[kgb-maintainers] DoS bug in KGB
Damyan Ivanov
dmn at debian.org
Thu Sep 24 06:36:06 UTC 2009
-=| Martín Ferrari, Sun, Sep 20, 2009 at 08:33:35PM +0200 |=-
> Hi there,
>
> today the 3 kgb bots died suddenly, and I started taking a look. The
> origin was a commit by Raphael Hertzog that had some extended chars in
> the commit log (it seems we're so boring as to never use them :)).
Damn UTF-8 we all love :)
> It was a two-fold problem: on the server side, it received utf8 wide
> chars that passed to the sha1 module for authentication, and that
> failed. I added the correct conversion code for that to work.
I guess I shall 'release' a new version of the preliminary packages so
that the servers can be upgraded?
> In the client side, it stopped being able to authenticate, because
> the strings were handled differently. SVN gives utf-8 encoded *byte
> sequences*, so perl treats them as legacy-encoded or something like
> that :)
> I added the code that tries to automatically detect if the strings are
> legacy or utf and then convert them to proper utf8 *char* sequences
> and uses those for SOAP (so it can faithfully transmit them). Then
> decodes them for sha1 generation.
(nitpick: s/decodes/encodes/. You give sha1 a sequence of bytes, which
represent encoded UTF-8 sequences. decode = convert from some
representation to Perl's internal one. encode = convert from Perl chars
to byte sequences using some encoding (latin1, whatever))
> This triggered another bug. SOAP::Lite had an ugly hack to decode
> utf8 (instead of using utf8::decode) that doesn't seem to work. I left a
> modified copy of one file in the alioth tree so the post-commit hook
> uses it. I need to see if this is still present in current SOAP::Lite
> versions, but I don't have any environment to test this outside of
> alioth right now.
If this was in /home/groups/kgb/stable/lib, then it is gone. I have
reset the checkout.
Have you reported the bug in SOAP::Lite? We want this fixed :)
> I committed all this to trunk/, and tried to commit to
> branches/stable.
> But I really don't understand how it is supposed to work. Dam, you
> might be able to help here.
> In the repo, branches/stable/debian/changelog says version 0.04
> released. But the tree is identical to tags/0.03... So I really don't
> get it :)
For some reason, the auto-update of the stable branch checkout in
/home/groups/kgb/stable was in a state of merge-resolving. This is now
fixed, here's how it is supposed to work:
You develop in trunk. You break things. This is good. Once in a while,
you are fooled your work is really OK and can be used in production.
At this point you merge it into branches/stable. A post-commit hook
updates the checkout of branches/stable in /home/groups/kgb/stable.
'Official' KGB 'customers' shall use that checkout in their
post-commit hooks. pkg-perl uses it, PET does, as well as KGB project
itself. There is also a checkout of trunk
(/home/groups/kgb/stable/trunk), which is used only by the KGB
project, in parallel to the stable one, and which sends notifications
to #kgb-test.
It is complicated with these multiple layers -- developers, commits,
repositories, hooks, clients, servers and IRC channels. I hope it is
a bit clearer now :)
--
dam
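The byte-versus-character confusion discussed above (SVN handing the hook raw
UTF-8 octets, SOAP carrying Perl characters, Digest::SHA wanting octets
again) is worth seeing in one runnable script. The following is an added
illustration in Perl, not KGB's own code: the commit logs are constructed
sample strings, the helper names (bytes_to_chars, auth_digest, naive_digest)
and the "secret plus message" digest scheme are hypothetical and only stand
in for whatever the real client and server hash.

```perl
#!/usr/bin/perl
# Added example, not KGB's code: the byte/character split behind the crash.
use strict;
use warnings;
use Encode qw(decode encode FB_CROAK);
use Digest::SHA qw(sha1_hex);

# Constructed sample input. SVN gives a post-commit hook *byte* strings.
# These are the UTF-8 octets of "Merge trunk → stable: fix été handling";
# the arrow is U+2192, which does not fit in a single byte ...
my $utf8_log = "Merge trunk \xe2\x86\x92 stable: fix \xc3\xa9t\xc3\xa9 handling";
# ... and "Fix été handling" once as UTF-8 octets, once as latin1 octets
# (the legacy case; 0xE9 followed by 't' is not valid UTF-8).
my $utf8_short   = "Fix \xc3\xa9t\xc3\xa9 handling";
my $latin1_short = "Fix \xe9t\xe9 handling";

# Hypothetical helper: turn hook input into Perl characters. Strict UTF-8 is
# tried first (FB_CROAK dies on malformed input instead of substituting
# U+FFFD); if that fails the bytes are taken as latin1, which decodes any
# byte sequence. This is the "detect legacy or UTF-8" heuristic from the
# thread.
sub bytes_to_chars {
    my ($bytes) = @_;    # lexical copy: decode with FB_CROAK consumes its source
    my $chars = eval { decode('UTF-8', $bytes, FB_CROAK) };
    return defined $chars ? $chars : decode('iso-8859-1', $bytes);
}

# Hypothetical auth digest over a shared secret and the message. Digest::SHA
# hashes octets, so the character string is *encoded* to UTF-8 first. Client
# and server must do the same encode or their digests disagree.
sub auth_digest {
    my ($secret, $chars) = @_;
    return sha1_hex(encode('UTF-8', $secret . $chars));
}

# The broken variant: hand the character string to Digest::SHA as is.
# Returns (digest, error). Characters up to U+00FF are silently downgraded
# to latin1 octets (wrong digest, no error); anything wider makes
# Digest::SHA croak with "Wide character in subroutine entry".
sub naive_digest {
    my ($secret, $chars) = @_;
    my $digest = eval { sha1_hex($secret . $chars) };
    return ($digest, $@);
}

my $secret = 'placeholder-secret';    # constructed, not a real KGB credential

# 1. Octets and characters have different lengths for the same text.
my $chars = bytes_to_chars($utf8_log);
printf "%d octets decode to %d characters\n", length($utf8_log), length($chars);

# 2. UTF-8 and latin1 input for "Fix été handling" decode to the same
#    character string, so the rest of the code can ignore the input encoding.
my $from_utf8   = bytes_to_chars($utf8_short);
my $from_latin1 = bytes_to_chars($latin1_short);
print "UTF-8 and latin1 input agree after decoding: ",
    ($from_utf8 eq $from_latin1 ? "yes" : "no"), "\n";

# 3. Encoding back before hashing reproduces the digest of the raw bytes,
#    so a server hashing what arrived on the wire still agrees.
print "decode/encode round trip keeps the digest: ",
    (auth_digest($secret, $chars) eq sha1_hex($secret . $utf8_log) ? "yes" : "no"),
    "\n";

# 4. The failure modes: a silently different digest for latin1-range text ...
my ($d, $err) = naive_digest($secret, $from_latin1);
print "naive digest of latin1-range text equals the encoded one: ",
    ($d eq auth_digest($secret, $from_latin1) ? "yes" : "no"), "\n";
# ... and a fatal error as soon as a character above U+00FF shows up.
($d, $err) = naive_digest($secret, $chars);
print "naive digest of wide text: ", ($err ? "died: $err" : "ok"), "\n";
```

Run it with plain `perl`; Encode and Digest::SHA are core modules. Case 4
is the pair of symptoms from the thread in miniature: the client quietly
computing a different digest than the server for accented text, and the
server dying outright once a genuinely wide character arrives.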