2008-01-15 00:36:34 +08:00
|
|
|
#include "cache.h"
|
|
|
|
#include "commit.h"
|
2008-07-25 18:41:22 +08:00
|
|
|
#include "tree-walk.h"
|
2008-01-15 00:36:34 +08:00
|
|
|
#include "attr.h"
|
2008-07-15 03:22:24 +08:00
|
|
|
#include "archive.h"
|
2008-07-25 18:41:26 +08:00
|
|
|
#include "parse-options.h"
|
2009-04-18 06:18:05 +08:00
|
|
|
#include "unpack-trees.h"
|
2014-09-21 11:55:06 +08:00
|
|
|
#include "dir.h"
|
2008-07-25 18:41:26 +08:00
|
|
|
|
|
|
|
static char const * const archive_usage[] = {
|
2012-08-20 20:31:51 +08:00
|
|
|
N_("git archive [options] <tree-ish> [<path>...]"),
|
|
|
|
N_("git archive --list"),
|
|
|
|
N_("git archive --remote <repo> [--exec <cmd>] [options] <tree-ish> [<path>...]"),
|
|
|
|
N_("git archive --remote <repo> [--exec <cmd>] --list"),
|
2008-07-25 18:41:26 +08:00
|
|
|
NULL
|
|
|
|
};
|
2008-07-25 18:41:22 +08:00
|
|
|
|
2011-06-22 09:23:33 +08:00
|
|
|
static const struct archiver **archivers;
|
|
|
|
static int nr_archivers;
|
|
|
|
static int alloc_archivers;
|
add uploadarchive.allowUnreachable option
In commit ee27ca4, we started restricting remote git-archive
invocations to only accessing reachable commits. This
matches what upload-pack allows, but does restrict some
useful cases (e.g., HEAD:foo). We loosened this in 0f544ee,
which allows `foo:bar` as long as `foo` is a ref tip.
However, that still doesn't allow many useful things, like:
1. Commits accessible from a ref, like `foo^:bar`, which
are reachable
2. Arbitrary sha1s, even if they are reachable.
We can do a full object-reachability check for these cases,
but it can be quite expensive if the client has sent us the
sha1 of a tree; we have to visit every sub-tree of every
commit in the worst case.
Let's instead give site admins an escape hatch, in case they
prefer the more liberal behavior. For many sites, the full
object database is public anyway (e.g., if you allow dumb
walker access), or the site admin may simply decide the
security/convenience tradeoff is not worth it.
This patch adds a new config option to disable the
restrictions added in ee27ca4. It defaults to off, meaning
there is no change in behavior by default.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-02-28 18:04:19 +08:00
|
|
|
static int remote_allow_unreachable;
|
2011-06-22 09:23:33 +08:00
|
|
|
|
|
|
|
void register_archiver(struct archiver *ar)
|
|
|
|
{
|
|
|
|
ALLOC_GROW(archivers, nr_archivers + 1, alloc_archivers);
|
|
|
|
archivers[nr_archivers++] = ar;
|
|
|
|
}
|
2008-07-25 18:41:22 +08:00
|
|
|
|
2008-01-15 00:36:34 +08:00
|
|
|
static void format_subst(const struct commit *commit,
|
|
|
|
const char *src, size_t len,
|
|
|
|
struct strbuf *buf)
|
|
|
|
{
|
|
|
|
char *to_free = NULL;
|
2008-10-10 03:12:12 +08:00
|
|
|
struct strbuf fmt = STRBUF_INIT;
|
2009-10-19 23:48:08 +08:00
|
|
|
struct pretty_print_context ctx = {0};
|
|
|
|
ctx.date_mode = DATE_NORMAL;
|
2010-07-28 02:32:36 +08:00
|
|
|
ctx.abbrev = DEFAULT_ABBREV;
|
2008-01-15 00:36:34 +08:00
|
|
|
|
|
|
|
if (src == buf->buf)
|
|
|
|
to_free = strbuf_detach(buf, NULL);
|
|
|
|
for (;;) {
|
|
|
|
const char *b, *c;
|
|
|
|
|
|
|
|
b = memmem(src, len, "$Format:", 8);
|
2008-04-23 09:06:27 +08:00
|
|
|
if (!b)
|
2008-01-15 00:36:34 +08:00
|
|
|
break;
|
2008-04-23 09:06:27 +08:00
|
|
|
c = memchr(b + 8, '$', (src + len) - b - 8);
|
2008-01-15 00:36:34 +08:00
|
|
|
if (!c)
|
|
|
|
break;
|
|
|
|
|
|
|
|
strbuf_reset(&fmt);
|
|
|
|
strbuf_add(&fmt, b + 8, c - b - 8);
|
|
|
|
|
|
|
|
strbuf_add(buf, src, b - src);
|
2009-10-19 23:48:08 +08:00
|
|
|
format_commit_message(commit, fmt.buf, buf, &ctx);
|
2008-01-15 00:36:34 +08:00
|
|
|
len -= c + 1 - src;
|
|
|
|
src = c + 1;
|
|
|
|
}
|
|
|
|
strbuf_add(buf, src, len);
|
|
|
|
strbuf_release(&fmt);
|
|
|
|
free(to_free);
|
|
|
|
}
|
|
|
|
|
2012-05-03 09:51:03 +08:00
|
|
|
void *sha1_file_to_archive(const struct archiver_args *args,
|
|
|
|
const char *path, const unsigned char *sha1,
|
|
|
|
unsigned int mode, enum object_type *type,
|
|
|
|
unsigned long *sizep)
|
2008-01-15 00:36:34 +08:00
|
|
|
{
|
|
|
|
void *buffer;
|
2012-05-03 09:51:03 +08:00
|
|
|
const struct commit *commit = args->convert ? args->commit : NULL;
|
2008-01-15 00:36:34 +08:00
|
|
|
|
2012-05-03 09:51:03 +08:00
|
|
|
path += args->baselen;
|
2008-01-15 00:36:34 +08:00
|
|
|
buffer = read_sha1_file(sha1, type, sizep);
|
|
|
|
if (buffer && S_ISREG(mode)) {
|
2008-10-10 03:12:12 +08:00
|
|
|
struct strbuf buf = STRBUF_INIT;
|
2008-01-15 00:36:34 +08:00
|
|
|
size_t size = 0;
|
|
|
|
|
|
|
|
strbuf_attach(&buf, buffer, *sizep, *sizep + 1);
|
|
|
|
convert_to_working_tree(path, buf.buf, buf.len, &buf);
|
2008-07-15 03:22:29 +08:00
|
|
|
if (commit)
|
|
|
|
format_subst(commit, buf.buf, buf.len, &buf);
|
2008-01-15 00:36:34 +08:00
|
|
|
buffer = strbuf_detach(&buf, &size);
|
|
|
|
*sizep = size;
|
|
|
|
}
|
|
|
|
|
|
|
|
return buffer;
|
|
|
|
}
|
|
|
|
|
2008-07-15 03:22:29 +08:00
|
|
|
static void setup_archive_check(struct git_attr_check *check)
|
2008-06-09 00:42:33 +08:00
|
|
|
{
|
|
|
|
static struct git_attr *attr_export_ignore;
|
2008-07-15 03:22:29 +08:00
|
|
|
static struct git_attr *attr_export_subst;
