From patchwork Sun Jan  6 23:56:04 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eli Schwartz <eschwartz@archlinux.org>
X-Patchwork-Id: 921
Return-Path: <aur-dev-bounces@archlinux.org>
Delivered-To: patchwork@archlinux.org
Received: from apollo.archlinux.org (localhost [127.0.0.1])
	by apollo.archlinux.org (Postfix) with ESMTP id AD1FCA50073D
	for <patchwork@archlinux.org>; Sun,  6 Jan 2019 23:56:25 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on apollo
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00=-1,
	DKIMWL_WL_HIGH=-2.372,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,
	DKIM_VALID_AU=-0.1,MAILING_LIST_MULTI=-1,RCVD_IN_DNSWL_MED=-2.3
	autolearn=ham autolearn_force=no version=3.4.2
X-Spam-BL-Results: <dns:211.161.199.68.dnsbl.sorbs.net> [127.0.0.10]
	<dns:1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.8.0.6.0.6.1.0.8.f.4.0.1.0.a.2.list.dnswl.org>
 [127.0.9.2]
	<dns:211.161.199.68.zen.spamhaus.org> [127.0.0.10]
Received: from orion.archlinux.org (orion.archlinux.org
 [IPv6:2a01:4f8:160:6087::1])
	by apollo.archlinux.org (Postfix) with ESMTPS
	for <patchwork@archlinux.org>; Sun,  6 Jan 2019 23:56:25 +0000 (UTC)
Received: from orion.archlinux.org (localhost [127.0.0.1])
	by orion.archlinux.org (Postfix) with ESMTP id 6C883FD241F9E;
	Sun,  6 Jan 2019 23:56:24 +0000 (UTC)
Received: from luna.archlinux.org (luna.archlinux.org
 [IPv6:2a01:4f8:160:3033::2])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by orion.archlinux.org (Postfix) with ESMTPS;
	Sun,  6 Jan 2019 23:56:24 +0000 (UTC)
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
	by luna.archlinux.org (Postfix) with ESMTP id 53010207A3;
	Sun,  6 Jan 2019 23:56:24 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=archlinux.org;
	s=luna2; t=1546818984;
	bh=xQ2+Jrq57RcbYaLfQhH7CnpCipGd/PjFzYfN045Ky/w=;
	h=From:To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:
	 List-Post:List-Help:List-Subscribe;
	b=Bb+vH4y/zdgrZKR2cjDFO/8ucNQqjkKs5Q/E23XWWOy+z/8WjLaEJiIkDoW6BCH1s
	 d1NFUWGFN66BbldYq6K/a3lmcL9FgLHVr0wy4vO64x9EixMd8lhfVQERpfT6dXfuWX
	 Ln+ShbtKd0GgNLVufAMM6P8WQLyHJ6IqJJv249c5GGfL/G/Omv0LcXp2B1pexaXuiw
	 G6D0Gw1MTkWos4BHIxne3YB5W8viD4HMqPnp08d67fppBKG7157aFHj3y77KtEnw3a
	 tQs+LIwq3XWVjNHU/jMU9FDpGNo51NJhhvOcHjRMUxllYZM/hBE+/Y1+cSmw1rquAT
	 X6nw+y+7pYcHAAtDBElESNDCyzh9HDTEzjqmsaCqgmfChxz43DPx6YyZNFh3GuB/QY
	 VH6diPrppiM+nSpBeLhbzVOZoMiY+pdW2Jr+P/X1XXOiGMs63spxFrgSCGzFxS7S6O
	 S5vijwBtj6BcCsvviFix7hHXuZomKSnH0j017tu1aosQk+IjPYzxf32l8hHHHjkoFu
	 QPsyehjcNbcfkZ08vRUc4az5nHQupVJGxKlCmfmUPnWZyF6t8AGGmLN851ItWMzycX
	 1H5qeim3dFm2YnZq8651dh4fqrm5t/HsBypq0+zc9q5AbJGdhdcRtAq8p77YmytVgG
	 QCx/u/GgyIISneb9TH/Z+2lU=
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
 by luna.archlinux.org (Postfix) with ESMTP id C4EE620795
 for <aur-dev@lists.archlinux.org>; Sun,  6 Jan 2019 23:56:22 +0000 (UTC)
Received: from orion.archlinux.org (orion.archlinux.org [88.198.91.70])
 by luna.archlinux.org (Postfix) with ESMTPS
 for <aur-dev@lists.archlinux.org>; Sun,  6 Jan 2019 23:56:22 +0000 (UTC)
Received: from orion.archlinux.org (localhost [127.0.0.1])
 by orion.archlinux.org (Postfix) with ESMTP id 6FBC8FD241F9B;
 Sun,  6 Jan 2019 23:56:21 +0000 (UTC)
Received: from didactylos.localdomain (ool-44c7a1d3.dyn.optonline.net
 [68.199.161.211])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits))
 (No client certificate requested) (Authenticated sender: eschwartz)
 by orion.archlinux.org (Postfix) with ESMTPSA id EC020FD241F9A;
 Sun,  6 Jan 2019 23:56:20 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=archlinux.org;
 s=orion; t=1546818981;
 bh=xQ2+Jrq57RcbYaLfQhH7CnpCipGd/PjFzYfN045Ky/w=;
 h=From:To:Subject:Date;
 b=KHD5Zm5s1dmNMJAJgth6t8nHAQDZ3r7xwXFdy9uHmbfUhuh5wBEaolwpf+NVmQGeL
 wbj+s6tFR+2XBaYnNS9oofGCdi6/zpB4cHFRqP5xi7+O94v1e4ZuXT289KK6R91srQ
 GRFKCEeZu6cm43LortIGARrTBeHYATPlMDD0mHID2/OxeaKMbxTvcP8ALgSsE26wWt
 soYEWoIGkD+8cz4ioxXcD17cNnfCO9F+nk8Ttvccry7qHF152vAbh0gEai30cOu3Gw
 H0pLATkt+oSi3ONwfJgZHPraMHqBHylxOg+r4Lqgeg0jCXgCcI20LR31cx+AhKBtzK
 nFXwmrgMmqDbAObCKjTPMpc3gqNNChCGbBzWxmK6IJuRHWhW66s+PT+Xz0y1LDwKfa
 KY6hNdwOZ0ZS+1qYKMlgOurZcCecicK0C4k3sywr6tm4JyzXmz7WqyTWgIWNA8DoJp
 kT69V349pcUzqzbixWB8+iHSco5Ef+PhCVxEtJYo+9qPbAJdZLTfM7CIdEujXfBFDj
 3jVJcaUnEzB9HWNJaa/QV05J9D0tCCiKo4zWHQktamKUnkrNCbAh0z1+JN2KQ1Fb60
 PFALnV4qvpEizIAE9cEyNFhDdoKE6UXK4PzSz8Xfh2S7/tYpYuzxxUyByuVEUClj6p
 B39ZmXDLdH7Xo97GGA9PzJAY=
From: Eli Schwartz <eschwartz@archlinux.org>
To: aur-dev@archlinux.org
Subject: [aur-dev][PATCH] Correctly handle package sources which do not
 validate as an url
Date: Sun,  6 Jan 2019 18:56:04 -0500
Message-Id: <20190106235605.22167-1-eschwartz@archlinux.org>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
X-BeenThere: aur-dev@archlinux.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Arch User Repository \(AUR\) Development" <aur-dev.archlinux.org>
List-Unsubscribe: <https://lists.archlinux.org/options/aur-dev>,
 <mailto:aur-dev-request@archlinux.org?subject=unsubscribe>
List-Archive: <https://lists.archlinux.org/pipermail/aur-dev/>
List-Post: <mailto:aur-dev@archlinux.org>
List-Help: <mailto:aur-dev-request@archlinux.org?subject=help>
List-Subscribe: <https://lists.archlinux.org/listinfo/aur-dev>,
 <mailto:aur-dev-request@archlinux.org?subject=subscribe>
Errors-To: aur-dev-bounces@archlinux.org
Sender: "aur-dev" <aur-dev-bounces@archlinux.org>

