Allow serving cabal files with package name in the file name. #1262
Conversation
ghost
mentioned this pull request
| @@ -456,6 +458,11 @@ coreFeature ServerEnv{serverBlobStore = store} UserFeature{..} | |||
| resourceDesc = [(GET, "Get package .cabal file revision")] | |||
| , resourceGet = [("cabal", serveCabalFileRevision)] | |||
| } | |||
| coreCabalFileRevName = (resourceAt "/package/:package/revision/:package-:revision.:format") { | |||
There was a problem hiding this comment.
I wonder how :package...:package template works. It probably doesn't (i.e. allows non-sense like /package/foo/revision/bar-1-r2.cabal, or even /package/non---sense-1-1-1-1/revision/bar-1-r2.cabal
See e.g
corePackageTarball = (resourceAt "/package/:package/:tarball.tar.gz") {
--- which uses:
packageTarballInPath dpath = do
PackageIdentifier name version <- packageInPath dpath
case lookup "tarball" dpath >>= fromReqURI of
Nothing -> mzero
Just pkgid@(PackageIdentifier name' version') -> do
-- rules:
-- \* the package name and tarball name must be the same
-- \* the tarball must specify a version
-- \* the package must either have no version or the same version as the tarball
guard $ name == name' && version' /= nullVersion && (version == version' || version == nullVersion)
return pkgidThere was a problem hiding this comment.
Why is that a problem? If someone is using a malformed url, they will get malformed data. I.e. it's their problem.
Is there a security issue here I don't see?
There was a problem hiding this comment.
Is there a security issue here I don't see?
There is CDN in from of hackage-server which caches the results. I'm sure someone can be annoying, as there would be infinitely many cacheable urls. Maybe not a security risk, but in my opinion wrong URLs should be reported as the wrong ones.
There was a problem hiding this comment.
Okay. Then I don't know how to implement it. I can monkey-copy the code that closely matches someone else's, but I don't know how to implement unification in Haskell.
In the defence of my, undoubtedly, flawed, position, I can say that github also allows infinitely many cacheable URLs, like https://github.com/username/project/archive/v1.0.0/bar-$version.tag.gz
There was a problem hiding this comment.
Then I don't know how to implement it.
I gave you a pointer. Look how corePackageTarball is implemented (using packageTarballInPath which you can use as an example).
There was a problem hiding this comment.
Please theck the new version. I have reused the "tarball" function, because, as far as I understand, it is essentially the same.
But maybe I misunderstood.
There was a problem hiding this comment.
@phadej does the new version make sense? Although I re-used the function with "tar" in the name, it seems that the pattern match is the same.
|
What do the failures with those two older compilers mean? |
Allow serving url like this:
https://hackage.haskell.org/package/pkg-2.6/revision/pkg-2.6-1.cabal
Resolves: #1261 #1261