diff options
Diffstat (limited to 'setup.c')
-rw-r--r-- | setup.c | 2206 |
1 files changed, 2206 insertions, 0 deletions
@@ -0,0 +1,2206 @@ +#include "git-compat-util.h" +#include "abspath.h" +#include "copy.h" +#include "environment.h" +#include "exec-cmd.h" +#include "gettext.h" +#include "object-name.h" +#include "refs.h" +#include "repository.h" +#include "config.h" +#include "dir.h" +#include "setup.h" +#include "string-list.h" +#include "chdir-notify.h" +#include "path.h" +#include "promisor-remote.h" +#include "quote.h" +#include "trace2.h" +#include "worktree.h" + +static int inside_git_dir = -1; +static int inside_work_tree = -1; +static int work_tree_config_is_bogus; +enum allowed_bare_repo { + ALLOWED_BARE_REPO_EXPLICIT = 0, + ALLOWED_BARE_REPO_ALL, +}; + +static struct startup_info the_startup_info; +struct startup_info *startup_info = &the_startup_info; +const char *tmp_original_cwd; + +/* + * The input parameter must contain an absolute path, and it must already be + * normalized. + * + * Find the part of an absolute path that lies inside the work tree by + * dereferencing symlinks outside the work tree, for example: + * /dir1/repo/dir2/file (work tree is /dir1/repo) -> dir2/file + * /dir/file (work tree is /) -> dir/file + * /dir/symlink1/symlink2 (symlink1 points to work tree) -> symlink2 + * /dir/repolink/file (repolink points to /dir/repo) -> file + * /dir/repo (exactly equal to work tree) -> (empty string) + */ +static int abspath_part_inside_repo(char *path) +{ + size_t len; + size_t wtlen; + char *path0; + int off; + const char *work_tree = get_git_work_tree(); + struct strbuf realpath = STRBUF_INIT; + + if (!work_tree) + return -1; + wtlen = strlen(work_tree); + len = strlen(path); + off = offset_1st_component(path); + + /* check if work tree is already the prefix */ + if (wtlen <= len && !fspathncmp(path, work_tree, wtlen)) { + if (path[wtlen] == '/') { + memmove(path, path + wtlen + 1, len - wtlen); + return 0; + } else if (path[wtlen - 1] == '/' || path[wtlen] == '\0') { + /* work tree is the root, or the whole path */ + memmove(path, path + wtlen, len - wtlen + 1); + return 0; + } + /* work tree might match beginning of a symlink to work tree */ + off = wtlen; + } + path0 = path; + path += off; + + /* check each '/'-terminated level */ + while (*path) { + path++; + if (*path == '/') { + *path = '\0'; + strbuf_realpath(&realpath, path0, 1); + if (fspathcmp(realpath.buf, work_tree) == 0) { + memmove(path0, path + 1, len - (path - path0)); + strbuf_release(&realpath); + return 0; + } + *path = '/'; + } + } + + /* check whole path */ + strbuf_realpath(&realpath, path0, 1); + if (fspathcmp(realpath.buf, work_tree) == 0) { + *path0 = '\0'; + strbuf_release(&realpath); + return 0; + } + + strbuf_release(&realpath); + return -1; +} + +/* + * Normalize "path", prepending the "prefix" for relative paths. If + * remaining_prefix is not NULL, return the actual prefix still + * remains in the path. For example, prefix = sub1/sub2/ and path is + * + * foo -> sub1/sub2/foo (full prefix) + * ../foo -> sub1/foo (remaining prefix is sub1/) + * ../../bar -> bar (no remaining prefix) + * ../../sub1/sub2/foo -> sub1/sub2/foo (but no remaining prefix) + * `pwd`/../bar -> sub1/bar (no remaining prefix) + */ +char *prefix_path_gently(const char *prefix, int len, + int *remaining_prefix, const char *path) +{ + const char *orig = path; + char *sanitized; + if (is_absolute_path(orig)) { + sanitized = xmallocz(strlen(path)); + if (remaining_prefix) + *remaining_prefix = 0; + if (normalize_path_copy_len(sanitized, path, remaining_prefix)) { + free(sanitized); + return NULL; + } + if (abspath_part_inside_repo(sanitized)) { + free(sanitized); + return NULL; + } + } else { + sanitized = xstrfmt("%.*s%s", len, len ? prefix : "", path); + if (remaining_prefix) + *remaining_prefix = len; + if (normalize_path_copy_len(sanitized, sanitized, remaining_prefix)) { + free(sanitized); + return NULL; + } + } + return sanitized; +} + +char *prefix_path(const char *prefix, int len, const char *path) +{ + char *r = prefix_path_gently(prefix, len, NULL, path); + if (!r) { + const char *hint_path = get_git_work_tree(); + if (!hint_path) + hint_path = get_git_dir(); + die(_("'%s' is outside repository at '%s'"), path, + absolute_path(hint_path)); + } + return r; +} + +int path_inside_repo(const char *prefix, const char *path) +{ + int len = prefix ? strlen(prefix) : 0; + char *r = prefix_path_gently(prefix, len, NULL, path); + if (r) { + free(r); + return 1; + } + return 0; +} + +int check_filename(const char *prefix, const char *arg) +{ + char *to_free = NULL; + struct stat st; + + if (skip_prefix(arg, ":/", &arg)) { + if (!*arg) /* ":/" is root dir, always exists */ + return 1; + prefix = NULL; + } else if (skip_prefix(arg, ":!", &arg) || + skip_prefix(arg, ":^", &arg)) { + if (!*arg) /* excluding everything is silly, but allowed */ + return 1; + } + + if (prefix) + arg = to_free = prefix_filename(prefix, arg); + + if (!lstat(arg, &st)) { + free(to_free); + return 1; /* file exists */ + } + if (is_missing_file_error(errno)) { + free(to_free); + return 0; /* file does not exist */ + } + die_errno(_("failed to stat '%s'"), arg); +} + +static void NORETURN die_verify_filename(struct repository *r, + const char *prefix, + const char *arg, + int diagnose_misspelt_rev) +{ + if (!diagnose_misspelt_rev) + die(_("%s: no such path in the working tree.\n" + "Use 'git <command> -- <path>...' to specify paths that do not exist locally."), + arg); + /* + * Saying "'(icase)foo' does not exist in the index" when the + * user gave us ":(icase)foo" is just stupid. A magic pathspec + * begins with a colon and is followed by a non-alnum; do not + * let maybe_die_on_misspelt_object_name() even trigger. + */ + if (!(arg[0] == ':' && !isalnum(arg[1]))) + maybe_die_on_misspelt_object_name(r, arg, prefix); + + /* ... or fall back the most general message. */ + die(_("ambiguous argument '%s': unknown revision or path not in the working tree.\n" + "Use '--' to separate paths from revisions, like this:\n" + "'git <command> [<revision>...] -- [<file>...]'"), arg); + +} + +/* + * Check for arguments that don't resolve as actual files, + * but which look sufficiently like pathspecs that we'll consider + * them such for the purposes of rev/pathspec DWIM parsing. + */ +static int looks_like_pathspec(const char *arg) +{ + const char *p; + int escaped = 0; + + /* + * Wildcard characters imply the user is looking to match pathspecs + * that aren't in the filesystem. Note that this doesn't include + * backslash even though it's a glob special; by itself it doesn't + * cause any increase in the match. Likewise ignore backslash-escaped + * wildcard characters. + */ + for (p = arg; *p; p++) { + if (escaped) { + escaped = 0; + } else if (is_glob_special(*p)) { + if (*p == '\\') + escaped = 1; + else + return 1; + } + } + + /* long-form pathspec magic */ + if (starts_with(arg, ":(")) + return 1; + + return 0; +} + +/* + * Verify a filename that we got as an argument for a pathspec + * entry. Note that a filename that begins with "-" never verifies + * as true, because even if such a filename were to exist, we want + * it to be preceded by the "--" marker (or we want the user to + * use a format like "./-filename") + * + * The "diagnose_misspelt_rev" is used to provide a user-friendly + * diagnosis when dying upon finding that "name" is not a pathname. + * If set to 1, the diagnosis will try to diagnose "name" as an + * invalid object name (e.g. HEAD:foo). If set to 0, the diagnosis + * will only complain about an inexisting file. + * + * This function is typically called to check that a "file or rev" + * argument is unambiguous. In this case, the caller will want + * diagnose_misspelt_rev == 1 when