www-infrastructure-issues mailing list archives

From "Sebb (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-5367) Apache mirror.cgi - does not recognize Preferred mirror URL ending with slash
Date Sat, 13 Oct 2012 01:03:03 GMT

    [ https://issues.apache.org/jira/browse/INFRA-5367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13475476#comment-13475476 ]

Sebb commented on INFRA-5367:
-----------------------------

@Steven: I think there are two issues being conflated here.

1) the behaviour of the script when selecting a mirror using the Preferred CGI parameter (pressing
the Change button)
AFAICT, this is the issue originally raised by the JIRA.

2) the behaviour of the script when creating the download URL from the selected [preferred]
mirror.
This is a secondary (but important) issue to make sure that the created URL cannot be accidentally
compromised.

As far as I can tell, both your original patch and mine would fix issue 1.

Given that the script already ensures that mirror paths end with /, entries in the drop-down
list will always have a trailing /
So pressing the Change button will pass a /-terminated URL as the Preferred parameter, which
can be compared directly with the entries in the mirror list.
To allow for using a Preferred URL without trailing slash, it seems to me the simplest is
to add a / if required, and then compare with the existing entries in the mirror list.

Issue 2) is already solved, because the mirror list always contains URLs with trailing /

This may result in creating URLs with // rather than /, but that does not seem to cause problems
with browsers; it just looks wrong.
Though I don't understand why this is not already happening, as the script I'm looking at
(on minotaur) seems to already do this:

  # The mirror URL already has a trailing slash. Avoid doubling it up.
  if path_info.startswith('/'):
    path_info = path_info[1:]

                
> Apache mirror.cgi - does not recognize Preferred mirror URL ending with slash
> -----------------------------------------------------------------------------
>
>                 Key: INFRA-5367
>                 URL: https://issues.apache.org/jira/browse/INFRA-5367
>             Project: Infrastructure
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Dists, Mirrors
>            Reporter: Steven J. Hathaway
>
> There is a BUG in the python script for:
>    http://www.apache.org/dyn/mirrors/mirrors.cgi
> that prevents web pages (i.e. XERCES mirror downloads) from specifying a specific mirror
> from a selection of mirrors.  This issue is also common to other Apache projects.
> The problem is that the list of mirrors is populated from the database file "mirrors.list"
> that have the URI's appended with a slash.  The python script that looks for a Preferred
> mirror expects the parameter to NOT HAVE an appended slash.
> It looks like the Apache mirror.cgi python script needs to be fixed.
> This code snip shows where the '/' is being mistreated.
> Here is the snip of code from Apache dyn/mirrors/mirrors.cgi that has the issue:
>   # Check if the requested Preferred mirror is in the list
>   # Note the user-requested mirror doesn't have a trailing-slash
>   prefmir = None
>   if preferred:
>     for mir in mirrors:
>       if mir[2][:-1] == preferred:
>         prefmir = mir
>         break
>   # Otherwise pick a preferred mirror from our country
> --
> This snip is from the Xerces page that creates a form to select a preferred mirror.
> This should allow the user to select a specific mirror for downloads.  The resulting GET
> method invokes the mirror.cgi with a URL that looks like:
>    "xerces.apache.org/mirrors.cgi&Preferred="the preferred mirror string/"
> Note that "the preferred mirror string/" is uri-encoded and ends with a slash.
> <p>You are currently using the <strong>[preferred]</strong> mirror.
> If you encounter a problem with this mirror, please select another mirror.
> If all mirrors are failing, there are <em>backup</em> mirrors
> (at the end of the mirrors list) that should be available.</p>
> <a name="SelectMirror"></a>
> <form action="[location]" method="get" id="SelectMirror">Other mirrors:
> <select name="Preferred">
> <!--[if-any http] [for http]--><option selected="selected"
> value="[http]">[http]</option>
> <!--[end] [end]-->
> <!--[if-any ftp] [for ftp]--><option value="[ftp]">[ftp]</option>
> <!--[end] [end]-->
> <!--[if-any backup] [for backup]--><option value="[backup]">[backup]
> (backup)</option>
> <!--[end] [end]--></select> <input value="Change" type="submit">
> </form>
> --
> Sincerely,
> Steven J. Hathaway

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
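
Added example, not part of the original message and not the mirrors.cgi source: a sketch of the approach described in the comment above, where the Preferred parameter gets a trailing / added if needed, is matched exactly against the mirror list, and only a list entry is ever used to build the download URL. The mirror entries, the tuple fields other than mir[2], the function names and the fall-back to the first mirror are assumptions made for illustration.

```python
# Added example, not the mirrors.cgi source. The tuple layout is assumed from
# the quoted snippet, where mir[2] holds the mirror URL.
MIRRORS = [  # constructed sample entries; every URL ends with '/'
    ("http", "us", "http://mirror.example.org/apache/"),
    ("http", "de", "http://mirror.example.net/pub/apache/"),
    ("ftp", "us", "ftp://ftp.example.org/apache/"),
]


def select_preferred(preferred, mirrors):
    """Return the mirror entry matching the Preferred parameter, or None.

    The parameter is request input, so it is used only as a lookup key
    against the known list; the supplied string itself never reaches the URL.
    """
    if not preferred:
        return None
    # Accept both forms: add the trailing slash if the caller omitted it.
    wanted = preferred if preferred.endswith("/") else preferred + "/"
    for mir in mirrors:
        if mir[2] == wanted:  # exact match against list entries only
            return mir
    return None


def download_url(mirror, path_info):
    """Join a mirror URL (ending in '/') and a path without doubling '/'."""
    if path_info.startswith("/"):
        path_info = path_info[1:]
    return mirror[2] + path_info


def resolve(preferred, path_info, mirrors=MIRRORS):
    """Use the preferred mirror if it is listed, else the first entry
    (assumed fall-back; the real script selects by country)."""
    mirror = select_preferred(preferred, mirrors) or mirrors[0]
    return download_url(mirror, path_info)
```

Because the URL is always built from the matched list entry, a Preferred value that is not in the list changes nothing about where the download link points.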
