Branch: refs/heads/master
Home: https://github.com/openSUSE/open-build-service
Commit: d42d0ebfc53ad98b0cc4434adbde758a5c7e323d
https://github.com/openSUSE/open-build-service/commit/d42d0ebfc53ad98b0cc443...
Author: Marcus Huewe
Date: 2021-06-25 (Fri, 25 Jun 2021)
Changed paths:
M src/backend/BSSrcServer/Link.pm
Log Message:
-----------
Do not expand the upload rev

When trying to expand the upload rev, a bogus tree file is written
(if the upload rev contains a _link file). For instance, a tree file
can look like this:

    c157a79031e1c40f85931829bc5fc552 foo
    f9079d5de256dd593c7eabdb29699e53 /LINK
    upload /LOCAL

Since the upload rev has no "real" srcmd5, the format of the tree
file is corrupted. Such a corrupted tree file can be used to generate
a <directory/> xml that has an <entry/> whose "name" attribute is the
empty string and whose "md5" attribute contains 32 "garbage" bytes
(that is, an illegal md5). For instance,

    marcus@linux:~> curl http://localhost:5352/source/home:mallory/lnk2?expand=1
    <directory name="lnk2" rev="4fc0e0e48934e51692aeec749600d854" vrev="10" srcmd5="4fc0e0e48934e51692aeec749600d854">
    <linkinfo project="home:mallory" package="lnk2" rev="2568453a6f3542d64649fdd50186cb28" srcmd5="2568453a6f3542d64649fdd50186cb28" lsrcmd5="6497434b763387d4daba84e582636df7"/>
    <entry name="" md5="upload /LOCAL " error="No such file or directory"/>
    <entry name="foo" md5="c157a79031e1c40f85931829bc5fc552" size="4" mtime="1624438950"/>
    </directory>
    marcus@linux:~>

Such a <directory/> may confuse "broken" clients (since the error
attribute is present, clients have the chance to refuse such a
<directory/>).

(Note: in the curl call we do not expand the upload rev; the upload
rev is only expanded once to generate the broken tree file; the
broken tree file is then used to generate the broken <entry/> from
above)

In order to avoid this, simply do not expand the upload rev. Note
that if a link's rev or a passed in linkrev points to the upload rev,
the expansion fails because the revision returned by $getrev->(...)
is "strange" (see the code in handlelinks). Hence, it is sufficient
to check at the beginning of handlelinks if the passed revision is
the upload rev (actually, we reject anything that is not a valid
md5).

Commit: 4f0ed1526c596d60f38f744fd3cce945f5384b0c
https://github.com/openSUSE/open-build-service/commit/4f0ed1526c596d60f38f74...
Author: Marcus Huewe
Date: 2021-06-28 (Mon, 28 Jun 2021)
Changed paths:
M src/backend/BSSrcServer/Link.pm
Log Message:
-----------
Merge branch 'no_upload_rev_expansion' of https://github.com/marcus-h/open-build-service
Do not expand the upload rev.
Compare: https://github.com/openSUSE/open-build-service/compare/818c266e7248...4f0ed1...
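
Added example (not part of the commits above or of the OBS code base): a client-side check, in Python, that refuses a <directory/> listing like the one quoted in the first commit message, where an <entry/> has an empty name, a value in "md5" that is not an md5, or an error attribute. The function names and the lowercase-hex md5 pattern are assumptions made for this illustration; the sample XML is constructed from the output shown in the commit message.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: a legal md5 attribute is exactly 32 lowercase hex digits.
MD5_RE = re.compile(r"[0-9a-f]{32}")

# Constructed sample, modelled on the broken <directory/> in the commit message.
SAMPLE = """\
<directory name="lnk2" rev="4fc0e0e48934e51692aeec749600d854" vrev="10" srcmd5="4fc0e0e48934e51692aeec749600d854">
  <linkinfo project="home:mallory" package="lnk2" rev="2568453a6f3542d64649fdd50186cb28" srcmd5="2568453a6f3542d64649fdd50186cb28" lsrcmd5="6497434b763387d4daba84e582636df7"/>
  <entry name="" md5="upload /LOCAL " error="No such file or directory"/>
  <entry name="foo" md5="c157a79031e1c40f85931829bc5fc552" size="4" mtime="1624438950"/>
</directory>
"""


def entry_problems(entry):
    """Return the reasons a single <entry/> element must not be trusted."""
    problems = []
    if not entry.get("name"):
        problems.append("empty or missing name")
    if MD5_RE.fullmatch(entry.get("md5", "")) is None:
        problems.append("md5 is not 32 hex digits")
    if entry.get("error") is not None:
        problems.append("server reported error: " + entry.get("error"))
    return problems


def check_directory(xml_text):
    """Map each suspicious entry, keyed by (position, name), to its problems.

    An empty dict means every <entry/> passed. A caller should refuse the
    whole listing otherwise, rather than silently skipping the bad entries.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "directory":
        raise ValueError("expected <directory/>, got <%s/>" % root.tag)
    report = {}
    for index, entry in enumerate(root.findall("entry")):
        problems = entry_problems(entry)
        if problems:
            report[(index, entry.get("name", ""))] = problems
    return report


if __name__ == "__main__":
    for (index, name), problems in check_directory(SAMPLE).items():
        print("entry #%d name=%r: %s" % (index, name, "; ".join(problems)))
```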