[aur-dev] [PATCH 1/2] Make URL columns 8000 characters wide
According to RFC 7230, URLs can be up to 8000 characters long. Resize all URL fields accordingly. Also, add a test to verify that URLs with more than 8000 characters are rejected by the update hook. Reported-by: Andreas Linz <klingt.net@gmail.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org> --- aurweb/git/update.py | 5 +++-- schema/aur-schema.sql | 4 ++-- test/t1300-git-update.sh | 16 ++++++++++++++++ upgrading/4.4.0.txt | 12 ++++++++++++ 4 files changed, 33 insertions(+), 4 deletions(-) create mode 100644 upgrading/4.4.0.txt diff --git a/aurweb/git/update.py b/aurweb/git/update.py index 7337341..af2dfed 100755 --- a/aurweb/git/update.py +++ b/aurweb/git/update.py @@ -324,8 +324,9 @@ def main(): die_commit('invalid package name: {:s}'.format( pkginfo['pkgname']), str(commit.id)) - for field in ('pkgname', 'pkgdesc', 'url'): - if field in pkginfo and len(pkginfo[field]) > 255: + max_len = {'pkgname': 255, 'pkgdesc': 255, 'url': 8000} + for field in max_len.keys(): + if field in pkginfo and len(pkginfo[field]) > max_len[field]: die_commit('{:s} field too long: {:s}'.format(field, pkginfo[field]), str(commit.id)) diff --git a/schema/aur-schema.sql b/schema/aur-schema.sql index 030370b..30209bd 100644 --- a/schema/aur-schema.sql +++ b/schema/aur-schema.sql @@ -119,7 +119,7 @@ CREATE TABLE Packages ( Name VARCHAR(255) NOT NULL, Version VARCHAR(255) NOT NULL DEFAULT '', Description VARCHAR(255) NULL DEFAULT NULL, - URL VARCHAR(255) NULL DEFAULT NULL, + URL VARCHAR(8000) NULL DEFAULT NULL, PRIMARY KEY (ID), UNIQUE (Name), FOREIGN KEY (PackageBaseID) REFERENCES PackageBases(ID) ON DELETE CASCADE 
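Review bot: The rejection message in the length check of aurweb/git/update.py still interpolates the whole offending value (`pkginfo[field]`), so with the url limit raised to 8000 every rejection writes more than 8000 characters of pusher-supplied text back verbatim into the hook output, and into any log that captures it. Reporting the field name and the two lengths would be enough, for example `die_commit('{:s} field too long: {:d} > {:d} characters'.format(field, len(pkginfo[field]), max_len[field]), str(commit.id))`; the `grep` in the new test would need the matching change. The loop header could also read `for field, limit in max_len.items():` so the limit is not looked up a second time. The `source entry too long` message added in the second patch echoes the value in the same way. main() starts and ends outside this hunk.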
@@ -227,7 +227,7 @@ CREATE INDEX RelationsRelName ON PackageRelations (RelName); -- CREATE TABLE PackageSources ( PackageID INTEGER UNSIGNED NOT NULL, - Source VARCHAR(255) NOT NULL DEFAULT "/dev/null", + Source VARCHAR(8000) NOT NULL DEFAULT "/dev/null", SourceArch VARCHAR(255) NULL DEFAULT NULL, FOREIGN KEY (PackageID) REFERENCES Packages(ID) ON DELETE CASCADE ) ENGINE = InnoDB; diff --git a/test/t1300-git-update.sh b/test/t1300-git-update.sh index b642089..abab7ea 100755 --- a/test/t1300-git-update.sh +++ b/test/t1300-git-update.sh @@ -309,6 +309,22 @@ test_expect_success 'Pushing .SRCINFO with invalid epoch.' ' grep -q "^error: invalid epoch: !$" actual ' +test_expect_success 'Pushing .SRCINFO with too long URL.' ' + old=$(git -C aur.git rev-parse HEAD) && + url="http://$(printf "%7993s" x | sed "s/ /x/g")/" && + test_when_finished "git -C aur.git reset --hard $old" && + ( + cd aur.git && + sed "s#.*url.*#\\0\\nurl = $url#" .SRCINFO >.SRCINFO.new + mv .SRCINFO.new .SRCINFO + git commit -q -am "Change URL" + ) && + new=$(git -C aur.git rev-parse HEAD) && + AUR_USER=user AUR_PKGBASE=foobar AUR_PRIVILEGED=0 \ + test_must_fail "$GIT_UPDATE" refs/heads/master "$old" "$new" >actual 2>&1 && + grep -q "^error: url field too long: $url\$" actual +' + test_expect_success 'Missing install file.' ' old=$(git -C aur.git rev-parse HEAD) && test_when_finished "git -C aur.git reset --hard $old" && diff --git a/upgrading/4.4.0.txt b/upgrading/4.4.0.txt new file mode 100644 index 0000000..1cc55b3 --- /dev/null +++ b/upgrading/4.4.0.txt @@ -0,0 +1,12 @@ +1. Resize the URL column of the Packages table: + +---- +ALTER TABLE Packages MODIFY URL VARCHAR(8000) NULL DEFAULT NULL; +---- + +2. Resize the Source column of the PackageSources table: + +---- +ALTER TABLE PackageSources + MODIFY Source VARCHAR(8000) NOT NULL DEFAULT "/dev/null"; +---- -- 2.10.0
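Review bot: In the subshell of the new 'Pushing .SRCINFO with too long URL.' test, the `sed … >.SRCINFO.new` and `mv .SRCINFO.new .SRCINFO` lines are not joined to the following commands with `&&`, so a failure of either one is not caught where it happens and shows up only indirectly, if at all, through the later commands. Ending both lines with `&&`, as the `cd aur.git &&` line already does, keeps the chain intact; the 'too long source URL' test in the second patch has the same gap. The test also exercises only the 8001-character case, so a companion case showing that a URL of exactly 8000 characters is accepted would pin the boundary of the `>` comparison in the hook.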
Bail out early if the source array contains an entry with more than 8000 characters. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org> --- aurweb/git/update.py | 3 +++ test/t1300-git-update.sh | 16 ++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/aurweb/git/update.py b/aurweb/git/update.py index af2dfed..3b84eb5 100755 --- a/aurweb/git/update.py +++ b/aurweb/git/update.py @@ -337,6 +337,9 @@ def main(): for field in extract_arch_fields(pkginfo, 'source'): fname = field['value'] + if len(fname) > 8000: + die_commit('source entry too long: {:s}'.format(fname), + str(commit.id)) if "://" in fname or "lp:" in fname: continue if fname not in commit.tree: diff --git a/test/t1300-git-update.sh b/test/t1300-git-update.sh index abab7ea..a65ca3a 100755 --- a/test/t1300-git-update.sh +++ b/test/t1300-git-update.sh @@ -370,6 +370,22 @@ test_expect_success 'Missing source file.' ' grep -q "^error: missing source file: file$" actual ' +test_expect_success 'Pushing .SRCINFO with too long source URL.' ' + old=$(git -C aur.git rev-parse HEAD) && + url="http://$(printf "%7993s" x | sed "s/ /x/g")/" && + test_when_finished "git -C aur.git reset --hard $old" && + ( + cd aur.git && + sed "s#.*depends.*#\\0\\nsource = $url#" .SRCINFO >.SRCINFO.new + mv .SRCINFO.new .SRCINFO + git commit -q -am "Add huge source URL" + ) && + new=$(git -C aur.git rev-parse HEAD) && + AUR_USER=user AUR_PKGBASE=foobar AUR_PRIVILEGED=0 \ + test_must_fail "$GIT_UPDATE" refs/heads/master "$old" "$new" >actual 2>&1 && + grep -q "^error: source entry too long: $url\$" actual +' + test_expect_success 'Pushing a blacklisted package.' ' old=$(git -C aur.git rev-parse HEAD) && test_when_finished "git -C aur.git reset --hard $old" && -- 2.10.0
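Review bot: The new `if len(fname) > 8000:` check repeats the literal 8000 that the first patch already put into `max_len` and into the `Source VARCHAR(8000)` column, so the hook and the schema can drift apart without anything failing. A single named limit would tie them together, for example a module-level constant (name is a suggestion) `MAX_URL_LEN = 8000` used in `max_len` and here as `if len(fname) > MAX_URL_LEN:`. A one-line comment such as `# Must not exceed the width of PackageSources.Source.` would record where the number comes from. The body of main() continues outside this hunk.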