2011-07-01 21:15:46 +00:00
|
|
|
{- git-annex command
|
|
|
|
-
|
2024-02-29 17:26:06 +00:00
|
|
|
- Copyright 2011-2024 Joey Hess <id@joeyh.name>
|
2011-07-01 21:15:46 +00:00
|
|
|
-
|
2019-03-13 19:48:14 +00:00
|
|
|
- Licensed under the GNU AGPL version 3 or higher.
|
2011-07-01 21:15:46 +00:00
|
|
|
-}
|
|
|
|
|
2023-04-10 16:13:26 +00:00
|
|
|
{-# LANGUAGE OverloadedStrings #-}
|
|
|
|
|
2011-07-01 21:15:46 +00:00
|
|
|
module Command.AddUrl where
|
|
|
|
|
|
|
|
import Command
|
2012-06-05 23:51:03 +00:00
|
|
|
import Backend
|
2011-07-01 22:46:07 +00:00
|
|
|
import qualified Annex
|
2013-09-28 18:35:21 +00:00
|
|
|
import qualified Annex.Url as Url
|
2011-08-06 18:57:22 +00:00
|
|
|
import qualified Backend.URL
|
2014-12-08 23:14:24 +00:00
|
|
|
import qualified Remote
|
|
|
|
import qualified Types.Remote as Remote
|
2015-12-22 17:23:33 +00:00
|
|
|
import qualified Command.Add
|
2011-10-04 04:40:47 +00:00
|
|
|
import Annex.Content
|
2015-12-22 17:23:33 +00:00
|
|
|
import Annex.Ingest
|
2016-09-21 21:21:48 +00:00
|
|
|
import Annex.CheckIgnore
|
2020-03-06 15:57:15 +00:00
|
|
|
import Annex.Perms
|
2014-12-17 17:57:52 +00:00
|
|
|
import Annex.UUID
|
2022-10-26 17:58:20 +00:00
|
|
|
import Annex.WorkTree
|
2017-11-29 19:49:05 +00:00
|
|
|
import Annex.YoutubeDl
|
addurl --preserve-filename and a few related changes
* addurl --preserve-filename: New option, uses server-provided filename
without any sanitization, but with some security checking.
Not yet implemented for remotes other than the web.
* addurl, importfeed: Avoid adding filenames with leading '.', instead
it will be replaced with '_'.
This might be considered a security fix, but a CVE seems unwattanted.
It was possible for addurl to create a dotfile, which could change
behavior of some program. It was also possible for a web server to say
the file name was ".git" or "foo/.git". That would not overrwrite the
.git directory, but would cause addurl to fail; of course git won't
add "foo/.git".
sanitizeFilePath is too opinionated to remain in Utility, so moved it.
The changes to mkSafeFilePath are because it used sanitizeFilePath.
In particular:
isDrive will never succeed, because "c:" gets munged to "c_"
".." gets sanitized now
".git" gets sanitized now
It will never be null, because sanitizeFilePath keeps the length
the same, and splitDirectories never returns a null path.
Also, on the off chance a web server suggests a filename of "",
ignore that, rather than trying to save to such a filename, which would
fail in some way.
