filter out illegal remote names when reading proxy log

Logs/Proxy.hs

@@ -18,6 +18,7 @@ import qualified Data.Map as M
 import qualified Annex
 import Annex.Common
 import qualified Annex.Branch
+import qualified Git.Remote
 import Git.Types
 import Logs
 import Logs.UUIDBased
@@ -37,7 +38,7 @@ data Proxy = Proxy
 
 -- TODO caching
 getProxies :: Annex (M.Map UUID (S.Set Proxy))
-getProxies = M.map value . fromMapLog . parseProxyLog
+getProxies = M.map (validateProxies . value) . fromMapLog . parseProxyLog
 	<$> Annex.Branch.get proxyLog
 
 recordProxies :: S.Set Proxy -> Annex ()
@@ -76,3 +77,11 @@ parseProxyList = S.fromList <$> many parseword
 		<* (const () <$> A8.char colon)
 		<*> (decodeBS <$> A8.takeWhile1 (/= ' '))
 	colon = ':'
+
+-- Filter out any proxies that have a name that is not allowed as a git
+-- remote name. This avoids any security problems with eg escape
+-- characters in names, and ensures the name can be used anywhere a usual
+-- git remote name can be used without causing issues.
+validateProxies :: S.Set Proxy -> S.Set Proxy
+validateProxies = S.filter $ \p ->
+	Git.Remote.makeLegalName (proxyRemoteName p) == proxyRemoteName p

doc/todo/git-annex_proxies.mdwn

@@ -37,12 +37,6 @@ For June's work on [[design/passthrough_proxy]], implementation plan:
 1. getProxies should be cached to avoid repeatedly reading the log and
    parsing.
 
-1. Remote names coming from the git-annex branch need to be
-   limited to what's legal in git remote names. If a remote name is not
-   legal, munge it until it is.
-   This will also prevent remote names being a security hazard
-   via eg escape characters.
-
 2. Remote instantiation for proxies. When a remote "foo" is a proxy,
    and has a remote "bar", instantiate a remote "foo-bar" that has the UUID
    of bar but is of the same type and configuration of remote "foo".