tighten up ref/file names (warning: possible backward compat breakage)

The backward compat breakage is for people who already have all kinds of
arbitrary characters in filenames *and* use `NAME/` rules.  See the doc
change in this commit for details and mitigation.  See this link for
background:

    http://groups.google.com/group/gitolite/browse_thread/thread/8dc5242052b16d0f

Thanks to Dan Carpenter for the audit.

src/gitolite.pm

@@ -213,6 +213,10 @@ sub check_ref {
     # NOTE: the function DIES when access is denied, unless arg 5 is true
 
     my ($allowed_refs, $repo, $ref, $perm, $dry_run) = @_;
+
+    # sanity check the ref
+    die "invalid characters in ref or filename: $ref\n" unless $ref =~ $GL_REF_OR_FILENAME_PATT;
+
     my @allowed_refs = sort { $a->[0] <=> $b->[0] } @{$allowed_refs};
     for my $ar (@allowed_refs) {
         my $refex = $ar->[1];

src/gitolite_rc.pm

@@ -9,7 +9,7 @@ use Exporter 'import';
 @EXPORT = qw(
     $ABRT $WARN
     $R_COMMANDS $W_COMMANDS
-    $REPONAME_PATT $USERNAME_PATT $REPOPATT_PATT
+    $REPONAME_PATT $USERNAME_PATT $REPOPATT_PATT $GL_REF_OR_FILENAME_PATT
     $ADC_CMD_ARGS_PATT
     $BIG_INFO_CAP
     $current_data_version
@@ -48,6 +48,8 @@ $REPONAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._\@/+-]*$);
 $USERNAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._\@+-]*$);
 # same as REPONAME, but used for wildcard repos, allows some common regex metas
 $REPOPATT_PATT=qr(^\@?[0-9a-zA-Z[][\\^.$|()[\]*+?{}0-9a-zA-Z._\@/,-]*$);
+# pattern for refnames pushed or names of files changed
+$GL_REF_OR_FILENAME_PATT=qr(^[0-9a-zA-Z][0-9a-zA-Z._\@/+ :,-]*$);
 
 # ADC commands and arguments must match this pattern
 $ADC_CMD_ARGS_PATT=qr(^[0-9a-zA-Z._\@/+:-]*$);