commit 57c181985845591d1fcd97be660feb8e256fd4be
from: Stefan Sperling
date: Mon May 24 18:25:19 2021 UTC
validate reference names in open_ref()
This catches invalid reference names passed to 'got ref -l' and will also be needed to validate reference names passed to a future 'gotadmin pack' command.
ok naddy@
commit - 91b40e30e0dbff0c8a1546a02fb784fa8007a91b
commit + 57c181985845591d1fcd97be660feb8e256fd4be
blob - bd14fc85a3dbeaf7baadcc85f8c09be4d2d5529c
blob + fcfc4cbf94642d9a6d37ac919bf5ba788dc7d9f8
--- lib/reference.c
+++ lib/reference.c
@@ -409,6 +409,9 @@ open_ref(struct got_reference **ref, const char *path_
 *ref = NULL;
+ if (!is_valid_ref_name(name))
+ return got_error_path(name, GOT_ERR_BAD_REF_NAME);
+
 if (ref_is_absolute || ref_is_well_known) {
 if (asprintf(&path, "%s/%s", path_refs, name) == -1)
 return got_error_from_errno("asprintf");
blob - f680079f8821648decd0d8f2ee5fb463bf45484a
blob + 0093198f72cd80b8562f1b5be725d6dfcd6cffc4
--- regress/cmdline/ref.sh
+++ regress/cmdline/ref.sh
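Review bot: The added `is_valid_ref_name(name)` check in open_ref() has no comment saying why it must stay ahead of the code below it, even though it is the only thing in this hunk between a caller-supplied `name` and `asprintf(&path, "%s/%s", path_refs, name)`. A one-line comment above the check, such as `/* Reject malformed names before they are joined onto path_refs below. */`, would keep a later refactor from moving the path construction in front of it. is_valid_ref_name() is defined outside this hunk, so whether it also rejects `..` path components cannot be confirmed from here and is worth verifying. open_ref's body starts and ends outside the hunk, so any other path built from `name` further down is not visible either.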
@@ -389,21 +389,31 @@ test_ref_list() {
 fi
 done
- for r in refs//foo/bar refs//foo//bar refs////////foo//bar; do
- got ref -r $testroot/repo -l $r > $testroot/stdout
+ for r in /refs/abc refs//foo/bar refs//foo//bar refs////////foo//bar; do
+ got ref -r $testroot/repo -l $r > $testroot/stdout \
+ 2> $testroot/stderr
- echo "refs/foo/bar/baz: $commit_id" > $testroot/stdout.expected
+ echo -n > $testroot/stdout.expected
 cmp -s $testroot/stdout $testroot/stdout.expected
 ret="$?"
 if [ "$ret" != "0" ]; then
 diff -u $testroot/stdout.expected $testroot/stdout
+ test_done "$testroot" "$ret"
+ return 1
+ fi
+
+ echo "got: $r: bad reference name" > $testroot/stderr.expected
+ cmp -s $testroot/stderr $testroot/stderr.expected
+ ret="$?"
+ if [ "$ret" != "0" ]; then
+ diff -u $testroot/stderr.expected $testroot/stderr
 test_done "$testroot" "$ret"
 return 1
 fi
 done
 # attempt to list non-existing references
- for r in refs/fo bar baz moo riffs /refs/abc refs/foo/bar/baz/moo; do
+ for r in refs/fo bar baz moo riffs refs/abc refs/foo/bar/baz/moo; do
 got ref -r $testroot/repo -l $r > $testroot/stdout
 echo -n > $testroot/stdout.expected
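Review bot: The bad-name loop in test_ref_list() compares stdout and stderr but never checks the exit status of `got ref -l`, so a regression that prints "bad reference name" and still exits 0 would pass. Capturing `$?` right after the command and failing the test when it is 0 would pin the rejection itself, as sketched below. The loop also covers only a leading slash and empty path components; if the validator is meant to reject `..` components as well (it is not visible in this diff), one such name in the list would pin that behaviour, since open_ref() joins the name onto a filesystem path. test_ref_list() starts and ends outside the hunk.

```shell
got ref -r $testroot/repo -l $r > $testroot/stdout \
	2> $testroot/stderr
ret="$?"
if [ "$ret" = "0" ]; then
	echo "got ref succeeded unexpectedly" >&2
	test_done "$testroot" "1"
	return 1
fi
# … unchanged: stdout.expected and stderr.expected comparisons …
```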