2020-05-08 20:09:29 +00:00
|
|
|
import Annex.UntrustedFilePath
|
2011-10-15 20:36:56 +00:00
|
|
|
import Logs.Web
|
2012-06-20 20:07:14 +00:00
|
|
|
import Types.KeySource
|
2014-12-11 19:32:42 +00:00
|
|
|
import Types.UrlContents
|
2015-12-02 19:12:33 +00:00
|
|
|
import Annex.FileMatcher
|
2013-04-11 17:35:52 +00:00
|
|
|
import Logs.Location
|
2014-12-08 23:14:24 +00:00
|
|
|
import Utility.Metered
|
2017-11-28 21:17:40 +00:00
|
|
|
import Utility.HtmlDetect
|
2017-12-31 20:08:31 +00:00
|
|
|
import Utility.Path.Max
|
2023-08-14 16:28:10 +00:00
|
|
|
import Utility.Url.Parse
|
2020-11-03 14:11:04 +00:00
|
|
|
import qualified Utility.RawFilePath as R
|
2014-03-22 14:42:38 +00:00
|
|
|
import qualified Annex.Transfer as Transfer
|
2011-07-01 21:15:46 +00:00
|
|
|
|
2020-11-03 14:11:04 +00:00
|
|
|
import Network.URI
|
|
|
|
import qualified System.FilePath.ByteString as P
|
|
|
|
|
2015-07-08 16:33:27 +00:00
|
|
|
cmd :: Command
|
2022-07-05 19:34:49 +00:00
|
|
|
cmd = notBareRepo $ withAnnexOptions
|
|
|
|
[ jobsOption
|
|
|
|
, jsonOptions
|
|
|
|
, jsonProgressOption
|
|
|
|
, backendOption
|
|
|
|
] $
|
2015-07-08 19:08:02 +00:00
|
|
|
command "addurl" SectionCommon "add urls to annex"
|
2015-07-13 14:57:49 +00:00
|
|
|
(paramRepeating paramUrl) (seek <$$> optParser)
|
2012-02-08 19:35:18 +00:00
|
|
|
|
2015-07-13 14:57:49 +00:00
|
|
|
data AddUrlOptions = AddUrlOptions
|
|
|
|
{ addUrls :: CmdParams
|
|
|
|
, pathdepthOption :: Maybe Int
|
2015-07-21 16:50:05 +00:00
|
|
|
, prefixOption :: Maybe String
|
|
|
|
, suffixOption :: Maybe String
|
2017-11-30 20:48:35 +00:00
|
|
|
, downloadOptions :: DownloadOptions
|
2015-12-21 16:57:13 +00:00
|
|
|
, batchOption :: BatchMode
|
2015-12-22 16:20:39 +00:00
|
|
|
, batchFilesOption :: Bool
|
2015-07-13 14:57:49 +00:00
|
|
|
}
|
2011-07-01 21:15:46 +00:00
|
|
|
|
2017-11-30 20:48:35 +00:00
|
|
|
data DownloadOptions = DownloadOptions
|
|
|
|
{ relaxedOption :: Bool
|
2024-02-29 17:26:06 +00:00
|
|
|
, verifiableOption :: Bool
|
2017-11-30 20:48:35 +00:00
|
|
|
, rawOption :: Bool
|
2021-06-27 15:13:38 +00:00
|
|
|
, noRawOption :: Bool
|
2024-02-05 19:16:25 +00:00
|
|
|
, rawExceptOption :: Maybe (DeferredParse Remote)
|
2017-11-30 20:48:35 +00:00
|
|
|
, fileOption :: Maybe FilePath
|
addurl --preserve-filename and a few related changes
* addurl --preserve-filename: New option, uses server-provided filename
without any sanitization, but with some security checking.
Not yet implemented for remotes other than the web.
* addurl, importfeed: Avoid adding filenames with leading '.', instead
it will be replaced with '_'.
This might be considered a security fix, but a CVE seems unwattanted.
It was possible for addurl to create a dotfile, which could change
behavior of some program. It was also possible for a web server to say
the file name was ".git" or "foo/.git". That would not overrwrite the
.git directory, but would cause addurl to fail; of course git won't
add "foo/.git".
sanitizeFilePath is too opinionated to remain in Utility, so moved it.
The changes to mkSafeFilePath are because it used sanitizeFilePath.
In particular:
isDrive will never succeed, because "c:" gets munged to "c_"
".." gets sanitized now
".git" gets sanitized now
It will never be null, because sanitizeFilePath keeps the length
the same, and splitDirectories never returns a null path.
Also, on the off chance a web server suggests a filename of "",
ignore that, rather than trying to save to such a filename, which would
fail in some way.
2020-05-08 20:09:29 +00:00
|
|
|
, preserveFilenameOption :: Bool
|
Added --no-check-gitignore option for finer grained control than using --force.
add, addurl, importfeed, import: Added --no-check-gitignore option
for finer grained control than using --force.
(--force is used for too many different things, and at least one
of these also uses it for something else. I would like to reduce
--force's footprint until it only forces drops or a few other data
losses. For now, --force still disables checking ignores too.)
addunused: Don't check .gitignores when adding files. This is a behavior
change, but I justify it by analogy with git add of a gitignored file
adding it, asking to add all unused files back should add them all back,
not skip some. The old behavior was surprising.
In Command.Lock and Command.ReKey, CheckGitIgnore False does not change
behavior, it only makes explicit what is done. Since these commands are run
on annexed files, the file is already checked into git, so git add won't
check ignores.
