Junio C Hamano committed a2f9fe9

lock_any_ref_for_update(): do not accept malformatted refs.

We used to use lock_any_ref_for_update() because the command
needs to also update HEAD (which is not under refs/, so
lock_ref_sha1() cannot be used). The function however did not
check for refs with illegal characters in them.

Use check_ref_format() to catch malformed refs. For this check,
we specifically do not want to say having less than two levels
in the name is illegal to allow HEAD (and perhaps other special
refs in the future).

Signed-off-by: Junio C Hamano <>

  • Parent commits df391b1

Files changed (2)

File builtin-update-ref.c

 	lock = lock_any_ref_for_update(refname, oldval ? oldsha1 : NULL);
 	if (!lock)
-		return 1;
+		die("%s: cannot lock the ref", refname);
 	if (write_ref_sha1(lock, sha1, msg) < 0)
-		return 1;
-	/* write_ref_sha1 always unlocks the ref, no need to do it explicitly */
+		die("%s: cannot update the ref", refname);
 	return 0;
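
Review bot: the comment removed after the write_ref_sha1() check was the only statement that write_ref_sha1 always unlocks the ref, and the success path still returns 0 without an explicit unlock. Keep that comment above "return 0;" so the missing unlock call does not read as a leak. The two die() messages are otherwise a clear improvement over the silent "return 1".
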
 struct ref_lock *lock_any_ref_for_update(const char *ref, const unsigned char *old_sha1)
+	if (check_ref_format(ref) == -1)
+		return NULL;
 	return lock_ref_sha1_basic(ref, old_sha1, NULL);
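
Review bot: the new check_ref_format(ref) == -1 branch returns NULL without reporting anything, and NULL is also what the caller sees when locking fails, so builtin-update-ref.c will die with "cannot lock the ref" for a name that was rejected as malformed. Emit an error naming the bad ref before "return NULL;" so the rejection is distinguishable from a lock failure. The comparison against -1 only, rather than any nonzero result, appears to be what lets HEAD through as the commit message describes; a one-line comment here saying which check_ref_format() results are accepted and why would keep a later cleanup from tightening it to != 0.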