RFC: Follow redirects when downloading assets for cloning #5335
Conversation
Note: Untested by me as I couldn't reproduce the issue.
| @@ -141,6 +141,7 @@ sub clone_job_download_assets ($jobid, $job, $url_handler, $options) { | |||
|
|
|||
| print STDERR "downloading\n$from\nto\n$dst\n"; | |||
| my $r = $ua->mirror($from, $dst); | |||
| $r = $ua->mirror($r->header('Location'), $dst) if ($r->code == 308); | |||
There was a problem hiding this comment.
What if Location is undef? What if there's yet another redirection? We should also not follow a location from https to http.
There was a problem hiding this comment.
But generally a good idea of course.
There was a problem hiding this comment.
@Martchus FYI in my case it was the redirect from http to https on o3.
There was a problem hiding this comment.
I know. I pointed that out in the chat. And we should of course allow this case. What we should not allow is the opposite for security reasons.
There was a problem hiding this comment.
Maybe add a comment that this is a temporary fix until LWP 6.48 is available on all our supported platforms?
There was a problem hiding this comment.
@kalikiana I suppose this is expected you add before merge, right @okurz ?
There was a problem hiding this comment.
yes, or anyone else who can add a commit to this PR
There was a problem hiding this comment.
Apparently we can't achieve with a reasonable effort to update LWP in SLE/Leap hence we need to keep this workaround in place until eventually we use only more recent versions in newer OS versions
| $r = $ua->mirror($r->header('Location'), $dst) if ($r->code == 308); | |
| # Workaround for behaviour LWP < 6.48, see https://github.com/libwww-perl/libwww-perl/pull/349 | |
| $r = $ua->mirror($r->header('Location'), $dst) if $r->code == 308; |
There was a problem hiding this comment.
@pevik Maybe it's best if you take over from here? I don't even remember what issue this was addressing.
|
Maybe we just need to tweak our usage of LWP (e.g. via https://metacpan.org/pod/LWP::UserAgent#requests_redirectable) instead of trying to implement the behavior manually. Note that some HTTP requests like posting the job are done via Mojolicious and judging by the code (and my tests) they definitely follow up to 3 redirections.
Good point. I've just tried to reproduce it here as well and also wasn't able to: I only used http here and as shown in the logs it follows the redirect. It also works without asset downloads. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #5335 +/- ##
=======================================
Coverage 98.32% 98.32%
=======================================
Files 389 389
Lines 37286 37287 +1
=======================================
+ Hits 36660 36661 +1
Misses 626 626 ☔ View full report in Codecov by Sentry. |
|
I was able to reproduce it on Leap 15.4 with LWP::UserAgent 6.31: It was fixed in 6.48: https://metacpan.org/dist/libwww-perl/changes#L98 |
|
Then I suggest to add |
|
Also 15.5, as we still have the same version there... |
|
|
Sounds like we should just link the latest version in our devel repos (but I currently cannot do it because OBS is overloaded). |
|
I linked the package via
That are a lot of dependencies. So should we go down that path or just keep things as-is (which would make sense for a "stable" distribution like Leap)? |
It is interesting to see that according to perl-libwww-perl is part of Tumbleweed but not in Leap although it was part of Leap until 15.2. I wonder if there is a better way to do it then without needing to pull this in again. But with such requirements and dependencies missing the original approach is obviously not straight forward. Maybe we can think of alternative approaches then? |
|
We could also just move forward with the PR as an alternative approach. It only needs minor improvements to be mergable:
|
|
So, is this really only a workaround for OSs like Leap 15.4 which goes EOL in a couple of weeks if not already? Current is Leap 15.5 but so far I did not understand which packages of Leap 15.5 this would involve |
|
According to @pevik Leap 15.5 is also affected:
(I think "newer" is supposed to be "never".) That's also why I invoked the |
|
So why not fix it at the root and submit an update to Leap? |
I finally submitted the package to Leap 15.6: https://build.opensuse.org/request/show/1181525. Feel free to comment. |
|
@kalikiana OK, the update is unlikely to be accepted and even if it is accepted @okurz proposed to have this as a temporary fix until not needed. Could you please rebase? I'll retest it for you. FYI I've been using this code in my instance, because it's needed. |
|
As mentioned in the chat: If you really need this, please make sure to not allow redirections from https to http and make sure it cannot be stuck in an endless loop. |
|
FYI I keep using this patch (it's still needed). And I'm not sure if submitting package to openSUSE:Leap:15.6:Update would be accepted (suggested at rejected SR https://build.opensuse.org/request/show/1181525). |
|
I don't see a problem why the patch shouldn't be acceptable for SLE or Leap. https://build.opensuse.org/request/show/1181525 looks like you revoked it even though nobody rejected, or is it? |
https://build.opensuse.org/request/show/1181525#comment-1950196 |
Note: Untested by me as I couldn't reproduce the issue.