|
2008-06-09 00:42:33 +08:00
|
|
|
|
2008-07-15 03:22:29 +08:00
|
|
|
if (!attr_export_ignore) {
|
2010-01-17 12:39:59 +08:00
|
|
|
attr_export_ignore = git_attr("export-ignore");
|
|
|
|
attr_export_subst = git_attr("export-subst");
|
2008-07-15 03:22:29 +08:00
|
|
|
}
|
2008-06-09 00:42:33 +08:00
|
|
|
check[0].attr = attr_export_ignore;
|
2008-07-15 03:22:29 +08:00
|
|
|
check[1].attr = attr_export_subst;
|
2008-06-09 00:42:33 +08:00
|
|
|
}
|
2008-07-15 03:22:24 +08:00
|
|
|
|
2014-09-21 11:55:06 +08:00
|
|
|
struct directory {
|
|
|
|
struct directory *up;
|
|
|
|
unsigned char sha1[20];
|
|
|
|
int baselen, len;
|
|
|
|
unsigned mode;
|
|
|
|
int stage;
|
|
|
|
char path[FLEX_ARRAY];
|
|
|
|
};
|
|
|
|
|
2008-07-15 03:22:24 +08:00
|
|
|
struct archiver_context {
|
|
|
|
struct archiver_args *args;
|
|
|
|
write_archive_entry_fn_t write_entry;
|
2014-09-21 11:55:06 +08:00
|
|
|
struct directory *bottom;
|
2008-07-15 03:22:24 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
static int write_archive_entry(const unsigned char *sha1, const char *base,
|
|
|
|
int baselen, const char *filename, unsigned mode, int stage,
|
|
|
|
void *context)
|
|
|
|
{
|
|
|
|
static struct strbuf path = STRBUF_INIT;
|
|
|
|
struct archiver_context *c = context;
|
|
|
|
struct archiver_args *args = c->args;
|
|
|
|
write_archive_entry_fn_t write_entry = c->write_entry;
|
2008-07-15 03:22:29 +08:00
|
|
|
struct git_attr_check check[2];
|
|
|
|
const char *path_without_prefix;
|
2008-07-15 03:22:24 +08:00
|
|
|
int err;
|
|
|
|
|
2012-05-03 09:51:03 +08:00
|
|
|
args->convert = 0;
|
2008-07-15 03:22:24 +08:00
|
|
|
strbuf_reset(&path);
|
|
|
|
strbuf_grow(&path, PATH_MAX);
|
2009-10-09 00:46:54 +08:00
|
|
|
strbuf_add(&path, args->base, args->baselen);
|
2008-07-15 03:22:24 +08:00
|
|
|
strbuf_add(&path, base, baselen);
|
|
|
|
strbuf_addstr(&path, filename);
|
2012-12-09 04:04:39 +08:00
|
|
|
if (S_ISDIR(mode) || S_ISGITLINK(mode))
|
|
|
|
strbuf_addch(&path, '/');
|
2008-07-15 03:22:29 +08:00
|
|
|
path_without_prefix = path.buf + args->baselen;
|
2008-07-15 03:22:24 +08:00
|
|
|
|
2008-07-15 03:22:29 +08:00
|
|
|
setup_archive_check(check);
|
2011-08-04 12:36:33 +08:00
|
|
|
if (!git_check_attr(path_without_prefix, ARRAY_SIZE(check), check)) {
|
2008-07-15 03:22:29 +08:00
|
|
|
if (ATTR_TRUE(check[0].value))
|
|
|
|
return 0;
|
2012-05-03 09:51:03 +08:00
|
|
|
args->convert = ATTR_TRUE(check[1].value);
|
2008-07-15 03:22:29 +08:00
|
|
|
}
|
2008-07-15 03:22:24 +08:00
|
|
|
|
|
|
|
if (S_ISDIR(mode) || S_ISGITLINK(mode)) {
|
|
|
|
if (args->verbose)
|
|
|
|
fprintf(stderr, "%.*s\n", (int)path.len, path.buf);
|
2012-05-03 09:51:03 +08:00
|
|
|
err = write_entry(args, sha1, path.buf, path.len, mode);
|
2008-07-15 03:22:24 +08:00
|
|
|
if (err)
|
|
|
|
return err;
|
2009-01-25 08:52:05 +08:00
|
|
|
return (S_ISDIR(mode) ? READ_TREE_RECURSIVE : 0);
|
2008-07-15 03:22:24 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
if (args->verbose)
|
|
|
|
fprintf(stderr, "%.*s\n", (int)path.len, path.buf);
|
2012-05-03 09:51:03 +08:00
|
|
|
return write_entry(args, sha1, path.buf, path.len, mode);
|
2008-07-15 03:22:24 +08:00
|
|
|
}
|
|
|
|
|
2014-09-21 11:55:06 +08:00
|
|
|
static void queue_directory(const unsigned char *sha1,
|
|
|
|
const char *base, int baselen, const char *filename,
|
|
|
|
unsigned mode, int stage, struct archiver_context *c)
|
|
|
|
{
|
|
|
|
struct directory *d;
|
|
|
|
d = xmallocz(sizeof(*d) + baselen + 1 + strlen(filename));
|
|
|
|
d->up = c->bottom;
|
|
|
|
d->baselen = baselen;
|
|
|
|
d->mode = mode;
|
|
|
|
d->stage = stage;
|
|
|
|
c->bottom = d;
|
|
|
|
d->len = sprintf(d->path, "%.*s%s/", baselen, base, filename);
|
|
|
|
hashcpy(d->sha1, sha1);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int write_directory(struct archiver_context *c)
|
|
|
|
{
|
|
|
|
struct directory *d = c->bottom;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
if (!d)
|
|
|
|
return 0;
|
|
|
|
c->bottom = d->up;
|
|
|
|
d->path[d->len - 1] = '\0'; /* no trailing slash */
|
|
|
|
ret =
|
|
|
|
write_directory(c) ||
|
|
|
|
write_archive_entry(d->sha1, d->path, d->baselen,
|
|
|
|
d->path + d->baselen, d->mode,
|
|
|
|
d->stage, c) != READ_TREE_RECURSIVE;
|
|
|
|
free(d);
|
|
|
|
return ret ? -1 : 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int queue_or_write_archive_entry(const unsigned char *sha1,
|
|
|
|
const char *base, int baselen, const char *filename,
|
|
|
|
unsigned mode, int stage, void *context)
|
|
|
|
{
|
|
|
|
struct archiver_context *c = context;
|
|
|
|
|
|
|
|
while (c->bottom &&
|
|
|
|
!(baselen >= c->bottom->len &&
|
|
|
|
!strncmp(base, c->bottom->path, c->bottom->len))) {
|
|
|
|
struct directory *next = c->bottom->up;
|
|
|
|
free(c->bottom);
|
|
|
|
c->bottom = next;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (S_ISDIR(mode)) {
|
|
|
|
queue_directory(sha1, base, baselen, filename,
|
|
|
|
mode, stage, c);
|
|
|
|
return READ_TREE_RECURSIVE;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (write_directory(c))
|
|
|
|
return -1;
|
|
|
|
return write_archive_entry(sha1, base, baselen, filename, mode,
