FS#17482 - Can't upload to AUR when source contains #

Attached to Project: AUR web interface
Opened by Jim Pryor (Profjim) - Saturday, 12 December 2009, 23:15 GMT
Last edited by Andrea Scarpino (BaSh) - Wednesday, 03 November 2010, 17:50 GMT
Task Type Bug Report
Category PKGBUILD Parser
Status Closed
Assigned To No-one
Architecture All
Severity Medium
Priority Normal
Reported Version 1.6.0
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Trying to upload a package whose source name contains "...${pkgname#something}" fails---with a misleading message ("Missing build function in PKGBUILD.") to boot. Changing it to "...${pkgname%something}" or just "...${pkgname}" succeeds. The package tarballs were built using makepkg --source and seem otherwise to be fine.
This task depends upon

Closed by  Andrea Scarpino (BaSh)
Wednesday, 03 November 2010, 17:50 GMT
Reason for closing:  Fixed
Additional comments about closing:  in 1.7.0
Comment by Jim Pryor (Profjim) - Saturday, 12 December 2009, 23:18 GMT
"source name" may be misleading. I mean the problem happens when the PKGBUILD contains:
...
source=("blahblah${pkgname#something}")

In the particular cases I'm working with, the source fields really have this form:
source=("localfilename::http://blahblah/blah.cgi?name=${pkgname#something-}")

I don't know whether the localfilename:: part is necessary to produce the problem.
Comment by Jim Pryor (Profjim) - Sunday, 13 December 2009, 08:27 GMT
Changing the bash variable mangling to ${pkgname/something-/} then will let AUR upload the package, but the Sources line on the AUR webpage is then screwed up: it will link to "http://blahblah/blah.cgi?name=originalname/something-/}"

Are we permitted to do no bash operations on variables that appear in PKGBUILD metadata fields? I've seen it documented that we shouldn't use extra variables, even ones with _nameslikethis. But I hadn't seen this documented. I guess you're doing the variable substitutions manually, rather than evaluating the PKGBUILDs through a shell. I can see the security advantages of that. But it's not clear up-front what is and isn't allowed.
Comment by xduugu (xduugu) - Monday, 14 December 2009, 01:20 GMT
Seems to be a duplicate of  FS#17328 .
Comment by Jim Pryor (Profjim) - Monday, 14 December 2009, 01:41 GMT
Sorry, I searched but didn't find that.

1. Yes, the core of this bug report is the same as what's in  FS#17328 .
2. The observation that ${pkgname/something-/} produces garbage too is additional to what's in  FS#17328 . It'd be helpful if the AUR php script checked for standard Bash substitutions, say ${base#something}, ${base##something}, ${base%something}, ${base%%something}, ${base/something/somethingelse}, and ${base//something/somethingelse}.
3. Or at least it should be loudly announced that these aren't allowed. I haven't yet encountered such an announcement, if it's out there I apologize for wasting time.
Comment by Jim Pryor (Profjim) - Monday, 14 December 2009, 02:23 GMT
Here's a proposed fix for the bug reported in  FS#17328 , and which initiated this bug report. Change line 77 of web/html/pkgsubmit.php from:
$line = preg_replace('/\s*#.*/', '', $line);
to:
$line = preg_replace('/((^|})[^{]*)\s*#.*/', '$1', $line);

That will have the effect of never stripping '# text' when inside an unclosed "{ ..." context.


Comment by Andrea Scarpino (BaSh) - Wednesday, 10 March 2010, 17:42 GMT
Your rule works, but works bad with double #. Try with imagemagick-doc to understand what I mean.
Comment by Lukas Fleischer (lfleischer) - Sunday, 30 May 2010, 10:19 GMT
As I already said in  FS#17328 , regex cannot be used to parse PKGBUILDs 100% correctly. If you want to remove comments properly, you will need to write a bash parser from scratch. Following workaround could be used to prevent removal of "#.*" if the pound sign ("#") is surrounded by "${"/"}": "$line = preg_replace('/^([^\$]*(\$[^{][^\$]*|\$\{[^}]*\}[^\$]*)*)\s*#.*$/U', '\1', $line);". The "U" modifier might also be removed if "[^\$]*" are replaced by "[^\$#]*" and line trim()'ing is done after comment removal.

Please consider that this is only a workaround and will fail in some cases (e.g. if "{}" braces are nested). The only proper way to fix this is to write a proper parser.
Comment by Lukas Fleischer (lfleischer) - Thursday, 24 June 2010, 04:52 GMT
This will be due in version 1.7.0. There's a patch in the GIT repo that removes the build() function check [1].

[1] http://projects.archlinux.org/aur.git/commit/?id=f08fbbe80eba009c6f42411456479e328c92175b

Loading...