[Bug 244453] Re: pycurl does not fail on authentication error

Wed, 07 Sep 2011 08:51:24 -0700 

** Changed in: smart (Ubuntu)
       Status: New => Fix Released

** Description changed:

  Request for SRU
  ===============
  
+ 0. This is fixed in oneiric with smart 1.4 (the fix was released in
+ 1.3.1 upstream)
  
  1. Statement explaining the impact
  
  Smart doesn't catch 401 (and other 40x) errors when trying to download files 
from a repository. As a result, the html error page presented by the server is 
downloaded as if it were the requested file.
  This usually leads to a weird error about the GPG signature being incorrect 
or being made with an unknown key:
  """
- -> 
https://ahasenack:*@private-ppa.launchpad.net/landscape/lds-stable/ubuntu/dists/lucid/Release
                                                                  
+ -> 
https://ahasenack:*@private-ppa.launchpad.net/landscape/lds-stable/ubuntu/dists/lucid/Release
  Release
  ################################################################# [  7%]
- error: Channel 'lucid - main' signed with unknown key          
+ error: Channel 'lucid - main' signed with unknown key
  """
  And these are the contents of the downloaded file:
  """
  root@amra:/var/lib/smart/channels# cat 
aptsync-c57be5d14aae4fbf00383bbe1479fbb9%%https:__ahasenack:[email protected]_landscape_lds-stable_ubuntu_dists_lucid_Release.gpg
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>401 Authorization Required</title>
  </head><body>
  <h1>Authorization Required</h1>
  <p>This server could not verify that you
  are authorized to access the document
  requested.  Either you supplied the wrong
  credentials (e.g., bad password), or your
  browser doesn't understand how to supply
  the credentials required.</p>
  <hr>
  <address>Apache/2.2.14 (Ubuntu) Server at private-ppa.launchpad.net Port 
443</address>
  </body></html>
- root@amra:/var/lib/smart/channels# 
+ root@amra:/var/lib/smart/channels#
  """
- 
  
  2. How has the bug been addressed
  A patch was taken from trunk to make pycurl fail on http errors and then 
catch this error:
  bzr diff  -r 947..948 lp:smart
  
- 
  3. Patch
  That patch was applied to the source package and a debdiff was generated for 
each ubuntu release.
- 
  
  4. How to reproduce
  - install smartpm-core
  - add this line to your sources.list:
  deb https://foo:[email protected]/landscape/lds-trunk/ubuntu 
lucid main
  - run smart update as root
  - with the broken package, you will get a gpg signature error when that 
repository is fetched:
  """
- -> 
https://foo:*@private-ppa.launchpad.net/landscape/lds-trunk/ubuntu/dists/lucid/Release
                                                                         
+ -> 
https://foo:*@private-ppa.launchpad.net/landscape/lds-trunk/ubuntu/dists/lucid/Release
  Release                                                          
##########################################################################################
 [ 74%]
  error: Channel 'lucid - main' signed with unknown key
  """
  - with the fixed package, you will get a proper 401 error:
  """
  # smart update
  (...)
- -> 
https://foo:*@private-ppa.launchpad.net/landscape/lds-trunk/ubuntu/dists/lucid/Release
                                                                         
+ -> 
https://foo:*@private-ppa.launchpad.net/landscape/lds-trunk/ubuntu/dists/lucid/Release
  Release                                                                       
                                                                              [ 
66%]
  error: Download of Release failed for channel 'lucid - main': The requested 
URL returned error: 401
  """
- 
  
  5. Regression potential
  
  - In both cases, before and after the patch, smart update would fail.
  With the patch, it fails with the correct error message.
  
  - Without the patch, if the repository's signature isn't checked, the error 
is even more cryptic:
  """
- warning: Component 'main' is not in Release file for channel 'lucid - main'   
                                                                                
    
+ warning: Component 'main' is not in Release file for channel 'lucid - main'
  """
  That's because the release file that was downloaded is actually the 401 html 
error page.
  
  - the patch has a test
  
  - I don't know of any other side effects of setting
  handle.setopt(pycurl.FAILONERROR, 1), which is the main fix here.
- 
  
  Original bug description follows
  ================================
  
  Imported: http://tracker.labix.org/issue310
  
  Reason for Import: Patch Review
  
  further details: https://blueprints.launchpad.net/smart/+spec/bug-
  reporting-migration
  
  msg1153 (view)          Author: peter-endian    Date:
  2007-06-21.13:35:42
  
  When you use python-curl, curl downloads the error message if authentication
  fails and stores it as the respective xml file, with which smart is not very
  happy of course.
  
  The attached patch (against 0.50) sets the curl configuration option which
  causes curl to fail if an authentication error occurrs, which then causes 
smart
  to print out the error and consider the download not to be ok instead of 
writing
  the errormessage down to the file.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/244453

Title:
  pycurl does not fail on authentication error

To manage notifications about this bug go to:
https://bugs.launchpad.net/smart/+bug/244453/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to