GNU bug report logs - #22311
25.1.50; package.el misused (read-from-string) will potentially cause "elpa/archives/xxx/archive-contents" file malformed
Reported by: Tao Fang <fangtao0901 <at> gmail.com>
Date: Tue, 5 Jan 2016 15:35:02 UTC
Severity: normal
Tags: fixed, patch
Found in version 25.1.50
Fixed in version 26.2
Done: Noam Postavsky <npostavs <at> gmail.com>
Bug is archived. No further changes may be made.
tags 22311 + patch
quit
Tao Fang <fangtao0901 <at> gmail.com> writes:
> There is a misused function read-from-string in package.el L1485:
>
> 1472 (defun package--download-one-archive (archive file &optional async)
> 1485 (when (listp (read-from-string content))
> (listp (read-from-string content)) will always return t; if the archive-contents file download
> finishes with malformed content (e.g. an error message returned from a proxy
> server), it will be parsed and saved by mistake.
>
> Simply replace (read-from-string) with (read) would resolve this, I think.
Right, seems it's a regression in 25.1. So I think the patch below
should go to emacs-26.
[0001-Detect-a-non-list-package-archive-content-properly-B.patch (text/x-diff, inline)]
From 1ef28a6ba81120c13135e28b32c8ae6e20c4a219 Mon Sep 17 00:00:00 2001
From: Noam Postavsky <npostavs <at> gmail.com>
Date: Sat, 16 Jun 2018 18:59:43 -0400
Subject: [PATCH] Detect a non-list package archive content properly
(Bug#22311)
* lisp/emacs-lisp/package.el (package--download-one-archive): Use
`read' instead of `read-from-string'; the latter always returns a
cons, so the `listp' check on its return value doesn't make sense. It
was changed from `read' to `read-from-string' in 2015-04-01 "*
emacs-lisp/package.el: Implement asynchronous refreshing", but that
change was not needed because `read' works fine on strings as well as
buffers.
---
lisp/emacs-lisp/package.el | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lisp/emacs-lisp/package.el b/lisp/emacs-lisp/package.el
index c56502236e..576a9bc7e7 100644
--- a/lisp/emacs-lisp/package.el
+++ b/lisp/emacs-lisp/package.el
@@ -1532,7 +1532,7 @@ package--download-one-archive
(content (buffer-string))
(dir (expand-file-name (format "archives/%s" name) package-user-dir))
(local-file (expand-file-name file dir)))
- (when (listp (read-from-string content))
+ (when (listp (read content))
(make-directory dir t)
(if (or (not package-check-signature)
(member name package-unsigned-archives))
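Review bot: On the `(when (listp (read content))` line, `read` signals an error (for example `end-of-file` on an empty or truncated body) instead of returning a non-list, and nothing in the visible lines catches it; consider wrapping the read in `condition-case` so a truncated download is handled the same way as any other malformed archive. `listp` also accepts `nil` and only the first form in `content` is examined, so a body that reads as `nil`, or a list followed by stray text, still passes; `consp` plus a check that nothing but whitespace follows would be stricter. Nothing visible here reports a rejected download to the user, and the diffstat shows only package.el changed, so a message naming the archive and a regression test feeding a non-list string would both be worth adding.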
--
2.11.0
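The difference between the two checks discussed in this report, as an added example that is not part of the original messages or of package.el: it runs the reported check, the patched check, and a stricter variant over a few download bodies. All `demo-` names and the sample strings are constructed for illustration, and the strict variant goes beyond what the patch does.

```elisp
;;; Added example: names prefixed `demo-' and all sample strings are
;;; constructed for illustration; none of this is package.el code.

(defun demo-old-check (content)
  "The check from the report: `listp' applied to the (OBJECT . INDEX) cons."
  (listp (read-from-string content)))

(defun demo-patched-check (content)
  "The check from the patch: `listp' applied to the object `read' returns."
  (listp (read content)))

(defun demo-strict-check (content)
  "Non-nil only if CONTENT is one non-empty list and nothing else.
This goes beyond the patch: nil and trailing text are rejected."
  (let* ((parsed (read-from-string content))
         (form (car parsed))            ; the object that was read
         (end (cdr parsed)))            ; index where the reader stopped
    (and (consp form)
         ;; Only whitespace may follow the first form.
         (not (string-match-p "[^ \t\r\n]" content end)))))

(defun demo-run (check content)
  "Call CHECK on CONTENT; return t, nil, or the symbol of a reader error."
  (condition-case err
      (and (funcall check content) t)
    (error (car err))))

(defconst demo-samples
  '(("archive"   . "(1 (foo . [(1 0) nil \"Sample package\" single]))")
    ("proxy"     . "<html><body>407 Proxy Authentication Required</body></html>")
    ("truncated" . "(1 (foo . [(1 0) nil")
    ("empty"     . "")
    ("trailing"  . "(1) <html>error</html>"))
  "Constructed download bodies, keyed by a short label.")

;; Print one row per sample so the three checks can be compared.
(dolist (sample demo-samples)
  (message "%-10s old=%-12s patched=%-12s strict=%s"
           (car sample)
           (demo-run #'demo-old-check (cdr sample))
           (demo-run #'demo-patched-check (cdr sample))
           (demo-run #'demo-strict-check (cdr sample))))
```

Run it with `emacs --batch -l` on a file containing the block; the rows for the proxy and truncated bodies show where the reported check accepts non-list content and where the reader signals instead of returning.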
This bug report was last modified 7 years and 27 days ago.