FS#61193 - [aurweb] cloning an invalid https git url creates a 500

Attached to Project: AUR web interface
Opened by Jelle van der Waa (jelly) - Thursday, 27 December 2018, 21:03 GMT
Last edited by Leonidas Spyropoulos (inglor) - Tuesday, 08 August 2023, 09:08 GMT
Task Type Bug Report
Category Backend
Status Closed
Assigned To Marcel Korpel (Marcel-)
Lukas Fleischer (lfleischer)
Johannes Löthberg (demize)
Eli Schwartz (eschwartz)
Architecture All
Severity Low
Priority Normal
Reported Version 4.7.0
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Some users seem to do https clones with a dot appended to the git clone url. This causes an error 500; it would be better to return a 400 or 404.

A typical request is for example:

[27/Dec/2018:19:33:21 +0000] "GET /xiphos.git./info/refs?service=git-upload-pack HTTP/2.0" 500 0 "-" "git/2.19.2" "-" 0.003

Closed by Leonidas Spyropoulos (inglor)
Tuesday, 08 August 2023, 09:08 GMT
Reason for closing: Deferred
Additional comments about closing: See Gitlab if still an issue.
Comment by Jelle van der Waa (jelly) - Thursday, 27 December 2018, 21:25 GMT
Update, this seems to not be an issue with PHP itself but with the smartgit sock. Maybe the regex should be adjusted to disallow foo.git.

location ~ "^/([a-z0-9][a-z0-9.+_-]*?)(\.git)?/(git-(receive|upload)-pack|HEAD|info/refs|objects/(info/(http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))$" {
Comment by Johannes Löthberg (demize) - Saturday, 29 December 2018, 22:39 GMT
It seems like the core reason that it throws a 500 is that Git seems to not support namespaces that end with a period. This doesn't seem to be documented, so I would guess that it's a bug.

Fundamentally what this should do is let you clone an empty repo literally called xiphos.git. (xiphos.git. is identical to xiphos.git..git)
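
Added example, not part of the ticket or of aurweb's code: the location regex quoted above is run over the logged request path to show which repository name it captures, next to a hypothetical variant that refuses names ending in a dot. The variant, the constructed sample paths and the helper names are assumptions; nginx matches a location against the path without the query string, which `request_path` mirrors.

```python
import re
from urllib.parse import urlsplit

# Tail of the nginx location regex quoted in the thread, copied verbatim.
ACTION = (r"/(git-(receive|upload)-pack|HEAD|info/refs|"
          r"objects/(info/(http-)?alternates|packs)|"
          r"[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))$")
NAME = r"^/([a-z0-9][a-z0-9.+_-]*?)"

# The pattern as quoted in the thread.
QUOTED = re.compile(NAME + r"(\.git)?" + ACTION)
# Hypothetical adjustment, not aurweb's configuration: a negative lookbehind
# refuses any captured name whose last character is a dot.
NO_TRAILING_DOT = re.compile(NAME + r"(?<!\.)(\.git)?" + ACTION)

# Request line taken from the access-log entry in the report.
LOGGED = "GET /xiphos.git./info/refs?service=git-upload-pack HTTP/2.0"


def request_path(request_line):
    """Return the URI path of a request line, without the query string."""
    _method, target, _version = request_line.split(" ")
    return urlsplit(target).path


def repo_name(pattern, path):
    """Return the captured repository name, or None when nothing matches."""
    m = pattern.match(path)
    return m.group(1) if m else None


if __name__ == "__main__":
    paths = [request_path(LOGGED),
             "/xiphos.git..git/info/refs",   # constructed
             "/xiphos.git/info/refs",        # constructed
             "/xiphos/info/refs"]            # constructed
    for p in paths:
        print(f"{p:30} quoted={repo_name(QUOTED, p)!r:16} "
              f"adjusted={repo_name(NO_TRAILING_DOT, p)!r}")
```

With the quoted pattern the logged path and `/xiphos.git..git/...` both capture the name `xiphos.git.`, because the dot is in the name's character class and the `.git` suffix is optional; the adjusted pattern leaves the logged path unmatched.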
Comment by Eli Schwartz (eschwartz) - Saturday, 29 December 2018, 23:22 GMT
makepkg/pacman also supports packages named literally pkgbase="xiphos.git." -- does that mean the AUR (via a dependency) is broken in its lack of support for this? OTOH, do we care?
Comment by Jelle van der Waa (jelly) - Sunday, 30 December 2018, 10:49 GMT
Yes we care, since it makes it harder to find real 500 errors.
Comment by Justin Capella (justincapella) - Saturday, 26 October 2019, 13:30 GMT
I noticed git as an action is also permitted if you do adjust the regex-- not sure if that matters
Comment by Leonidas Spyropoulos (inglor) - Tuesday, 08 August 2023, 09:07 GMT
Closing this - if still an issue please reopen at Gitlab https://gitlab.archlinux.org/archlinux/aurweb/-/issues
