Bug 153725

Summary: API url-escapes path components as query components
Product: [openSUSE] openSUSE.org Reporter: Forgotten User OS1JNCFbCX <forgotten_OS1JNCFbCX>
Component: BuildServiceAssignee: Andreas Bauer <abauer>
Status: RESOLVED FIXED QA Contact: Adrian Schröter <adrian.schroeter>
Severity: Normal    
Priority: P5 - None CC: bli, blin, jonharson, mls, suse-beta
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: SuSE Linux 10.1   
Whiteboard:
Found By: Beta-Customer Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Forgotten User OS1JNCFbCX 2006-02-27 16:47:32 UTC 
http://api.opensuse.org/result/robert/factory/ACE/x86_64/log claims:

-----------------------------------------------------------------
----- building ACE.spec (user abuild)
-----------------------------------------------------------------
-----------------------------------------------------------------
error: File /usr/src/packages/SOURCES/ACE-5.4.1+TAO-1.4.1+CIAO-0.4.1.tar.bz2: No such file or directory

But when you look at http://build.opensuse.org/package/show?project=robert&name=ACE you can see that it is there.

Escaping bug for '+'?
Comment 1 Michael Schröder 2006-02-27 17:05:22 UTC 
Yes, but in the frontend. The backend knows about:

<directory srcmd5="46f39383eb67358b62a47a22b9aaf95e" rev="6" name="ACE">
  <entry name="ACE.spec" md5="3f0866361d476fa628551ebf2acc82d9" />
  <entry name="ACE-5.3-reactors.diff" md5="21910687dcbb5ee770b5428e1496c619" />
  <entry name="ACE-5.4.1" md5="ea6d78fa667772bbab91f33a85d0e866" />
</directory>

So the api or the web UI has provided the backend with a wrong file name.
Comment 2 Forgotten User OS1JNCFbCX 2006-02-27 17:14:16 UTC 
Seems I was right with suspecting a escaping bug. Note that '+' is the escape sequence for a space.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Note that if you are not careful about handling this this might be usable for code injection attacks!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Comment 3 Klaas Freitag 2006-04-11 09:41:51 UTC 
This is fixed meanwile. Please check again, thanks.
Comment 4 Forgotten User OS1JNCFbCX 2006-04-11 10:13:09 UTC 
Hmm, does still not work. I changed the spec file to trigger a rebuild resulting in the very same error.
Comment 5 Michael Schröder 2006-04-11 10:27:14 UTC 
You probably need to upload the broken file again.
Comment 6 Forgotten User OS1JNCFbCX 2006-04-11 13:02:17 UTC 
No, even then the same error occurs.
Comment 7 Bernard Li 2006-05-23 07:07:03 UTC 
I uploaded earlier today a source tarball named "pvm3.4.5+4.tar.gz" and the web frontend thinks that it is "pvm3.4.5".  The build process fails because it could not find the file.  This is for the OSCAR project, you can check the logs there.  Thanks.
Comment 8 Kai Blin 2006-06-02 14:01:26 UTC 
Still fails for me, too. I've been trying to upload Atlas-C++-0.6.0.tar.bz2, and all that ever gets uploaded is Atlas-C. This happens when using the command line tool, too.
Comment 9 Jonathan Arsenault 2006-06-06 05:48:25 UTC 
*** Bug 181593 has been marked as a duplicate of this bug. ***
Comment 10 Peter Poeml 2006-06-06 10:44:57 UTC 
I added a workaround to the osc client.
Comment 11 Andreas Bauer 2006-06-06 11:06:03 UTC 
I added the workaround to the webclient. The real problem is a bug in the rails framework which escapes parts of the URL path as if they were in the query string.
Comment 12 Andreas Bauer 2006-10-26 13:58:35 UTC 
we patched rails to _not_ treat path elements as query parameters, so the workarounds aren't neccesary anymore.