{- git-annex command
|
|
|
|
-
|
addurl --preserve-filename and a few related changes
* addurl --preserve-filename: New option, uses server-provided filename
without any sanitization, but with some security checking.
Not yet implemented for remotes other than the web.
* addurl, importfeed: Avoid adding filenames with leading '.', instead
it will be replaced with '_'.
This might be considered a security fix, but a CVE seems unwarranted.
It was possible for addurl to create a dotfile, which could change
behavior of some program. It was also possible for a web server to say
the file name was ".git" or "foo/.git". That would not overwrite the
.git directory, but would cause addurl to fail; of course git won't
add "foo/.git".
sanitizeFilePath is too opinionated to remain in Utility, so moved it.
The changes to mkSafeFilePath are because it used sanitizeFilePath.
In particular:
isDrive will never succeed, because "c:" gets munged to "c_"
".." gets sanitized now
".git" gets sanitized now
It will never be null, because sanitizeFilePath keeps the length
the same, and splitDirectories never returns a null path.
Also, on the off chance a web server suggests a filename of "",
ignore that, rather than trying to save to such a filename, which would
fail in some way.
2020-05-08 20:09:29 +00:00
|
|
|
- Copyright 2011-2020 Joey Hess <id@joeyh.name>
|
2011-07-01 21:15:46 +00:00
|
|
|
-
|
2019-03-13 19:48:14 +00:00
|
|
|
- Licensed under the GNU AGPL version 3 or higher.
|
2011-07-01 21:15:46 +00:00
|
|
|
-}
module Command.AddUrl where
import Network.URI
import Command
|
2012-06-05 23:51:03 +00:00
|
|
|
import Backend
|
2011-07-01 22:46:07 +00:00
|
|
|
import qualified Annex
|
2013-09-28 18:35:21 +00:00
|
|
|
import qualified Annex.Url as Url
|
2011-08-06 18:57:22 +00:00
|
|
|
import qualified Backend.URL
|
2014-12-08 23:14:24 +00:00
|
|
|
import qualified Remote
|
|
|
|
import qualified Types.Remote as Remote
|
2015-12-22 17:23:33 +00:00
|
|
|
import qualified Command.Add
|
2011-10-04 04:40:47 +00:00
|
|
|
import Annex.Content
|
2015-12-22 17:23:33 +00:00
|
|
|
import Annex.Ingest
|
2016-09-21 21:21:48 +00:00
|
|
|
import Annex.CheckIgnore
|
2020-03-06 15:57:15 +00:00
|
|
|
import Annex.Perms
|
2014-12-17 17:57:52 +00:00
|
|
|
import Annex.UUID
|
2017-11-29 19:49:05 +00:00
|
|
|
import Annex.YoutubeDl
|
addurl --preserve-filename and a few related changes
* addurl --preserve-filename: New option, uses server-provided filename
without any sanitization, but with some security checking.
Not yet implemented for remotes other than the web.
* addurl, importfeed: Avoid adding filenames with leading '.', instead
it will be replaced with '_'.
This might be considered a security fix, but a CVE seems unwarranted.
It was possible for addurl to create a dotfile, which could change
behavior of some program. It was also possible for a web server to say
the file name was ".git" or "foo/.git". That would not overwrite the
.git directory, but would cause addurl to fail; of course git won't
add "foo/.git".
sanitizeFilePath is too opinionated to remain in Utility, so moved it.
The changes to mkSafeFilePath are because it used sanitizeFilePath.
In particular:
isDrive will never succeed, because "c:" gets munged to "c_"
".." gets sanitized now
".git" gets sanitized now
It will never be null, because sanitizeFilePath keeps the length
the same, and splitDirectories never returns a null path.
Also, on the off chance a web server suggests a filename of "",
ignore that, rather than trying to save to such a filename, which would
fail in some way.
2020-05-08 20:09:29 +00:00
|
|
|
import Annex.UntrustedFilePath
|
2011-10-15 20:36:56 +00:00
|
|
|
import Logs.Web
|
2012-06-20 20:07:14 +00:00
|
|
|
import Types.KeySource
|
2014-12-11 19:32:42 +00:00
|
|
|
import Types.UrlContents
|
2015-12-02 19:12:33 +00:00
|
|
|
import Annex.FileMatcher
|
2013-04-11 17:35:52 +00:00
|
|
|
import Logs.Location
|
2014-12-08 23:14:24 +00:00
|
|
|
import Utility.Metered
|
2017-11-28 21:17:40 +00:00
|
|
|
import Utility.HtmlDetect
|
2017-12-31 20:08:31 +00:00
|
|
|
import Utility.Path.Max
|
2014-03-22 14:42:38 +00:00
|
|
|
import qualified Annex.Transfer as Transfer
|
2011-07-01 21:15:46 +00:00
|
|
|
|
2015-07-08 16:33:27 +00:00
|
|
|
{- The addurl command. It is wrapped in notBareRepo, accepts the
 - jobsOption, jsonOptions and jsonProgressOption global options, takes a
 - repeating url parameter, and passes the parsed AddUrlOptions to seek. -}
cmd :: Command
cmd = notBareRepo (withGlobalOptions globalopts addurl)
  where
    globalopts = [jobsOption, jsonOptions, jsonProgressOption]
    addurl = command "addurl" SectionCommon "add urls to annex"
        (paramRepeating paramUrl)
        (seek <$$> optParser)
|
2012-02-08 19:35:18 +00:00
|
|
|
|
2015-07-13 14:57:49 +00:00
|
|
|
{- Everything the addurl command line can specify. The fields are filled
 - in by optParser, in this order. -}
data AddUrlOptions = AddUrlOptions
    { addUrls :: CmdParams
    -- ^ the urls given on the command line
    , pathdepthOption :: Maybe Int
    -- ^ --pathdepth: number of url path components to use in filename
    , prefixOption :: Maybe String
    -- ^ --prefix: prefix added to the filename
    , suffixOption :: Maybe String
    -- ^ --suffix: suffix added to the filename
    , downloadOptions :: DownloadOptions
    -- ^ options that control how (and to which file) an url is downloaded
    , batchOption :: BatchMode
    -- ^ whether urls are also read in batch mode
    , batchFilesOption :: Bool
    -- ^ --with-files: batch mode lines have the form "$url $file"
    }
|
2011-07-01 21:15:46 +00:00
|
|
|
|
2017-11-30 20:48:35 +00:00
|
|
|
{- Options that affect how an url is downloaded and which file it is
 - added to. The fields are filled in by parseDownloadOptions. -}
data DownloadOptions = DownloadOptions
    { relaxedOption :: Bool
    -- ^ --relaxed: skip size check
    , rawOption :: Bool
    -- ^ --raw: disable special handling for torrents, youtube-dl, etc
    , fileOption :: Maybe FilePath
    -- ^ --file: the file the url is added to, as specified by the user
    , preserveFilenameOption :: Bool
    -- ^ --preserve-filename: use the filename provided by the server
    -- without sanitizing it. In this module such a name is still passed
    -- to checkPreserveFileNameSecurity (via sanitizeOrPreserveFilePath)
    -- before it is used.
    }
|
|
|
|
|
2015-07-13 14:57:49 +00:00
|
|
|
{- Command line parser for addurl. The applicative chain fills the
 - AddUrlOptions fields in declaration order; the download options are
 - parsed with the file-related options enabled. -}
optParser :: CmdParamsDesc -> Parser AddUrlOptions
optParser desc = AddUrlOptions
    <$> cmdParams desc
    <*> optional pathdepth
    <*> optional (affix "prefix" "add a prefix to the filename")
    <*> optional (affix "suffix" "add a suffix to the filename")
    <*> parseDownloadOptions True
    <*> parseBatchOption
    <*> withfiles
  where
    pathdepth = option auto
        ( long "pathdepth"
        <> metavar paramNumber
        <> help "number of url path components to use in filename"
        )
    -- --prefix and --suffix differ only in their name and help text.
    affix name description = strOption
        ( long name
        <> metavar paramValue
        <> help description
        )
    withfiles = switch
        ( long "with-files"
        <> help "parse batch mode lines of the form \"$url $file\""
        )
|
2015-07-13 15:06:41 +00:00
|
|
|
|
2017-11-30 20:48:35 +00:00
|
|
|
{- Parser for the download options. When withfileoptions is False, the
 - --file and --preserve-filename options are not offered at all, and
 - their fields are fixed to Nothing and False respectively. -}
parseDownloadOptions :: Bool -> Parser DownloadOptions
parseDownloadOptions withfileoptions = DownloadOptions
    <$> relaxed
    <*> raw
    <*> file
    <*> preservefilename
  where
    relaxed = switch
        ( long "relaxed"
        <> help "skip size check"
        )
    raw = switch
        ( long "raw"
        <> help "disable special handling for torrents, youtube-dl, etc"
        )
    file
        | withfileoptions = optional $ strOption
            ( long "file"
            <> metavar paramFile
            <> help "specify what file the url is added to"
            )
        | otherwise = pure Nothing
    -- The server-provided name is used without sanitization when this is
    -- set; in this module it is still checked by
    -- checkPreserveFileNameSecurity before use.
    preservefilename
        | withfileoptions = switch
            ( long "preserve-filename"
            <> help "use filename provided by server as-is"
            )
        | otherwise = pure False
|
2012-02-16 16:25:19 +00:00
|
|
|
|
2015-07-13 14:57:49 +00:00
|
|
|
{- Processes every url from the command line and then, in batch mode,
 - every url read from batch input. Each url is handled by the web code
 - path when the claiming remote is the web remote or --raw was given;
 - otherwise the claiming remote is asked about the url via checkUrl. -}
seek :: AddUrlOptions -> CommandSeek
seek o = startConcurrency commandStages $ do
    addunlockedmatcher <- addUnlockedMatcher
    let addone = dispatch addunlockedmatcher
    mapM_ (\u -> addone (o, u)) (addUrls o)
    case batchOption o of
        NoBatch -> noop
        Batch fmt -> batchInput fmt (pure . parseBatchInput o) addone
  where
    -- The options travel with the url, because parseBatchInput can
    -- produce per-line options (a per-line fileOption).
    dispatch matcher (o', u) = do
        r <- Remote.claimingUrl u
        let useweb = Remote.uuid r == webUUID || rawOption (downloadOptions o')
        if useweb
            then void $ commandAction $ startWeb matcher o' u
            else checkUrl matcher r o' u
|
2015-12-22 16:20:39 +00:00
|
|
|
|
|
|
|
{- Parses one line of batch input. Without --with-files the whole line is
 - the url. With --with-files the line is split at the first space into
 - url and filename, and the filename is stored in fileOption; a line
 - where either part is empty is rejected.
 -
 - NOTE(review): a filename taken from batch input ends up in fileOption,
 - so the rest of this module treats it like a name given with --file: it
 - is used as provided and does not pass through
 - sanitizeOrPreserveFilePath. Batch input is therefore trusted to the
 - same degree as the command line. -}
parseBatchInput :: AddUrlOptions -> String -> Either String (AddUrlOptions, URLString)
parseBatchInput o s
    | not (batchFilesOption o) = Right (o, s)
    | null u || null f = Left ("parsed empty url or filename in input: " ++ s)
    | otherwise = Right (withfile, u)
  where
    (u, f) = separate (== ' ') s
    dlopts = downloadOptions o
    withfile = o { downloadOptions = dlopts { fileOption = Just f } }
|
2015-03-31 19:20:29 +00:00
|
|
|
|
2019-12-20 19:01:34 +00:00
|
|
|
{- Asks the remote that claimed the url what the url contains, using the
 - remote's checkUrl action, and starts one addurl action for each file
 - it reports.
 -
 - Filenames reported by the remote are passed through
 - sanitizeOrPreserveFilePath before use. A filename from fileOption is
 - used as the user provided it.
 -
 - Calls error when the remote has no checkUrl action. -}
checkUrl :: AddUnlockedMatcher -> Remote -> AddUrlOptions -> URLString -> Annex ()
checkUrl addunlockedmatcher r o u = do
    pathmax <- liftIO $ fileNameLengthLimit "."
    -- Default destination: the user's fileOption when set, otherwise a
    -- name derived from the url.
    let deffile = fromMaybe (urlString2file u (pathdepthOption o) pathmax) (fileOption (downloadOptions o))
    -- The remote's check is applied to the url under tryNonAsync, so a
    -- failure reaches go as a Left rather than propagating from here.
    go deffile =<< maybe
        (error $ "unable to checkUrl of " ++ Remote.name r)
        (tryNonAsync . flip id u)
        (Remote.checkUrl r)
  where
    -- The check failed: display the failure as a warning and let the
    -- action report False.
    go _ (Left e) = void $ commandAction $ startingAddUrl u o $ do
        warning (show e)
        next $ return False
    -- A single file, with an optional size and an optional filename
    -- suggested by the remote.
    go deffile (Right (UrlContents sz mf)) = do
        -- The suggested name is sanitized (or security-checked, with
        -- --preserve-filename) even when fileOption overrides it below.
        f <- maybe (pure deffile) (sanitizeOrPreserveFilePath o) mf
        let f' = adjustFile o (fromMaybe f (fileOption (downloadOptions o)))
        void $ commandAction $ startRemote addunlockedmatcher r o f' u sz
    -- Several files, each with its own url, size and filename.
    go deffile (Right (UrlMulti l)) = case fileOption (downloadOptions o) of
        Nothing ->
            forM_ l $ \(u', sz, f) -> do
                f' <- sanitizeOrPreserveFilePath o f
                -- NOTE(review): if </> is System.FilePath's, an absolute
                -- f' replaces deffile instead of being placed under it.
                -- With --preserve-filename this relies on
                -- pathTraversalInFilePath rejecting such names; confirm.
                let f'' = adjustFile o (deffile </> f')
                void $ commandAction $ startRemote addunlockedmatcher r o f'' u' sz
        -- The user named a single destination file, which only works
        -- when the remote reports exactly one file; the remote's own
        -- filename is then ignored.
        Just f -> case l of
            [] -> noop
            ((u',sz,_):[]) -> do
                let f' = adjustFile o f
                void $ commandAction $ startRemote addunlockedmatcher r o f' u' sz
            _ -> giveup $ unwords
                [ "That url contains multiple files according to the"
                , Remote.name r
                , " remote; cannot add it to a single file."
                ]
|
2014-12-08 23:14:24 +00:00
|
|
|
|
2019-12-20 19:01:34 +00:00
|
|
|
{- Starts adding an url that a remote other than the web provides.
 - Each directory component of the destination file is truncated to the
 - filename length limit of the current directory before the file is
 - displayed and passed to performRemote. -}
startRemote :: AddUnlockedMatcher -> Remote -> AddUrlOptions -> FilePath -> URLString -> Maybe Integer -> CommandStart
startRemote addunlockedmatcher r o file uri sz = do
    pathmax <- liftIO $ fileNameLengthLimit "."
    let shortened = joinPath (truncateFilePath pathmax <$> splitDirectories file)
    startingAddUrl uri o $ do
        showNote ("from " ++ Remote.name r)
        showDestinationFile shortened
        performRemote addunlockedmatcher r o uri shortened sz
|
2014-12-08 23:14:24 +00:00
|
|
|
|
2019-12-20 19:01:34 +00:00
|
|
|
{- When the file is already annexed, records the url for its key (after
 - the size check below); otherwise downloads the url from the remote to
 - the file.
 -
 - The url is always treated as existing. The size is considered to match
 - when the remote reported no size, when the key has no recorded size,
 - or when both sizes are equal. -}
performRemote :: AddUnlockedMatcher -> Remote -> AddUrlOptions -> URLString -> FilePath -> Maybe Integer -> CommandPerform
performRemote addunlockedmatcher r o uri file sz =
    ifAnnexed (toRawFilePath file) adduri geturi
  where
    loguri = setDownloader uri OtherDownloader
    geturi = next $ isJust <$> downloadRemoteFile addunlockedmatcher r (downloadOptions o) uri file sz
    adduri = addUrlChecked o loguri file (Remote.uuid r) checkexistssize
    checkexistssize key = return (True, samesize key, loguri)
    samesize key = maybe True (\n -> n == fromMaybe n (fromKey keySize key)) sz
|
2014-12-11 20:43:46 +00:00
|
|
|
|
2019-12-20 19:01:34 +00:00
|
|
|
{- Adds an url provided by a remote to the file, after checkCanAdd has
 - accepted the file. In fast or relaxed mode nothing is downloaded and
 - the file is added with the url key; otherwise the content is
 - retrieved from the remote. The result is what the underlying add or
 - download returned: the key, or Nothing. -}
downloadRemoteFile :: AddUnlockedMatcher -> Remote -> DownloadOptions -> URLString -> FilePath -> Maybe Integer -> Annex (Maybe Key)
downloadRemoteFile addunlockedmatcher r o uri file sz = checkCanAdd file $ do
    let urlkey = Backend.URL.fromUrl uri sz
    -- The parent directory is created in both modes, before anything is
    -- added or downloaded.
    createWorkTreeDirectory (parentDir file)
    ifM (Annex.getState Annex.fast <||> pure (relaxedOption o))
        ( do
            addWorkTree addunlockedmatcher (Remote.uuid r) loguri file urlkey Nothing
            return (Just urlkey)
        , do
            -- Set temporary url for the urlkey
            -- so that the remote knows what url it
            -- should use to download it.
            setTempUrl urlkey loguri
            let downloader = \dest p ->
                    fst <$> Remote.verifiedAction (Remote.retrieveKeyFile r urlkey af dest p)
            ret <- downloadWith addunlockedmatcher downloader urlkey (Remote.uuid r) loguri file
            -- NOTE(review): if downloadWith can throw, this cleanup is
            -- skipped and the temporary url stays set; confirm whether
            -- that matters to later actions.
            removeTempUrl urlkey
            return ret
        )
  where
    -- The url as it is logged, marked as handled by OtherDownloader.
    loguri = setDownloader uri OtherDownloader
    af = AssociatedFile (Just (toRawFilePath file))
|
2014-12-08 23:14:24 +00:00
|
|
|
|
2019-12-20 19:01:34 +00:00
|
|
|
{- Starts adding an url that is handled by the web remote.
 -
 - The destination file is chosen in this order: the user's fileOption;
 - else the filename suggested by the server, after it went through
 - sanitizeOrPreserveFilePath; else a name derived from the url. -}
startWeb :: AddUnlockedMatcher -> AddUrlOptions -> URLString -> CommandStart
startWeb addunlockedmatcher o urlstring = go $ fromMaybe bad $ parseURI urlstring
  where
    -- Fallback for urls that parseURI rejects; gives up with "bad url"
    -- when the relaxed parser rejects the url too.
    bad = fromMaybe (giveup $ "bad url " ++ urlstring) $
        Url.parseURIRelaxed $ urlstring
    -- In relaxed mode the url is assumed to exist and is not queried.
    -- Otherwise its info is fetched first, and a failure is shown as a
    -- warning while the action reports False.
    go url = startingAddUrl urlstring o $
        if relaxedOption (downloadOptions o)
            then go' url Url.assumeUrlExists
            else Url.withUrlOptions (Url.getUrlInfo urlstring) >>= \case
                Right urlinfo -> go' url urlinfo
                Left err -> do
                    warning err
                    next $ return False
    go' url urlinfo = do
        pathmax <- liftIO $ fileNameLengthLimit "."
        file <- adjustFile o <$> case fileOption (downloadOptions o) of
            -- A user-specified file is used as given.
            Just f -> pure f
            Nothing -> case Url.urlSuggestedFile urlinfo of
                Just sf -> do
                    -- The server-suggested name is untrusted input: it
                    -- is sanitized, or with --preserve-filename only
                    -- security-checked.
                    f <- sanitizeOrPreserveFilePath o sf
                    if preserveFilenameOption (downloadOptions o)
                        -- With --preserve-filename the existence check
                        -- below is skipped, so the server's name is used
                        -- even when something already exists there.
                        then pure f
                        -- Otherwise a suggested name that collides with
                        -- an existing file or directory is dropped in
                        -- favour of the url-derived name.
                        else ifM (liftIO $ doesFileExist f <||> doesDirectoryExist f)
                            ( pure $ url2file url (pathdepthOption o) pathmax
                            , pure f
                            )
                _ -> pure $ url2file url (pathdepthOption o) pathmax
        performWeb addunlockedmatcher o urlstring file urlinfo
|
2013-08-22 22:25:21 +00:00
|
|
|
|
2020-05-11 18:32:36 +00:00
|
|
|
{- Turns a filename that came from a server or remote into the filename
 - to use.
 -
 - With --preserve-filename and a non-empty name, the name is returned
 - unchanged once checkPreserveFileNameSecurity has accepted it. In every
 - other case, including an empty name, the name is sanitized with
 - sanitizeFilePath and truncated to the filename length limit of the
 - current directory. -}
sanitizeOrPreserveFilePath :: AddUrlOptions -> FilePath -> Annex FilePath
sanitizeOrPreserveFilePath o f =
    if preserveFilenameOption (downloadOptions o) && not (null f)
        then f <$ checkPreserveFileNameSecurity f
        else sanitized <$> liftIO (fileNameLengthLimit ".")
  where
    sanitized pathmax = truncateFilePath pathmax (sanitizeFilePath f)
|
|
|
|
|
addurl --preserve-filename and a few related changes
* addurl --preserve-filename: New option, uses server-provided filename
without any sanitization, but with some security checking.
Not yet implemented for remotes other than the web.
* addurl, importfeed: Avoid adding filenames with leading '.', instead
it will be replaced with '_'.
This might be considered a security fix, but a CVE seems unwarranted.
It was possible for addurl to create a dotfile, which could change
behavior of some program. It was also possible for a web server to say
the file name was ".git" or "foo/.git". That would not overwrite the
.git directory, but would cause addurl to fail; of course git won't
add "foo/.git".
sanitizeFilePath is too opinionated to remain in Utility, so moved it.
The changes to mkSafeFilePath are because it used sanitizeFilePath.
In particular:
isDrive will never succeed, because "c:" gets munged to "c_"
".." gets sanitized now
".git" gets sanitized now
It will never be null, because sanitizeFilePath keeps the length
the same, and splitDirectories never returns a null path.
Also, on the off chance a web server suggests a filename of "",
ignore that, rather than trying to save to such a filename, which would
fail in some way.
2020-05-08 20:09:29 +00:00
|
|
|
-- Security checks for a filename that --preserve-filename would use
-- without sanitization. sanitizeFilePath avoids all these problems
-- (and probably others); this only catches the most egregious ones.
--
-- The checks run in list order. The escape sequence check comes first
-- and its message leaves the filename out; the later messages include
-- the filename. Keep that order when adding checks, so a name is only
-- displayed after the escape sequence check has passed (giveup is
-- expected to abort).
checkPreserveFileNameSecurity :: FilePath -> Annex ()
checkPreserveFileNameSecurity f = mapM_ reject
    [ (escapeSequenceInFilePath, False, "escape sequence")
    , (pathTraversalInFilePath, True, "path traversal")
    , (gitDirectoryInFilePath, True, "contains a .git directory")
    ]
  where
    reject (problem, canshow, d)
        | problem f = giveup $ concat
            [ "--preserve-filename was used, but the filename "
            , if canshow then "(" ++ f ++ ") " else ""
            , "has a security problem (" ++ d ++ "), not adding."
            ]
        | otherwise = return ()
|
|
|
|
|
2019-12-20 19:01:34 +00:00
|
|
|
{- When the file is already annexed, records the url for its key via
 - addUrlChecked; otherwise adds the url to the file via addUrlFile.
 -
 - For an already annexed file, an url that youtube-dl supports (unless
 - --raw was given) is accepted without an existence or size check and
 - is logged with YoutubeDownloader. Any other url must exist and have
 - the same size as the key, according to the url info. -}
performWeb :: AddUnlockedMatcher -> AddUrlOptions -> URLString -> FilePath -> Url.UrlInfo -> CommandPerform
performWeb addunlockedmatcher o url file urlinfo =
    ifAnnexed (toRawFilePath file) addurl geturl
  where
    geturl = next $ isJust <$> addUrlFile addunlockedmatcher (downloadOptions o) url urlinfo file
    addurl = addUrlChecked o url file webUUID checkexistssize
    checkexistssize k = ifM useyoutubedl
        ( return (True, True, setDownloader url YoutubeDownloader)
        , return (Url.urlExists urlinfo, Url.urlSize urlinfo == fromKey keySize k, url)
        )
    useyoutubedl = pure (not (rawOption (downloadOptions o))) <&&> youtubeDlSupported url
|
2014-12-11 20:11:38 +00:00
|
|
|
|
2017-11-30 17:45:43 +00:00
|
|
|
{- Adds an url to a key that is already annexed.
 -
 - Nothing is changed when the url is already recorded for the key and
 - the uuid is already among the key's logged locations. Otherwise the
 - supplied check has to report that the url exists and has the same size
 - as the key; --relaxed bypasses the size comparison, but not the
 - existence check. When the check fails, a warning is displayed and
 - nothing is recorded. -}
addUrlChecked :: AddUrlOptions -> URLString -> FilePath -> UUID -> (Key -> Annex (Bool, Bool, URLString)) -> Key -> CommandPerform
addUrlChecked o url file u checkexistssize key =
    ifM alreadyrecorded (unchanged, verifyandrecord)
  where
    alreadyrecorded = (elem url <$> getUrls key) <&&> (elem u <$> loggedLocations key)
    unchanged = do
        showDestinationFile file
        next $ return True
    verifyandrecord = do
        (exists, samesize, url') <- checkexistssize key
        if exists && (samesize || relaxedOption (downloadOptions o))
            then record url'
            else complain exists
    -- The url that gets recorded is the one the check returned, which
    -- can differ from the url that was passed in.
    record url' = do
        setUrlPresent key url'
        logChange key u InfoPresent
        next $ return True
    complain exists = do
        warning $ "while adding a new url to an already annexed file, " ++ reason exists
        stop
    reason True = "url does not have expected file size (use --relaxed to bypass this check) " ++ url
    reason False = "failed to verify url exists: " ++ url
|
2011-08-06 18:57:22 +00:00
|
|
|
|
2017-11-30 17:45:43 +00:00
|
|
|
{- Adds an url to the repository, normally at the specified FilePath.
 - The url is downloaded, except in fast or relaxed mode.
 -
 - If youtube-dl supports the url, the content is written to a different
 - file that is named after the title of the media, unless the user
 - specified fileOption, which forces the use of the FilePath. -}
addUrlFile :: AddUnlockedMatcher -> DownloadOptions -> URLString -> Url.UrlInfo -> FilePath -> Annex (Maybe Key)
addUrlFile addunlockedmatcher o url urlinfo file = do
    skipdownload <- Annex.getState Annex.fast <||> pure (relaxedOption o)
    let add = if skipdownload then nodownloadWeb else downloadWeb
    add addunlockedmatcher o url urlinfo file
|
|
|
|
|
2019-12-20 19:01:34 +00:00
|
|
|
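{- Downloads the url from the web to a temporary location and adds the
 - result to the work tree, returning the key that was added.
 -
 - Unless the raw option is set, content that looks like html is handed
 - to youtube-dl to see if it embeds media; when it does, the media is
 - downloaded and added instead of the html page.
 -
 - Security context, from the commit message attached to this code
 - (2018-06-15): url downloads are limited to the schemes listed in
 - annex.security.allowed-url-schemes (http and https by default), because
 - file: and similar schemes allowed file exfiltration by anyone with
 - write access to the git repository. That check is also applied to
 - urls passed to youtube-dl, but it cannot see redirects that youtube-dl
 - follows on its own.
 -}
downloadWeb :: AddUnlockedMatcher -> DownloadOptions -> URLString -> Url.UrlInfo -> FilePath -> Annex (Maybe Key)
downloadWeb addunlockedmatcher o url urlinfo file =
  go =<< downloadWith' downloader urlkey webUUID url (AssociatedFile (Just (toRawFilePath file)))
  where
    -- Dummy key for the transfer, derived from the url, with the size
    -- from urlinfo added.
    urlkey = addSizeUrlKey urlinfo $ Backend.URL.fromUrl url Nothing
    downloader f p = Url.withUrlOptions $ downloadUrl urlkey p [url] f
    go Nothing = return Nothing
    -- If we downloaded a html file, try to use youtube-dl to
    -- extract embedded media.
    -- NOTE(review): tmp holds untrusted downloaded content and is read
    -- with readFile; confirm isHtml only inspects a bounded prefix and
    -- tolerates content that does not decode in the current locale.
    go (Just tmp) = ifM (pure (not (rawOption o)) <&&> liftIO (isHtml <$> readFile tmp))
      ( tryyoutubedl tmp
      , normalfinish tmp
      )
    -- Adds the downloaded content as-is, refusing to overwrite an
    -- existing or ignored file (see checkCanAdd).
    normalfinish tmp = checkCanAdd file $ do
      showDestinationFile file
      createWorkTreeDirectory (parentDir file)
      Just <$> finishDownloadWith addunlockedmatcher tmp webUUID url file
    tryyoutubedl tmp
      -- When the user specified a file, ask youtube-dl what
      -- filename it will download first, so the file is only used
      -- when the url contains embedded media.
      --
      -- This guard has to come before the otherwise guard; in the
      -- opposite order it could never be selected, and the user's
      -- file would be ignored in favour of youtube-dl's filename.
      | isJust (fileOption o) = youtubeDlFileNameHtmlOnly url >>= \case
          Right _ -> dl file
          Left _ -> normalfinish tmp
      -- Ask youtube-dl what filename it will download
      -- first, and check if that is already an annexed file,
      -- to avoid unnecessary work in that case.
      --
      -- NOTE(review): dest is derived from remote content;
      -- presumably youtubeDlFileNameHtmlOnly sanitizes it, confirm
      -- there.
      | otherwise = youtubeDlFileNameHtmlOnly url >>= \case
          Right dest -> ifAnnexed (toRawFilePath dest)
            (alreadyannexed dest)
            (dl dest)
          Left _ -> normalfinish tmp
      where
        dl dest = withTmpWorkDir mediakey $ \workdir -> do
          -- Removes the downloaded html page once it is no longer
          -- needed.
          let cleanuptmp = pruneTmpWorkDirBefore tmp (liftIO . nukeFile)
          Transfer.notifyTransfer Transfer.Download url $
            Transfer.download webUUID mediakey (AssociatedFile Nothing) Transfer.noRetry $ \_p ->
              youtubeDl url workdir >>= \case
                Right (Just mediafile) -> do
                  cleanuptmp
                  checkCanAdd dest $ do
                    showDestinationFile dest
                    addWorkTree addunlockedmatcher webUUID mediaurl dest mediakey (Just mediafile)
                    return $ Just mediakey
                -- No media was produced; fall back to adding
                -- the downloaded page itself.
                Right Nothing -> normalfinish tmp
                Left msg -> do
                  cleanuptmp
                  warning msg
                  return Nothing
        mediaurl = setDownloader url YoutubeDownloader
        mediakey = Backend.URL.fromUrl mediaurl Nothing
        -- Does the already annexed file have the mediaurl
        -- as an url? If so nothing to do.
        alreadyannexed dest k = do
          us <- getUrls k
          if mediaurl `elem` us
            then return (Just k)
            else do
              warning $ dest ++ " already exists; not overwriting"
              return Nothing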
{- Starts an addurl action for the url.
 -
 - Unless the user provided a filename, the destination file is not yet
 - known when the action starts. To keep the output consistent, the
 - filename is not displayed here, but it is added to the json output
 - when the user did provide one. -}
startingAddUrl :: URLString -> AddUrlOptions -> CommandPerform -> CommandStart
startingAddUrl url o p = starting "addurl" (ActionItemOther (Just url)) $ do
  maybe noop jsonfile (fileOption (downloadOptions o))
  p
  where
    jsonfile file = maybeShowJSON $ JSONChunk [("file", file)]
{- Displays the destination file as a note, and adds it to the json
 - output. -}
showDestinationFile :: FilePath -> Annex ()
showDestinationFile file =
  showNote ("to " ++ file)
    >> maybeShowJSON (JSONChunk [("file", file)])
{- Downloads the url using the downloader, sets up the worktree file,
 - and returns the real key.
 -
 - The Key passed in should be a dummy key, based on the URL. It is used
 - for the download itself, before the file can be examined to find its
 - real key. The dummy key for a given url should be stable, so that
 - resuming downloads works, and should have the size of the url already
 - set, so that disk space checking works.
 -}
downloadWith :: AddUnlockedMatcher -> (FilePath -> MeterUpdate -> Annex Bool) -> Key -> UUID -> URLString -> FilePath -> Annex (Maybe Key)
downloadWith addunlockedmatcher downloader dummykey u url file =
  downloadWith' downloader dummykey u url afile >>= \case
    Nothing -> return Nothing
    Just tmp -> Just <$> finishDownloadWith addunlockedmatcher tmp u url file
  where
    afile = AssociatedFile (Just (toRawFilePath file))
{- Like downloadWith, but does not add anything to the work tree. The
 - content is left in the temporary object location of the dummy key,
 - and that location is returned when the download succeeded. -}
downloadWith' :: (FilePath -> MeterUpdate -> Annex Bool) -> Key -> UUID -> URLString -> AssociatedFile -> Annex (Maybe FilePath)
downloadWith' downloader dummykey u url afile =
  checkDiskSpaceToGet dummykey Nothing $ do
    tmp <- fromRepo $ gitAnnexTmpObjectLocation dummykey
    let fetch p = do
          -- The directory holding tmp may not exist yet.
          createAnnexDirectory (parentDir tmp)
          downloader tmp p
    ok <- Transfer.notifyTransfer Transfer.Download url $
      Transfer.download u dummykey afile Transfer.stdRetry fetch
    return $ if ok then Just tmp else Nothing
{- Generates the real key for the content that was downloaded to tmp,
 - using the backend chosen for the file, then adds it to the work tree
 - as file and returns that key. -}
finishDownloadWith :: AddUnlockedMatcher -> FilePath -> UUID -> URLString -> FilePath -> Annex Key
finishDownloadWith addunlockedmatcher tmp u url file = do
  backend <- chooseBackend file
  (key, _) <- genKey keysource nullMeterUpdate backend
  addWorkTree addunlockedmatcher u url file key (Just tmp)
  return key
  where
    -- The key is named after the destination file, but its content is
    -- read from the temporary download location.
    keysource = KeySource
      { keyFilename = toRawFilePath file
      , contentLocation = toRawFilePath tmp
      , inodeCache = Nothing
      }
{- Sets the size of the Key to the size recorded in the UrlInfo. -}
addSizeUrlKey :: Url.UrlInfo -> Key -> Key
addSizeUrlKey urlinfo key = alterKey key withsize
  where
    withsize d = d { keySize = Url.urlSize urlinfo }
convert importfeed to youtube-dl
Fully working, including --fast/--relaxed.
Note that, while git-annex addurl --relaxed is not going to check
youtube-dl, I kept git annex importfeed --relaxed checking it.
Thinking is that, let's not break people's importfeed cron jobs, and
importfeed does not typically have to check a large number of new items,
so it's ok if it's a little bit slower when used with youtube playlist
feeds.
importfeed's behavior is also improved (?) when a feed has links in it
to non-media files. Before, those were skipped. Now, the content of the
link is downloaded. This had to be done, because trying to use
youtube-dl is slow, and if those were skipped, it would have to check
every time importfeed was run. While this behavior change may not be
desirable for some feeds, that intersperse links to web pages with
enclosures, it will be desirable for other feeds, that have
non-enclosure direct links to media files.
Remove old quvi modules.
This commit was sponsored by Øyvind Andersen Holm.
2017-11-29 21:05:27 +00:00
{- Adds worktree file to the repository.
 -
 - When mtmp is Nothing there is no content, and the file is annexed with
 - just the key. Otherwise mtmp is the temporary location of the content,
 - and the large files matcher decides whether it is annexed or added
 - as a small file.
 -}
addWorkTree :: AddUnlockedMatcher -> UUID -> URLString -> FilePath -> Key -> Maybe FilePath -> Annex ()
addWorkTree addunlockedmatcher u url file key mtmp = maybe annexit withcontent mtmp
  where
    withcontent tmp = do
      -- Move to final location for large file check.
      pruneTmpWorkDirBefore tmp $ \_ -> do
        createWorkTreeDirectory (takeDirectory file)
        liftIO $ renameFile tmp file
      matcher <- largeFilesMatcher
      islarge <- checkFileMatcher matcher file
      if islarge
        then do
          -- Move back to tmp because addAnnexedFile
          -- needs the file in a different location
          -- than the work tree file.
          liftIO $ renameFile file tmp
          annexit
        else void $ Command.Add.addSmall (toRawFilePath file)
    annexit = do
      maybeShowJSON $ JSONChunk [("key", serializeKey key)]
      setUrlPresent key url
      logChange key u InfoPresent
      -- NOTE(review): the url and location log are updated before it
      -- is known whether the content was accepted. The commit message
      -- attached to this code (2017-02-27) describes content being
      -- refused when annex.securehashesonly forbids the key's hash;
      -- presumably that is what a False result means here, confirm in
      -- addAnnexedFile.
      accepted <- addAnnexedFile addunlockedmatcher file key mtmp
      if accepted
        then when (isJust mtmp) $
          logStatus key InfoPresent
        -- Content was not added, so do not leave it in tmp.
        else maybe noop (\tmp -> pruneTmpWorkDirBefore tmp (liftIO . nukeFile)) mtmp
{- Adds an url to the work tree without downloading its content.
 -
 - The url has to exist according to the UrlInfo. Unless the raw option
 - is set, youtube-dl is asked for the filename of media at the url; when
 - it provides one, the url is recorded as a youtube-dl url instead.
 -}
nodownloadWeb :: AddUnlockedMatcher -> DownloadOptions -> URLString -> Url.UrlInfo -> FilePath -> Annex (Maybe Key)
nodownloadWeb addunlockedmatcher o url urlinfo file
  | not (Url.urlExists urlinfo) = do
      warning $ "unable to access url: " ++ url
      return Nothing
  | rawOption o = nomedia
  | otherwise = youtubeDlFileName url >>= either (const nomedia) usemedia
  where
    nomedia =
      nodownloadWeb' addunlockedmatcher url
        (Backend.URL.fromUrl url (Url.urlSize urlinfo))
        file
    usemedia mediafile =
      nodownloadWeb' addunlockedmatcher mediaurl mediakey dest
      where
        -- A filename provided by the user wins. Otherwise only the
        -- final path component of youtube-dl's filename is used, so
        -- any directory part it contains is dropped.
        dest
          | isJust (fileOption o) = file
          | otherwise = takeFileName mediafile
        mediaurl = setDownloader url YoutubeDownloader
        mediakey = Backend.URL.fromUrl mediaurl Nothing
{- Adds the key to the work tree as file, with no content, recording the
 - url as being present in the web. Does nothing when checkCanAdd
 - refuses the file. -}
nodownloadWeb' :: AddUnlockedMatcher -> URLString -> Key -> FilePath -> Annex (Maybe Key)
nodownloadWeb' addunlockedmatcher url key file = checkCanAdd file $
  showDestinationFile file
    >> createWorkTreeDirectory (parentDir file)
    >> addWorkTree addunlockedmatcher webUUID url file key Nothing
    >> return (Just key)
Fix a few bugs involving filenames that are at or near the filesystem's maximum filename length limit.
Started with a problem when running addurl on a really long url,
because the whole url is munged into the filename. Ended up doing
a fairly extensive review for places where filenames could get too large,
although it's hard to say I've not missed any.
Backend.Url had a 128 character limit, which is fine when the limit is 255,
but not if it's a lot shorter on some systems. So check the pathconf()
limit. Note that this could result in fromUrl creating different keys
for the same url, if run on systems with different limits. I don't see
this is likely to cause any problems. That can already happen when using
addurl --fast, or if the content of an url changes.
Both Command.AddUrl and Backend.Url assumed that urls don't contain a
lot of multi-byte unicode, and would fail to truncate an url that did
properly.
A few places use a filename as the template to make a temp file.
While that's nice in that the temp file name can be easily related back to
the original filename, it could lead to `git annex add` failing to add a
filename that was at or close to the maximum length.
Note that in Command.Add.lockdown, the template is still derived from the
filename, just with enough space left to turn it into a temp file.
This is an important optimisation, because the assistant may lock down
a bunch of files all at once, and using the same template for all of them
would cause openTempFile to iterate through the same set of names,
looking for an unused temp file. I'm not very happy with the relatedTemplate
hack, but it avoids that slowdown.
Backend.WORM does not limit the filename stored in the key.
I have not tried to change that; so git annex add will fail on really long
filenames when using the WORM backend. It seems better to preserve the
invariant that a WORM key always contains the complete filename, since
the filename is the only unique material in the key, other than mtime and
size. Since nobody has complained about add failing (I think I saw it
once?) on WORM, probably it's ok, or nobody but me uses it.
There may be compatibility problems if using git annex addurl --fast
or the WORM backend on a system with the 255 limit and then trying to use
that repo in a system with a smaller limit. I have not tried to deal with
those.
This commit was sponsored by Alexander Brem. Thanks!
2013-07-30 21:49:11 +00:00
{- Derives a filename from the host name, path, and query of an url.
 -
 - Without a pathdepth, the whole string is sanitized and truncated to
 - pathmax, yielding a single filename. With a pathdepth, the string is
 - split on '/', empty components are dropped, and each remaining
 - component is sanitized and truncated on its own before the selected
 - ones are joined with '/':
 -
 -  * a depth that is at least the number of components keeps all of them
 -  * a positive depth drops that many leading components
 -  * a negative depth keeps that many trailing components
 -  * a depth of 0 is otherwise rejected with "bad --pathdepth"
 -
 - Note that the result can be empty, when a pathdepth is given and the
 - url has no non-empty components, so callers should be prepared for
 - that.
 -}
url2file :: URI -> Maybe Int -> Int -> FilePath
url2file url pathdepth pathmax = maybe wholeurl bydepth pathdepth
  where
    wholeurl = truncateFilePath pathmax $ sanitizeFilePath fullurl
    bydepth depth
      | depth >= length urlbits = frombits id
      | depth > 0 = frombits $ drop depth
      | depth < 0 = frombits $ lastbits (negate depth)
      | otherwise = giveup "bad --pathdepth"
    lastbits n = reverse . take n . reverse
    fullurl =
      maybe "" uriRegName (uriAuthority url)
        ++ uriPath url
        ++ uriQuery url
    frombits select = intercalate "/" (select urlbits)
    -- Every component is sanitized separately, since the url is not
    -- under the user's control.
    urlbits =
      [ truncateFilePath pathmax (sanitizeFilePath bit)
      | bit <- splitc '/' fullurl
      , not (null bit)
      ]
{- Like url2file, but starting from an url string. Gives up with
 - "bad uri" when the string cannot be parsed. -}
urlString2file :: URLString -> Maybe Int -> Int -> FilePath
urlString2file s pathdepth pathmax =
  maybe baduri tofile (Url.parseURIRelaxed s)
  where
    baduri = giveup $ "bad uri " ++ s
    tofile u = url2file u pathdepth pathmax
{- Applies the prefix and suffix options, when set, to a filename.
 - The suffix is appended first, then the prefix is prepended. -}
adjustFile :: AddUrlOptions -> FilePath -> FilePath
adjustFile o f = withprefix (withsuffix f)
  where
    withprefix name = case prefixOption o of
      Nothing -> name
      Just prefix -> prefix ++ name
    withsuffix name = case suffixOption o of
      Nothing -> name
      Just suffix -> name ++ suffix
{- Runs the action only when the file can be added: nothing may exist
 - at that path yet, and, unless force is set, the file must not be
 - ignored by git. Otherwise a warning is displayed and Nothing is
 - returned.
 -
 - The existence check uses getSymbolicLinkStatus, which does not follow
 - symbolic links, so a symlink at the path counts as existing even when
 - its target is missing.
 -
 - NOTE(review): the check and the action are separate steps, so this
 - does not by itself stop the path from being created in between.
 -}
checkCanAdd :: FilePath -> Annex (Maybe a) -> Annex (Maybe a)
checkCanAdd file a = do
  exists <- isJust <$> (liftIO $ catchMaybeIO $ getSymbolicLinkStatus file)
  if exists
    then refuse $ file ++ " already exists; not overwriting"
    else do
      ignored <- (not <$> Annex.getState Annex.force) <&&> checkIgnored file
      if ignored
        then refuse $ "not adding " ++ file ++ " which is .gitignored (use --force to override)"
        else a
  where
    refuse msg = do
      warning msg
      return Nothing