[aur-dev] [PATCH v2] git-update: Prevent from overwriting packages

Lukas Fleischer lfleischer at archlinux.org
Thu Jun 4 09:39:11 UTC 2015


Make sure we do not overwrite a package belonging to another package
base. We forgot to add this check to git-update when porting the package
submission script to Python in commit 74edb6f (Use Git repositories to
store packages, 2014-06-06).

Reported-by: Johannes Löthberg <johannes at kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer at archlinux.org>
---
Fix the prepared statement and the handling of the query results.

 git-interface/git-update.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/git-interface/git-update.py b/git-interface/git-update.py
index 34633e8..0a4130e 100755
--- a/git-interface/git-update.py
+++ b/git-interface/git-update.py
@@ -252,12 +252,22 @@ srcinfo_pkgbase = srcinfo._pkgbase['pkgname']
 if srcinfo_pkgbase != pkgbase:
     die('invalid pkgbase: %s' % (srcinfo_pkgbase))
 
+pkgbase = srcinfo._pkgbase['pkgname']
+cur.execute("SELECT ID FROM PackageBases WHERE Name = %s", [pkgbase])
+pkgbase_id = cur.fetchone()[0]
+
 for pkgname in srcinfo.GetPackageNames():
     pkginfo = srcinfo.GetMergedPackage(pkgname)
+    pkgname = pkginfo['pkgname']
 
-    if pkginfo['pkgname'] in blacklist:
+    if pkgname in blacklist:
         die('package is blacklisted: %s' % (pkginfo['pkgname']))
 
+    cur.execute("SELECT COUNT(*) FROM Packages WHERE Name = %s AND " +
+                "PackageBaseID <> %s", [pkgname, pkgbase_id])
+    if cur.fetchone()[0] > 0:
+        die('cannot overwrite package: %s' % (pkgname))
+
 save_srcinfo(srcinfo, db, cur, user)
 
 db.close()
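Review bot: The new `pkgbase_id = cur.fetchone()[0]` lookup near the top of the hunk has no handling for an empty result. If no PackageBases row matches the name, `fetchone()` returns None and the subscript raises a TypeError instead of producing a `die()` message. Either check the row for None and call `die()` with a clear error, or add a comment saying where the row is guaranteed to exist before this point. The ownership test in the loop is a SELECT followed later by `save_srcinfo()`, so it is only as strong as the isolation between those two steps. If concurrent pushes are possible, run the check and the save in one transaction, or back the rule with a database constraint. Two smaller points: the `pkgbase = srcinfo._pkgbase['pkgname']` assignment is redundant, because the preceding `srcinfo_pkgbase != pkgbase` test has already died on any mismatch, and the blacklist message still formats `pkginfo['pkgname']` while the new message uses `pkgname`.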
-- 
2.4.2

