From: Paolo Bonzini <pbonzini@xxxxxxxxxx>
The local part of the third argument of git-request-pull is used in
a regular expression without quoting it. Use qr{} and \Q\E to ensure
that e.g. a period in a tag name does not match any character on the
remote side.
Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
---
git-request-pull.sh | 5 ++---
t/t5150-request-pull.sh | 18 ++++++++++++++++++
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/git-request-pull.sh b/git-request-pull.sh
index 13c172bd94..0d128be7fd 100755
--- a/git-request-pull.sh
+++ b/git-request-pull.sh
@@ -83,19 +83,18 @@ die "fatal: No commits in common between $base and $head"
# Otherwise find a random ref that matches $headrev.
find_matching_ref='
my ($head,$headrev) = (@ARGV);
+ my $pattern = qr{/\Q$head\E$};
my ($found);
while (<STDIN>) {
chomp;
my ($sha1, $ref, $deref) = /^(\S+)\s+([^^]+)(\S*)$/;
- my ($pattern);
next unless ($sha1 eq $headrev);
- $pattern="/$head\$";
if ($ref eq $head) {
$found = $ref;
}
- if ($ref =~ /$pattern/) {
+ if ($ref =~ $pattern) {
$found = $ref;
}
if ($sha1 eq $head) {
diff --git a/t/t5150-request-pull.sh b/t/t5150-request-pull.sh
index fca001eb9b..c1a821a549 100755
--- a/t/t5150-request-pull.sh
+++ b/t/t5150-request-pull.sh
@@ -246,4 +246,22 @@ test_expect_success 'request-pull ignores OPTIONS_KEEPDASHDASH poison' '
'
+test_expect_success 'request-pull quotes regex metacharacters properly' '
+
+ rm -fr downstream.git &&
+ git init --bare downstream.git &&
+ (
+ cd local &&
+ git checkout initial &&
+ git merge --ff-only master &&
+ git tag -mrelease v2.0 &&
+ git push origin refs/tags/v2.0:refs/tags/v2-0 &&
+ test_must_fail git request-pull initial "$downstream_url" tags/v2.0 \
+ 2>../err
+ ) &&
+ grep "No match for commit .*" err &&
+ grep "Are you sure you pushed" err
+
+'
+
test_done
--
2.21.0