verifying the first non-rev + * argument (which could have been a revision), and + * diagnose_misspelt_rev == 0 for the next ones (because we already + * saw a filename, there's not ambiguity anymore). + */ +void verify_filename(const char *prefix, + const char *arg, + int diagnose_misspelt_rev) +{ + if (*arg == '-') + die(_("option '%s' must come before non-option arguments"), arg); + if (looks_like_pathspec(arg) || check_filename(prefix, arg)) + return; + die_verify_filename(the_repository, prefix, arg, diagnose_misspelt_rev); +} + +/* + * Opposite of the above: the command line did not have -- marker + * and we parsed the arg as a refname. It should not be interpretable + * as a filename. + */ +void verify_non_filename(const char *prefix, const char *arg) +{ + if (!is_inside_work_tree() || is_inside_git_dir()) + return; + if (*arg == '-') + return; /* flag */ + if (!check_filename(prefix, arg)) + return; + die(_("ambiguous argument '%s': both revision and filename\n" + "Use '--' to separate paths from revisions, like this:\n" + "'git <command> [<revision>...] -- [<file>...]'"), arg); +} + +int get_common_dir(struct strbuf *sb, const char *gitdir) +{ + const char *git_env_common_dir = getenv(GIT_COMMON_DIR_ENVIRONMENT); + if (git_env_common_dir) { + strbuf_addstr(sb, git_env_common_dir); + return 1; + } else { + return get_common_dir_noenv(sb, gitdir); + } +} + +int get_common_dir_noenv(struct strbuf *sb, const char *gitdir) +{ + struct strbuf data = STRBUF_INIT; + struct strbuf path = STRBUF_INIT; + int ret = 0; + + strbuf_addf(&path, "%s/commondir", gitdir); + if (file_exists(path.buf)) { + if (strbuf_read_file(&data, path.buf, 0) <= 0) + die_errno(_("failed to read %s"), path.buf); + while (data.len && (data.buf[data.len - 1] == '\n' || + data.buf[data.len - 1] == '\r')) + data.len--; + data.buf[data.len] = '\0'; + strbuf_reset(&path); + if (!is_absolute_path(data.buf)) + strbuf_addf(&path, "%s/", gitdir); + strbuf_addbuf(&path, &data); + strbuf_add_real_path(sb, path.buf); + ret = 1; + } else { + strbuf_addstr(sb, gitdir); + } + + strbuf_release(&data); + strbuf_release(&path); + return ret; +} + +/* + * Test if it looks like we're at a git directory. + * We want to see: + * + * - either an objects/ directory _or_ the proper + * GIT_OBJECT_DIRECTORY environment variable + * - a refs/ directory + * - either a HEAD symlink or a HEAD file that is formatted as + * a proper "ref:", or a regular file HEAD that has a properly + * formatted sha1 object name. + */ +int is_git_directory(const char *suspect) +{ + struct strbuf path = STRBUF_INIT; + int ret = 0; + size_t len; + + /* Check worktree-related signatures */ + strbuf_addstr(&path, suspect); + strbuf_complete(&path, '/'); + strbuf_addstr(&path, "HEAD"); + if (validate_headref(path.buf)) + goto done; + + strbuf_reset(&path); + get_common_dir(&path, suspect); + len = path.len; + + /* Check non-worktree-related signatures */ + if (getenv(DB_ENVIRONMENT)) { + if (access(getenv(DB_ENVIRONMENT), X_OK)) + goto done; + } + else { + strbuf_setlen(&path, len); + strbuf_addstr(&path, "/objects"); + if (access(path.buf, X_OK)) + goto done; + } + + strbuf_setlen(&path, len); + strbuf_addstr(&path, "/refs"); + if (access(path.buf, X_OK)) + goto done; + + ret = 1; +done: + strbuf_release(&path); + return ret; +} + +int is_nonbare_repository_dir(struct strbuf *path) +{ + int ret = 0; + int gitfile_error; + size_t orig_path_len = path->len; + assert(orig_path_len != 0); + strbuf_complete(path, '/'); + strbuf_addstr(path, ".git"); + if (read_gitfile_gently(path->buf, &gitfile_error) || is_git_directory(path->buf)) + ret = 1; + if (gitfile_error == READ_GITFILE_ERR_OPEN_FAILED || + gitfile_error == READ_GITFILE_ERR_READ_FAILED) + ret = 1; + strbuf_setlen(path, orig_path_len); + return ret; +} + +int is_inside_git_dir(void) +{ + if (inside_git_dir < 0) + inside_git_dir = is_inside_dir(get_git_dir()); + return inside_git_dir; +} + +int is_inside_work_tree(void) +{ + if (inside_work_tree < 0) + inside_work_tree = is_inside_dir(get_git_work_tree()); + return inside_work_tree; +} + +void setup_work_tree(void) +{ + const char *work_tree; + static int initialized = 0; + + if (initialized) + return; + + if (work_tree_config_is_bogus) + die(_("unable to set up work tree using invalid config")); + + work_tree = get_git_work_tree(); + if (!work_tree || chdir_notify(work_tree)) + die(_("this operation must be run in a work tree")); + + /* + * Make sure subsequent git processes find correct worktree + * if $GIT_WORK_TREE is set relative + */ + if (getenv(GIT_WORK_TREE_ENVIRONMENT)) + setenv(GIT_WORK_TREE_ENVIRONMENT, ".", 1); + + initialized = 1; +} + +static void setup_original_cwd(void) +{ + struct strbuf tmp = STRBUF_INIT; + const char *worktree = NULL; + int offset = -1; + + if (!tmp_original_cwd) + return; + + /* + * startup_info->original_cwd points to the current working + * directory we inherited from our parent process, which is a + * directory we want to avoid removing. + * + * For convience, we would like to have the path relative to the + * worktree instead of an absolute path. + * + * Yes, startup_info->original_cwd is usually the same as 'prefix', + * but differs in two ways: + * - prefix has a trailing '/' + * - if the user passes '-C' to git, that modifies the prefix but + * not startup_info->original_cwd. + */ + + /* Normalize the directory */ + if (!strbuf_realpath(&tmp, tmp_original_cwd, 0)) { + trace2_data_string("setup", the_repository, + "realpath-path", tmp_original_cwd); + trace2_data_string("setup", the_repository, + "realpath-failure", strerror(errno)); + free((char*)tmp_original_cwd); + tmp_original_cwd = NULL; + return; + } + + free((char*)tmp_original_cwd); + tmp_original_cwd = NULL; + startup_info->original_cwd = strbuf_detach(&tmp, NULL); + + /* + * Get our worktree; we only protect the current working directory + * if it's in the worktree. + */ + worktree = get_git_work_tree(); + if (!worktree) + goto no_prevention_needed; + + offset = dir_inside_of(startup_info->original_cwd, worktree); + if (offset >= 0) { + /* + * If startup_info->original_cwd == worktree, that is already + * protected and we don't need original_cwd as a secondary + * protection measure. + */ + if (!*(startup_info->original_cwd + offset)) + goto no_prevention_needed; + + /* + * original_cwd was inside worktree; precompose it just as + * we do prefix so that built up paths will match + */ + startup_info->original_cwd = \ + precompose_string_if_needed(startup_info->original_cwd + + offset); + return; + } + +no_prevention_needed: + free((char*)startup_info->original_cwd); + startup_info->original_cwd = NULL; +} + +static int read_worktree_config(const char *var, const char *value, + const struct config_context *ctx UNUSED, + void *vdata) +{ + struct repository_format *data = vdata; + + if (strcmp(var, "core.bare") == 0) { + data->is_bare = git_config_bool(var, value); + } else if (strcmp(var, "core.worktree") == 0) { + if (!value) + return config_error_nonbool(var); + free(data->work_tree); + data->work_tree = xstrdup(value); + } + return 0; +} + +enum extension_result { + EXTENSION_ERROR = -1, /* compatible with error(), etc */ + EXTENSION_UNKNOWN = 0, + EXTENSION_OK = 1 +}; + +/* + * Do not add new extensions to this function. It handles extensions which are + * respected even in v0-format repositories for historical compatibility. + */ +static enum extension_result handle_extension_v0(const char *var, + const char *value, + const char *ext, + struct repository_format *data) +{ + if (!strcmp(ext, "noop")) { + return EXTENSION_OK; + } else if (!strcmp(ext, "preciousobjects")) { + data->precious_objects = git_config_bool(var, value); + return EXTENSION_OK; + } else if (!strcmp(ext, "partialclone")) { + data->partial_clone = xstrdup(value); + return EXTENSION_OK; + } else if (!strcmp(ext, "worktreeconfig")) { + data->worktree_config = git_config_bool(var, value); + return EXTENSION_OK; + } + + return EXTENSION_UNKNOWN; +} + +/* + * Record any new extensions in this function. + */ +static enum extension_result handle_extension(const char *var, + const char *value, + const char *ext, + struct repository_format *data) +{ + if (!strcmp(ext, "noop-v1")) { + return EXTENSION_OK; + } else if (!strcmp(ext, "objectformat")) { + int format; + + if (!value) + return config_error_nonbool(var); + format = hash_algo_by_name(value); + if (format == GIT_HASH_UNKNOWN) + return error(_("invalid value for '%s': '%s'"), + "extensions.objectformat", value); + data->hash_algo = format; + return EXTENSION_OK; + } + return EXTENSION_UNKNOWN; +} + +static int check_repo_format(const char *var, const char *value, + const struct config_context *ctx, void *vdata) +{ + struct repository_format *data = vdata; + const char *ext; + + if (strcmp(var, "core.repositoryformatversion") == 0) + data->version = git_config_int(var, value, ctx->kvi); + else if (skip_prefix(var, "extensions.", &ext)) { + switch (handle_extension_v0(var, value, ext, data)) { + case EXTENSION_ERROR: + return -1; + case EXTENSION_OK: + return 0; + case EXTENSION_UNKNOWN: + break; + } + + switch (handle_extension(var, value, ext, data)) { + case EXTENSION_ERROR: + return -1; + case EXTENSION_OK: + string_list_append(&data->v1_only_extensions, ext); + return 0; + case EXTENSION_UNKNOWN: + string_list_append(&data->unknown_extensions, ext); + return 0; + } + } + + return read_worktree_config(var, value, ctx, vdata); +} + +static int check_repository_format_gently(const char *gitdir, struct repository_format *candidate, int *nongit_ok) +{ + struct strbuf sb = STRBUF_INIT; + struct strbuf err = STRBUF_INIT; + int has_common; + + has_common = get_common_dir(&sb, gitdir); + strbuf_addstr(&sb, "/config"); + read_repository_format(candidate, sb.buf); + strbuf_release(&sb); + + /* + * For historical use of check_repository_format() in git-init, + * we treat a missing config as a silent "ok", even when nongit_ok + * is unset. + */ + if (candidate->version < 0) + return 0; + + if (verify_repository_format(candidate, &err) < 0) { + if (nongit_ok) { + warning("%s", err.buf); + strbuf_release(&err); + *nongit_ok = -1; + return -1; + } + die("%s", err.buf); + } + + repository_format_precious_objects = candidate->precious_objects; + string_list_clear(&candidate->unknown_extensions, 0); + string_list_clear(&candidate->v1_only_extensions, 0); + + if (candidate->worktree_config) { + /* + * pick up core.bare and core.worktree from per-worktree + * config if present + */ + strbuf_addf(&sb, "%s/config.worktree", gitdir); + git_config_from_file(read_worktree_config, sb.buf, candidate); + strbuf_release(&sb); + has_common = 0; + } + + if (!has_common) { + if (candidate->is_bare != -1) { + is_bare_repository_cfg = candidate->is_bare; + if (is_bare_repository_cfg == 1) + inside_work_tree = -1; + } + if (candidate->work_tree) { + free(git_work_tree_cfg); + git_work_tree_cfg = xstrdup(candidate->work_tree); + inside_work_tree = -1; + } + } + + return 0; +} + +int upgrade_repository_format(int target_version) +{ + struct strbuf sb = STRBUF_INIT; + struct strbuf err = STRBUF_INIT; + struct strbuf repo_version = STRBUF_INIT; + struct repository_format repo_fmt = REPOSITORY_FORMAT_INIT; + int ret; + + strbuf_git_common_path(&sb, the_repository, "config"); + read_repository_format(&repo_fmt, sb.buf); + strbuf_release(&sb); + + if (repo_fmt.version >= target_version) { + ret = 0; + goto out; + } + + if (verify_repository_format(&repo_fmt, &err) < 0) { + ret = error("cannot upgrade repository format from %d to %d: %s", + repo_fmt.version, target_version, err.buf); + goto out; + } + if (!repo_fmt.version && repo_fmt.unknown_extensions.nr) { + ret = error("cannot upgrade repository format: " + "unknown extension %s", + repo_fmt.unknown_extensions.items[0].string); + goto out; + } + + strbuf_addf(&repo_version, "%d", target_version); + git_config_set("core.repositoryformatversion", repo_version.buf); + + ret = 1; + +out: + clear_repository_format(&repo_fmt); + strbuf_release(&repo_version); + strbuf_release(&err); + return ret; +} + +static void init_repository_format(struct repository_format *format) +{ + const struct repository_format fresh = REPOSITORY_FORMAT_INIT; + + memcpy(format, &fresh, sizeof(fresh)); +} + +int read_repository_format(struct repository_format *format, const char *path) +{ + clear_repository_format(format); + git_config_from_file(check_repo_format, path, format); + if (format->version == -1) + clear_repository_format(format); + return format->version; +} + +void clear_repository_format(struct repository_format *format) +{ + string_list_clear(&format->unknown_extensions, 0); + string_list_clear(&format->v1_only_extensions, 0); + free(format->work_tree); + free(format->partial_clone); + init_repository_format(format); +} + +int verify_repository_format(const struct repository_format *format, + struct strbuf *err) +{ + if (GIT_REPO_VERSION_READ < format->version) { + strbuf_addf(err, _("Expected git repo version <= %d, found %d"), + GIT_REPO_VERSION_READ, format->version); + return -1; + } + + if (format->version >= 1 && format->unknown_extensions.nr) { + int i; + + strbuf_addstr(err, Q_("unknown repository extension found:", + "unknown repository extensions found:", + format->unknown_extensions.nr)); + + for (i = 0; i < format->unknown_extensions.nr; i++) + strbuf_addf(err, "\n\t%s", + format->unknown_extensions.items[i].string); + return -1; + } + + if (format->version == 0 && format->v1_only_extensions.nr) { + int i; + + strbuf_addstr(err, + Q_("repo version is 0, but v1-only extension found:", + "repo version is 0, but v1-only extensions found:", + format->v1_only_extensions.nr)); + + for (i = 0; i < format->v1_only_extensions.nr; i++) + strbuf_addf(err, "\n\t%s", + format->v1_only_extensions.items[i].string); + return -1; + } + + return 0; +} + +void read_gitfile_error_die(int error_code, const char *path, const char *dir) +{ + switch (error_code) { + case READ_GITFILE_ERR_STAT_FAILED: + case READ_GITFILE_ERR_NOT_A_FILE: + /* non-fatal; follow return path */ + break; + case READ_GITFILE_ERR_OPEN_FAILED: + die_errno(_("error opening '%s'"), path); + case READ_GITFILE_ERR_TOO_LARGE: + die(_("too large to be a .git file: '%s'"), path); + case READ_GITFILE_ERR_READ_FAILED: + die(_("error reading %s"), path); + case READ_GITFILE_ERR_INVALID_FORMAT: + die(_("invalid gitfile format: %s"), path); + case READ_GITFILE_ERR_NO_PATH: + die(_("no path in gitfile: %s"), path); + case READ_GITFILE_ERR_NOT_A_REPO: + die(_("not a git repository: %s"), dir); + default: + BUG("unknown error code"); + } +} + +/* + * Try to read the location of the git directory from the .git file, + * return path to git directory if found. The return value comes from + * a shared buffer. + * + * On failure, if return_error_code is not NULL, return_error_code + * will be set to an error code and NULL will be returned. If + * return_error_code is NULL the function will die instead (for most + * cases). + */ +const char *read_gitfile_gently(const char *path, int *return_error_code) +{ + const int max_file_size = 1 << 20; /* 1MB */ + int error_code = 0; + char *buf = NULL; + char *dir = NULL; + const char *slash; + struct stat st; + int fd; + ssize_t len; + static struct strbuf realpath = STRBUF_INIT; + + if (stat(path, &st)) { + /* NEEDSWORK: discern between ENOENT vs other errors */ + error_code = READ_GITFILE_ERR_STAT_FAILED; + goto cleanup_return; + } + if (!S_ISREG(st.st_mode)) { + error_code = READ_GITFILE_ERR_NOT_A_FILE; + goto cleanup_return; + } + if (st.st_size > max_file_size) { + error_code = READ_GITFILE_ERR_TOO_LARGE; + goto cleanup_return; + } + fd = open(path, O_RDONLY); + if (fd < 0) { + error_code = READ_GITFILE_ERR_OPEN_FAILED; + goto cleanup_return; + } + buf = xmallocz(st.st_size); + len = read_in_full(fd, buf, st.st_size); + close(fd); + if (len != st.st_size) { + error_code = READ_GITFILE_ERR_READ_FAILED; + goto cleanup_return; + } + if (!starts_with(buf, "gitdir: ")) { + error_code = READ_GITFILE_ERR_INVALID_FORMAT; + goto cleanup_return; + } + while (buf[len - 1] == '\n' || buf[len - 1] == '\r') + len--; + if (len < 9) { + error_code = READ_GITFILE_ERR_NO_PATH; + goto cleanup_return; + } + buf[len] = '\0'; + dir = buf + 8; + + if (!is_absolute_path(dir) && (slash = strrchr(path, '/'))) { + size_t pathlen = slash+1 - path; + dir = xstrfmt("%.