|
|
|
|
stage, context);
|
|
|
|
}
|
|
|
|
|
2008-07-15 03:22:24 +08:00
|
|
|
int write_archive_entries(struct archiver_args *args,
|
|
|
|
write_archive_entry_fn_t write_entry)
|
|
|
|
{
|
|
|
|
struct archiver_context context;
|
2009-04-18 06:18:05 +08:00
|
|
|
struct unpack_trees_options opts;
|
|
|
|
struct tree_desc t;
|
2008-07-15 03:22:24 +08:00
|
|
|
int err;
|
|
|
|
|
|
|
|
if (args->baselen > 0 && args->base[args->baselen - 1] == '/') {
|
|
|
|
size_t len = args->baselen;
|
|
|
|
|
|
|
|
while (len > 1 && args->base[len - 2] == '/')
|
|
|
|
len--;
|
|
|
|
if (args->verbose)
|
|
|
|
fprintf(stderr, "%.*s\n", (int)len, args->base);
|
|
|
|
err = write_entry(args, args->tree->object.sha1, args->base,
|
2012-05-03 09:51:03 +08:00
|
|
|
len, 040777);
|
2008-07-15 03:22:24 +08:00
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2014-09-21 11:55:06 +08:00
|
|
|
memset(&context, 0, sizeof(context));
|
2008-07-15 03:22:24 +08:00
|
|
|
context.args = args;
|
|
|
|
context.write_entry = write_entry;
|
|
|
|
|
2009-04-18 06:18:05 +08:00
|
|
|
/*
|
|
|
|
* Setup index and instruct attr to read index only
|
|
|
|
*/
|
|
|
|
if (!args->worktree_attributes) {
|
|
|
|
memset(&opts, 0, sizeof(opts));
|
|
|
|
opts.index_only = 1;
|
|
|
|
opts.head_idx = -1;
|
|
|
|
opts.src_index = &the_index;
|
|
|
|
opts.dst_index = &the_index;
|
|
|
|
opts.fn = oneway_merge;
|
|
|
|
init_tree_desc(&t, args->tree->buffer, args->tree->size);
|
|
|
|
if (unpack_trees(1, &t, &opts))
|
|
|
|
return -1;
|
|
|
|
git_attr_set_direction(GIT_ATTR_INDEX, &the_index);
|
|
|
|
}
|
|
|
|
|
2013-07-14 16:35:44 +08:00
|
|
|
err = read_tree_recursive(args->tree, "", 0, 0, &args->pathspec,
|
2014-09-21 11:55:06 +08:00
|
|
|
args->pathspec.has_wildcard ?
|
|
|
|
queue_or_write_archive_entry :
|
|
|
|
write_archive_entry,
|
|
|
|
&context);
|
2008-07-15 03:22:24 +08:00
|
|
|
if (err == READ_TREE_RECURSIVE)
|
|
|
|
err = 0;
|
2014-09-21 11:55:06 +08:00
|
|
|
while (context.bottom) {
|
|
|
|
struct directory *next = context.bottom->up;
|
|
|
|
free(context.bottom);
|
|
|
|
context.bottom = next;
|
|
|
|
}
|
2008-07-15 03:22:24 +08:00
|
|
|
return err;
|
|
|
|
}
|
2008-07-25 18:41:21 +08:00
|
|
|
|
2008-07-25 18:41:22 +08:00
|
|
|
static const struct archiver *lookup_archiver(const char *name)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
2008-07-25 18:41:26 +08:00
|
|
|
if (!name)
|
|
|
|
return NULL;
|
|
|
|
|
2011-06-22 09:23:33 +08:00
|
|
|
for (i = 0; i < nr_archivers; i++) {
|
|
|
|
if (!strcmp(name, archivers[i]->name))
|
|
|
|
return archivers[i];
|
2008-07-25 18:41:22 +08:00
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2009-12-12 23:00:41 +08:00
|
|
|
static int reject_entry(const unsigned char *sha1, const char *base,
|
|
|
|
int baselen, const char *filename, unsigned mode,
|
|
|
|
int stage, void *context)
|
|
|
|
{
|
2014-09-21 11:55:06 +08:00
|
|
|
int ret = -1;
|
|
|
|
if (S_ISDIR(mode)) {
|
|
|
|
struct strbuf sb = STRBUF_INIT;
|
|
|
|
strbuf_addstr(&sb, base);
|
|
|
|
strbuf_addstr(&sb, filename);
|
|
|
|
if (!match_pathspec(context, sb.buf, sb.len, 0, NULL, 1))
|
|
|
|
ret = READ_TREE_RECURSIVE;
|
|
|
|
strbuf_release(&sb);
|
|
|
|
}
|
|
|
|
return ret;
|
2009-12-12 23:00:41 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static int path_exists(struct tree *tree, const char *path)
|
|
|
|
{
|
2011-03-25 17:34:19 +08:00
|
|
|
const char *paths[] = { path, NULL };
|
|
|
|
struct pathspec pathspec;
|
|
|
|
int ret;
|
|
|
|
|
2013-07-14 16:35:44 +08:00
|
|
|
parse_pathspec(&pathspec, 0, 0, "", paths);
|
2014-09-21 11:55:06 +08:00
|
|
|
pathspec.recursive = 1;
|
|
|
|
ret = read_tree_recursive(tree, "", 0, 0, &pathspec,
|
|
|
|
reject_entry, &pathspec);
|
2011-03-25 17:34:19 +08:00
|
|
|
free_pathspec(&pathspec);
|
|
|
|
return ret != 0;
|
2009-12-12 23:00:41 +08:00
|
|
|
}
|
|
|
|
|
2008-07-25 18:41:22 +08:00
|
|
|
static void parse_pathspec_arg(const char **pathspec,
|
|
|
|
struct archiver_args *ar_args)
|
|
|
|
{
|
2013-07-14 16:35:44 +08:00
|
|
|
/*
|
|
|
|
* must be consistent with parse_pathspec in path_exists()
|
|
|
|
* Also if pathspec patterns are dependent, we're in big
|
|
|
|
* trouble as we test each one separately
|
|
|
|
*/
|
|
|
|
parse_pathspec(&ar_args->pathspec, 0,
|
|
|
|
PATHSPEC_PREFER_FULL,
|
|
|
|
"", pathspec);
|
2014-09-21 11:55:06 +08:00
|
|
|
ar_args->pathspec.recursive = 1;
|
2009-12-12 23:00:41 +08:00
|
|
|
if (pathspec) {
|
|
|
|
while (*pathspec) {
|
archive: handle commits with an empty tree
git-archive relies on get_pathspec to convert its argv into
a list of pathspecs. When get_pathspec is given an empty
argv list, it returns a single pathspec, the empty string,
to indicate that everything matches. When we feed this to
our path_exists function, we typically see that the pathspec
turns up at least one item in the tree, and we are happy.
But when our tree is empty, we erroneously think it is
because the pathspec is too limited, when in fact it is
simply that there is nothing to be found in the tree. This
is a weird corner case, but the correct behavior is almost
certainly to produce an empty archive, not to exit with an
error.
