|
|
|
|
char *value = strchr(name, ' ');
|
|
|
|
int result;
|
|
|
|
|
|
|
|
if (value)
|
|
|
|
*value++ = '\0';
|
|
|
|
else
|
|
|
|
value = "true";
|
|
|
|
|
|
|
|
result = set_option(name, value);
|
|
|
|
if (!result)
|
|
|
|
printf("ok\n");
|
|
|
|
else if (result < 0)
|
|
|
|
printf("error invalid value\n");
|
|
|
|
else
|
|
|
|
printf("unsupported\n");
|
2009-08-05 13:01:56 +08:00
|
|
|
fflush(stdout);
|
2009-10-31 08:47:29 +08:00
|
|
|
|
2009-08-05 13:01:56 +08:00
|
|
|
} else if (!strcmp(buf.buf, "capabilities")) {
|
|
|
|
printf("fetch\n");
|
2009-10-31 08:47:29 +08:00
|
|
|
printf("option\n");
|
2009-10-31 08:47:30 +08:00
|
|
|
printf("push\n");
|
2013-07-21 16:18:05 +08:00
|
|
|
printf("check-connectivity\n");
|
2009-08-05 13:01:56 +08:00
|
|
|
printf("\n");
|
|
|
|
fflush(stdout);
|
|
|
|
} else {
|
2011-07-16 21:03:29 +08:00
|
|
|
fprintf(stderr, "Unknown command '%s'\n", buf.buf);
|
2009-08-05 13:01:56 +08:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
strbuf_reset(&buf);
|
|
|
|
} while (1);
|
2010-03-02 18:49:29 +08:00
|
|
|
|
|
|
|
http_cleanup();
|
|
|
|
|
2009-08-05 13:01:56 +08:00
|
|
|
return 0;
|
|
|
|
}
|