lock_any_ref_for_update(): do not accept malformatted refs.

We used to use lock_any_ref_for_update() because the command
needs to also update HEAD (which is not under refs/, so
lock_ref_sha1() cannot be used).  The function however did not
check for refs with illegal characters in them.

Use check_ref_format() to catch malformed refs.  For this check,
we specifically do not want to say having less than two levels
in the name is illegal to allow HEAD (and perhaps other special
refs in the future).

Signed-off-by: Junio C Hamano <junkio@cox.net>

diff --git a/builtin-update-ref.c b/builtin-update-ref.c
index 1461937cb987ec18a0b91e7c1084063c7174f3ae..5ee960bf41c4518b6c5530acb123a7ed668538fc 100644 (file)
--- a/builtin-update-ref.c
+++ b/builtin-update-ref.c
@@ -61,10 +61,8 @@ int cmd_update_ref(int argc, const char **argv, const char *prefix)
 
        lock = lock_any_ref_for_update(refname, oldval ? oldsha1 : NULL);
        if (!lock)
-               return 1;
+               die("%s: cannot lock the ref", refname);
        if (write_ref_sha1(lock, sha1, msg) < 0)
-               return 1;
-
-       /* write_ref_sha1 always unlocks the ref, no need to do it explicitly */
+               die("%s: cannot update the ref", refname);
        return 0;
 }

diff --git a/refs.c b/refs.c
index 12e46b8bbefb35e5d402b3c8ef20dd9e4263e81a..3db444cad2b24a1b44ff8a2dae1aa6818b61cbea 100644 (file)
--- a/refs.c
+++ b/refs.c
@@ -710,6 +710,8 @@ struct ref_lock *lock_ref_sha1(const char *ref, const unsigned char *old_sha1)
 
 struct ref_lock *lock_any_ref_for_update(const char *ref, const unsigned char *old_sha1)
 {
+       if (check_ref_format(ref) == -1)
+               return NULL;
        return lock_ref_sha1_basic(ref, old_sha1, NULL);
 }