Branch: refs/heads/master Home: https://github.com/openSUSE/open-build-service Commit: d42d0ebfc53ad98b0cc4434adbde758a5c7e323d https://github.com/openSUSE/open-build-service/commit/d42d0ebfc53ad98b0cc443... Author: Marcus Huewe Date: 2021-06-25 (Fri, 25 Jun 2021) Changed paths: M src/backend/BSSrcServer/Link.pm Log Message: ----------- Do no expand the upload rev When trying to expand the upload rev, a bogus tree files is written (if the upload rev contains a _link file). For instance, a tree file can look like this: c157a79031e1c40f85931829bc5fc552 foo f9079d5de256dd593c7eabdb29699e53 /LINK upload /LOCAL Since the upload rev has no "real" srcmd5, the format of the tree file is corrupted. Such a corrupted tree file can be used to generate a <directory/> xml that has an <entry/> whose "name" attribute is the empty string and whose "md5" attribute contains 32 "garbage" bytes (that is, an illegal md5). For instance, marcus@linux:~> curl http://localhost:5352/source/home:mallory/lnk2?expand=1 <directory name="lnk2" rev="4fc0e0e48934e51692aeec749600d854" vrev="10" srcmd5="4fc0e0e48934e51692aeec749600d854"> <linkinfo project="home:mallory" package="lnk2" rev="2568453a6f3542d64649fdd50186cb28" srcmd5="2568453a6f3542d64649fdd50186cb28" lsrcmd5="6497434b763387d4daba84e582636df7"/> <entry name="" md5="upload /LOCAL " error="No such file or directory"/> <entry name="foo" md5="c157a79031e1c40f85931829bc5fc552" size="4" mtime="1624438950"/> </directory> marcus@linux:~> Such a <directory/> may confuse "broken" clients (since the error attribute is present, clients have the chance to refuse such a <directory/>). (Note: in the curl call we do not expand the upload rev; the upload rev is only expanded once to generate the broken tree file; the broken tree file is then used to generate the broken <entry/> from above) In order to avoid this, simply do not expand the upload rev. Note that if a link's rev or a passed in linkrev points to the upload rev, the expansion fails because the revision returned by $getrev->(...) is "strange" (see the code in handlelinks). Hence, it is sufficient to check at the beginning of handlelinks if the passed revision is the upload rev (actually, we reject anything that is not a valid md5). Commit: 4f0ed1526c596d60f38f744fd3cce945f5384b0c https://github.com/openSUSE/open-build-service/commit/4f0ed1526c596d60f38f74... Author: Marcus Huewe Date: 2021-06-28 (Mon, 28 Jun 2021) Changed paths: M src/backend/BSSrcServer/Link.pm Log Message: ----------- Merge branch 'no_upload_rev_expansion' of https://github.com/marcus-h/open-build-service Do no expand the upload rev. Compare: https://github.com/openSUSE/open-build-service/compare/818c266e7248...4f0ed1...