From 38c6cda7ba1f9efb4093c2823bd152b1fbcb75a1 Mon Sep 17 00:00:00 2001
From: Eli Schwartz
Date: Thu, 30 Sep 2021 12:47:00 -0400
Subject: [PATCH] archive .asc endpoint: fix incorrect accounting of tag vs. format

flask does not document this well, but url rule converters apparently *can* accept arguments, and one of them is for providing a limited choice of values. Use this to restrict the formats to the list of supported formats, which we hardcode because it must be built into the string. This avoids interpreting 1.0.tar.gz.asc as tag="1", format=".0.tar.gz" which causes the server to explode.
---
 gitsrht/blueprints/repo.py | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/gitsrht/blueprints/repo.py b/gitsrht/blueprints/repo.py
index 78a2dc9..e6aade5 100644
--- a/gitsrht/blueprints/repo.py
+++ b/gitsrht/blueprints/repo.py
@@ -192,19 +192,12 @@ def lookup_ref(git_repo, ref, path):
 abort(404)
 return commit, ref, "/".join(path)
-def lookup_signature(git_repo, ref, fmt=None):
+def lookup_signature(git_repo, ref, fmt=['tar', 'tar.gz']):
 commit_or_tag = git_repo.revparse_single(ref)
 if not isinstance(commit_or_tag, (pygit2.Commit, pygit2.Tag)):
 return None, None
- fmts = ['tar.gz', 'tar']
-
- if fmt is not None:
- if fmt not in fmts:
- return None, None
- fmts = [fmt]
-
- for trial in fmts:
+ for trial in fmt:
 try:
 note = git_repo.lookup_note(commit_or_tag.hex, f'refs/notes/signatures/{trial}')
 except KeyError:
@@ -391,11 +384,11 @@ def archive(owner, repo, ref):
 return send_file(subp.stdout, mimetype="application/tar+gzip", as_attachment=True, attachment_filename=f"{repo.name}-{refname}.tar.gz")
-@repo.route("///archive/..asc")
+@repo.route("///archive/..asc")
 def archivesig(owner, repo, ref, fmt):
 owner, repo = get_repo_or_redir(owner, repo)
 with GitRepository(repo.path) as git_repo:
- sigdata, _ = lookup_signature(git_repo, ref, fmt)
+ sigdata, _ = lookup_signature(git_repo, ref, [fmt])
 if sigdata is None:
 abort(404)
--
2.38.4
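Review bot: The rewritten `lookup_signature` no longer checks `fmt` against the supported list, so the only thing keeping an arbitrary string out of `f'refs/notes/signatures/{trial}'` is the route converter on the `archivesig` rule in the second hunk. Any other caller that forwards a request-derived value (none is visible in this diff) would look up whatever notes ref that value names, so I would keep the allow-list inside the function as well, e.g. `if trial not in ('tar.gz', 'tar'): continue` at the top of the loop. The new default is also a mutable list and its order is flipped from the old `['tar.gz', 'tar']`, which presumably changes which signature is returned first when a caller omits `fmt`; `fmt=('tar.gz', 'tar')` avoids both. The function body continues past the end of the hunk, so the return path is not visible here.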