GNU bug report logs - #22311
25.1.50; package.el misused (read-from-string) will potentially cause "elpa/archives/xxx/archive-contents" file malformed

Previous Next

Package: emacs;

Reported by: Tao Fang <fangtao0901 <at> gmail.com>

Date: Tue, 5 Jan 2016 15:35:02 UTC

Severity: normal

Tags: fixed, patch

Found in version 25.1.50

Fixed in version 26.2

Done: Noam Postavsky <npostavs <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Tao Fang <fangtao0901 <at> gmail.com>
To: bug-gnu-emacs <at> gnu.org
Subject: 25.1.50; package.el misused (read-from-string) will potentially cause
 "elpa/archives/xxx/archive-contents" file malformed
Date: Tue, 05 Jan 2016 23:33:45 +0800

Hi, all
  There is a misused function read-from-string in package.el L1485:

  1472	(defun package--download-one-archive (archive file &optional async)
  1473	  "Retrieve an archive file FILE from ARCHIVE, and cache it.
  1474	ARCHIVE should be a cons cell of the form (NAME . LOCATION),
  1475	similar to an entry in `package-alist'.  Save the cached copy to
  1476	\"archives/NAME/FILE\" in `package-user-dir'."
  1477	  (package--with-response-buffer (cdr archive) :file file
  1478	    :async async
  1479	    :error-form (package--update-downloads-in-progress archive)
  1480	    (let* ((location (cdr archive))
  1481	           (name (car archive))
  1482	           (content (buffer-string))
  1483	           (dir (expand-file-name (format "archives/%s" name) package-user-dir))
  1484	           (local-file (expand-file-name file dir)))
  1485	      (when (listp (read-from-string content))
  1486	        (make-directory dir t)
  1487	        (if (or (not package-check-signature)

listp checks return value of (read-from-string content) to make sure we
get file content with correct format, but as its doc says:
"
(read-from-string STRING &optional START END)

Read one Lisp expression which is represented as text by STRING.
Returns a cons: (OBJECT-READ . FINAL-STRING-INDEX).
"
(listp (read-from-string content)) will always return t, if archive-contents file download
finished with malformed content (e.g. error message return from proxy
server), it will be parsed and saved by mistake.

Simply replace (read-from-string) with (read) would resolve this, I think.
This bug report was last modified 7 years and 27 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.