From: Tao Fang
To: bug-gnu-emacs@gnu.org
Subject: 25.1.50; package.el misused (read-from-string) will potentially cause "elpa/archives/xxx/archive-contents" file malformed
Date: Tue, 05 Jan 2016 23:33:45 +0800
Message-ID: <87oad0ca7a.fsf@gmail.com>

Hi, all

There is a misused function read-from-string in package.el L1485:

1472 (defun package--download-one-archive (archive file &optional async)
1473   "Retrieve an archive file FILE from ARCHIVE, and cache it.
1474 ARCHIVE should be a cons cell of the form (NAME . LOCATION),
1475 similar to an entry in `package-alist'. Save the cached copy to
1476 \"archives/NAME/FILE\" in `package-user-dir'."
1477   (package--with-response-buffer (cdr archive) :file file
1478     :async async
1479     :error-form (package--update-downloads-in-progress archive)
1480     (let* ((location (cdr archive))
1481            (name (car archive))
1482            (content (buffer-string))
1483            (dir (expand-file-name (format "archives/%s" name) package-user-dir))
1484            (local-file (expand-file-name file dir)))
1485       (when (listp (read-from-string content))
1486         (make-directory dir t)
1487         (if (or (not package-check-signature)

listp checks return value of (read-from-string content) to make sure we
get file content with correct format, but as its doc says:
"
(read-from-string STRING &optional START END)

Read one Lisp expression which is represented as text by STRING.
Returns a cons: (OBJECT-READ . FINAL-STRING-INDEX).
"
(listp (read-from-string content)) will always return t, if archive-contents file download
finished with malformed content (e.g. error message return from proxy
server), it will be parsed and saved by mistake.

Simply replace (read-from-string) with (read) would resolve this, I think.
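
The difference between the reported check and the suggested replacement, as an added Emacs Lisp example that is not part of the original message or of package.el. The `demo-` functions and the sample download bodies are constructed for illustration.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration, not code from package.el.  All `demo-' names and
;; the sample strings below are constructed for this example.

(defun demo-weak-check (content)
  "The check as reported: test the return value of `read-from-string'.
That value is always a cons (OBJECT . END-INDEX), so `listp' is t
for any CONTENT that contains at least one readable expression."
  (listp (read-from-string content)))

(defun demo-fixed-check (content)
  "The check as suggested: test the object that `read' returns."
  (listp (read content)))

(defun demo-safely (check content)
  "Run CHECK on CONTENT; return `accept', `reject' or `unreadable'."
  (condition-case nil
      (if (funcall check content) 'accept 'reject)
    ;; An empty or truncated body makes the reader signal `end-of-file';
    ;; other malformed text signals `invalid-read-syntax'.
    ((end-of-file invalid-read-syntax) 'unreadable)))

(defconst demo-samples
  '(("valid list"  . "(1 (demo-pkg . [(0 1) nil \"Constructed entry\" single]))")
    ("proxy error" . "<html><body>502 Bad Gateway</body></html>")
    ("empty body"  . ""))
  "Constructed download bodies: (LABEL . CONTENT).")

(defun demo-compare ()
  "Return a list of (LABEL WEAK-RESULT FIXED-RESULT) for each sample."
  (mapcar (lambda (sample)
            (list (car sample)
                  (demo-safely #'demo-weak-check (cdr sample))
                  (demo-safely #'demo-fixed-check (cdr sample))))
          demo-samples))

(demo-compare)
```

Evaluating the buffer returns one row per sample; the proxy error page is the row where the two checks disagree, because its first token reads as a symbol rather than a list.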

From: Noam Postavsky
To: Tao Fang
Cc: 22311@debbugs.gnu.org
Subject: Re: bug#22311: 25.1.50; package.el misused (read-from-string) will potentially cause "elpa/archives/xxx/archive-contents" file malformed
References: <87oad0ca7a.fsf@gmail.com>
Date: Sat, 16 Jun 2018 19:07:39 -0400
In-Reply-To: <87oad0ca7a.fsf@gmail.com> (Tao Fang's message of "Tue, 05 Jan 2016 23:33:45 +0800")
Message-ID: <87o9gatjno.fsf@gmail.com>

tags 22311 + patch
quit

Tao Fang writes:

> There is a misused function read-from-string in package.el L1485:
>
> 1472 (defun package--download-one-archive (archive file &optional async)
> 1485       (when (listp (read-from-string content))

> (listp (read-from-string content)) will always return t, if archive-contents file download
> finished with malformed content (e.g. error message return from proxy
> server), it will be parsed and saved by mistake.
>
> Simply replace (read-from-string) with (read) would resolve this, I think.

Right, seems it's a regression in 25.1. So I think the patch below
should go to emacs-26.

From 1ef28a6ba81120c13135e28b32c8ae6e20c4a219 Mon Sep 17 00:00:00 2001
From: Noam Postavsky Date: Sat, 16 Jun 2018 18:59:43 -0400 Subject: [PATCH] Detect a non-list package archive content properly (Bug#22311) * lisp/emacs-lisp/package.el (package--download-one-archive): Use `read' instead of `read-from-string'; the latter always returns a cons, so the `listp' check on its return value doesn't make sense. It was changed from `read' to `read-from-string' in 2015-04-01 "* emacs-lisp/package.el: Implement asynchronous refreshing", but that change was not needed because `read' works fine on strings as well as buffers. --- lisp/emacs-lisp/package.el | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lisp/emacs-lisp/package.el b/lisp/emacs-lisp/package.el index c56502236e..576a9bc7e7 100644 --- a/lisp/emacs-lisp/package.el +++ b/lisp/emacs-lisp/package.el 
@@ -1532,7 +1532,7 @@ package--download-one-archive (content (buffer-string)) (dir (expand-file-name (format "archives/%s" name) package-user-dir)) (local-file (expand-file-name file dir))) - (when (listp (read-from-string content)) + (when (listp (read content)) (make-directory dir t) (if (or (not package-check-signature) (member name package-unsigned-archives)) -- 2.11.0
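
Review bot: the changed line `(when (listp (read content))` ships without a regression test; the diffstat lists only lisp/emacs-lisp/package.el with 1 insertion and 1 deletion. A test that feeds a non-list body (for example a proxy error page, the case from the report) through package--download-one-archive and asserts that nothing is written under "archives/NAME/" would keep this from regressing a second time. Also note that `listp` is true for `nil`, so a body that reads as `nil` still passes the guard; if an empty list is not meaningful archive content here, `consp` would be the tighter test.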

From: Noam Postavsky
To: Tao Fang
Cc: 22311@debbugs.gnu.org
Subject: Re: bug#22311: 25.1.50; package.el misused (read-from-string) will potentially cause "elpa/archives/xxx/archive-contents" file malformed
References: <87oad0ca7a.fsf@gmail.com> <87o9gatjno.fsf@gmail.com>
Date: Tue, 26 Jun 2018 19:57:33 -0400
In-Reply-To: <87o9gatjno.fsf@gmail.com> (Noam Postavsky's message of "Sat, 16 Jun 2018 19:07:39 -0400")
Message-ID: <871sctp0cy.fsf@gmail.com>

tags 22311 fixed
close 22311 26.2
quit

Noam Postavsky writes:

>> Simply replace (read-from-string) with (read) would resolve this, I think.
>
> Right, seems it's a regression in 25.1. So I think the patch below
> should go to emacs-26.

Pushed.

[1: 6f6d525683]: 2018-06-26 19:56:04 -0400
  Detect a non-list package archive content properly (Bug#22311)
  https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=6f6d525683d5731d55fcd801a66b078bd6ba8369

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Message-Id: bug archived.
Date: Wed, 25 Jul 2018 11:24:05 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator