From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Tao Fang <fangtao0901@gmail.com>
Newsgroups: gmane.emacs.bugs
Subject: bug#22311: 25.1.50;
	package.el misused (read-from-string) will potentially cause
	"elpa/archives/xxx/archive-contents" file malformed
Date: Tue, 05 Jan 2016 23:33:45 +0800
Message-ID: <87oad0ca7a.fsf@gmail.com>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: ger.gmane.org 1452008122 11692 80.91.229.3 (5 Jan 2016 15:35:22 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Tue, 5 Jan 2016 15:35:22 +0000 (UTC)
To: 22311@debbugs.gnu.org
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Tue Jan 05 16:35:12 2016
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1aGTdf-0004TT-MK
	for geb-bug-gnu-emacs@m.gmane.org; Tue, 05 Jan 2016 16:35:11 +0100
Original-Received: from localhost ([::1]:50154 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1aGTde-0003l7-Uo
	for geb-bug-gnu-emacs@m.gmane.org; Tue, 05 Jan 2016 10:35:10 -0500
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:41797)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1aGTdb-0003ko-I5
	for bug-gnu-emacs@gnu.org; Tue, 05 Jan 2016 10:35:08 -0500
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1aGTdW-0003l8-FK
	for bug-gnu-emacs@gnu.org; Tue, 05 Jan 2016 10:35:07 -0500
Original-Received: from debbugs.gnu.org ([208.118.235.43]:50748)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1aGTdW-0003ky-CN
	for bug-gnu-emacs@gnu.org; Tue, 05 Jan 2016 10:35:02 -0500
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1aGTdW-00069U-8J
	for bug-gnu-emacs@gnu.org; Tue, 05 Jan 2016 10:35:02 -0500
X-Loop: help-debbugs@gnu.org
Resent-From: Tao Fang <fangtao0901@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Tue, 05 Jan 2016 15:35:02 +0000
Resent-Message-ID: <handler.22311.B.145200805023581@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 22311
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
X-Debbugs-Original-To: bug-gnu-emacs@gnu.org
Original-Received: via spool by submit@debbugs.gnu.org id=B.145200805023581
	(code B ref -1); Tue, 05 Jan 2016 15:35:02 +0000
Original-Received: (at submit) by debbugs.gnu.org; 5 Jan 2016 15:34:10 +0000
Original-Received: from localhost ([127.0.0.1]:38968 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1aGTcg-00068H-IE
	for submit@debbugs.gnu.org; Tue, 05 Jan 2016 10:34:10 -0500
Original-Received: from eggs.gnu.org ([208.118.235.92]:50669)
	by debbugs.gnu.org with esmtp (Exim 4.84)
	(envelope-from <fangtao0901@gmail.com>) id 1aGTcf-000684-81
	for submit@debbugs.gnu.org; Tue, 05 Jan 2016 10:34:09 -0500
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <fangtao0901@gmail.com>) id 1aGTcZ-0003aF-9x
	for submit@debbugs.gnu.org; Tue, 05 Jan 2016 10:34:04 -0500
Original-Received: from lists.gnu.org ([2001:4830:134:3::11]:51497)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <fangtao0901@gmail.com>) id 1aGTcZ-0003aB-7K
	for submit@debbugs.gnu.org; Tue, 05 Jan 2016 10:34:03 -0500
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:41637)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <fangtao0901@gmail.com>) id 1aGTcY-0003Fv-9E
	for bug-gnu-emacs@gnu.org; Tue, 05 Jan 2016 10:34:03 -0500
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <fangtao0901@gmail.com>) id 1aGTcT-0003ZC-7S
	for bug-gnu-emacs@gnu.org; Tue, 05 Jan 2016 10:34:02 -0500
Original-Received: from mail-qg0-x22c.google.com ([2607:f8b0:400d:c04::22c]:36300)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <fangtao0901@gmail.com>) id 1aGTcT-0003Z7-3g
	for bug-gnu-emacs@gnu.org; Tue, 05 Jan 2016 10:33:57 -0500
Original-Received: by mail-qg0-x22c.google.com with SMTP id e32so190326799qgf.3
	for <bug-gnu-emacs@gnu.org>; Tue, 05 Jan 2016 07:33:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; 
	h=from:to:subject:date:message-id:mime-version:content-type;
	bh=ks7VBXT02cZB56Ac394+uhpMbsfM9HMoU3yoq0lR784=;
	b=ST5whM5OweULdf0i2q2yAaCVD74qV9DATUjTrCc1Ix2itL+b7NIR3Bb3lOPCSJK5oS
	mZcgbEVCy86brariG+SJlB9N6MbZasIClXvW7D/+9M7xARm5tunaTTaWqRX9Uole3Jdp
	h0PZToJL1JkZmwxKoWP1gEJ3KOFFOhH/tzSVs01Sg8tOxANVV++WwZnZOyArrBAFTmBj
	cPh0URuQ0tiRdVCPSqWK6EHPM/hzcbN2lUspTzowqrWAVBh0l7oOus/RUWiOSNcLfjJE
	iJHxI69AGPyd9HPqmtOhpCu52BViooF1G25tpgPq7ly88MBi6bkWRp22UuWJBSI0axYe
	f/xQ==
X-Received: by 10.140.229.72 with SMTP id z69mr124327473qhb.104.1452008036439; 
	Tue, 05 Jan 2016 07:33:56 -0800 (PST)
Original-Received: from StormPC.yourcompany.com
	(ec2-52-3-137-119.compute-1.amazonaws.com. [52.3.137.119])
	by smtp.gmail.com with ESMTPSA id u78sm714450qge.27.2016.01.05.07.33.53
	for <bug-gnu-emacs@gnu.org>
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 05 Jan 2016 07:33:55 -0800 (PST)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 208.118.235.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.bugs:111234
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/111234>

Hi, all
  There is a misused function read-from-string in package.el L1485:

  1472	(defun package--download-one-archive (archive file &optional async)
  1473	  "Retrieve an archive file FILE from ARCHIVE, and cache it.
  1474	ARCHIVE should be a cons cell of the form (NAME . LOCATION),
  1475	similar to an entry in `package-alist'.  Save the cached copy to
  1476	\"archives/NAME/FILE\" in `package-user-dir'."
  1477	  (package--with-response-buffer (cdr archive) :file file
  1478	    :async async
  1479	    :error-form (package--update-downloads-in-progress archive)
  1480	    (let* ((location (cdr archive))
  1481	           (name (car archive))
  1482	           (content (buffer-string))
  1483	           (dir (expand-file-name (format "archives/%s" name) package-user-dir))
  1484	           (local-file (expand-file-name file dir)))
  1485	      (when (listp (read-from-string content))
  1486	        (make-directory dir t)
  1487	        (if (or (not package-check-signature)

listp checks return value of (read-from-string content) to make sure we
get file content with correct format, but as its doc says:
"
(read-from-string STRING &optional START END)

Read one Lisp expression which is represented as text by STRING.
Returns a cons: (OBJECT-READ . FINAL-STRING-INDEX).
"
(listp (read-from-string content)) will always return t, if archive-contents file download
finished with malformed content (e.g. error message return from proxy
server), it will be parsed and saved by mistake.

Simply replace (read-from-string) with (read) would resolve this, I think.