upload-pack: allow stateless client EOF just prior to haves

During stateless packfile negotiation where a depth is given, stateless
RPC clients (e.g. git-remote-curl) will send multiple upload-pack
requests with the first containing only the
wants/shallows/deepens/filters and the subsequent containing haves/done.

When upload-pack handles such requests, entering get_common_commits
without checking whether the client has hung up can result in unexpected
EOF during the negotiation loop and a die() with message "fatal: the
remote end hung up unexpectedly".

Real world effects include:

 - A client speaking to git-http-backend via a server that doesn't check
   the exit codes of CGIs (e.g. mod_cgi) doesn't know and doesn't care
   about the fatal. It continues to process the response body as normal.

 - A client speaking to a server that does check the exit code and
   returns an errant HTTP status as a result will fail with the message
   "error: RPC failed; HTTP 500 curl 22 The requested URL returned error:
   500."

 - Admins running servers that surface the failure must workaround it by
   patching code that handles execution of git-http-backend to ignore exit
   codes or take other heuristic approaches.

 - Admins may have to deal with "hung up unexpectedly" log spam related
   to the failures even in cases where the exit code isn't surfaced as an
   HTTP server-side error status.

To avoid these EOF related fatals, have upload-pack gently peek for an
EOF between the sending of shallow/unshallow lines (followed by flush)
and the reading of client haves. If the client has hung up at this
point, exit normally.

Signed-off-by: Daniel Duvall <dan@mutual.io>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/t/t5530-upload-pack-error.sh b/t/t5530-upload-pack-error.sh
index 205a2631e7f807a72259b27eb689a0b18439d7f9..9dd2d2457a3ea6c77a28bc31d1aabd87e118d9e3 100755 (executable)
--- a/t/t5530-upload-pack-error.sh
+++ b/t/t5530-upload-pack-error.sh
@@ -88,6 +88,23 @@ test_expect_success 'upload-pack fails due to error in pack-objects enumeration'
        grep "pack-objects died" output.err
 '
 
+test_expect_success 'upload-pack tolerates EOF just after stateless client wants' '
+       test_commit initial &&
+       head=$(git rev-parse HEAD) &&
+
+       {
+               packetize "want $head" &&
+               packetize "shallow $head" &&
+               packetize "deepen 1" &&
+               printf "0000"
+       } >request &&
+
+       printf "0000" >expect &&
+
+       git upload-pack --stateless-rpc . <request >actual &&
+       test_cmp expect actual
+'
+
 test_expect_success 'create empty repository' '
 
        mkdir foo &&

diff --git a/upload-pack.c b/upload-pack.c
index 3b858eb457e557592dada080f95f3fe7e218b24b..5dc8e1f844222b18ede6c3734a8ed5953ea59dd1 100644 (file)
--- a/upload-pack.c
+++ b/upload-pack.c
@@ -1344,7 +1344,18 @@ void upload_pack(struct upload_pack_options *options)
                                   PACKET_READ_DIE_ON_ERR_PACKET);
 
                receive_needs(&data, &reader);
-               if (data.want_obj.nr) {
+
+               /*
+                * An EOF at this exact point in negotiation should be
+                * acceptable from stateless clients as they will consume the
+                * shallow list before doing subsequent rpc with haves/etc.
+                */
+               if (data.stateless_rpc)
+                       reader.options |= PACKET_READ_GENTLE_ON_EOF;
+
+               if (data.want_obj.nr &&
+                   packet_reader_peek(&reader) != PACKET_READ_EOF) {
+                       reader.options &= ~PACKET_READ_GENTLE_ON_EOF;
                        get_common_commits(&data, &reader);
                        create_pack_file(&data, NULL);
                }