From: Noam Postavsky
Newsgroups: gmane.emacs.bugs
Subject: bug#22311: 25.1.50; package.el misused (read-from-string) will potentially cause "elpa/archives/xxx/archive-contents" file malformed
Date: Sat, 16 Jun 2018 19:07:39 -0400
Message-ID: <87o9gatjno.fsf@gmail.com>
References: <87oad0ca7a.fsf@gmail.com>
To: Tao Fang
Cc: 22311@debbugs.gnu.org
In-Reply-To: <87oad0ca7a.fsf@gmail.com> (Tao Fang's message of "Tue, 05 Jan 2016 23:33:45 +0800")

tags 22311 + patch
quit

Tao Fang writes:

> There is a misused function read-from-string in package.el L1485:
>
> 1472 (defun package--download-one-archive (archive file &optional async)
> 1485 (when (listp (read-from-string content))
> (listp (read-from-string content)) will always return t, if archive-contents file download
> finished with malformed content (e.g. error message return from proxy
> server), it will be parsed and saved by mistake.
>
> Simply replace (read-from-string) with (read) would resolve this, I think.

Right, seems it's a regression in 25.1. So I think the patch below
should go to emacs-26.

From 1ef28a6ba81120c13135e28b32c8ae6e20c4a219 Mon Sep 17 00:00:00 2001
From: Noam Postavsky
Date: Sat, 16 Jun 2018 18:59:43 -0400
Subject: [PATCH] Detect a non-list package archive content properly (Bug#22311)

* lisp/emacs-lisp/package.el (package--download-one-archive): Use
`read' instead of `read-from-string'; the latter always returns a
cons, so the `listp' check on its return value doesn't make sense. It
was changed from `read' to `read-from-string' in 2015-04-01 "*
emacs-lisp/package.el: Implement asynchronous refreshing", but that
change was not needed because `read' works fine on strings as well as
buffers.
---
lisp/emacs-lisp/package.el | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lisp/emacs-lisp/package.el b/lisp/emacs-lisp/package.el index c56502236e..576a9bc7e7 100644 --- a/lisp/emacs-lisp/package.el +++ b/lisp/emacs-lisp/package.el @@ -1532,7 +1532,7 @@ package--download-one-archive (content (buffer-string)) (dir (expand-file-name (format "archives/%s" name) package-user-dir)) (local-file (expand-file-name file dir))) - (when (listp (read-from-string content)) + (when (listp (read content)) (make-directory dir t) (if (or (not package-check-signature) (member name package-unsigned-archives)) -- 2.11.0
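
Review bot: in the changed `when` test, `(listp (read content))` still accepts a body whose first form reads as `nil` or `()`, because `listp` is true for nil; `consp` would reject that case too and matches the intent of only saving a real archive list. Two smaller points on the same line: `read` signals an error (for example end-of-file on an empty or truncated body) instead of returning a non-list, and no handler is visible in this hunk, so it is worth confirming that a caller catches it rather than letting it abort the refresh; and `read` stops after the first form, so text trailing a valid list is not detected by this check.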