5.1.5
Fixes
- UploadPack: Avoid calling AdvertiseRefsHook twice. The AdvertiseRefsHook could be called twice when the AdvertiseRefsHook doesn't set this.refs and getAdvertisedOrDefaultRefs is called after getFilteredRefs.
- UploadPack: Filter refs used for want-ref resolution to ensure any refs the client requests are visible to the client.
- UploadPack: Defer want-ref resolution to after parsing.
- [Security] Call AdvertiseRefsHook to fix the following vulnerability. AdvertiseRefsHook is used to limit the visibility of refs in Gerrit. If this hook is not called, then all refs are treated as visible. In protocol v2, the hook was not called, causing the server to advertise all refs. Even before then, the hook was not called in requests after the capability advertisement, so in transports like HTTP that do not retain state between round-trips, the server would advertise all refs in response to an ls-refs (ls-remote) request. Fix both cases.
- BasePackConnection: Check for expected length of ref advertisement when using protocol v2.
- Fix DescribeCommand with multiple match options. When multiple match options are given in git describe, the result must not depend on the order of the match options. JGit wrongly picked the first match using the match options in the order they were defined.
- Fix git-describe tie-breakers. Correct behaviour as of git 1.7.1.1 is to resolve tie-breakers to choose the most recent tag.
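The ref-visibility flaw from the [Security] item, together with the want-ref filtering and call-once fixes, modelled in Python as an added example. This is not JGit code: the `Session` class, `visibility_hook`, the error text and the sample refs are constructed stand-ins, and the model is simplified to the stateless-HTTP case where the hook ran only in the advertisement request.

```python
# Simplified model of the flaw; all names here are hypothetical, not JGit's API.
ALL_REFS = {  # constructed sample repository: ref name -> object id
    "refs/heads/master": "a1",
    "refs/heads/secret": "b2",
    "refs/meta/config": "c3",
}

def visibility_hook(session):
    """Stand-in for an AdvertiseRefsHook: expose only refs/heads/master."""
    session.hook_calls += 1
    session.refs = {"refs/heads/master": ALL_REFS["refs/heads/master"]}

class Session:
    """One stateless HTTP round-trip: no state survives between requests."""
    def __init__(self, hook, fixed):
        self.hook, self.fixed = hook, fixed
        self.refs = None          # None means the hook has not set visible refs
        self.hook_calls = 0

    def advertised_or_default_refs(self):
        # Fixed behaviour: run the hook on demand, and only while refs are unset.
        if self.refs is None and self.fixed:
            self.hook(self)
        # Unset refs fall back to everything: "all refs are treated as visible".
        return self.refs if self.refs is not None else ALL_REFS

    def capability_advertisement(self):
        if not self.fixed:
            self.hook(self)       # pre-fix: the only request in which the hook ran
        return sorted(self.advertised_or_default_refs())

    def ls_refs(self):
        return sorted(self.advertised_or_default_refs())

    def fetch(self, want_refs):
        # want-ref names are resolved only against refs visible to this client.
        visible = self.advertised_or_default_refs()
        missing = [w for w in want_refs if w not in visible]
        if missing:
            raise PermissionError("unknown ref " + missing[0])
        return [visible[w] for w in want_refs]

def ls_refs_over_http(fixed):
    """ls-refs arrives in a fresh request, after the advertisement round-trip."""
    Session(visibility_hook, fixed).capability_advertisement()
    return Session(visibility_hook, fixed).ls_refs()
```

The same three assertions (hidden refs absent from ls-refs, want-ref on a hidden ref rejected, hook invoked once per request) make a useful regression test against a real server with a restricted account.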