ref_transaction_create(): disallow recursive pruning

It is nonsensical (and a little bit dangerous) to use REF_ISPRUNING
without REF_NODEREF. Forbid it explicitly. Change the one REF_ISPRUNING
caller to pass REF_NODEREF too.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>

diff --git a/refs.c b/refs.c
index ba14105..5dc2473 100644 (file)
--- a/refs.c
+++ b/refs.c
@@ -790,6 +790,9 @@ int ref_transaction_update(struct ref_transaction *transaction,
        if (transaction->state != REF_TRANSACTION_OPEN)
                die("BUG: update called for transaction that is not open");
 
+       if ((flags & REF_ISPRUNING) && !(flags & REF_NODEREF))
+               die("BUG: REF_ISPRUNING set without REF_NODEREF");
+
        if (new_sha1 && !is_null_sha1(new_sha1) &&
            check_refname_format(refname, REFNAME_ALLOW_ONELEVEL)) {
                strbuf_addf(err, "refusing to update ref with bad name '%s'",

diff --git a/refs/files-backend.c b/refs/files-backend.c
index c978fe4..35d37ce 100644 (file)
--- a/refs/files-backend.c
+++ b/refs/files-backend.c
@@ -2087,7 +2087,7 @@ static void prune_ref(struct ref_to_prune *r)
        transaction = ref_transaction_begin(&err);
        if (!transaction ||
            ref_transaction_delete(transaction, r->name, r->sha1,
-                                  REF_ISPRUNING, NULL, &err) ||
+                                  REF_ISPRUNING | REF_NODEREF, NULL, &err) ||
            ref_transaction_commit(transaction, &err)) {
                ref_transaction_free(transaction);
                error("%s", err.buf);

diff --git a/refs/refs-internal.h b/refs/refs-internal.h
index de7722e..1f94f7a 100644 (file)
--- a/refs/refs-internal.h
+++ b/refs/refs-internal.h
@@ -15,7 +15,7 @@
 
 /*
  * Used as a flag in ref_update::flags when a loose ref is being
- * pruned.
+ * pruned. This flag must only be used when REF_NODEREF is set.
  */
 #define REF_ISPRUNING  0x04