2020-09-18 17:12:04 +00:00
|
|
|
, checkGitIgnoreOption :: CheckGitIgnore
|
2017-11-30 20:48:35 +00:00
|
|
|
}
|
|
|
|
|
2015-07-13 14:57:49 +00:00
|
|
|
optParser :: CmdParamsDesc -> Parser AddUrlOptions
|
|
|
|
optParser desc = AddUrlOptions
|
|
|
|
<$> cmdParams desc
|
|
|
|
<*> optional (option auto
|
|
|
|
( long "pathdepth" <> metavar paramNumber
|
2015-07-21 16:50:05 +00:00
|
|
|
<> help "number of url path components to use in filename"
|
|
|
|
))
|
|
|
|
<*> optional (strOption
|
|
|
|
( long "prefix" <> metavar paramValue
|
|
|
|
<> help "add a prefix to the filename"
|
|
|
|
))
|
|
|
|
<*> optional (strOption
|
|
|
|
( long "suffix" <> metavar paramValue
|
|
|
|
<> help "add a suffix to the filename"
|
2015-07-13 14:57:49 +00:00
|
|
|
))
|
2017-11-30 20:48:35 +00:00
|
|
|
<*> parseDownloadOptions True
|
2021-08-25 18:20:33 +00:00
|
|
|
<*> parseBatchOption False
|
2015-12-22 16:20:39 +00:00
|
|
|
<*> switch
|
|
|
|
( long "with-files"
|
|
|
|
<> help "parse batch mode lines of the form \"$url $file\""
|
|
|
|
)
|
2015-07-13 15:06:41 +00:00
|
|
|
|
2017-11-30 20:48:35 +00:00
|
|
|
parseDownloadOptions :: Bool -> Parser DownloadOptions
|
addurl --preserve-filename and a few related changes
* addurl --preserve-filename: New option, uses server-provided filename
without any sanitization, but with some security checking.
Not yet implemented for remotes other than the web.
* addurl, importfeed: Avoid adding filenames with leading '.', instead
it will be replaced with '_'.
This might be considered a security fix, but a CVE seems unwattanted.
It was possible for addurl to create a dotfile, which could change
behavior of some program. It was also possible for a web server to say
the file name was ".git" or "foo/.git". That would not overrwrite the
.git directory, but would cause addurl to fail; of course git won't
add "foo/.git".
sanitizeFilePath is too opinionated to remain in Utility, so moved it.
The changes to mkSafeFilePath are because it used sanitizeFilePath.
In particular:
isDrive will never succeed, because "c:" gets munged to "c_"
".." gets sanitized now
".git" gets sanitized now
It will never be null, because sanitizeFilePath keeps the length
the same, and splitDirectories never returns a null path.
Also, on the off chance a web server suggests a filename of "",
ignore that, rather than trying to save to such a filename, which would
fail in some way.
2020-05-08 20:09:29 +00:00
|
|
|
parseDownloadOptions withfileoptions = DownloadOptions
|
2017-11-30 20:48:35 +00:00
|
|
|
<$> switch
|
|
|
|
( long "relaxed"
|
2024-02-29 17:26:06 +00:00
|
|
|
<> help "accept whatever content is downloaded from web even if it changes"
|
|
|
|
)
|
|
|
|
<*> switch
|
|
|
|
( long "verifiable"
|
|
|
|
<> short 'V'
|
|
|
|
<> help "improve later verification of --fast or --relaxed content"
|
2017-11-30 20:48:35 +00:00
|
|
|
)
|
|
|
|
<*> switch
|
|
|
|
( long "raw"
|
|
|
|
<> help "disable special handling for torrents, youtube-dl, etc"
|
|
|
|
)
|
2021-06-27 15:13:38 +00:00
|
|
|
<*> switch
|
|
|
|
( long "no-raw"
|
|
|
|
<> help "prevent downloading raw url content, must use special handling"
|
|
|
|
)
|
2024-02-05 19:16:25 +00:00
|
|
|
<*> optional
|
|
|
|
(mkParseRemoteOption <$> strOption
|
|
|
|
( long "raw-except" <> metavar paramRemote
|
|
|
|
<> help "disable special handling except by this remote"
|
|
|
|
<> completeRemotes
|
|
|
|
)
|
|
|
|
)
|
addurl --preserve-filename and a few related changes
* addurl --preserve-filename: New option, uses server-provided filename
without any sanitization, but with some security checking.