*s%.*s", (int)pathlen, path, + (int)(len - 8), buf + 8); + free(buf); + buf = dir; + } + if (!is_git_directory(dir)) { + error_code = READ_GITFILE_ERR_NOT_A_REPO; + goto cleanup_return; + } + + strbuf_realpath(&realpath, dir, 1); + path = realpath.buf; + +cleanup_return: + if (return_error_code) + *return_error_code = error_code; + else if (error_code) + read_gitfile_error_die(error_code, path, dir); + + free(buf); + return error_code ? NULL : path; +} + +static const char *setup_explicit_git_dir(const char *gitdirenv, + struct strbuf *cwd, + struct repository_format *repo_fmt, + int *nongit_ok) +{ + const char *work_tree_env = getenv(GIT_WORK_TREE_ENVIRONMENT); + const char *worktree; + char *gitfile; + int offset; + + if (PATH_MAX - 40 < strlen(gitdirenv)) + die(_("'$%s' too big"), GIT_DIR_ENVIRONMENT); + + gitfile = (char*)read_gitfile(gitdirenv); + if (gitfile) { + gitfile = xstrdup(gitfile); + gitdirenv = gitfile; + } + + if (!is_git_directory(gitdirenv)) { + if (nongit_ok) { + *nongit_ok = 1; + free(gitfile); + return NULL; + } + die(_("not a git repository: '%s'"), gitdirenv); + } + + if (check_repository_format_gently(gitdirenv, repo_fmt, nongit_ok)) { + free(gitfile); + return NULL; + } + + /* #3, #7, #11, #15, #19, #23, #27, #31 (see t1510) */ + if (work_tree_env) + set_git_work_tree(work_tree_env); + else if (is_bare_repository_cfg > 0) { + if (git_work_tree_cfg) { + /* #22.2, #30 */ + warning("core.bare and core.worktree do not make sense"); + work_tree_config_is_bogus = 1; + } + + /* #18, #26 */ + set_git_dir(gitdirenv, 0); + free(gitfile); + return NULL; + } + else if (git_work_tree_cfg) { /* #6, #14 */ + if (is_absolute_path(git_work_tree_cfg)) + set_git_work_tree(git_work_tree_cfg); + else { + char *core_worktree; + if (chdir(gitdirenv)) + die_errno(_("cannot chdir to '%s'"), gitdirenv); + if (chdir(git_work_tree_cfg)) + die_errno(_("cannot chdir to '%s'"), git_work_tree_cfg); + core_worktree = xgetcwd(); + if (chdir(cwd->buf)) + die_errno(_("cannot come back to cwd")); + set_git_work_tree(core_worktree); + free(core_worktree); + } + } + else if (!git_env_bool(GIT_IMPLICIT_WORK_TREE_ENVIRONMENT, 1)) { + /* #16d */ + set_git_dir(gitdirenv, 0); + free(gitfile); + return NULL; + } + else /* #2, #10 */ + set_git_work_tree("."); + + /* set_git_work_tree() must have been called by now */ + worktree = get_git_work_tree(); + + /* both get_git_work_tree() and cwd are already normalized */ + if (!strcmp(cwd->buf, worktree)) { /* cwd == worktree */ + set_git_dir(gitdirenv, 0); + free(gitfile); + return NULL; + } + + offset = dir_inside_of(cwd->buf, worktree); + if (offset >= 0) { /* cwd inside worktree? */ + set_git_dir(gitdirenv, 1); + if (chdir(worktree)) + die_errno(_("cannot chdir to '%s'"), worktree); + strbuf_addch(cwd, '/'); + free(gitfile); + return cwd->buf + offset; + } + + /* cwd outside worktree */ + set_git_dir(gitdirenv, 0); + free(gitfile); + return NULL; +} + +static const char *setup_discovered_git_dir(const char *gitdir, + struct strbuf *cwd, int offset, + struct repository_format *repo_fmt, + int *nongit_ok) +{ + if (check_repository_format_gently(gitdir, repo_fmt, nongit_ok)) + return NULL; + + /* --work-tree is set without --git-dir; use discovered one */ + if (getenv(GIT_WORK_TREE_ENVIRONMENT) || git_work_tree_cfg) { + char *to_free = NULL; + const char *ret; + + if (offset != cwd->len && !is_absolute_path(gitdir)) + gitdir = to_free = real_pathdup(gitdir, 1); + if (chdir(cwd->buf)) + die_errno(_("cannot come back to cwd")); + ret = setup_explicit_git_dir(gitdir, cwd, repo_fmt, nongit_ok); + free(to_free); + return ret; + } + + /* #16.2, #17.2, #20.2, #21.2, #24, #25, #28, #29 (see t1510) */ + if (is_bare_repository_cfg > 0) { + set_git_dir(gitdir, (offset != cwd->len)); + if (chdir(cwd->buf)) + die_errno(_("cannot come back to cwd")); + return NULL; + } + + /* #0, #1, #5, #8, #9, #12, #13 */ + set_git_work_tree("."); + if (strcmp(gitdir, DEFAULT_GIT_DIR_ENVIRONMENT)) + set_git_dir(gitdir, 0); + inside_git_dir = 0; + inside_work_tree = 1; + if (offset >= cwd->len) + return NULL; + + /* Make "offset" point past the '/' (already the case for root dirs) */ + if (offset != offset_1st_component(cwd->buf)) + offset++; + /* Add a '/' at the end */ + strbuf_addch(cwd, '/'); + return cwd->buf + offset; +} + +/* #16.1, #17.1, #20.1, #21.1, #22.1 (see t1510) */ +static const char *setup_bare_git_dir(struct strbuf *cwd, int offset, + struct repository_format *repo_fmt, + int *nongit_ok) +{ + int root_len; + + if (check_repository_format_gently(".", repo_fmt, nongit_ok)) + return NULL; + + setenv(GIT_IMPLICIT_WORK_TREE_ENVIRONMENT, "0", 1); + + /* --work-tree is set without --git-dir; use discovered one */ + if (getenv(GIT_WORK_TREE_ENVIRONMENT) || git_work_tree_cfg) { + static const char *gitdir; + + gitdir = offset == cwd->len ? "." : xmemdupz(cwd->buf, offset); + if (chdir(cwd->buf)) + die_errno(_("cannot come back to cwd")); + return setup_explicit_git_dir(gitdir, cwd, repo_fmt, nongit_ok); + } + + inside_git_dir = 1; + inside_work_tree = 0; + if (offset != cwd->len) { + if (chdir(cwd->buf)) + die_errno(_("cannot come back to cwd")); + root_len = offset_1st_component(cwd->buf); + strbuf_setlen(cwd, offset > root_len ? offset : root_len); + set_git_dir(cwd->buf, 0); + } + else + set_git_dir(".", 0); + return NULL; +} + +static dev_t get_device_or_die(const char *path, const char *prefix, int prefix_len) +{ + struct stat buf; + if (stat(path, &buf)) { + die_errno(_("failed to stat '%*s%s%s'"), + prefix_len, + prefix ? prefix : "", + prefix ? "/" : "", path); + } + return buf.st_dev; +} + +/* + * A "string_list_each_func_t" function that canonicalizes an entry + * from GIT_CEILING_DIRECTORIES using real_pathdup(), or + * discards it if unusable. The presence of an empty entry in + * GIT_CEILING_DIRECTORIES turns off canonicalization for all + * subsequent entries. + */ +static int canonicalize_ceiling_entry(struct string_list_item *item, + void *cb_data) +{ + int *empty_entry_found = cb_data; + char *ceil = item->string; + + if (!*ceil) { + *empty_entry_found = 1; + return 0; + } else if (!is_absolute_path(ceil)) { + return 0; + } else if (*empty_entry_found) { + /* Keep entry but do not canonicalize it */ + return 1; + } else { + char *real_path = real_pathdup(ceil, 0); + if (!real_path) { + return 0; + } + free(item->string); + item->string = real_path; + return 1; + } +} + +struct safe_directory_data { + const char *path; + int is_safe; +}; + +static int safe_directory_cb(const char *key, const char *value, + const struct config_context *ctx UNUSED, void *d) +{ + struct safe_directory_data *data = d; + + if (strcmp(key, "safe.directory")) + return 0; + + if (!value || !