lock_any_ref_for_update(): do not accept malformatted refs.
We used to use lock_any_ref_for_update() because the command needs to also update HEAD (which is not under refs/, so lock_ref_sha1() cannot be used). The function however did not check for refs with illegal characters in them.
Use check_ref_format() to catch malformed refs. For this check, we specifically do not want to say having less than two levels in the name is illegal to allow HEAD (and perhaps other special refs in the future).