Not yet implemented for remotes other than the web.
* addurl, importfeed: Avoid adding filenames with leading '.', instead
it will be replaced with '_'.
This might be considered a security fix, but a CVE seems unwattanted.
It was possible for addurl to create a dotfile, which could change
behavior of some program. It was also possible for a web server to say
the file name was ".git" or "foo/.git". That would not overrwrite the
.git directory, but would cause addurl to fail; of course git won't
add "foo/.git".
sanitizeFilePath is too opinionated to remain in Utility, so moved it.
The changes to mkSafeFilePath are because it used sanitizeFilePath.
In particular:
isDrive will never succeed, because "c:" gets munged to "c_"
".." gets sanitized now
".git" gets sanitized now
It will never be null, because sanitizeFilePath keeps the length
the same, and splitDirectories never returns a null path.
Also, on the off chance a web server suggests a filename of "",
ignore that, rather than trying to save to such a filename, which would
fail in some way.
2020-05-08 20:09:29 +00:00
|
|
|
<*> (if withfileoptions
|
2017-11-30 20:48:35 +00:00
|
|
|
then optional (strOption
|
|
|
|
( long "file" <> metavar paramFile
|
|
|
|
<> help "specify what file the url is added to"
|
|
|
|
))
|
addurl --preserve-filename and a few related changes
* addurl --preserve-filename: New option, uses server-provided filename
without any sanitization, but with some security checking.
Not yet implemented for remotes other than the web.
* addurl, importfeed: Avoid adding filenames with leading '.', instead
it will be replaced with '_'.
This might be considered a security fix, but a CVE seems unwattanted.
It was possible for addurl to create a dotfile, which could change
behavior of some program. It was also possible for a web server to say
the file name was ".git" or "foo/.git". That would not overrwrite the
.git directory, but would cause addurl to fail; of course git won't
add "foo/.git".
sanitizeFilePath is too opinionated to remain in Utility, so moved it.
The changes to mkSafeFilePath are because it used sanitizeFilePath.
In particular:
isDrive will never succeed, because "c:" gets munged to "c_"
".." gets sanitized now
".git" gets sanitized now
It will never be null, because sanitizeFilePath keeps the length
the same, and splitDirectories never returns a null path.
Also, on the off chance a web server suggests a filename of "",
ignore that, rather than trying to save to such a filename, which would
fail in some way.
2020-05-08 20:09:29 +00:00
|
|
|
else pure Nothing)
|
|
|
|
<*> (if withfileoptions
|
|
|
|
then switch
|
|
|
|
( long "preserve-filename"
|
|
|
|
<> help "use filename provided by server as-is"
|
|
|
|
)
|
|
|
|
else pure False)
|
Added --no-check-gitignore option for finer grained control than using --force.
add, addurl, importfeed, import: Added --no-check-gitignore option
for finer grained control than using --force.
(--force is used for too many different things, and at least one
of these also uses it for something else. I would like to reduce
--force's footprint until it only forces drops or a few other data
losses. For now, --force still disables checking ignores too.)
addunused: Don't check .gitignores when adding files. This is a behavior
change, but I justify it by analogy with git add of a gitignored file
adding it, asking to add all unused files back should add them all back,
not skip some. The old behavior was surprising.
In Command.Lock and Command.ReKey, CheckGitIgnore False does not change
behavior, it only makes explicit what is done. Since these commands are run
on annexed files, the file is already checked into git, so git add won't
check ignores.
