[aur-dev] [PATCH 2/2] git-update: Catch long source URLs

Lukas Fleischer lfleischer at archlinux.org
Tue Oct 11 06:56:16 UTC 2016


Bail out early if the source array contains an entry with more than 8000
characters.

Signed-off-by: Lukas Fleischer <lfleischer at archlinux.org>
---
 aurweb/git/update.py     |  3 +++
 test/t1300-git-update.sh | 16 ++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/aurweb/git/update.py b/aurweb/git/update.py
index af2dfed..3b84eb5 100755
--- a/aurweb/git/update.py
+++ b/aurweb/git/update.py
@@ -337,6 +337,9 @@ def main():
 
             for field in extract_arch_fields(pkginfo, 'source'):
                 fname = field['value']
+                if len(fname) > 8000:
+                    die_commit('source entry too long: {:s}'.format(fname),
+                               str(commit.id))
                 if "://" in fname or "lp:" in fname:
                     continue
                 if fname not in commit.tree:
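Review bot: The rejection message on the added `die_commit` line reflects the entire oversized entry verbatim, so a value that is rejected for being longer than 8000 characters is still copied in full into the error output and anything die_commit records; that defeats the point of the bound and makes the log line as large as the input. A truncated echo keeps the message useful without carrying the payload, e.g. `die_commit('source entry too long: {:s}...'.format(fname[:64]), str(commit.id))`, with the matching test expectation (second hunk, the `grep -q` line) adjusted to the truncated form. The bare `8000` would also read better as a named constant such as `MAX_SOURCE_LEN = 8000` next to the other limits, with a comment stating why that size was chosen. The enclosing `main()` starts and ends outside this hunk.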
diff --git a/test/t1300-git-update.sh b/test/t1300-git-update.sh
index abab7ea..a65ca3a 100755
--- a/test/t1300-git-update.sh
+++ b/test/t1300-git-update.sh
@@ -370,6 +370,22 @@ test_expect_success 'Missing source file.' '
 	grep -q "^error: missing source file: file$" actual
 '
 
+test_expect_success 'Pushing .SRCINFO with too long source URL.' '
+	old=$(git -C aur.git rev-parse HEAD) &&
+	url="http://$(printf "%7993s" x | sed "s/ /x/g")/" &&
+	test_when_finished "git -C aur.git reset --hard $old" &&
+	(
+		cd aur.git &&
+		sed "s#.*depends.*#\\0\\nsource = $url#" .SRCINFO >.SRCINFO.new
+		mv .SRCINFO.new .SRCINFO
+		git commit -q -am "Add huge source URL"
+	) &&
+	new=$(git -C aur.git rev-parse HEAD) &&
+	AUR_USER=user AUR_PKGBASE=foobar AUR_PRIVILEGED=0 \
+	test_must_fail "$GIT_UPDATE" refs/heads/master "$old" "$new" >actual 2>&1 &&
+	grep -q "^error: source entry too long: $url\$" actual
+'
+
 test_expect_success 'Pushing a blacklisted package.' '
 	old=$(git -C aur.git rev-parse HEAD) &&
 	test_when_finished "git -C aur.git reset --hard $old" &&
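Review bot: Inside the subshell of the new test case the three commands are not chained, so a failing `sed` or `mv` is masked by the exit status of the trailing `git commit` (and a failing commit by the subshell's last status), which can turn a broken fixture into a test that passes or fails for the wrong reason. Join them as the rest of the file does: `sed "s#.*depends.*#\\0\\nsource = $url#" .SRCINFO >.SRCINFO.new &&`, `mv .SRCINFO.new .SRCINFO &&`, `git commit -q -am "Add huge source URL"`. The constructed `$url` is interpolated unescaped into the final `grep -q` pattern; that is safe only because it consists of `x` characters and `/`, so a comment noting that the URL must stay regex-neutral would help the next editor. The following test case, `Pushing a blacklisted package.`, continues outside the hunk.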
-- 
2.10.0

