[aur-dev] [PATCH 2/2] git-update: Catch long source URLs
Lukas Fleischer
lfleischer at archlinux.org
Tue Oct 11 06:56:16 UTC 2016
Bail out early if the source array contains an entry with more than 8000
characters.
Signed-off-by: Lukas Fleischer <lfleischer at archlinux.org>
---
aurweb/git/update.py | 3 +++
test/t1300-git-update.sh | 16 ++++++++++++++++
2 files changed, 19 insertions(+)
diff --git a/aurweb/git/update.py b/aurweb/git/update.py
index af2dfed..3b84eb5 100755
--- a/aurweb/git/update.py
+++ b/aurweb/git/update.py
@@ -337,6 +337,9 @@ def main():
for field in extract_arch_fields(pkginfo, 'source'):
fname = field['value']
+ if len(fname) > 8000:
+ die_commit('source entry too long: {:s}'.format(fname),
+ str(commit.id))
if "://" in fname or "lp:" in fname:
continue
if fname not in commit.tree:
diff --git a/test/t1300-git-update.sh b/test/t1300-git-update.sh
index abab7ea..a65ca3a 100755
--- a/test/t1300-git-update.sh
+++ b/test/t1300-git-update.sh
@@ -370,6 +370,22 @@ test_expect_success 'Missing source file.' '
grep -q "^error: missing source file: file$" actual
'
+test_expect_success 'Pushing .SRCINFO with too long source URL.' '
+ old=$(git -C aur.git rev-parse HEAD) &&
+ url="http://$(printf "%7993s" x | sed "s/ /x/g")/" &&
+ test_when_finished "git -C aur.git reset --hard $old" &&
+ (
+ cd aur.git &&
+ sed "s#.*depends.*#\\0\\nsource = $url#" .SRCINFO >.SRCINFO.new
+ mv .SRCINFO.new .SRCINFO
+ git commit -q -am "Add huge source URL"
+ ) &&
+ new=$(git -C aur.git rev-parse HEAD) &&
+ AUR_USER=user AUR_PKGBASE=foobar AUR_PRIVILEGED=0 \
+ test_must_fail "$GIT_UPDATE" refs/heads/master "$old" "$new" >actual 2>&1 &&
+ grep -q "^error: source entry too long: $url\$" actual
+'
+
test_expect_success 'Pushing a blacklisted package.' '
old=$(git -C aur.git rev-parse HEAD) &&
test_when_finished "git -C aur.git reset --hard $old" &&
--
2.10.0
More information about the aur-dev
mailing list