diff options
authorJunio C Hamano <>2017-04-24 05:07:51 (GMT)
committerJunio C Hamano <>2017-04-24 05:07:52 (GMT)
commit9f1384f711e4d04d7808d4e24860b17f656b7333 (patch)
parentd7f8a37852fe26df530327b4131c92b2058ecd08 (diff)
parentd8f4481c4f03132174b514f428cd67d2cc0dc997 (diff)
Merge branch 'jk/quarantine-received-objects'
Add finishing touches to a recent topic. * jk/quarantine-received-objects: refs: reject ref updates while GIT_QUARANTINE_PATH is set receive-pack: document user-visible quarantine effects receive-pack: drop tmp_objdir_env from run_update_hook
5 files changed, 49 insertions, 1 deletions
diff --git a/Documentation/git-receive-pack.txt b/Documentation/git-receive-pack.txt
index 0ccd5fb..86a4b32 100644
--- a/Documentation/git-receive-pack.txt
+++ b/Documentation/git-receive-pack.txt
@@ -114,6 +114,8 @@ will be performed, and the update, post-receive and post-update
hooks will not be invoked either. This can be useful to quickly
bail out if the update is not to be supported.
+See the notes on the quarantine environment below.
update Hook
Before each ref is updated, if $GIT_DIR/hooks/update file exists
@@ -214,6 +216,33 @@ if the repository is packed and is served via a dumb transport.
exec git update-server-info
+Quarantine Environment
+When `receive-pack` takes in objects, they are placed into a temporary
+"quarantine" directory within the `$GIT_DIR/objects` directory and
+migrated into the main object store only after the `pre-receive` hook
+has completed. If the push fails before then, the temporary directory is
+removed entirely.
+This has a few user-visible effects and caveats:
+ 1. Pushes which fail due to problems with the incoming pack, missing
+ objects, or due to the `pre-receive` hook will not leave any
+ on-disk data. This is usually helpful to prevent repeated failed
+ pushes from filling up your disk, but can make debugging more
+ challenging.
+ 2. Any objects created by the `pre-receive` hook will be created in
+ the quarantine directory (and migrated only if it succeeds).
+ 3. The `pre-receive` hook MUST NOT update any refs to point to
+ quarantined objects. Other programs accessing the repository will
+ not be able to see the objects (and if the pre-receive hook fails,
+ those refs would become corrupted). For safety, any ref updates
+ from within `pre-receive` are automatically rejected.
linkgit:git-send-pack[1], linkgit:gitnamespaces[7]
diff --git a/Documentation/githooks.txt b/Documentation/githooks.txt
index 9565dc3..32343ae 100644
--- a/Documentation/githooks.txt
+++ b/Documentation/githooks.txt
@@ -256,6 +256,9 @@ environment variables will not be set. If the client selects
to use push options, but doesn't transmit any, the count variable
will be set to zero, `GIT_PUSH_OPTION_COUNT=0`.
+See the section on "Quarantine Environment" in
+linkgit:git-receive-pack[1] for some caveats.
diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
index 3cba3fd..7f484e7 100644
--- a/builtin/receive-pack.c
+++ b/builtin/receive-pack.c
@@ -772,7 +772,6 @@ static int run_update_hook(struct command *cmd)
proc.stdout_to_stderr = 1;
proc.err = use_sideband ? -1 : 0;
proc.argv = argv;
- proc.env = tmp_objdir_env(tmp_objdir);
code = start_command(&proc);
if (code)
diff --git a/refs.c b/refs.c
index d1e1b43..a3d5f42 100644
--- a/refs.c
+++ b/refs.c
@@ -1643,6 +1643,12 @@ int ref_transaction_commit(struct ref_transaction *transaction,
struct ref_store *refs = transaction->ref_store;
+ strbuf_addstr(err,
+ _("ref updates forbidden inside quarantine environment"));
+ return -1;
+ }
return refs->be->transaction_commit(refs, transaction, err);
diff --git a/t/ b/t/
index af9fcd8..113c870 100755
--- a/t/
+++ b/t/
@@ -58,4 +58,15 @@ test_expect_success 'push to repo path with path separator (colon)' '
git push "$(pwd)/xxx${pathsep}yyy.git" HEAD
+test_expect_success 'updating a ref from quarantine is forbidden' '
+ git init --bare update.git &&
+ write_script update.git/hooks/pre-receive <<-\EOF &&
+ read old new refname
+ git update-ref refs/heads/unrelated $new
+ exit 1
+ test_must_fail git push update.git HEAD &&
+ git -C update.git fsck