From: wub at partyvan.eu (Juuso Lapinlampi)
Date: Mon, 23 May 2016 04:57:33 +0000
Subject: Snapshot URLs can conflict with two similar but unique tags
Message-ID: <20160523045733.GA2784@partyvan.eu>

Steps to reproduce bug:

Create a repository with two tags, one prefixed with the "v"-character and one
without. These tags should reference two unique SHA-1 objects. For the sake of
argument and following along, I will use an existing repository as the
following example to reproduce the issue.

    $ git clone https://git.pantsu.cat/pantsu/pomf/
    Cloning into 'pomf'...
    Checking connectivity... done.
    $ cd pomf/
    $ git tag | grep "1.0.0$"
    1.0.0
    v1.0.0
    $ git log --oneline --decorate -n 1 1.0.0
    7f9d1cb (tag: 1.0.0) Add package.json and Gruntfile.js
    $ git log --oneline --decorate -n 1 v1.0.0
    687b1be (tag: v1.0.0) Merge branch 'nuck-dev'

Set up cgit with this repository. Configure the `snapshots` option in `cgitrc`
for at least one supported snapshot file format (e.g. `.tar`, `.zip`) to
enable snapshots.

    # Allow download of tar.gz, tar.bz2 and zip-files
    snapshots=tar.gz tar.xz zip

Open a browser and go to `$schema://$cgit_uri/$repository/` (example: [1]).
Look for a snapshot URL on the index page or in the tag detail page at
/$repository/tag/?h=$tag.

Expected behavior:

(git.pantsu.cat is used as an example.)

In a somewhat simplified version, the HTML index document may be expected to
look like:

    Tag     Download
    [...]
    v1.0.0  pomf-v1.0.0.zip  pomf-v1.0.0.tar.gz  pomf-v1.0.0.tar.xz
    [...]
    1.0.0   pomf-1.0.0.zip   pomf-1.0.0.tar.gz   pomf-1.0.0.tar.xz

In a somewhat simplified version, the HTML tag detail document may be expected
to look like the following example for tag v1.0.0:

    download
    pomf-v1.0.0.zip  pomf-v1.0.0.tar.gz  pomf-v1.0.0.tar.xz

In the example, the download URL for the 1.0.0 .zip snapshot is expected to be
found at one or more of the following unique locations (adapt for other file
extensions):

    https://git.pantsu.cat/pantsu/pomf/snapshot/1.0.0/pomf-1.0.0.zip
    https://git.pantsu.cat/pantsu/pomf/snapshot/pomf-1.0.0.zip

In the example, the download URL for the v1.0.0 .zip snapshot is expected to be
found at one or more of the following unique locations (adapt for other file
extensions):

    https://git.pantsu.cat/pantsu/pomf/snapshot/v1.0.0/pomf-1.0.0.zip
    https://git.pantsu.cat/pantsu/pomf/snapshot/pomf-v1.0.0.zip

The contents of both snapshots when extracted are expected to match those of
the v1.0.0 and 1.0.0 tags, respectively.

The /$repository/snapshot/$tag/$project-$version.$ext syntax is a suggested
enhancement to resolve the issue while keeping traditional file names without
the "v"-prefix, if such functionality is desired.

Actual behavior:

(git.pantsu.cat is used as an example.)

In a somewhat simplified version, the HTML document actually looks like:

    Tag     Download
    [...]
    v1.0.0  pomf-1.0.0.zip  pomf-1.0.0.tar.gz  pomf-1.0.0.tar.xz
    [...]
    1.0.0   pomf-1.0.0.zip  pomf-1.0.0.tar.gz  pomf-1.0.0.tar.xz

In a somewhat simplified version, the HTML tag detail document for tag v1.0.0
actually looks like:

    download
    pomf-1.0.0.zip  pomf-1.0.0.tar.gz  pomf-1.0.0.tar.xz

In the example, the .zip snapshot for tag 1.0.0 is hyperlinked to the following
URL (adapt for other file extensions):

    https://git.pantsu.cat/pantsu/pomf/snapshot/pomf-1.0.0.zip

In the example, the .zip snapshot for tag v1.0.0 is hyperlinked to the same URL
as 1.0.0 (adapt for other file extensions):

    https://git.pantsu.cat/pantsu/pomf/snapshot/pomf-1.0.0.zip

The contents of the snapshot downloaded from the v1.0.0 tag hyperlink, when
extracted, match those of the 1.0.0 tag.

In other words, cgit knows of a snapshot named pomf-v1.0.0.zip (or an
alternative configured snapshot extension) and will happily serve it correctly
when requested, but never links to it.

Version number: cgit v0.12

Operating system: CentOS 7

Notes:

The "Pro Git" book by Scott Chacon and Ben Straub suggests prefixing tags with
"v".[2] git.git follows this convention.[3]

[1]: https://git.pantsu.cat/pantsu/pomf/
[2]: https://git-scm.com/book/en/v2/Git-Basics-Tagging
[3]: https://git.kernel.org/cgit/git/git.git/refs/tags
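The collision the report describes is easy to audit for locally before users download the wrong release. The following Python script is an added example, not part of the report or of cgit: it models the name derivation the report observes (a leading "v" dropped when a digit follows it, so 1.0.0 and v1.0.0 both yield "pomf-1.0.0"), scans `git tag` output for tag pairs that would share one snapshot link, and builds the /$repository/snapshot/$tag/$project-$version.$ext URL the report proposes as the disambiguating form. The stripping rule is an assumption taken from the report's output rather than from cgit's source, and the tag list is constructed for the example.

```python
import re
from collections import defaultdict

# Tag list as `git tag` would print it; constructed for this example, with the
# 1.0.0 / v1.0.0 pair from the report plus a few non-colliding shapes.
SAMPLE_GIT_TAG_OUTPUT = """\
0.9.0
1.0.0
v1.0.0
v1.1.0
version-2
v2
"""


def snapshot_basename(repo_basename, ref):
    """Derive the snapshot file base name (without extension).

    Models the behaviour observed in the report: a leading "v" is dropped
    from the ref when a digit follows it, so tags 1.0.0 and v1.0.0 both
    become "pomf-1.0.0". The rule is an assumption about cgit 0.12 taken
    from the report's output, not cgit's own code.
    """
    if re.match(r"[vV]\d", ref):
        ref = ref[1:]
    return f"{repo_basename}-{ref}"


def parse_git_tag_output(text):
    """Turn `git tag` output into a list of tag names, ignoring blank lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def find_snapshot_collisions(repo_basename, tags):
    """Map each colliding snapshot base name to the sorted tags producing it.

    Only names claimed by more than one tag are returned, so an empty dict
    means every tag gets a distinct snapshot link.
    """
    by_name = defaultdict(list)
    for tag in tags:
        by_name[snapshot_basename(repo_basename, tag)].append(tag)
    return {name: sorted(refs) for name, refs in by_name.items() if len(refs) > 1}


def unique_snapshot_url(repo_url, repo_basename, ref, ext):
    """Build the /$repository/snapshot/$tag/$project-$version.$ext URL the
    report proposes: the unstripped tag in the path keeps the URL unique while
    the file name keeps the traditional form without the "v" prefix."""
    return f"{repo_url.rstrip('/')}/snapshot/{ref}/{snapshot_basename(repo_basename, ref)}.{ext}"


def report(repo_url, repo_basename, git_tag_output, exts=("zip", "tar.gz", "tar.xz")):
    """Print colliding tags and the unique URLs that would disambiguate them."""
    collisions = find_snapshot_collisions(repo_basename, parse_git_tag_output(git_tag_output))
    for name, refs in sorted(collisions.items()):
        print(f"{name}: tags {', '.join(refs)} would share one snapshot link")
        for ref in refs:
            for ext in exts:
                print("   ", unique_snapshot_url(repo_url, repo_basename, ref, ext))
    return collisions


if __name__ == "__main__":
    report("https://git.pantsu.cat/pantsu/pomf/", "pomf", SAMPLE_GIT_TAG_OUTPUT)
```

Against a real checkout, pipe `git tag` into `parse_git_tag_output` instead of the constructed sample; any non-empty result from `find_snapshot_collisions` marks tags whose index-page download links cannot be trusted to point at the release they label.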