2020-09-18 17:12:04 +00:00
|
|
|
<*> Command.Add.checkGitIgnoreSwitch
|
2012-02-16 16:25:19 +00:00
|
|
|
|
2015-07-13 14:57:49 +00:00
|
|
|
seek :: AddUrlOptions -> CommandSeek
|
2019-06-19 16:35:08 +00:00
|
|
|
seek o = startConcurrency commandStages $ do
|
2019-12-20 19:01:34 +00:00
|
|
|
addunlockedmatcher <- addUnlockedMatcher
|
2020-09-14 20:49:33 +00:00
|
|
|
let go (si, (o', u)) = do
|
2024-02-05 19:16:25 +00:00
|
|
|
r <- checkClaimingUrl (downloadOptions o) u
|
2019-12-20 19:01:34 +00:00
|
|
|
if Remote.uuid r == webUUID || rawOption (downloadOptions o')
|
2020-09-14 20:49:33 +00:00
|
|
|
then void $ commandAction $
|
|
|
|
startWeb addunlockedmatcher o' si u
|
|
|
|
else checkUrl addunlockedmatcher r o' si u
|
2015-12-21 16:57:13 +00:00
|
|
|
case batchOption o of
|
2022-01-26 16:59:55 +00:00
|
|
|
Batch fmt -> batchOnly Nothing (addUrls o) $
|
|
|
|
batchInput fmt (pure . parseBatchInput o) go
|
|
|
|
NoBatch -> forM_ (addUrls o) (\u -> go (SeekInput [u], (o, u)))
|
2015-12-22 16:20:39 +00:00
|
|
|
|
2024-02-05 19:16:25 +00:00
|
|
|
checkClaimingUrl :: DownloadOptions -> URLString -> Annex Remote
|
|
|
|
checkClaimingUrl o u = do
|
|
|
|
allowedremote <- case rawExceptOption o of
|
|
|
|
Nothing -> pure (const True)
|
|
|
|
Just f -> (==) <$> getParsed f
|
|
|
|
Remote.claimingUrl' allowedremote u
|
|
|
|
|
2015-12-22 16:20:39 +00:00
|
|
|
parseBatchInput :: AddUrlOptions -> String -> Either String (AddUrlOptions, URLString)
|
|
|
|
parseBatchInput o s
|
|
|
|
| batchFilesOption o =
|
|
|
|
let (u, f) = separate (== ' ') s
|
|
|
|
in if null u || null f
|
|
|
|
then Left ("parsed empty url or filename in input: " ++ s)
|
2017-11-30 20:48:35 +00:00
|
|
|
else Right (o { downloadOptions = (downloadOptions o) { fileOption = Just f } }, u)
|
2015-12-22 16:20:39 +00:00
|
|
|
| otherwise = Right (o, s)
|
2015-03-31 19:20:29 +00:00
|
|
|
|
2020-09-14 20:49:33 +00:00
|
|
|
checkUrl :: AddUnlockedMatcher -> Remote -> AddUrlOptions -> SeekInput -> URLString -> Annex ()
|
|
|
|
checkUrl addunlockedmatcher r o si u = do
|
2015-03-31 19:20:29 +00:00
|
|
|
pathmax <- liftIO $ fileNameLengthLimit "."
|
2017-11-30 20:48:35 +00:00
|
|
|
let deffile = fromMaybe (urlString2file u (pathdepthOption o) pathmax) (fileOption (downloadOptions o))
|
2015-03-31 19:20:29 +00:00
|
|
|
go deffile =<< maybe
|
2023-04-10 17:38:14 +00:00
|
|
|
(giveup $ "unable to checkUrl of " ++ Remote.name r)
|
2015-03-31 19:20:29 +00:00
|
|
|
(tryNonAsync . flip id u)
|
|
|
|
(Remote.checkUrl r)
|
|
|
|
where
|
|
|
|
|
2020-09-14 20:49:33 +00:00
|
|
|
go _ (Left e) = void $ commandAction $ startingAddUrl si u o $ do
|
filter out control characters in warning messages
Converted warning and similar to use StringContainingQuotedPath. Most
warnings are static strings, some do refer to filepaths that need to be
quoted, and others don't need quoting.
Note that, since quote filters out control characters of even
UnquotedString, this makes all warnings safe, even when an attacker
sneaks in a control character in some other way.
When json is being output, no quoting is done, since json gets its own
quoting.
This does, as a side effect, make warning messages in json output not
be indented. The indentation is only needed to offset warning messages
underneath the display of the file they apply to, so that's ok.
Sponsored-by: Brett Eisenberg on Patreon
2023-04-10 18:47:32 +00:00
|
|
|
warning (UnquotedString (show e))
|
make CommandStart return a StartMessage
The goal is to be able to run CommandStart in the main thread when -J is
used, rather than unncessarily passing it off to a worker thread, which
incurs overhead that is signficant when the CommandStart is going to
quickly decide to stop.
To do that, the message it displays needs to be displayed in the worker
thread, after the CommandStart has run.
Also, the change will mean that CommandStart will no longer necessarily
run with the same Annex state as CommandPerform. While its docs already
said it should avoid modifying Annex state, I audited all the
CommandStart code as part of the conversion. (Note that CommandSeek
already sometimes runs with a different Annex state, and that has not been
a source of any problems, so I am not too worried that this change will
lead to breakage going forward.)