This patch teaches git-archive to create empty archives when
there is no pathspec given (we continue to complain if a
pathspec is given, since it obviously is not matched). It
also confirms that the tar and zip writers produce sane
output in this instance.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-03-11 09:32:32 +08:00
|
|
|
if (**pathspec && !path_exists(ar_args->tree, *pathspec))
|
2013-07-14 16:35:44 +08:00
|
|
|
die(_("pathspec '%s' did not match any files"), *pathspec);
|
2009-12-12 23:00:41 +08:00
|
|
|
pathspec++;
|
|
|
|
}
|
|
|
|
}
|
2008-07-25 18:41:22 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void parse_treeish_arg(const char **argv,
|
archive: don't let remote clients get unreachable commits
Usually git is careful not to allow clients to fetch
arbitrary objects from the database; for example, objects
received via upload-pack must be reachable from a ref.
Upload-archive breaks this by feeding the client's tree-ish
directly to get_sha1, which will accept arbitrary hex sha1s,
reflogs, etc.
This is not a problem if all of your objects are publicly
reachable anyway (or at least public to anybody who can run
upload-archive). Or if you are making the repo available by
dumb protocols like http or rsync (in which case the client
can read your whole object db directly).
But for sites which allow access only through smart
protocols, clients may be able to fetch trees from commits
that exist in the server's object database but are not
referenced (e.g., because history was rewound).
This patch tightens upload-archive's lookup to use dwim_ref
rather than get_sha1. This means a remote client can only
fetch the tip of a named ref, not an arbitrary sha1 or
reflog entry.
This also restricts some legitimate requests, too:
1. Reachable non-tip commits, like:
git archive --remote=$url v1.0~5
2. Sub-trees of reachable commits, like:
git archive --remote=$url v1.7.7:Documentation
Local requests continue to use get_sha1, and are not
restricted at all.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-11-18 07:04:22 +08:00
|
|
|
struct archiver_args *ar_args, const char *prefix,
|
|
|
|
int remote)
|
2008-07-25 18:41:22 +08:00
|
|
|
{
|
|
|
|
const char *name = argv[0];
|
|
|
|
const unsigned char *commit_sha1;
|
|
|
|
time_t archive_time;
|
|
|
|
struct tree *tree;
|
|
|
|
const struct commit *commit;
|
|
|
|
unsigned char sha1[20];
|
|
|
|
|
archive: don't let remote clients get unreachable commits
Usually git is careful not to allow clients to fetch
arbitrary objects from the database; for example, objects
received via upload-pack must be reachable from a ref.
Upload-archive breaks this by feeding the client's tree-ish
directly to get_sha1, which will accept arbitrary hex sha1s,
reflogs, etc.
This is not a problem if all of your objects are publicly
reachable anyway (or at least public to anybody who can run
upload-archive). Or if you are making the repo available by
dumb protocols like http or rsync (in which case the client
can read your whole object db directly).
But for sites which allow access only through smart
protocols, clients may be able to fetch trees from commits
that exist in the server's object database but are not
referenced (e.g., because history was rewound).
This patch tightens upload-archive's lookup to use dwim_ref
rather than get_sha1. This means a remote client can only
fetch the tip of a named ref, not an arbitrary sha1 or
reflog entry.
This also restricts some legitimate requests, too:
1. Reachable non-tip commits, like:
git archive --remote=$url v1.0~5
2. Sub-trees of reachable commits, like:
git archive --remote=$url v1.7.7:Documentation
Local requests continue to use get_sha1, and are not
restricted at all.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-11-18 07:04:22 +08:00
|
|
|
/* Remotes are only allowed to fetch actual refs */
|
add uploadarchive.allowUnreachable option
In commit ee27ca4, we started restricting remote git-archive
invocations to only accessing reachable commits. This
matches what upload-pack allows, but does restrict some
useful cases (e.g., HEAD:foo). We loosened this in 0f544ee,
which allows `foo:bar` as long as `foo` is a ref tip.
However, that still doesn't allow many useful things, like:
1. Commits accessible from a ref, like `foo^:bar`, which
are reachable
2. Arbitrary sha1s, even if they are reachable.
We can do a full object-reachability check for these cases,
but it can be quite expensive if the client has sent us the
sha1 of a tree; we have to visit every sub-tree of every
commit in the worst case.
Let's instead give site admins an escape hatch, in case they
prefer the more liberal behavior. For many sites, the full
object database is public anyway (e.g., if you allow dumb
walker access), or the site admin may simply decide the
security/convenience tradeoff is not worth it.
This patch adds a new config option to disable the
restrictions added in ee27ca4. It defaults to off, meaning
there is no change in behavior by default.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-02-28 18:04:19 +08:00
|
|
|
if (remote && !remote_allow_unreachable) {
|
archive: don't let remote clients get unreachable commits
Usually git is careful not to allow clients to fetch
arbitrary objects from the database; for example, objects
received via upload-pack must be reachable from a ref.
Upload-archive breaks this by feeding the client's tree-ish
directly to get_sha1, which will accept arbitrary hex sha1s,
reflogs, etc.
This is not a problem if all of your objects are publicly
reachable anyway (or at least public to anybody who can run
upload-archive). Or if you are making the repo available by
dumb protocols like http or rsync (in which case the client
can read your whole object db directly).
But for sites which allow access only through smart
protocols, clients may be able to fetch trees from commits
that exist in the server's object database but are not
referenced (e.g., because history was rewound).
This patch tightens upload-archive's lookup to use dwim_ref
rather than get_sha1. This means a remote client can only
fetch the tip of a named ref, not an arbitrary sha1 or
reflog entry.
This also restricts some legitimate requests, too:
1. Reachable non-tip commits, like:
git archive --remote=$url v1.0~5
2. Sub-trees of reachable commits, like:
git archive --remote=$url v1.7.7:Documentation
Local requests continue to use get_sha1, and are not
restricted at all.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-11-18 07:04:22 +08:00
|
|
|
char *ref = NULL;
|
2014-03-08 14:48:31 +08:00
|
|
|
const char *colon = strchrnul(name, ':');
|
|
|
|
int refnamelen = colon - name;
|
2012-05-18 13:15:17 +08:00
|
|
|
|
|
|
|
if (!dwim_ref(name, refnamelen, sha1, &ref))
|
|
|
|
die("no such ref: %.*s", refnamelen, name);
|
archive: don't let remote clients get unreachable commits
Usually git is careful not to allow clients to fetch
arbitrary objects from the database; for example, objects
received via upload-pack must be reachable from a ref.
Upload-archive breaks this by feeding the client's tree-ish
directly to get_sha1, which will accept arbitrary hex sha1s,
reflogs, etc.
This is not a problem if all of your objects are publicly
reachable anyway (or at least public to anybody who can run
upload-archive). Or if you are making the repo available by
dumb protocols like http or rsync (in which case the client
can read your whole object db directly).
But for sites which allow access only through smart
protocols, clients may be able to fetch trees from commits
that exist in the server's object database but are not
referenced (e.g., because history was rewound).
This patch tightens upload-archive's lookup to use dwim_ref
rather than get_sha1. This means a remote client can only
fetch the tip of a named ref, not an arbitrary sha1 or
reflog entry.
