From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Thu, 5 Jan 2017 13:46:34 +0000 (+0000)
Subject: dgit-repos-server: Defend against bad commits (from eg #849041).
X-Git-Tag: debian/2.15~6
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=dgit.git;a=commitdiff_plain;h=82da82e49b4ae7143bf9fdb582fcb46e1446a2e4;ds=sidebyside

dgit-repos-server: Defend against bad commits (from eg #849041).

Right now, this causes the test `debpolicy-quilt-gbp' to fail,
because in this branch #849041 is unfixed.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---

diff --git a/Debian/Dgit.pm b/Debian/Dgit.pm
index 50e3b860..e9921d6a 100644
--- a/Debian/Dgit.pm
+++ b/Debian/Dgit.pm
@@ -54,7 +54,7 @@ BEGIN {
                       $debugprefix *debuglevel *DEBUG
                       shellquote printcmd messagequote);
     # implicitly uses $main::us
-    %EXPORT_TAGS = ( policyflags => [qw(NOFFCHECK FRESHREPO)] );
+    %EXPORT_TAGS = ( policyflags => [qw(NOFFCHECK FRESHREPO NOCOMMITCHECK)] );
     @EXPORT_OK   = @{ $EXPORT_TAGS{policyflags} };
 }
 
@@ -71,6 +71,7 @@ our $branchprefix = 'dgit';
 # dynamic loader, runtime, etc., failures, which report 127 or 255
 sub NOFFCHECK () { return 0x2; }
 sub FRESHREPO () { return 0x4; }
+sub NOCOMMITCHECK () { return 0x8; }
 
 our $debugprefix;
 our $debuglevel = 0;
diff --git a/infra/dgit-repos-server b/infra/dgit-repos-server
index 1be33609..eb4b3773 100755
--- a/infra/dgit-repos-server
+++ b/infra/dgit-repos-server
@@ -160,6 +160,9 @@ setup_sigwarn();
 #    FRESHREPO   (4)
 #         blow away repo right away (ie, as if before push or fetch)
 #         ("check-package" and "push" only)
+#    NOCOMMITCHECK   (8)
+#         suppress dgit-repos-server's check that commits do
+#         not lack "committer" info (eg as produced by #849041)
 # any unexpected bits mean failure, and then known set bits are ignored
 # if no unexpected bits set, operation continues (subject to meaning
 # of any expected bits set).  So, eg, exit 0 means "continue normally"
@@ -890,6 +893,27 @@ sub checks () {
 	chomp $mb;
 	$mb eq $oldcommit or reject "not fast forward on dgit branch";
     }
+
+    # defend against commits generated by #849041
+    if (!($policy & NOCOMMITCHECK)) {
+	my @checks = qw(%an %ae %at
+			%cn %ce %ct);
+	my @chk = qw(git log -z);
+	push @chk, '--pretty=tformat:%H%n'.
+	    (join "", map { $_, '%n' } @checks);
+	push @chk, "^$oldcommit" if $oldcommit =~ m/[^0]/;
+	push @chk, $commit;;
+	printdebug " ~NOCOMMITCHECK @chk\n";
+	open CHK, "-|", @chk or die $!;
+	local $/ = "\0";
+	while (<CHK>) {
+	    next unless m/^$/m;
+	    m/^\w+(?=\n)/ or die;
+	    reject "corrupted object $& (missing metadata)";
+	}
+	$!=0; $?=0; close CHK or $?==256 or die "$? $!";
+    }
+
     if ($policy & FRESHREPO) {
 	# It's a bit late to be discovering this here, isn't it ?
 	#