From: Paolo Bonzini <pbonzini@xxxxxxxxxx> The local part of the third argument of git-request-pull is used in a regular expression without quoting it. Use qr{} and \Q\E to ensure that e.g. a period in a tag name does not match any character on the remote side. Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx> --- git-request-pull.sh | 5 ++--- t/t5150-request-pull.sh | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/git-request-pull.sh b/git-request-pull.sh index 13c172bd94..0d128be7fd 100755 --- a/git-request-pull.sh +++ b/git-request-pull.sh @@ -83,19 +83,18 @@ die "fatal: No commits in common between $base and $head" # Otherwise find a random ref that matches $headrev. find_matching_ref=' my ($head,$headrev) = (@ARGV); + my $pattern = qr{/\Q$head\E$}; my ($found); while (<STDIN>) { chomp; my ($sha1, $ref, $deref) = /^(\S+)\s+([^^]+)(\S*)$/; - my ($pattern); next unless ($sha1 eq $headrev); - $pattern="/$head\$"; if ($ref eq $head) { $found = $ref; } - if ($ref =~ /$pattern/) { + if ($ref =~ $pattern) { $found = $ref; } if ($sha1 eq $head) { diff --git a/t/t5150-request-pull.sh b/t/t5150-request-pull.sh index fca001eb9b..c1a821a549 100755 --- a/t/t5150-request-pull.sh +++ b/t/t5150-request-pull.sh @@ -246,4 +246,22 @@ test_expect_success 'request-pull ignores OPTIONS_KEEPDASHDASH poison' ' ' +test_expect_success 'request-pull quotes regex metacharacters properly' ' + + rm -fr downstream.git && + git init --bare downstream.git && + ( + cd local && + git checkout initial && + git merge --ff-only master && + git tag -mrelease v2.0 && + git push origin refs/tags/v2.0:refs/tags/v2-0 && + test_must_fail git request-pull initial "$downstream_url" tags/v2.0 \ + 2>../err + ) && + grep "No match for commit .*" err && + grep "Are you sure you pushed" err + +' + test_done -- 2.21.0