* bug#22311: 25.1.50; package.el misused (read-from-string) will potentially cause "elpa/archives/xxx/archive-contents" file malformed
@ 2016-01-05 15:33 Tao Fang
2018-06-16 23:07 ` Noam Postavsky
0 siblings, 1 reply; 3+ messages in thread
From: Tao Fang @ 2016-01-05 15:33 UTC (permalink / raw)
To: 22311
Hi, all
There is a misused function read-from-string in package.el L1485:
1472 (defun package--download-one-archive (archive file &optional async)
1473 "Retrieve an archive file FILE from ARCHIVE, and cache it.
1474 ARCHIVE should be a cons cell of the form (NAME . LOCATION),
1475 similar to an entry in `package-alist'. Save the cached copy to
1476 \"archives/NAME/FILE\" in `package-user-dir'."
1477 (package--with-response-buffer (cdr archive) :file file
1478 :async async
1479 :error-form (package--update-downloads-in-progress archive)
1480 (let* ((location (cdr archive))
1481 (name (car archive))
1482 (content (buffer-string))
1483 (dir (expand-file-name (format "archives/%s" name) package-user-dir))
1484 (local-file (expand-file-name file dir)))
1485 (when (listp (read-from-string content))
1486 (make-directory dir t)
1487 (if (or (not package-check-signature)
listp checks return value of (read-from-string content) to make sure we
get file content with correct format, but as its doc says:
"
(read-from-string STRING &optional START END)
Read one Lisp expression which is represented as text by STRING.
Returns a cons: (OBJECT-READ . FINAL-STRING-INDEX).
"
(listp (read-from-string content)) will always return t, if archive-contents file download
finished with malformed content (e.g. error message return from proxy
server), it will be parsed and saved by mistake.
Simply replace (read-from-string) with (read) would resolve this, I think.
^ permalink raw reply [flat|nested] 3+ messages in thread
* bug#22311: 25.1.50; package.el misused (read-from-string) will potentially cause "elpa/archives/xxx/archive-contents" file malformed
2016-01-05 15:33 bug#22311: 25.1.50; package.el misused (read-from-string) will potentially cause "elpa/archives/xxx/archive-contents" file malformed Tao Fang
@ 2018-06-16 23:07 ` Noam Postavsky
2018-06-26 23:57 ` Noam Postavsky
0 siblings, 1 reply; 3+ messages in thread
From: Noam Postavsky @ 2018-06-16 23:07 UTC (permalink / raw)
To: Tao Fang; +Cc: 22311
[-- Attachment #1: Type: text/plain, Size: 662 bytes --]
tags 22311 + patch
quit
Tao Fang <fangtao0901@gmail.com> writes:
> There is a misused function read-from-string in package.el L1485:
>
> 1472 (defun package--download-one-archive (archive file &optional async)
> 1485 (when (listp (read-from-string content))
> (listp (read-from-string content)) will always return t, if archive-contents file download
> finished with malformed content (e.g. error message return from proxy
> server), it will be parsed and saved by mistake.
>
> Simply replace (read-from-string) with (read) would resolve this, I think.
Right, seems it's a regression in 25.1. So I think the patch below
should go to emacs-26.
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: patch --]
[-- Type: text/x-diff, Size: 1363 bytes --]
From 1ef28a6ba81120c13135e28b32c8ae6e20c4a219 Mon Sep 17 00:00:00 2001
From: Noam Postavsky <npostavs@gmail.com>
Date: Sat, 16 Jun 2018 18:59:43 -0400
Subject: [PATCH] Detect a non-list package archive content properly
(Bug#22311)
* lisp/emacs-lisp/package.el (package--download-one-archive): Use
`read' instead of `read-from-string'; the latter always returns a
cons, so the `listp' check on its return value doesn't make sense. It
was changed from `read' to `read-from-string' in 2015-04-01 "*
emacs-lisp/package.el: Implement asynchronous refreshing", but that
change was not needed because `read' works fine on strings as well as
buffers.
---
lisp/emacs-lisp/package.el | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lisp/emacs-lisp/package.el b/lisp/emacs-lisp/package.el
index c56502236e..576a9bc7e7 100644
--- a/lisp/emacs-lisp/package.el
+++ b/lisp/emacs-lisp/package.el
@@ -1532,7 +1532,7 @@ package--download-one-archive
(content (buffer-string))
(dir (expand-file-name (format "archives/%s" name) package-user-dir))
(local-file (expand-file-name file dir)))
- (when (listp (read-from-string content))
+ (when (listp (read content))
(make-directory dir t)
(if (or (not package-check-signature)
(member name package-unsigned-archives))
--
2.11.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-06-26 23:57 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-01-05 15:33 bug#22311: 25.1.50; package.el misused (read-from-string) will potentially cause "elpa/archives/xxx/archive-contents" file malformed Tao Fang
2018-06-16 23:07 ` Noam Postavsky
2018-06-26 23:57 ` Noam Postavsky
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).