This also restricts some legitimate requests, too:
1. Reachable non-tip commits, like:
git archive --remote=$url v1.0~5
2. Sub-trees of reachable commits, like:
git archive --remote=$url v1.7.7:Documentation
Local requests continue to use get_sha1, and are not
restricted at all.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-11-18 07:04:22 +08:00
|
|
|
free(ref);
|
|
|
|
}
|
2012-01-11 20:12:38 +08:00
|
|
|
|
|
|
|
if (get_sha1(name, sha1))
|
|
|
|
die("Not a valid object name");
|
2008-07-25 18:41:22 +08:00
|
|
|
|
|
|
|
commit = lookup_commit_reference_gently(sha1, 1);
|
|
|
|
if (commit) {
|
|
|
|
commit_sha1 = commit->object.sha1;
|
|
|
|
archive_time = commit->date;
|
|
|
|
} else {
|
|
|
|
commit_sha1 = NULL;
|
|
|
|
archive_time = time(NULL);
|
|
|
|
}
|
|
|
|
|
|
|
|
tree = parse_tree_indirect(sha1);
|
|
|
|
if (tree == NULL)
|
|
|
|
die("not a tree object");
|
|
|
|
|
|
|
|
if (prefix) {
|
|
|
|
unsigned char tree_sha1[20];
|
|
|
|
unsigned int mode;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
err = get_tree_entry(tree->object.sha1, prefix,
|
|
|
|
tree_sha1, &mode);
|
|
|
|
if (err || !S_ISDIR(mode))
|
|
|
|
die("current working directory is untracked");
|
|
|
|
|
|
|
|
tree = parse_tree_indirect(tree_sha1);
|
|
|
|
}
|
|
|
|
ar_args->tree = tree;
|
|
|
|
ar_args->commit_sha1 = commit_sha1;
|
|
|
|
ar_args->commit = commit;
|
|
|
|
ar_args->time = archive_time;
|
|
|
|
}
|
|
|
|
|
2008-07-25 18:41:26 +08:00
|
|
|
#define OPT__COMPR(s, v, h, p) \
|
|
|
|
{ OPTION_SET_INT, (s), NULL, (v), NULL, (h), \
|
|
|
|
PARSE_OPT_NOARG | PARSE_OPT_NONEG, NULL, (p) }
|
|
|
|
#define OPT__COMPR_HIDDEN(s, v, p) \
|
|
|
|
{ OPTION_SET_INT, (s), NULL, (v), NULL, "", \
|
|
|
|
PARSE_OPT_NOARG | PARSE_OPT_NONEG | PARSE_OPT_HIDDEN, NULL, (p) }
|
|
|
|
|
2008-07-25 18:41:22 +08:00
|
|
|
static int parse_archive_args(int argc, const char **argv,
|
archive: move file extension format-guessing lower
The process for guessing an archive output format based on
the filename is something like this:
a. parse --output in cmd_archive; check the filename
against a static set of mapping heuristics (right now
it just matches ".zip" for zip files).
b. if found, stick a fake "--format=zip" at the beginning
of the arguments list (if the user did specify a
--format manually, the later option will override our
fake one)
c. if it's a remote call, ship the arguments to the remote
(including the fake), which will call write_archive on
their end
d. if it's local, ship the arguments to write_archive
locally
There are two problems:
1. The set of mappings is static and at too high a level.
The write_archive level is going to check config for
user-defined formats, some of which will specify
extensions. We need to delay lookup until those are
parsed, so we can match against them.
2. For a remote archive call, our set of mappings (or
formats) may not match the remote side's. This is OK in
practice right now, because all versions of git
understand "zip" and "tar". But as new formats are
added, there is going to be a mismatch between what the
client can do and what the remote server can do.
To fix (1), this patch refactors the location guessing to
happen at the write_archive level, instead of the
cmd_archive level. So instead of sticking a fake --format
field in the argv list, we actually pass a "name hint" down
the callchain; this hint is used at the appropriate time to
guess the format (if one hasn't been given already).
This patch leaves (2) unfixed. The name_hint is converted to
a "--format" option as before, and passed to the remote.
This means the local side's idea of how extensions map to
formats will take precedence.
Another option would be to pass the name hint to the remote
side and let the remote choose. This isn't a good idea for
two reasons:
1. There's no room in the protocol for passing that
information. We can pass a new argument, but older
versions of git on the server will choke on it.
2. Letting the remote side decide creates a silent
inconsistency in user experience. Consider the case
that the locally installed git knows about the "tar.gz"
format, but a remote server doesn't.
Running "git archive -o foo.tar.gz" will use the tar.gz
format. If we use --remote, and the local side chooses
the format, then we send "--format=tar.gz" to the
remote, which will complain about the unknown format.
But if we let the remote side choose the format, then
it will realize that it doesn't know about "tar.gz" and
output uncompressed tar without even issuing a warning.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-06-22 09:24:48 +08:00
|
|
|
const struct archiver **ar, struct archiver_args *args,
|
2011-06-22 11:17:35 +08:00
|
|
|
const char *name_hint, int is_remote)
|
2008-07-25 18:41:22 +08:00
|
|
|
{
|
archive: move file extension format-guessing lower
The process for guessing an archive output format based on
the filename is something like this:
a. parse --output in cmd_archive; check the filename
against a static set of mapping heuristics (right now
it just matches ".zip" for zip files).
b. if found, stick a fake "--format=zip" at the beginning
of the arguments list (if the user did specify a
--format manually, the later option will override our
fake one)
c. if it's a remote call, ship the arguments to the remote
(including the fake), which will call write_archive on
their end
d. if it's local, ship the arguments to write_archive
locally
There are two problems:
1. The set of mappings is static and at too high a level.
The write_archive level is going to check config for
user-defined formats, some of which will specify
extensions. We need to delay lookup until those are
parsed, so we can match against them.
2. For a remote archive call, our set of mappings (or
formats) may not match the remote side's. This is OK in
practice right now, because all versions of git
understand "zip" and "tar". But as new formats are
added, there is going to be a mismatch between what the
client can do and what the remote server can do.
To fix (1), this patch refactors the location guessing to
happen at the write_archive level, instead of the
cmd_archive level. So instead of sticking a fake --format
field in the argv list, we actually pass a "name hint" down
the callchain; this hint is used at the appropriate time to
guess the format (if one hasn't been given already).
This patch leaves (2) unfixed. The name_hint is converted to
a "--format" option as before, and passed to the remote.
This means the local side's idea of how extensions map to
formats will take precedence.
Another option would be to pass the name hint to the remote
side and let the remote choose. This isn't a good idea for
two reasons:
1. There's no room in the protocol for passing that
information. We can pass a new argument, but older
versions of git on the server will choke on it.
2. Letting the remote side decide creates a silent
inconsistency in user experience. Consider the case
that the locally installed git knows about the "tar.gz"
format, but a remote server doesn't.
Running "git archive -o foo.tar.gz" will use the tar.gz
format. If we use --remote, and the local side chooses
the format, then we send "--format=tar.gz" to the
remote, which will complain about the unknown format.
But if we let the remote side choose the format, then
it will realize that it doesn't know about "tar.gz" and
output uncompressed tar without even issuing a warning.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-06-22 09:24:48 +08:00
|
|
|
const char *format = NULL;
|
2008-07-25 18:41:26 +08:00
|
|
|
const char *base = NULL;
|
|
|
|
const char *remote = NULL;
|
|
|
|
const char *exec = NULL;
|
2009-02-17 01:20:25 +08:00
|
|
|
const char *output = NULL;
|
2008-07-25 18:41:22 +08:00
|
|
|
int compression_level = -1;
|
|
|
|
int verbose = 0;
|
|
|
|
int i;
|
2008-07-25 18:41:26 +08:00
|
|
|
int list = 0;
|
2009-04-18 06:18:05 +08:00
|
|
|
int worktree_attributes = 0;
|
2008-07-25 18:41:26 +08:00
|
|
|
struct option opts[] = {
|
|
|
|
OPT_GROUP(""),
|
2012-08-20 20:31:51 +08:00
|
|
|
OPT_STRING(0, "format", &format, N_("fmt"), N_("archive format")),
|
|
|
|
OPT_STRING(0, "prefix", &base, N_("prefix"),
|
|
|
|
N_("prepend prefix to each pathname in the archive")),
|
|
|
|
OPT_STRING('o', "output", &output, N_("file"),
|
|
|
|
N_("write the archive to this file")),
|
2011-09-28 07:59:01 +08:00
|
|
|
OPT_BOOL(0, "worktree-attributes", &worktree_attributes,
|
2012-08-20 20:31:51 +08:00
|
|
|
N_("read .gitattributes in working directory")),
|
|
|
|
OPT__VERBOSE(&verbose, N_("report archived files on stderr")),
|
|
|
|
OPT__COMPR('0', &compression_level, N_("store only"), 0),
|
|
|
|
OPT__COMPR('1', &compression_level, N_("compress faster"), 1),
|
2008-07-25 18:41:26 +08:00
|
|
|
OPT__COMPR_HIDDEN('2', &compression_level, 2),
|
|
|
|
OPT__COMPR_HIDDEN('3', &compression_level, 3),
|
|
|
|
OPT__COMPR_HIDDEN('4', &compression_level, 4),
|
|
|
|
OPT__COMPR_HIDDEN('5', &compression_level, 5),
|
|
|
|
OPT__COMPR_HIDDEN('6', &compression_level, 6),
|
|
|
|
OPT__COMPR_HIDDEN('7', &compression_level, 7),
|
|
|
|
OPT__COMPR_HIDDEN('8', &compression_level, 8),
|
2012-08-20 20:31:51 +08:00
|
|
|
OPT__COMPR('9', &compression_level, N_("compress better"), 9),
|
2008-07-25 18:41:26 +08:00
|
|
|
OPT_GROUP(""),
|
2011-09-28 07:59:01 +08:00
|
|
|
OPT_BOOL('l', "list", &list,
|
2012-08-20 20:31:51 +08:00
|
|
|
N_("list supported archive formats")),
|
2008-07-25 18:41:26 +08:00
|
|
|
OPT_GROUP(""),
|
2012-08-20 20:31:51 +08:00
|
|
|
OPT_STRING(0, "remote", &remote, N_("repo"),
|
|
|
|
N_("retrieve the archive from remote repository <repo>")),
|
2012-08-20 20:32:54 +08:00
|
|
|
OPT_STRING(0, "exec", &exec, N_("command"),
|
2012-08-20 20:31:51 +08:00
|
|
|
N_("path to the remote git-upload-archive command")),
|
2008-07-25 18:41:26 +08:00
|
|
|
OPT_END()
|
|
|
|
};
|
|
|
|
|
2009-05-24 02:53:12 +08:00
|
|
|
argc = parse_options(argc, argv, NULL, opts, archive_usage, 0);
|
2008-07-25 18:41:26 +08:00
|
|
|
|
|
|
|
if (remote)
|
|
|
|
die("Unexpected option --remote");
|
|
|
|
if (exec)
|
|
|
|
die("Option --exec can only be used together with --remote");
|
2009-03-09 02:21:53 +08:00
|
|
|
if (output)
|
|
|
|
die("Unexpected option --output");
|
2008-07-25 18:41:26 +08:00
|
|
|
|
|
|
|
if (!base)
|
|
|
|
base = "";
|
|
|
|
|
|
|
|
if (list) {
|
2011-06-22 09:23:33 +08:00
|
|
|
for (i = 0; i < nr_archivers; i++)
|
2011-06-22 11:17:35 +08:00
|
|
|
if (!is_remote || archivers[i]->flags & ARCHIVER_REMOTE)
|
|
|
|
printf("%s\n", archivers[i]->name);
|
2008-07-25 18:41:26 +08:00
|
|
|
exit(0);
|
2008-07-25 18:41:22 +08:00
|
|
|
}
|
|
|
|
|
archive: move file extension format-guessing lower
The process for guessing an archive output format based on
the filename is something like this:
a. parse --output in cmd_archive; check the filename
against a static set of mapping heuristics (right now
it just matches ".zip" for zip files).
b. if found, stick a fake "--format=zip" at the beginning
of the arguments list (if the user did specify a
--format manually, the later option will override our
fake one)
c. if it's a remote call, ship the arguments to the remote
(including the fake), which will call write_archive on
their end
d. if it's local, ship the arguments to write_archive
locally
There are two problems:
1. The set of mappings is static and at too high a level.
The write_archive level is going to check config for
user-defined formats, some of which will specify
extensions. We need to delay lookup until those are
parsed, so we can match against them.
2. For a remote archive call, our set of mappings (or
formats) may not match the remote side's. This is OK in
practice right now, because all versions of git
understand "zip" and "tar". But as new formats are
added, there is going to be a mismatch between what the
client can do and what the remote server can do.
To fix (1), this patch refactors the location guessing to
happen at the write_archive level, instead of the
cmd_archive level. So instead of sticking a fake --format
field in the argv list, we actually pass a "name hint" down
the callchain; this hint is used at the appropriate time to
guess the format (if one hasn't been given already).
This patch leaves (2) unfixed. The name_hint is converted to
a "--format" option as before, and passed to the remote.
This means the local side's idea of how extensions map to
formats will take precedence.
Another option would be to pass the name hint to the remote
side and let the remote choose. This isn't a good idea for
two reasons:
1. There's no room in the protocol for passing that
information. We can pass a new argument, but older
versions of git on the server will choke on it.
2. Letting the remote side decide creates a silent
inconsistency in user experience. Consider the case
that the locally installed git knows about the "tar.gz"
format, but a remote server doesn't.
Running "git archive -o foo.tar.gz" will use the tar.gz
format. If we use --remote, and the local side chooses
the format, then we send "--format=tar.gz" to the
remote, which will complain about the unknown format.