*value) { + data->is_safe = 0; + } else if (!strcmp(value, "*")) { + data->is_safe = 1; + } else { + const char *interpolated = NULL; + + if (!git_config_pathname(&interpolated, key, value) && + !fspathcmp(data->path, interpolated ? interpolated : value)) + data->is_safe = 1; + + free((char *)interpolated); + } + + return 0; +} + +/* + * Check if a repository is safe, by verifying the ownership of the + * worktree (if any), the git directory, and the gitfile (if any). + * + * Exemptions for known-safe repositories can be added via `safe.directory` + * config settings; for non-bare repositories, their worktree needs to be + * added, for bare ones their git directory. + */ +static int ensure_valid_ownership(const char *gitfile, + const char *worktree, const char *gitdir, + struct strbuf *report) +{ + struct safe_directory_data data = { + .path = worktree ? worktree : gitdir + }; + + if (!git_env_bool("GIT_TEST_ASSUME_DIFFERENT_OWNER", 0) && + (!gitfile || is_path_owned_by_current_user(gitfile, report)) && + (!worktree || is_path_owned_by_current_user(worktree, report)) && + (!gitdir || is_path_owned_by_current_user(gitdir, report))) + return 1; + + /* + * data.path is the "path" that identifies the repository and it is + * constant regardless of what failed above. data.is_safe should be + * initialized to false, and might be changed by the callback. + */ + git_protected_config(safe_directory_cb, &data); + + return data.is_safe; +} + +static int allowed_bare_repo_cb(const char *key, const char *value, + const struct config_context *ctx UNUSED, + void *d) +{ + enum allowed_bare_repo *allowed_bare_repo = d; + + if (strcasecmp(key, "safe.bareRepository")) + return 0; + + if (!strcmp(value, "explicit")) { + *allowed_bare_repo = ALLOWED_BARE_REPO_EXPLICIT; + return 0; + } + if (!strcmp(value, "all")) { + *allowed_bare_repo = ALLOWED_BARE_REPO_ALL; + return 0; + } + return -1; +} + +static enum allowed_bare_repo get_allowed_bare_repo(void) +{ + enum allowed_bare_repo result = ALLOWED_BARE_REPO_ALL; + git_protected_config(allowed_bare_repo_cb, &result); + return result; +} + +static const char *allowed_bare_repo_to_string( + enum allowed_bare_repo allowed_bare_repo) +{ + switch (allowed_bare_repo) { + case ALLOWED_BARE_REPO_EXPLICIT: + return "explicit"; + case ALLOWED_BARE_REPO_ALL: + return "all"; + default: + BUG("invalid allowed_bare_repo %d", + allowed_bare_repo); + } + return NULL; +} + +/* + * We cannot decide in this function whether we are in the work tree or + * not, since the config can only be read _after_ this function was called. + * + * Also, we avoid changing any global state (such as the current working + * directory) to allow early callers. + * + * The directory where the search should start needs to be passed in via the + * `dir` parameter; upon return, the `dir` buffer will contain the path of + * the directory where the search ended, and `gitdir` will contain the path of + * the discovered .git/ directory, if any. If `gitdir` is not absolute, it + * is relative to `dir` (i.e. *not* necessarily the cwd). + */ +static enum discovery_result setup_git_directory_gently_1(struct strbuf *dir, + struct strbuf *gitdir, + struct strbuf *report, + int die_on_error) +{ + const char *env_ceiling_dirs = getenv(CEILING_DIRECTORIES_ENVIRONMENT); + struct string_list ceiling_dirs = STRING_LIST_INIT_DUP; + const char *gitdirenv; + int ceil_offset = -1, min_offset = offset_1st_component(dir->buf); + dev_t current_device = 0; + int one_filesystem = 1; + + /* + * If GIT_DIR is set explicitly, we're not going + * to do any discovery, but we still do repository + * validation. + */ + gitdirenv = getenv(GIT_DIR_ENVIRONMENT); + if (gitdirenv) { + strbuf_addstr(gitdir, gitdirenv); + return GIT_DIR_EXPLICIT; + } + + if (env_ceiling_dirs) { + int empty_entry_found = 0; + + string_list_split(&ceiling_dirs, env_ceiling_dirs, PATH_SEP, -1); + filter_string_list(&ceiling_dirs, 0, + canonicalize_ceiling_entry, &empty_entry_found); + ceil_offset = longest_ancestor_length(dir->buf, &ceiling_dirs); + string_list_clear(&ceiling_dirs, 0); + } + + if (ceil_offset < 0) + ceil_offset = min_offset - 2; + + if (min_offset && min_offset == dir->len && + !is_dir_sep(dir->buf[min_offset - 1])) { + strbuf_addch(dir, '/'); + min_offset++; + } + + /* + * Test in the following order (relative to the dir): + * - .git (file containing "gitdir: <path>") + * - .git/ + * - ./ (bare) + * - ../.git + * - ../.git/ + * - ../ (bare) + * - ../../.git + * etc. + */ + one_filesystem = !git_env_bool("GIT_DISCOVERY_ACROSS_FILESYSTEM", 0); + if (one_filesystem) + current_device = get_device_or_die(dir->buf, NULL, 0); + for (;;) { + int offset = dir->len, error_code = 0; + char *gitdir_path = NULL; + char *gitfile = NULL; + + if (offset > min_offset) + strbuf_addch(dir, '/'); + strbuf_addstr(dir, DEFAULT_GIT_DIR_ENVIRONMENT); + gitdirenv = read_gitfile_gently(dir->buf, die_on_error ? + NULL : &error_code); + if (!gitdirenv) { + if (die_on_error || + error_code == READ_GITFILE_ERR_NOT_A_FILE) { + /* NEEDSWORK: fail if .git is not file nor dir */ + if (is_git_directory(dir->buf)) { + gitdirenv = DEFAULT_GIT_DIR_ENVIRONMENT; + gitdir_path = xstrdup(dir->buf); + } + } else if (error_code != READ_GITFILE_ERR_STAT_FAILED) + return GIT_DIR_INVALID_GITFILE; + } else + gitfile = xstrdup(dir->buf); + /* + * Earlier, we tentatively added DEFAULT_GIT_DIR_ENVIRONMENT + * to check that directory for a repository. + * Now trim that tentative addition away, because we want to + * focus on the real directory we are in. + */ + strbuf_setlen(dir, offset); + if (gitdirenv) { + enum discovery_result ret; + const char *gitdir_candidate = + gitdir_path ? gitdir_path : gitdirenv; + + if (ensure_valid_ownership(gitfile, dir->buf, + gitdir_candidate, report)) { + strbuf_addstr(gitdir, gitdirenv); + ret = GIT_DIR_DISCOVERED; + } else + ret = GIT_DIR_INVALID_OWNERSHIP; + + /* + * Earlier, during discovery, we might have allocated + * string copies for gitdir_path or gitfile so make + * sure we don't leak by freeing them now, before + * leaving the loop and function. + * + * Note: gitdirenv will be non-NULL whenever these are + * allocated, therefore we need not take care of releasing + * them outside of this conditional block. + */ + free(gitdir_path); + free(gitfile); + + return ret; + } + + if (is_git_directory(dir->buf)) { + trace2_data_string("setup", NULL, "implicit-bare-repository", dir->buf); + if (get_allowed_bare_repo() == ALLOWED_BARE_REPO_EXPLICIT) + return GIT_DIR_DISALLOWED_BARE; + if (!ensure_valid_ownership(NULL, NULL, dir->buf, report)) + return GIT_DIR_INVALID_OWNERSHIP; + strbuf_addstr(gitdir, "."); + return GIT_DIR_BARE; + } + + if (offset <= min_offset) + return GIT_DIR_HIT_CEILING; + + while (--offset > ceil_offset && !is_dir_sep(dir->buf[offset])) + ; /* continue */ + if (offset <= ceil_offset) + return GIT_DIR_HIT_CEILING; + + strbuf_setlen(dir, offset > min_offset ? offset : min_offset); + if (one_filesystem && + current_device != get_device_or_die(dir->buf, NULL, offset)) + return GIT_DIR_HIT_MOUNT_POINT; + } +} + +enum discovery_result discover_git_directory_reason(struct strbuf *commondir, + struct strbuf *gitdir) +{ + struct strbuf dir = STRBUF_INIT, err = STRBUF_INIT; + size_t gitdir_offset = gitdir->len, cwd_len; + size_t commondir_offset = commondir->len; + struct repository_format candidate = REPOSITORY_FORMAT_INIT; + enum discovery_result result; + + if (strbuf_getcwd(&dir)) + return GIT_DIR_CWD_FAILURE; + + cwd_len = dir.len; + result = setup_git_directory_gently_1(&dir, gitdir, NULL, 0); + if (result <= 0) { + strbuf_release(&dir); + return result; + } + + /* + * The returned gitdir is relative to dir, and if dir does not reflect + * the current working directory, we simply make the gitdir absolute. + */ + if (dir.len < cwd_len && !is_absolute_path(gitdir->buf + gitdir_offset)) { + /* Avoid a trailing "/." */ + if (!strcmp(".", gitdir->buf + gitdir_offset)) + strbuf_setlen(gitdir, gitdir_offset); + else + strbuf_addch(&dir, '/'); + strbuf_insert(gitdir, gitdir_offset, dir.buf, dir.len); + } + + get_common_dir(commondir, gitdir->buf + gitdir_offset); + + strbuf_reset(&dir); + strbuf_addf(&dir, "%s/config", commondir->buf + commondir_offset); + read_repository_format(&candidate, dir.buf); + strbuf_release(&dir); + + if (verify_repository_format(&candidate, &err) < 0) { + warning("ignoring git dir '%s': %s", + gitdir->buf + gitdir_offset, err.buf); + strbuf_release(&err); + strbuf_setlen(commondir, commondir_offset); + strbuf_setlen(gitdir, gitdir_offset); + clear_repository_format(&candidate); + return GIT_DIR_INVALID_FORMAT; + } + + clear_repository_format(&candidate); + return result; +} + +const char *setup_git_directory_gently(int *nongit_ok) +{ + static struct strbuf cwd = STRBUF_INIT; + struct strbuf dir = STRBUF_INIT, gitdir = STRBUF_INIT, report = STRBUF_INIT; + const char *prefix = NULL; + struct repository_format repo_fmt = REPOSITORY_FORMAT_INIT; + + /* + * We may have read an incomplete configuration before + * setting-up the git directory. If so, clear the cache so + * that the next queries to the configuration reload complete + * configuration (including the per-repo config file that we + * ignored previously). + */ + git_config_clear(); + + /* + * Let's assume that we are in a git repository. + * If it turns out later that we are somewhere else, the value will be + * updated accordingly. + */ + if (nongit_ok) + *nongit_ok = 0; + + if (strbuf_getcwd(&cwd)) + die_errno(_("Unable to read current working directory")); + strbuf_addbuf(&dir, &cwd); + + switch (setup_git_directory_gently_1(&dir, &gitdir, &report, 1)) { + case GIT_DIR_EXPLICIT: + prefix = setup_explicit_git_dir(gitdir.buf, &cwd, &repo_fmt, nongit_ok); + break; + case GIT_DIR_DISCOVERED: + if (dir.len < cwd.len && chdir(dir.buf)) + die(_("cannot change to '%s'"), dir.buf); + prefix = setup_discovered_git_dir(gitdir.buf, &cwd, dir.len, + &repo_fmt, nongit_ok); + break; + case GIT_DIR_BARE: + if (dir.len < cwd.len && chdir(dir.buf)) + die(_("cannot change to '%s'"), dir.buf); + prefix = setup_bare_git_dir(&cwd, dir.len, &repo_fmt, nongit_ok); + break; + case GIT_DIR_HIT_CEILING: + if (!nongit_ok) + die(_("not a git repository (or any of the parent directories): %s"), + DEFAULT_GIT_DIR_ENVIRONMENT); + *nongit_ok = 1; + break; + case GIT_DIR_HIT_MOUNT_POINT: + if (!nongit_ok) + die(_("not a git repository (or any parent up to mount point %s)\n" + "Stopping at filesystem boundary (GIT_DISCOVERY_ACROSS_FILESYSTEM not set)."), + dir.buf); + *nongit_ok = 1; + break; + case GIT_DIR_INVALID_OWNERSHIP: + if (!nongit_ok) { + struct strbuf quoted = STRBUF_INIT; + + strbuf_complete(&report, '\n'); + sq_quote_buf_pretty("ed, dir.buf); + die(_("detected dubious ownership in repository at '%s'\n" + "%s" + "To add an exception for this directory, call:\n" + "\n" + "\tgit config --global --add safe.directory %s"), + dir.buf, report.buf, quoted.buf); + } + *nongit_ok = 1; + break; + case GIT_DIR_DISALLOWED_BARE: + if (!nongit_ok) { + die(_("cannot use bare repository '%s' (safe.bareRepository is '%s')"), + dir.buf, + allowed_bare_repo_to_string(get_allowed_bare_repo())); + } + *nongit_ok = 1; + break; + case GIT_DIR_CWD_FAILURE: + case GIT_DIR_INVALID_FORMAT: + /* + * As a safeguard against setup_git_directory_gently_1 returning + * these values, fallthrough to BUG. Otherwise it is possible to + * set startup_info->have_repository to 1 when we did nothing to + * find a repository. + */ + default: + BUG("unhandled setup_git_directory_gently_1() result"); + } + + /* + * At this point, nongit_ok is stable. If it is non-NULL and points + * to a non-zero value, then this means that we haven't found a + * repository and that the caller expects startup_info to reflect + * this. + * + * Regardless of the state of nongit_ok, startup_info->prefix and + * the GIT_PREFIX environment variable must always match. For details + * see Documentation/config/alias.txt. + */ + if (nongit_ok && *nongit_ok) + startup_info->have_repository = 0; + else + startup_info->have_repository = 1; + + /* + * Not all paths through the setup code will call 'set_git_dir()' (which + * directly sets up the environment) so in order to guarantee that the + * environment is in a consistent state after setup, explicitly setup + * the environment if we have a repository. + * + * NEEDSWORK: currently we allow bogus GIT_DIR values to be set in some + * code paths so we also need to explicitly setup the environment if + * the user has set GIT_DIR. It may be beneficial to disallow bogus + * GIT_DIR values at some point in the future. + */ + if (/* GIT_DIR_EXPLICIT, GIT_DIR_DISCOVERED, GIT_DIR_BARE */ + startup_info->have_repository || + /* GIT_DIR_EXPLICIT */ + getenv(GIT_DIR_ENVIRONMENT)) { + if (!the_repository->gitdir) { + const char *gitdir = getenv(GIT_DIR_ENVIRONMENT); + if (!gitdir) + gitdir = DEFAULT_GIT_DIR_ENVIRONMENT; + setup_git_env(gitdir); + } + if (startup_info->have_repository) { + repo_set_hash_algo(the_repository, repo_fmt.hash_algo); + the_repository->repository_format_worktree_config = + repo_fmt.worktree_config; + /* take ownership of repo_fmt.partial_clone */ + the_repository->repository_format_partial_clone = + repo_fmt.partial_clone; + repo_fmt.partial_clone = NULL; + } + } + /* + * Since precompose_string_if_needed() needs to look at + * the core.precomposeunicode configuration, this + * has to happen after the above block that finds + * out where the repository is, i.e. a preparation + * for calling git_config_get_bool(). + */ + if (prefix) { + prefix = precompose_string_if_needed(prefix); + startup_info->prefix = prefix; + setenv(GIT_PREFIX_ENVIRONMENT, prefix, 1); + } else { + startup_info->prefix = NULL; + setenv(GIT_PREFIX_ENVIRONMENT, "", 1); + } + + setup_original_cwd(); + + strbuf_release(&dir); + strbuf_release(&gitdir); + strbuf_release(&report); + clear_repository_format(&repo_fmt); + + return prefix; +} + +int git_config_perm(const char *var, const char *value) +{ + int i; + char *endptr; + + if (!value) + return PERM_GROUP; + + if (!strcmp(value, "umask")) + return PERM_UMASK; + if (!strcmp(value, "group")) + return PERM_GROUP; + if (!strcmp(value, "all") || + !strcmp(value, "world") || + !strcmp(value, "everybody")) + return PERM_EVERYBODY; + + /* Parse octal numbers */ + i = strtol(value, &endptr, 8); + + /* If not an octal number, maybe true/false? */ + if (*endptr != 0) + return git_config_bool(var, value) ? PERM_GROUP : PERM_UMASK; + + /* + * Treat values 0, 1 and 2 as compatibility cases, otherwise it is + * a chmod value to restrict to. + */ + switch (i) { + case PERM_UMASK: /* 0 */ + return PERM_UMASK; + case OLD_PERM_GROUP: /* 1 */ + return PERM_GROUP; + case OLD_PERM_EVERYBODY: /* 2 */ + return PERM_EVERYBODY; + } + + /* A filemode value was given: 0xxx */ + + if ((i & 0600) != 0600) + die(_("problem with core.sharedRepository filemode value " + "(0%.3o).