refname_is_safe(): insist that the refname already be normalized

The reference name is going to be compared to other reference names, so it should be in its normalized form. Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
author: Michael Haggerty <mhagger@alum.mit.edu> 2016-04-27 12:40:39 +0200
committer: Michael Haggerty <mhagger@alum.mit.edu> 2016-05-05 16:37:30 +0200
commit: e40f3557f7e767bd2be2a824bc3bc2379aa69931 (patch)
tree: f348ea258b59c04e6d8acbcfb0cf65d913e2ecfc
parent: refname_is_safe(): don't allow the empty string (diff)
download: tgif-e40f3557f7e767bd2be2a824bc3bc2379aa69931.tar.xz
1 files changed, 7 insertions, 2 deletions
diff --git a/refs.c b/refs.c
index ca0280f7eb..b18d9959af 100644
--- a/refs.c
+++ b/refs.c
@@ -125,14 +125,19 @@ int refname_is_safe(const char *refname)
 	if (skip_prefix(refname, "refs/", &rest)) {
 		char *buf;
 		int result;
+		size_t restlen = strlen(rest);
+
+		/* rest must not be empty, or start or end with "/" */
+		if (!restlen || *rest == '/' || rest[restlen - 1] == '/')
+			return 0;
 
 		/*
 		 * Does the refname try to escape refs/?
 		 * For example: refs/foo/../bar is safe but refs/foo/../../bar
 		 * is not.
 		 */
-		buf = xmallocz(strlen(rest));
-		result = !normalize_path_copy(buf, rest);
+		buf = xmallocz(restlen);
+		result = !normalize_path_copy(buf, rest) && !strcmp(buf, rest);
 		free(buf);
 		return result;
 	}
author	Michael Haggerty <mhagger@alum.mit.edu>	2016-04-27 12:40:39 +0200
committer	Michael Haggerty <mhagger@alum.mit.edu>	2016-05-05 16:37:30 +0200
commit	e40f3557f7e767bd2be2a824bc3bc2379aa69931 (patch)
tree	f348ea258b59c04e6d8acbcfb0cf65d913e2ecfc
parent	refname_is_safe(): don't allow the empty string (diff)
download	tgif-e40f3557f7e767bd2be2a824bc3bc2379aa69931.tar.xz