But if we let the remote side choose the format, then
it will realize that it doesn't know about "tar.gz" and
output uncompressed tar without even issuing a warning.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-06-22 09:24:48 +08:00
|
|
|
if (!format && name_hint)
|
|
|
|
format = archive_format_from_filename(name_hint);
|
|
|
|
if (!format)
|
|
|
|
format = "tar";
|
|
|
|
|
2008-07-25 18:41:22 +08:00
|
|
|
/* We need at least one parameter -- tree-ish */
|
2008-07-25 18:41:26 +08:00
|
|
|
if (argc < 1)
|
|
|
|
usage_with_options(archive_usage, opts);
|
2008-07-25 18:41:22 +08:00
|
|
|
*ar = lookup_archiver(format);
|
2011-06-22 11:17:35 +08:00
|
|
|
if (!*ar || (is_remote && !((*ar)->flags & ARCHIVER_REMOTE)))
|
2008-07-25 18:41:22 +08:00
|
|
|
die("Unknown archive format '%s'", format);
|
|
|
|
|
|
|
|
args->compression_level = Z_DEFAULT_COMPRESSION;
|
|
|
|
if (compression_level != -1) {
|
2011-06-22 09:23:33 +08:00
|
|
|
if ((*ar)->flags & ARCHIVER_WANT_COMPRESSION_LEVELS)
|
2008-07-25 18:41:22 +08:00
|
|
|
args->compression_level = compression_level;
|
|
|
|
else {
|
|
|
|
die("Argument not supported for format '%s': -%d",
|
|
|
|
format, compression_level);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
args->verbose = verbose;
|
|
|
|
args->base = base;
|
|
|
|
args->baselen = strlen(base);
|
2009-04-18 06:18:05 +08:00
|
|
|
args->worktree_attributes = worktree_attributes;
|
2008-07-25 18:41:22 +08:00
|
|
|
|
2008-07-25 18:41:26 +08:00
|
|
|
return argc;
|
2008-07-25 18:41:22 +08:00
|
|
|
}
|
|
|
|
|
2008-07-25 18:41:21 +08:00
|
|
|
int write_archive(int argc, const char **argv, const char *prefix,
|
2011-06-22 11:17:35 +08:00
|
|
|
int setup_prefix, const char *name_hint, int remote)
|
2008-07-25 18:41:21 +08:00
|
|
|
{
|
archive: reorder option parsing and config reading
The archive command does three things during its
initialization phase:
1. parse command-line options
2. setup the git directory
3. read config
During phase (1), if we see any options that do not require
a git directory (like "--list"), we handle them immediately
and exit, making it safe to abort step (2) if we are not in
a git directory.
Step (3) must come after step (2), since the git directory
may influence configuration. However, this leaves no
possibility of configuration from step (3) impacting the
command-line options in step (1) (which is useful, for
example, for supporting user-configurable output formats).
Instead, let's reorder this to:
1. setup the git directory, if it exists
2. read config
3. parse command-line options
4. if we are not in a git repository, die
This should have the same external behavior, but puts
configuration before command-line parsing.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-06-16 06:31:28 +08:00
|
|
|
int nongit = 0;
|
2008-07-25 18:41:21 +08:00
|
|
|
const struct archiver *ar = NULL;
|
|
|
|
struct archiver_args args;
|
|
|
|
|
|
|
|
if (setup_prefix && prefix == NULL)
|
archive: reorder option parsing and config reading
The archive command does three things during its
initialization phase:
1. parse command-line options
2. setup the git directory
3. read config
During phase (1), if we see any options that do not require
a git directory (like "--list"), we handle them immediately
and exit, making it safe to abort step (2) if we are not in
a git directory.
Step (3) must come after step (2), since the git directory
may influence configuration. However, this leaves no
possibility of configuration from step (3) impacting the
command-line options in step (1) (which is useful, for
example, for supporting user-configurable output formats).
Instead, let's reorder this to:
1. setup the git directory, if it exists
2. read config
3. parse command-line options
4. if we are not in a git repository, die
This should have the same external behavior, but puts
configuration before command-line parsing.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-06-16 06:31:28 +08:00
|
|
|
prefix = setup_git_directory_gently(&nongit);
|
|
|
|
|
2014-08-08 00:21:19 +08:00
|
|
|
git_config_get_bool("uploadarchive.allowunreachable", &remote_allow_unreachable);
|
|
|
|
git_config(git_default_config, NULL);
|
|
|
|
|
2011-06-22 09:23:33 +08:00
|
|
|
init_tar_archiver();
|
|
|
|
init_zip_archiver();
|
archive: reorder option parsing and config reading
The archive command does three things during its
initialization phase:
1. parse command-line options
2. setup the git directory
3. read config
During phase (1), if we see any options that do not require
a git directory (like "--list"), we handle them immediately
and exit, making it safe to abort step (2) if we are not in
a git directory.
Step (3) must come after step (2), since the git directory
may influence configuration. However, this leaves no
possibility of configuration from step (3) impacting the
command-line options in step (1) (which is useful, for
example, for supporting user-configurable output formats).
Instead, let's reorder this to:
1. setup the git directory, if it exists
2. read config
3. parse command-line options
4. if we are not in a git repository, die
This should have the same external behavior, but puts
configuration before command-line parsing.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-06-16 06:31:28 +08:00
|
|
|
|
2011-06-22 11:17:35 +08:00
|
|
|
argc = parse_archive_args(argc, argv, &ar, &args, name_hint, remote);
|
archive: reorder option parsing and config reading
The archive command does three things during its
initialization phase:
1. parse command-line options
2. setup the git directory
3. read config
During phase (1), if we see any options that do not require
a git directory (like "--list"), we handle them immediately
and exit, making it safe to abort step (2) if we are not in
a git directory.
Step (3) must come after step (2), since the git directory
may influence configuration. However, this leaves no
possibility of configuration from step (3) impacting the
command-line options in step (1) (which is useful, for
example, for supporting user-configurable output formats).
Instead, let's reorder this to:
1. setup the git directory, if it exists
2. read config
3. parse command-line options
4. if we are not in a git repository, die
This should have the same external behavior, but puts
configuration before command-line parsing.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-06-16 06:31:28 +08:00
|
|
|
if (nongit) {
|
|
|
|
/*
|
|
|
|
* We know this will die() with an error, so we could just
|
|
|
|
* die ourselves; but its error message will be more specific
|
|
|
|
* than what we could write here.
|
|
|
|
*/
|
|
|
|
setup_git_directory();
|
|
|
|
}
|
2008-07-25 18:41:21 +08:00
|
|
|
|
archive: don't let remote clients get unreachable commits
Usually git is careful not to allow clients to fetch
arbitrary objects from the database; for example, objects
received via upload-pack must be reachable from a ref.
Upload-archive breaks this by feeding the client's tree-ish
directly to get_sha1, which will accept arbitrary hex sha1s,
reflogs, etc.
This is not a problem if all of your objects are publicly
reachable anyway (or at least public to anybody who can run
upload-archive). Or if you are making the repo available by
dumb protocols like http or rsync (in which case the client
can read your whole object db directly).
But for sites which allow access only through smart
protocols, clients may be able to fetch trees from commits
that exist in the server's object database but are not
referenced (e.g., because history was rewound).
This patch tightens upload-archive's lookup to use dwim_ref
rather than get_sha1. This means a remote client can only
fetch the tip of a named ref, not an arbitrary sha1 or
reflog entry.
This also restricts some legitimate requests, too:
1. Reachable non-tip commits, like:
git archive --remote=$url v1.0~5
2. Sub-trees of reachable commits, like:
git archive --remote=$url v1.7.7:Documentation
Local requests continue to use get_sha1, and are not
restricted at all.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-11-18 07:04:22 +08:00
|
|
|
parse_treeish_arg(argv, &args, prefix, remote);
|
2008-07-25 18:41:21 +08:00
|
|
|
parse_pathspec_arg(argv + 1, &args);
|
|
|
|
|
2011-06-22 09:24:07 +08:00
|
|
|
return ar->write_archive(ar, &args);
|
2008-07-25 18:41:21 +08:00
|
|
|
}
|
archive: move file extension format-guessing lower
The process for guessing an archive output format based on
the filename is something like this:
a. parse --output in cmd_archive; check the filename
against a static set of mapping heuristics (right now
it just matches ".zip" for zip files).
b. if found, stick a fake "--format=zip" at the beginning
of the arguments list (if the user did specify a
--format manually, the later option will override our
fake one)
c. if it's a remote call, ship the arguments to the remote
(including the fake), which will call write_archive on
their end
d. if it's local, ship the arguments to write_archive
locally
There are two problems:
1. The set of mappings is static and at too high a level.
The write_archive level is going to check config for
user-defined formats, some of which will specify
extensions. We need to delay lookup until those are
parsed, so we can match against them.
