This is an automated email from the ASF dual-hosted git repository. arm pushed a commit to branch arm in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit 8fd6be8a983d0bd52634043471e41cc40747c17d Author: Alastair McFarlane <[email protected]> AuthorDate: Mon Mar 9 09:32:23 2026 +0000 Use release name from URL and compare to the form to ensure no malicious/accidental use. Closes #655
---
 atr/post/distribution.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/atr/post/distribution.py b/atr/post/distribution.py
index 01f847ca..fd70485d 100644
--- a/atr/post/distribution.py
+++ b/atr/post/distribution.py
@@ -137,6 +137,10 @@ async def delete(
 await session.check_access(project_name)
 sql_platform = delete_form.platform.to_sql() # type: ignore[attr-defined]
+ url_release = sql.release_name(project_name, version_name)
+ if url_release != delete_form.release_name:
+ raise RuntimeError("Release name mismatch")
+
 # Validate the submitted data, and obtain the committee for its name
 async with db.session() as data:
 release = await data.release(name=str(delete_form.release_name)).demand(
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
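Review bot: The new guard compares `url_release` with `delete_form.release_name` directly, while the lookup at the end of the hunk wraps the same field in `str(...)`. If that field is not a plain `str` (the coercion suggests it may not be), the inequality could hold for every request or depend on the wrapper's `__eq__`, so the guard should use the same form: `if url_release != str(delete_form.release_name):`. Because `session.check_access(project_name)` authorises the project taken from the URL, passing `url_release` to `data.release(name=...)` would keep the authorised name and the deleted name on one source instead of relying on the equality check staying in place. `RuntimeError` presumably surfaces as a server error; a client-error response plus a log entry recording both names would make mismatched submissions visible to operators. The body of `delete` starts and ends outside this hunk.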
