Hi Adrian and all,

I found a regression in OBS code that was introduced with commit:

    commit 6fd139a1dbc2dfff9cbce7f6555c4c63e11f6a65
    Author: Adrian Schröter
    Date: Fri Mar 9 10:34:23 2012 +0100

        [api] mass-assignment is needed for xml object handover. Disallow
        hashed parameter values instead to ensure that we have no undetected
        leak yet.

The problematic behavior seems to occur with specific text patterns like this:

    $ cat test.xml
    <request><description>;T[]</description></request>
    $ osc api -X POST /request?cmd=create -f test.xml
    Server returned an error: HTTP Error 400: Bad Request
    Parameter T has non String class Array
    $

As you can see, the OBS API seems to try to interpret the content of the
description field. (???)

Obviously this request is incomplete and also not very useful, but the
problem also occurs with reasonable requests as long as this specific
text pattern is contained.

Anyone with an explanation of what goes wrong here, or even a fix? I am
personally quite confused since I don't even understand at the moment
what exactly this change is trying to achieve. Was that checking
probably applied to the wrong content in this XML file?

Robert
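
Added example, not part of the original message and not OBS or Rack code: one way the reported error text can arise, assuming the POST body is also run through a form-parameter parser that splits pairs on "&" and ";" and treats "[" after a name as an array marker. parse_form_body and non_string_params are hypothetical names; the check only mimics the error message quoted above.

```ruby
# Assumption: the XML body is handed to a form-style parameter parser
# before the "no non-String parameter values" check runs.

# Hypothetical simplified parser: pairs separated by "&" or ";",
# "name[...]" marks an array-valued parameter.
def parse_form_body(body)
  params = {}
  body.split(/[&;] */).each do |pair|
    next if pair.empty?
    key, value = pair.split("=", 2)
    name, rest = key.to_s.match(/\A([^\[\]]+)(.*)\z/m)&.captures
    next if name.nil?
    if rest.start_with?("[")
      params[name] = [] unless params[name].is_a?(Array)
      params[name] << value            # array parameter
    else
      params[name] = value             # scalar parameter (nil if no "=")
    end
  end
  params
end

# Hypothetical check in the spirit of the commit message: reject any
# parameter whose value is not a plain String (nil values are ignored).
def non_string_params(params)
  params.reject { |_, v| v.nil? || v.is_a?(String) }
        .map { |k, v| "Parameter #{k} has non String class #{v.class}" }
end

# Constructed inputs: the body from the report, and one without the pattern.
REPORTED_BODY = "<request><description>;T[]</description></request>"
PLAIN_BODY    = "<request><description>fix build</description></request>"

# The ";" ends the first pair, so the second pair's key starts with "T[]"
# and the parser creates an Array parameter named "T".
puts non_string_params(parse_form_body(REPORTED_BODY))
# Without ";" or "[" the whole body is one valueless key, so nothing is flagged.
puts non_string_params(parse_form_body(PLAIN_BODY)).inspect
```

Under that assumption, the check is applied to parameters derived from the raw XML text rather than to real query parameters, so the options are to run it only on the query string or to skip form parsing for XML request bodies.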