2. For a remote archive call, our set of mappings (or
formats) may not match the remote side's. This is OK in
practice right now, because all versions of git
understand "zip" and "tar". But as new formats are
added, there is going to be a mismatch between what the
client can do and what the remote server can do.
To fix (1), this patch refactors the location guessing to
happen at the write_archive level, instead of the
cmd_archive level. So instead of sticking a fake --format
field in the argv list, we actually pass a "name hint" down
the callchain; this hint is used at the appropriate time to
guess the format (if one hasn't been given already).
This patch leaves (2) unfixed. The name_hint is converted to
a "--format" option as before, and passed to the remote.
This means the local side's idea of how extensions map to
formats will take precedence.
Another option would be to pass the name hint to the remote
side and let the remote choose. This isn't a good idea for
two reasons:
1. There's no room in the protocol for passing that
information. We can pass a new argument, but older
versions of git on the server will choke on it.
2. Letting the remote side decide creates a silent
inconsistency in user experience. Consider the case
that the locally installed git knows about the "tar.gz"
format, but a remote server doesn't.
Running "git archive -o foo.tar.gz" will use the tar.gz
format. If we use --remote, and the local side chooses
the format, then we send "--format=tar.gz" to the
remote, which will complain about the unknown format.
But if we let the remote side choose the format, then
it will realize that it doesn't know about "tar.gz" and
output uncompressed tar without even issuing a warning.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-06-22 09:24:48 +08:00
|
|
|
|
2011-06-22 09:25:25 +08:00
|
|
|
static int match_extension(const char *filename, const char *ext)
|
|
|
|
{
|
|
|
|
int prefixlen = strlen(filename) - strlen(ext);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We need 1 character for the '.', and 1 character to ensure that the
|
|
|
|
* prefix is non-empty (k.e., we don't match .tar.gz with no actual
|
|
|
|
* filename).
|
|
|
|
*/
|
2013-10-16 06:27:17 +08:00
|
|
|
if (prefixlen < 2 || filename[prefixlen - 1] != '.')
|
2011-06-22 09:25:25 +08:00
|
|
|
return 0;
|
|
|
|
return !strcmp(filename + prefixlen, ext);
|
|
|
|
}
|
|
|
|
|
archive: move file extension format-guessing lower
The process for guessing an archive output format based on
the filename is something like this:
a. parse --output in cmd_archive; check the filename
against a static set of mapping heuristics (right now
it just matches ".zip" for zip files).
b. if found, stick a fake "--format=zip" at the beginning
of the arguments list (if the user did specify a
--format manually, the later option will override our
fake one)
c. if it's a remote call, ship the arguments to the remote
(including the fake), which will call write_archive on
their end
d. if it's local, ship the arguments to write_archive
locally
There are two problems:
1. The set of mappings is static and at too high a level.
The write_archive level is going to check config for
user-defined formats, some of which will specify
extensions. We need to delay lookup until those are
parsed, so we can match against them.
2. For a remote archive call, our set of mappings (or
formats) may not match the remote side's. This is OK in
practice right now, because all versions of git
understand "zip" and "tar". But as new formats are
added, there is going to be a mismatch between what the
client can do and what the remote server can do.
To fix (1), this patch refactors the location guessing to
happen at the write_archive level, instead of the
cmd_archive level. So instead of sticking a fake --format
field in the argv list, we actually pass a "name hint" down
the callchain; this hint is used at the appropriate time to
guess the format (if one hasn't been given already).
This patch leaves (2) unfixed. The name_hint is converted to
a "--format" option as before, and passed to the remote.
This means the local side's idea of how extensions map to
formats will take precedence.
Another option would be to pass the name hint to the remote
side and let the remote choose. This isn't a good idea for
two reasons:
1. There's no room in the protocol for passing that
information. We can pass a new argument, but older
versions of git on the server will choke on it.
2. Letting the remote side decide creates a silent
inconsistency in user experience. Consider the case
that the locally installed git knows about the "tar.gz"
format, but a remote server doesn't.
Running "git archive -o foo.tar.gz" will use the tar.gz
format. If we use --remote, and the local side chooses
the format, then we send "--format=tar.gz" to the
remote, which will complain about the unknown format.
But if we let the remote side choose the format, then
it will realize that it doesn't know about "tar.gz" and
output uncompressed tar without even issuing a warning.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-06-22 09:24:48 +08:00
|
|
|
const char *archive_format_from_filename(const char *filename)
|
|
|
|
{
|
2011-06-22 09:25:25 +08:00
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = 0; i < nr_archivers; i++)
|
|
|
|
if (match_extension(filename, archivers[i]->name))
|
|
|
|
return archivers[i]->name;
|
archive: move file extension format-guessing lower
The process for guessing an archive output format based on
the filename is something like this:
a. parse --output in cmd_archive; check the filename
against a static set of mapping heuristics (right now
it just matches ".zip" for zip files).
b. if found, stick a fake "--format=zip" at the beginning
of the arguments list (if the user did specify a
--format manually, the later option will override our
fake one)
c. if it's a remote call, ship the arguments to the remote
(including the fake), which will call write_archive on
their end
d. if it's local, ship the arguments to write_archive
locally
There are two problems:
1. The set of mappings is static and at too high a level.
The write_archive level is going to check config for
user-defined formats, some of which will specify
extensions. We need to delay lookup until those are
parsed, so we can match against them.
2. For a remote archive call, our set of mappings (or
formats) may not match the remote side's. This is OK in
practice right now, because all versions of git
understand "zip" and "tar". But as new formats are
added, there is going to be a mismatch between what the
client can do and what the remote server can do.
To fix (1), this patch refactors the location guessing to
happen at the write_archive level, instead of the
cmd_archive level. So instead of sticking a fake --format
field in the argv list, we actually pass a "name hint" down
the callchain; this hint is used at the appropriate time to
guess the format (if one hasn't been given already).
This patch leaves (2) unfixed. The name_hint is converted to
a "--format" option as before, and passed to the remote.
This means the local side's idea of how extensions map to
formats will take precedence.
Another option would be to pass the name hint to the remote
side and let the remote choose. This isn't a good idea for
two reasons:
1. There's no room in the protocol for passing that
information. We can pass a new argument, but older
versions of git on the server will choke on it.
2. Letting the remote side decide creates a silent
inconsistency in user experience. Consider the case
that the locally installed git knows about the "tar.gz"
format, but a remote server doesn't.
Running "git archive -o foo.tar.gz" will use the tar.gz
format. If we use --remote, and the local side chooses
the format, then we send "--format=tar.gz" to the
remote, which will complain about the unknown format.
But if we let the remote side choose the format, then
it will realize that it doesn't know about "tar.gz" and
output uncompressed tar without even issuing a warning.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-06-22 09:24:48 +08:00
|
|
|
return NULL;
|
|
|
|
}
|