Snapshot URLs can conflict with two similar but unique tags
Juuso Lapinlampi
wub at partyvan.eu
Mon May 23 06:57:33 CEST 2016
Steps to reproduce bug:
Create a repository with two tags, one prefixed with "v"-character and
one without. These tags should reference two unique SHA-1 objects.
For the sake of argument and following along, I will use an existing
repository as the example in what follows to reproduce the issue.
$ git clone https://git.pantsu.cat/pantsu/pomf/
Cloning into 'pomf'...
Checking connectivity... done.
$ cd pomf/
$ git tag | grep "1.0.0$"
1.0.0
v1.0.0
$ git log --oneline --decorate -n 1 1.0.0
7f9d1cb (tag: 1.0.0) Add package.json and Gruntfile.js
$ git log --oneline --decorate -n 1 v1.0.0
687b1be (tag: v1.0.0) Merge branch 'nuck-dev'
Setup cgit with this repository.
Configure the `snapshots` option in `cgitrc` for at least one supported
snapshot file format (e.g. `.tar`, `.zip`) to enable snapshots.
# Allow download of tar.gz, tar.bz2 and zip-files
snapshots=tar.gz tar.xz zip
Open a browser and go to `$schema://$cgit_uri/$repository/` (example:
[1]). Look for a snapshot URL on the index page or in tag detail page at
/$repository/tag/?h=$tag.
Expected behavior:
(git.pantsu.cat is used as an example.)
In a somewhat simplified version, the HTML index document may be
expected to look like:
Tag Download
[...]
v1.0.0 pomf-v1.0.0.zip pomf-v1.0.0.tar.gz pomf-v1.0.0.tar.xz
[...]
1.0.0 pomf-1.0.0.zip pomf-1.0.0.tar.gz pomf-1.0.0.tar.xz
In a somewhat simplified version, the HTML tag detail document may be
expected to look like the following example for tag v1.0.0:
download pomf-v1.0.0.zip
pomf-v1.0.0.tar.gz
pomf-v1.0.0.tar.xz
In the example, the download URL for the 1.0.0 .zip snapshot is expected
to be found at one or more of the following unique locations (adapt for
other file extensions):
https://git.pantsu.cat/pantsu/pomf/snapshot/1.0.0/pomf-1.0.0.zip
https://git.pantsu.cat/pantsu/pomf/snapshot/pomf-1.0.0.zip
In the example, the download URL for the v1.0.0 .zip snapshot is expected
to be found at one or more of the following unique locations (adapt for
other file extensions):
https://git.pantsu.cat/pantsu/pomf/snapshot/v1.0.0/pomf-1.0.0.zip
https://git.pantsu.cat/pantsu/pomf/snapshot/pomf-v1.0.0.zip
The contents of both snapshots when extracted are expected to match
those of v1.0.0 and 1.0.0 tags, respectively.
The /$repository/snapshot/$tag/$project-$version.$ext syntax is a
suggested enhancement to resolve the issue while keeping traditional
file names without the "v"-prefix, if such functionality is desired.
Actual behavior:
(git.pantsu.cat is used as an example.)
In a somewhat simplified version, the HTML document actually looks like:
Tag Download
[...]
v1.0.0 pomf-1.0.0.zip pomf-1.0.0.tar.gz pomf-1.0.0.tar.xz
[...]
1.0.0 pomf-1.0.0.zip pomf-1.0.0.tar.gz pomf-1.0.0.tar.xz
In a somewhat simplified version, the HTML tag detail document for tag
v1.0.0 actually looks like:
download pomf-1.0.0.zip
pomf-1.0.0.tar.gz
pomf-1.0.0.tar.xz
In the example, the .zip snapshot for tag 1.0.0 is hyperlinked to the
following URL (adapt for other file extensions):
https://git.pantsu.cat/pantsu/pomf/snapshot/pomf-1.0.0.zip
In the example, the .zip snapshot for tag v1.0.0 is hyperlinked to the
same URL as 1.0.0 (adapt for other file extensions):
https://git.pantsu.cat/pantsu/pomf/snapshot/pomf-1.0.0.zip
The contents of the snapshot downloaded from the v1.0.0 tag hyperlink,
when extracted, match those of the 1.0.0 tag.
In other words, cgit knows of a snapshot named pomf-v1.0.0.zip (or the
alternative configured snapshot extension) and will happily serve it
correctly when requested, but never links to it.
Version number:
cgit v0.12
Operating system:
CentOS 7
Notes:
The "Pro Git" book by Scott Chacon and Ben Straub suggests prefixing
tags with "v".[2] git.git follows this convention.[3]
[1]: https://git.pantsu.cat/pantsu/pomf/
[2]: https://git-scm.com/book/en/v2/Git-Basics-Tagging
[3]: https://git.kernel.org/cgit/git/git.git/refs/tags
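As an added example, not part of this report or of cgit's own code, the following Python models the file-name rule the report observes (a leading "v" is dropped from the tag when the snapshot file name is built; that it is dropped only when a digit follows is an assumption), flags tags whose advertised snapshot links collide, and builds the /snapshot/$tag/$project-$version.$ext form suggested above. The tag list is constructed to mirror the pomf repository in the report.

```python
import re
from collections import defaultdict

# Assumption: the leading "v" is dropped only when a digit follows it,
# so a tag such as "vendor" keeps its name.
_V_PREFIX = re.compile(r"^v(?=\d)")


def snapshot_filename(project: str, tag: str, ext: str) -> str:
    """File name cgit advertises for a tag's snapshot (observed behaviour)."""
    version = _V_PREFIX.sub("", tag)
    return f"{project}-{version}.{ext}"


def find_snapshot_collisions(project: str, tags, ext: str = "zip") -> dict:
    """Map each advertised file name that more than one tag resolves to
    onto the list of those tags, so ambiguous download links stand out."""
    by_name = defaultdict(list)
    for tag in tags:
        by_name[snapshot_filename(project, tag, ext)].append(tag)
    return {name: tgs for name, tgs in by_name.items() if len(tgs) > 1}


def unambiguous_snapshot_url(base_url: str, project: str, tag: str,
                             ext: str = "zip") -> str:
    """URL in the form the report suggests:
    $base/snapshot/$tag/$project-$version.$ext. Keeping the full tag in
    the path makes the link unique even when the file name drops the "v"."""
    name = snapshot_filename(project, tag, ext)
    return f"{base_url.rstrip('/')}/snapshot/{tag}/{name}"


if __name__ == "__main__":
    # Constructed sample tag list mirroring the pomf repository in the report.
    tags = ["v1.0.0", "1.0.0", "v1.1.0", "v2.0.0"]
    for name, tgs in find_snapshot_collisions("pomf", tags).items():
        print(f"{name} is linked for tags {', '.join(tgs)}")
    print(unambiguous_snapshot_url("https://git.pantsu.cat/pantsu/pomf",
                                   "pomf", "v1.0.0"))
```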