ChiliProject is not maintained anymore. Please be advised that there will be no more updates.
We do not recommend that you setup new ChiliProject instances and we urge all existing users to migrate their data to a maintained system, e.g. Redmine. We will provide a migration script later. In the meantime, you can use the instructions by Christian Daehn.
Reposman.rb does not consider underscore to be valid char for a project identifier (Bug #270)
Description
As of 9ed2d8ed, Project identifiers can contain underscores.
Reposman.rb has it's own validity check for project identifiers which does not yet include underscores. With the current codebase it is hence impossible for Projects with underscores in their identifier to have a repository created for them.
I have created a patch for this and will attach a pull request.
Associated revisions
[#270] bugfix: considering underscore a valid match in project identifier
[#270] bugfix: considering underscore a valid match in project identifier
History
Updated by Jens Ulferts at 2011-03-10 11:12 am
This pull request contains the changes necessary to fix the issue:
https://github.com/chiliproject/chiliproject/pull/20
It consists of two commits. The first simply adds the underscore to the regex against which the identifier is matched. The second removes the whole validation alltogether. I consider the validation unnecessary as Reposman fetches all projects from the DB and does not alter them before the validation. Hence the identifier must already be valid and a revalidation is not needed.
As there might be some side affects I am not aware of, please consider both commits and pick the preferred.
- Target version set to 1.2.0
- Status changed from Open to Ready for review
Updated by Felix Schäfer at 2011-03-14 09:00 am
I don't see a need to recheck the project identifiers as they are already checked before being written to the DB. Furthermore, the paths are constructed using the ruby built-in File
, so there should be no problem with "funny characters" should we extend the allowed character space later on.
Holger, Eric: could one of you have a quick look and confirm we can completely remove the checks for identifier presence and well-formedness?
Updated by Holger Just at 2011-03-14 10:19 am
I already talked to Jens about this. I pretty sure we are save here, as the repo names are returned from the ChiliProject. So we should be save if we trust the ChiliProject instance to not lie to us.
However, (and that just occurred to me) we should probably check the path nevertheless, in case the ChiliProjet instance is not telling the truth. This could be achieved with something like the following snippet which protects us against path traversal attacks. The rest should already be handled by the rest of the checks. This snippet saves us from having to hardcode the check regex again.
1require 'pathname'
2unless Pathname.new(repos_path).cleanpath.to_s.start_with? $repos_base
3 log("\tinvalid identifier for project #{project.name} : #{project.identifier}");
4 next;
5end
Updated by Eric Davis at 2011-03-14 09:15 pm
Holger Just wrote:
However, (and that just occurred to me) we should probably check the path nevertheless, in case the ChiliProjet instance is not telling the truth.
+1, that was my first thought last week (though I guess I never posted it ;)). If someone changes identifiers in the database, it bypasses our validations and could cause reposman.rb to cause some havoc.
Another option is to have the server check that each project is valid before sending data to reposman.rb. That would keep the logic in the server and will let reposman.rb become more of a dumb client.
Updated by Gregor Schmidt at 2011-03-18 09:22 am
Chili 1.2 is due by the end of next week. This is a bug, that can be easily fixed. While there seems to be uncertainty about the future workings of repository integration in Chili, I think we should, at first, just fix this bug.
I propose to use https://github.com/ulferts/chiliproject/commit/8f839e1a7217990d857c22043812d69d796c3ac8 since it has the littlest impact and should therefor cause no unforeseen side effects.
A rework/refactoring/redesign of repository integration should not be part of a minor release. Perhaps, we should talk about that topic in the forums.
Updated by Eric Davis at 2011-03-18 11:56 pm
Gregor:
I agree, 8f839e1 looks fine (other than whitespace issues). Removing the check has too many risks which need further discussion and can happen in the Forums.
I'll merge this weekend.
- Assignee set to Eric Davis
Updated by Eric Davis at 2011-03-19 07:46 pm
I merged 8f839e1 into master and unstable. We need to have more discussion about removing the validation (9a679d4).
- Status changed from Ready for review to Closed