\nThe owner of files must always have " + "read and write permissions."), i); + + /* + * Mask filemode value. Others can not get write permission. + * x flags for directories are handled separately. + */ + return -(i & 0666); +} + +void check_repository_format(struct repository_format *fmt) +{ + struct repository_format repo_fmt = REPOSITORY_FORMAT_INIT; + if (!fmt) + fmt = &repo_fmt; + check_repository_format_gently(get_git_dir(), fmt, NULL); + startup_info->have_repository = 1; + repo_set_hash_algo(the_repository, fmt->hash_algo); + the_repository->repository_format_worktree_config = + fmt->worktree_config; + the_repository->repository_format_partial_clone = + xstrdup_or_null(fmt->partial_clone); + clear_repository_format(&repo_fmt); +} + +/* + * Returns the "prefix", a path to the current working directory + * relative to the work tree root, or NULL, if the current working + * directory is not a strict subdirectory of the work tree root. The + * prefix always ends with a '/' character. + */ +const char *setup_git_directory(void) +{ + return setup_git_directory_gently(NULL); +} + +const char *resolve_gitdir_gently(const char *suspect, int *return_error_code) +{ + if (is_git_directory(suspect)) + return suspect; + return read_gitfile_gently(suspect, return_error_code); +} + +/* if any standard file descriptor is missing open it to /dev/null */ +void sanitize_stdfds(void) +{ + int fd = xopen("/dev/null", O_RDWR); + while (fd < 2) + fd = xdup(fd); + if (fd > 2) + close(fd); +} + +int daemonize(void) +{ +#ifdef NO_POSIX_GOODIES + errno = ENOSYS; + return -1; +#else + switch (fork()) { + case 0: + break; + case -1: + die_errno(_("fork failed")); + default: + exit(0); + } + if (setsid() == -1) + die_errno(_("setsid failed")); + close(0); + close(1); + close(2); + sanitize_stdfds(); + return 0; +#endif +} + +#ifdef NO_TRUSTABLE_FILEMODE +#define TEST_FILEMODE 0 +#else +#define TEST_FILEMODE 1 +#endif + +#define GIT_DEFAULT_HASH_ENVIRONMENT "GIT_DEFAULT_HASH" + +static void copy_templates_1(struct strbuf *path, struct strbuf *template_path, + DIR *dir) +{ + size_t path_baselen = path->len; + size_t template_baselen = template_path->len; + struct dirent *de; + + /* Note: if ".git/hooks" file exists in the repository being + * re-initialized, /etc/core-git/templates/hooks/update would + * cause "git init" to fail here. I think this is sane but + * it means that the set of templates we ship by default, along + * with the way the namespace under .git/ is organized, should + * be really carefully chosen. + */ + safe_create_dir(path->buf, 1); + while ((de = readdir(dir)) != NULL) { + struct stat st_git, st_template; + int exists = 0; + + strbuf_setlen(path, path_baselen); + strbuf_setlen(template_path, template_baselen); + + if (de->d_name[0] == '.') + continue; + strbuf_addstr(path, de->d_name); + strbuf_addstr(template_path, de->d_name); + if (lstat(path->buf, &st_git)) { + if (errno != ENOENT) + die_errno(_("cannot stat '%s'"), path->buf); + } + else + exists = 1; + + if (lstat(template_path->buf, &st_template)) + die_errno(_("cannot stat template '%s'"), template_path->buf); + + if (S_ISDIR(st_template.st_mode)) { + DIR *subdir = opendir(template_path->buf); + if (!subdir) + die_errno(_("cannot opendir '%s'"), template_path->buf); + strbuf_addch(path, '/'); + strbuf_addch(template_path, '/'); + copy_templates_1(path, template_path, subdir); + closedir(subdir); + } + else if (exists) + continue; + else if (S_ISLNK(st_template.st_mode)) { + struct strbuf lnk = STRBUF_INIT; + if (strbuf_readlink(&lnk, template_path->buf, + st_template.st_size) < 0) + die_errno(_("cannot readlink '%s'"), template_path->buf); + if (symlink(lnk.buf, path->buf)) + die_errno(_("cannot symlink '%s' '%s'"), + lnk.buf, path->buf); + strbuf_release(&lnk); + } + else if (S_ISREG(st_template.st_mode)) { + if (copy_file(path->buf, template_path->buf, st_template.st_mode)) + die_errno(_("cannot copy '%s' to '%s'"), + template_path->buf, path->buf); + } + else + error(_("ignoring template %s"), template_path->buf); + } +} + +static void copy_templates(const char *template_dir, const char *init_template_dir) +{ + struct strbuf path = STRBUF_INIT; + struct strbuf template_path = STRBUF_INIT; + size_t template_len; + struct repository_format template_format = REPOSITORY_FORMAT_INIT; + struct strbuf err = STRBUF_INIT; + DIR *dir; + char *to_free = NULL; + + if (!template_dir) + template_dir = getenv(TEMPLATE_DIR_ENVIRONMENT); + if (!template_dir) + template_dir = init_template_dir; + if (!template_dir) + template_dir = to_free = system_path(DEFAULT_GIT_TEMPLATE_DIR); + if (!template_dir[0]) { + free(to_free); + return; + } + + strbuf_addstr(&template_path, template_dir); + strbuf_complete(&template_path, '/'); + template_len = template_path.len; + + dir = opendir(template_path.buf); + if (!dir) { + warning(_("templates not found in %s"), template_dir); + goto free_return; + } + + /* Make sure that template is from the correct vintage */ + strbuf_addstr(&template_path, "config"); + read_repository_format(&template_format, template_path.buf); + strbuf_setlen(&template_path, template_len); + + /* + * No mention of version at all is OK, but anything else should be + * verified. + */ + if (template_format.version >= 0 && + verify_repository_format(&template_format, &err) < 0) { + warning(_("not copying templates from '%s': %s"), + template_dir, err.buf); + strbuf_release(&err); + goto close_free_return; + } + + strbuf_addstr(&path, get_git_common_dir()); + strbuf_complete(&path, '/'); + copy_templates_1(&path, &template_path, dir); +close_free_return: + closedir(dir); +free_return: + free(to_free); + strbuf_release(&path); + strbuf_release(&template_path); + clear_repository_format(&template_format); +} + +/* + * If the git_dir is not directly inside the working tree, then git will not + * find it by default, and we need to set the worktree explicitly. + */ +static int needs_work_tree_config(const char *git_dir, const char *work_tree) +{ + if (!strcmp(work_tree, "/") && !strcmp(git_dir, "/.git")) + return 0; + if (skip_prefix(git_dir, work_tree, &git_dir) && + !strcmp(git_dir, "/.git")) + return 0; + return 1; +} + +void initialize_repository_version(int hash_algo, int reinit) +{ + char repo_version_string[10]; + int repo_version = GIT_REPO_VERSION; + + if (hash_algo != GIT_HASH_SHA1) + repo_version = GIT_REPO_VERSION_READ; + + /* This forces creation of new config file */ + xsnprintf(repo_version_string, sizeof(repo_version_string), + "%d", repo_version); + git_config_set("core.repositoryformatversion", repo_version_string); + + if (hash_algo != GIT_HASH_SHA1) + git_config_set("extensions.objectformat", + hash_algos[hash_algo].name); + else if (reinit) + git_config_set_gently("extensions.objectformat", NULL); +} + +static int create_default_files(const char *template_path, + const char *original_git_dir, + const char *initial_branch, + const struct repository_format *fmt, + int prev_bare_repository, + int init_shared_repository, + int quiet) +{ + struct stat st1; + struct strbuf buf = STRBUF_INIT; + char *path; + char junk[2]; + int reinit; + int filemode; + struct strbuf err = STRBUF_INIT; + const char *init_template_dir = NULL; + const char *work_tree = get_git_work_tree(); + + /* + * First copy the templates -- we might have the default + * config file there, in which case we would want to read + * from it after installing. + * + * Before reading that config, we also need to clear out any cached + * values (since we've just potentially changed what's available on + * disk). + */ + git_config_get_pathname("init.templatedir", &init_template_dir); + copy_templates(template_path, init_template_dir); + free((char *)init_template_dir); + git_config_clear(); + reset_shared_repository(); + git_config(git_default_config, NULL); + + /* + * We must make sure command-line options continue to override any + * values we might have just re-read from the config. + */ + if (init_shared_repository != -1) + set_shared_repository(init_shared_repository); + /* + * TODO: heed core.bare from config file in templates if no + * command-line override given + */ + is_bare_repository_cfg = prev_bare_repository || !work_tree; + /* TODO (continued): + * + * Unfortunately, the line above is equivalent to + * is_bare_repository_cfg = !work_tree; + * which ignores the config entirely even if no `--[no-]bare` + * command line option was present. + * + * To see why, note that before this function, there was this call: + * prev_bare_repository = is_bare_repository() + * expanding the right hand side: + * = is_bare_repository_cfg && !get_git_work_tree() + * = is_bare_repository_cfg && !work_tree + * note that the last simplification above is valid because nothing + * calls repo_init() or set_git_work_tree() between any of the + * relevant calls in the code, and thus the !get_git_work_tree() + * calls will return the same result each time. So, what we are + * interested in computing is the right hand side of the line of + * code just above this comment: + * prev_bare_repository || !work_tree + * = is_bare_repository_cfg && !work_tree || !work_tree + * = !work_tree + * because "A && !B || !B == !B" for all boolean values of A & B. + */ + + /* + * We would have created the above under user's umask -- under + * shared-repository settings, we would need to fix them up. + */ + if (get_shared_repository()) { + adjust_shared_perm(get_git_dir()); + } + + /* + * We need to create a "refs" dir in any case so that older + * versions of git can tell that this is a repository. + */ + safe_create_dir(git_path("refs"), 1); + adjust_shared_perm(git_path("refs")); + + if (refs_init_db(&err)) + die("failed to set up refs db: %s", err.buf); + + /* + * Point the HEAD symref to the initial branch with if HEAD does + * not yet exist. + */ + path = git_path_buf(&buf, "HEAD"); + reinit = (!access(path, R_OK) + || readlink(path, junk, sizeof(junk)-1) != -1); + if (!reinit) { + char *ref; + + if (!initial_branch) + initial_branch = git_default_branch_name(quiet); + + ref = xstrfmt("refs/heads/%s", initial_branch); + if (check_refname_format(ref, 0) < 0) + die(_("invalid initial branch name: '%s'"), + initial_branch); + + if (create_symref("HEAD", ref, NULL) < 0) + exit(1); + free(ref); + } + + initialize_repository_version(fmt->hash_algo, 0); + + /* Check filemode trustability */ + path = git_path_buf(&buf, "config"); + filemode = TEST_FILEMODE; + if (TEST_FILEMODE && !lstat(path, &st1)) { + struct stat st2; + filemode = (!chmod(path, st1.st_mode ^ S_IXUSR) && + !lstat(path, &st2) && + st1.st_mode != st2.st_mode && + !chmod(path, st1.st_mode)); + if (filemode && !reinit && (st1.st_mode & S_IXUSR)) + filemode = 0; + } + git_config_set("core.filemode", filemode ? "true" : "false"); + + if (is_bare_repository()) + git_config_set("core.bare", "true"); + else { + git_config_set("core.bare", "false"); + /* allow template config file to override the default */ + if (log_all_ref_updates == LOG_REFS_UNSET) + git_config_set("core.logallrefupdates", "true"); + if (needs_work_tree_config(original_git_dir, work_tree)) + git_config_set("core.worktree", work_tree); + } + + if (!reinit) { + /* Check if symlink is supported in the work tree */ + path = git_path_buf(&buf, "tXXXXXX"); + if (!close(xmkstemp(path)) && + !unlink(path) && + !symlink("testing", path) && + !lstat(path, &st1) && + S_ISLNK(st1.st_mode)) + unlink(path); /* good */ + else + git_config_set("core.symlinks", "false"); + + /* Check if the filesystem is case-insensitive */ + path = git_path_buf(&buf, "CoNfIg"); + if (!access(path, F_OK)) + git_config_set("core.ignorecase", "true"); + probe_utf8_pathname_composition(); + } + + strbuf_release(&buf); + return reinit; +} + +static void create_object_directory(void) +{ + struct strbuf path = STRBUF_INIT; + size_t baselen; + + strbuf_addstr(&path, get_object_directory()); + baselen = path.len; + + safe_create_dir(path.buf, 1); + + strbuf_setlen(&path, baselen); + strbuf_addstr(&path, "/pack"); + safe_create_dir(path.buf, 1); + + strbuf_setlen(&path, baselen); + strbuf_addstr(&path, "/info"); + safe_create_dir(path.buf, 1); + + strbuf_release(&path); +} + +static void separate_git_dir(const char *git_dir, const char *git_link) +{ + struct stat st; + + if (!stat(git_link, &st)) { + const char *src; + + if (S_ISREG(st.st_mode)) + src = read_gitfile(git_link); + else if (S_ISDIR(st.st_mode)) + src = git_link; + else + die(_("unable to handle file type %d"), (int)st.st_mode); + + if (rename(src, git_dir)) + die_errno(_("unable to move %s to %s"), src, git_dir); + repair_worktrees(NULL, NULL); + } + + write_file(git_link, "gitdir: %s", git_dir); +} + +static void validate_hash_algorithm(struct repository_format *repo_fmt, int hash) +{ + const char *env = getenv(GIT_DEFAULT_HASH_ENVIRONMENT); + /* + * If we already have an initialized repo, don't allow the user to + * specify a different algorithm, as that could cause corruption. + * Otherwise, if the user has specified one on the command line, use it. + */ + if (repo_fmt->version >= 0 && hash != GIT_HASH_UNKNOWN && hash != repo_fmt->hash_algo) + die(_("attempt to reinitialize repository with different hash")); + else if (hash != GIT_HASH_UNKNOWN) + repo_fmt->hash_algo = hash; + else if (env) { + int env_algo = hash_algo_by_name(env); + if (env_algo == GIT_HASH_UNKNOWN) + die(_("unknown hash algorithm '%s'"), env); + repo_fmt->hash_algo = env_algo; + } +} + +int init_db(const char *git_dir, const char *real_git_dir, + const char *template_dir, int hash, const char *initial_branch, + int init_shared_repository, unsigned int flags) +{ + int reinit; + int exist_ok = flags & INIT_DB_EXIST_OK; + char *original_git_dir = real_pathdup(git_dir, 1); + struct repository_format repo_fmt = REPOSITORY_FORMAT_INIT; + int prev_bare_repository; + + if (real_git_dir) { + struct stat st; + + if (!exist_ok && !stat(git_dir, &st)) + die(_("%s already exists"), git_dir); + + if (!exist_ok && !stat(real_git_dir, &st)) + die(_("%s already exists"), real_git_dir); + + set_git_dir(real_git_dir, 1); + git_dir = get_git_dir(); + separate_git_dir(git_dir, original_git_dir); + } + else { + set_git_dir(git_dir, 1); + git_dir = get_git_dir(); + } + startup_info->have_repository = 1; + + /* Ensure `core.hidedotfiles` is processed */ + git_config(platform_core_config, NULL); + + safe_create_dir(git_dir, 0); + + prev_bare_repository = is_bare_repository(); + + /* Check to see if the repository version is right. + * Note that a newly created repository does not have + * config file, so this will not fail. What we are catching + * is an attempt to reinitialize new repository with an old tool. + */ + check_repository_format(&repo_fmt); + + validate_hash_algorithm(&repo_fmt, hash); + + reinit = create_default_files(template_dir, original_git_dir, + initial_branch, &repo_fmt, + prev_bare_repository, + init_shared_repository, + flags & INIT_DB_QUIET); + if (reinit && initial_branch) + warning(_("re-init: ignored --initial-branch=%s"), + initial_branch); + + create_object_directory(); + + if (get_shared_repository()) { + char buf[10]; + /* We do not spell "group" and such, so that + * the configuration can be read by older version + * of git. Note, we use octal numbers for new share modes, + * and compatibility values for PERM_GROUP and + * PERM_EVERYBODY. + */ + if (get_shared_repository() < 0) + /* force to the mode value */ + xsnprintf(buf, sizeof(buf), "0%o", -get_shared_repository()); + else if (get_shared_repository() == PERM_GROUP) + xsnprintf(buf, sizeof(buf), "%d", OLD_PERM_GROUP); + else if (get_shared_repository() == PERM_EVERYBODY) + xsnprintf(buf, sizeof(buf), "%d", OLD_PERM_EVERYBODY); + else + BUG("invalid value for shared_repository"); + git_config_set("core.sharedrepository", buf); + git_config_set("receive.denyNonFastforwards", "true"); + } + + if (!(flags & INIT_DB_QUIET)) { + int len = strlen(git_dir); + + if (reinit) + printf(get_shared_repository() + ? _("Reinitialized existing shared Git repository in %s%s\n") + : _("Reinitialized existing Git repository in %s%s\n"), + git_dir, len && git_dir[len-1] != '/' ? "/" : ""); + else + printf(get_shared_repository() + ? _("Initialized empty shared Git repository in %s%s\n") + : _("Initialized empty Git repository in %s%s\n"), + git_dir, len && git_dir[len-1] != '/' ? "/" : ""); + } + + clear_repository_format(&repo_fmt); + free(original_git_dir); + return 0; +} |