php's parse_url does not handle proper rfc3986 URIs, specifically, it
does not handle the case of an empty authority such as file:/// or
local:/// and only handles the case of file by applying a special case
for file itself. These URIs are deemed "malformed" and return false.

When such URIs were used, we would end up always treating the package
source as a filename (despite that this is incorrect, since plain files
will be correctly handled by parse_url, we will correctly determine that
there is no schema, and we will go to the source_file_uri).

Instead, handle the case of a "malformed" URI by treating it as another
example of a source with a schema, and linking it as-is.

See https://lists.archlinux.org/pipermail/aur-general/2019-January/034782.html
for details.

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
---

This fixes the case of local:///, but are there other cases where php
would claim a malformed url where we would actually want to link to
cgit?

Should we just be dumb like makepkg and git/update.py, and check if it
has the string literal '://'? Given the other two places where a source
url might be handled don't even make a pretense of being proper rfc3986
parsers, this would at least mean we're highly consistent in our
behavior.

 web/lib/pkgfuncs.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php
index ced1f8e..126b5c3 100644
--- a/web/lib/pkgfuncs.inc.php
+++ b/web/lib/pkgfuncs.inc.php
@@ -481,7 +481,7 @@ function pkg_source_link($url, $arch, $package) {
 	$url = explode('::', $url);
 	$parsed_url = parse_url($url[0]);
 
-	if (isset($parsed_url['scheme']) || isset($url[1])) {
+	if ($parsed_url === false || isset($parsed_url['scheme']) || isset($url[1])) {
 		$link = '<a href="' .  htmlspecialchars((isset($url[1]) ? $url[1] : $url[0]), ENT_QUOTES) . '">' . htmlspecialchars($url[0]) . '</a>';
 	} else {
 		$file_url = sprintf(config_get('options', 'source_file_uri'), htmlspecialchars($url[0]), $package);