The file stream associated with downloads without a filename is not
being freed when downloading using the sandbox user.
Signed-off-by: Allan McRae <allan@archlinux.org>
On NFS caches, using chown to change file permissions to the UID 0 user
will fail due to root_squash. When DownloadUser is unset, or set to
the UID 0 user (root), avoid the unneeded chown calls providing a
workaround.
Fixes#194
Signed-off-by: Allan McRae <allan@archlinux.org>
While the event is already globally initialised, initialising the fields
prevents a valgrind warning (since the gcc-15 update).
Signed-off-by: Allan McRae <allan@archlinux.org>
Some libaplm utilities sync databases as a non-root user for use in
actvities other than system updates. The ability to download as a
non-root user was broken as part of the download sandboxing.
Applying a minimial fix by preventing the chown of the downloaded file
if the user is non-root. A larger change increasing the robustness
and error checking of this path is warranted in the future.
Signed-off-by: Allan McRae <allan@archlinux.org>
Sorting modifies the list in place, causing any existing pointers to the
list to point to a random element.
Fixes#165
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
If a package was already downloaded but its signature file was not,
pacman would download the signature then error out despite all files
being present.
Also fixes a similar error when some, but not all, package databases
were updated with -Sy.
Fixes#156
Signed-off-by: Allan McRae <allan@archlinux.org>
Filling in more of the payload fields before passing to the downloader ensures
that the these fields do not get lost during sandboxed operations.
It also fixes the use of -U with XferCommand, but testsuite still fails due to
"404" page being downloaded for the signature. Given we can not identify this
as being a non-signature download with the XferCommand, we can just turn off
signature checking in this test.
Signed-off-by: Allan McRae <allan@archlinux.org>
If the SandboxUser configure option is set, the internal downloader
will fork of a child process and drop to the specified user to download
the files.
Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Previously, the for loops on lines 1035 and 1037 would advance to the
next element in the server list, even if downloading the URL succeeded.
If there are no more servers in the list, `s` would be NULL, causing
a NULL pointer dereference on line 1046. If there were servers left
in the list, the signature would be downloaded from a wrong URL.
1. Fetching of database signatures is enabled.
2. There is only one enabled remote repository URL, or fetching from
all but the last one fails and fetching from the last one succeeds.
3. An XferCommand is used.
Qubes OS Arch templates satisfy all of these conditions and trigger the bug.
Cache servers differ from regular servers in that they do not produce
warnings and are not removed from the server pool for "soft errors"
(i.e. the server was reachable, but the download failed) and they are
not used for databases. If a host is used for both a cache server and a
regular server, it may still be removed from the server pool for soft
errors that occur when used as cache server and removal from the server
pool for soft errors will not affect future attempted use as a cache
server.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
We have not set handle in the function at this stage, so we can not
assign an error to it. Pass the handle to the function to avoid
waiting until the payload is retrieved.
Signed-off-by: Allan McRae <allan@archlinux.org>
The last user of ABORT_SIGINT was removed in commit 84723cab5d
("Cleanup the old sequential download code"), and this isn't exported as
part of the public API.
Signed-off-by: Chris Down <chris@chrisdown.name>
Signed-off-by: Allan McRae <allan@archlinux.org>
Parsing of Content-Disposition relies on well formed headers.
A malformed header such as:
Content-Disposition="";
will result in a strnduppayload->content_disp_name, -1, ptr),
which will copy memory until it hits a \0.
Prevent this by only copying the value if it exists.
Fixes FS#73704.
Signed-off-by: Allan McRae <allan@archlinux.org>
Allow finding which mirror was used to fetch a file.
This makes it a bit easier to debug situations in which mirrors serve
bad files with HTTP 200.
Signed-off-by: Vladimir Panteleev <archlinux@cy.md>
When downloading in parallel, sort by package size so that the larger
packages are queued first to fully leverage parallelism.
Addresses FS#70172
Signed-off-by: Charlie Sale <softwaresale01@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Github and other sites redirect their downloads to a cdn. So the
download http://foo.org/myrepo.db may redirect to something like
https://cdn.foo.org/83749327439.
This then causes pacman to try and download the sig as
https://cdn.foo.org/83749327439.sig which is incorrect. In this case
pacman should append .sig to the original url.
However urls like https://archlinux.org/packages/community/x86_64/0ad/download/
Redirect to the mirror, so .sig has to appended after the redirects and
not before.
So we decide if we should append .sig on the original or effective url
based on if the effective url (minus the query part) has .db or .pkg in it.
Fixes FS#71148
---
v2: move variable decleration to start of block
v3: use dbext instead of db
archweb's download links all ended in /download. This cause all the temp
files to be named download.part. With parallel downloads this results in
multiple downloads to go to the same temp file and breaks the transaction.
Assign random temporary filenames to downloads from URLs that are either
missing a filename, or if the filename does not contain at least three
hyphens (as a well formed package filename does).
While this approach to determining when to use a temporary filename is
not 100% foolproof, it does keep nice looking download progress bar names
when a proper package filename is given. The only downside of not using
temporary files when provided with a filename with three or more hyphens
is URLs created specifically to bypass temporary filename usage can not
be downloaded in parallel. We probably do not want to download packages
from such URLs anyway.
Fixes FS#71464
Modified-by: Allan McRae (do not use temporary files for realish URLs)
Signed-off-by: Allan McRae <allan@archlinux.org>
If the original download redirects to to a different url then alpm would
try to name the sig file after the url instead of <original_file>.sig.
Instead force this naming scheme regardless of url.
Fixes FS#71274
Signed-off-by: Allan McRae <allan@archlinux.org>
Around the same time retry events were added, there was a patch to pass
sig download events to the frontend. The retry code was not updated to
account for this.
Signed-off-by: morganamilo <morganamilo@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Some servers respond with error pages (e.g. 404.html) when a package is
not present. These were getting written to packages before moving onto
the next server. Reset the download progress on 400+ error conditions
to avoid this.
Signed-off-by: Allan McRae <allan@archlinux.org>
When a download fails on one mirror a new download is started on the
next mirror. This causes the ammount downloaded to reset, confusing the
rate math and making it display a negative rate.
This is further complicated by the fact that a download may be resumed
from where it is or started over.
To account for this we alert the frontend that the download was
restarted. Pacman then starts the progress bar over.
Signed-off-by: Allan McRae <allan@archlinux.org>
Restore the prior indicator whether or not databases were up to date.
0 is used to indicate if *any* db was actually updated as callers are
more likely to care about that than if *all* dbs were updated.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
An extra break causes _alpm_download to break out of the payload loop as
soon as it sees a successful url download with XferCommand.
Fixes: FS#70608 - -U fails to download all files with XferCommand
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Our callbacks require front-ends to maintain state in order to provide
reasonable output. The new download callback in particular requires
much more complex state information to be saved. Without the ability to
provide context, state must be saved globally, which may not be possible
for all front-ends. Scripting language bindings in particular have no
way to register per-handle callbacks without some form of context.
Implements: FS#12721
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Keep track of errors from servers so that bad ones can be skipped once
a threshold is reached. Key the error tracking off the hostname because
hosts may serve multiple repos under different url's and errors are
likely to be host-wide.
Implements: FS#29293.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Total download callback called right before packages start downloaded.
But we already have an event for such event (ALPM_EVENT_PKG_RETRIEVE_START)
and it is naturally to use the event to pass information about expected
download size.
Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