The only modification of Annex state I found was it calling
allowMessages in some Commands that default to noMessages. Dealt with
that by adding a startCustomOutput and a startingUsualMessages.
This lets a command start with noMessages and then select the output it
wants for each CommandStart.
One bit of breakage: onlyActionOn has been removed from commands that used it.
The plan is that, since a StartMessage contains an ActionItem,
when a Key can be extracted from that, the parallel job runner can
run onlyActionOn' automatically. Then commands won't need to worry about
this detail. Future work.
Otherwise, this was a fairly straightforward process of making each
CommandStart compile again. Hopefully other behavior changes were mostly
avoided.
In a few cases, a command had a CommandStart that called a CommandPerform
that then called showStart multiple times. I have collapsed those
down to a single start action. The main command to perhaps suffer from it
is Command.Direct, which used to show a start for each file, and no
longer does.
Another minor behavior change is that some commands used showStart
before, but had an associated file and a Key available, so were changed
to ShowStart with an ActionItemAssociatedFile. That will not change the
normal output or behavior, but --json output will now include the key.
This should not break it for anyone using a real json parser.
2019-06-06 19:42:30 +00:00
|
|
|
next $ return False
|
2020-05-11 18:32:36 +00:00
|
|
|
go deffile (Right (UrlContents sz mf)) = do
|
|
|
|
f <- maybe (pure deffile) (sanitizeOrPreserveFilePath o) mf
|
|
|
|
let f' = adjustFile o (fromMaybe f (fileOption (downloadOptions o)))
|
2020-09-14 20:49:33 +00:00
|
|
|
void $ commandAction $ startRemote addunlockedmatcher r o si f' u sz
|
2018-10-29 18:41:41 +00:00
|
|
|
go deffile (Right (UrlMulti l)) = case fileOption (downloadOptions o) of
|
|
|
|
Nothing ->
|
2015-07-21 16:50:05 +00:00
|
|
|
forM_ l $ \(u', sz, f) -> do
|
2020-05-11 18:32:36 +00:00
|
|
|
f' <- sanitizeOrPreserveFilePath o f
|
2020-05-26 14:45:57 +00:00
|
|
|
let f'' = adjustFile o (deffile </> f')
|
2020-09-14 20:49:33 +00:00
|
|
|
void $ commandAction $ startRemote addunlockedmatcher r o si f'' u' sz
|
2018-10-29 18:41:41 +00:00
|
|
|
Just f -> case l of
|
|
|
|
[] -> noop
|
|
|
|
((u',sz,_):[]) -> do
|
|
|
|
let f' = adjustFile o f
|
2020-09-14 20:49:33 +00:00
|
|
|
void $ commandAction $ startRemote addunlockedmatcher r o si f' u' sz
|
2018-10-29 18:41:41 +00:00
|
|
|
_ -> giveup $ unwords
|
|
|
|
[ "That url contains multiple files according to the"
|
|
|
|
, Remote.name r
|
|
|
|
, " remote; cannot add it to a single file."
|
|
|
|
]
|
2014-12-08 23:14:24 +00:00
|
|
|
|
2020-09-14 20:49:33 +00:00
|
|
|
startRemote :: AddUnlockedMatcher -> Remote -> AddUrlOptions -> SeekInput -> FilePath -> URLString -> Maybe Integer -> CommandStart
|
|
|
|
startRemote addunlockedmatcher r o si file uri sz = do
|
2014-12-12 00:10:45 +00:00
|
|
|
pathmax <- liftIO $ fileNameLengthLimit "."
|
2020-11-03 22:34:27 +00:00
|
|
|
let file' = joinPath $ map (truncateFilePath pathmax) $
|
|
|
|
splitDirectories file
|
2020-09-14 20:49:33 +00:00
|
|
|
startingAddUrl si uri o $ do
|
2023-04-10 21:03:41 +00:00
|
|
|
showNote $ UnquotedString $ "from " ++ Remote.name r
|
|
|
|
showDestinationFile (toRawFilePath file')
|
2020-11-03 22:34:27 +00:00
|
|
|
performRemote addunlockedmatcher r o uri (toRawFilePath file') sz
|
2014-12-08 23:14:24 +00:00
|
|
|
|
2020-11-03 22:34:27 +00:00
|
|
|
performRemote :: AddUnlockedMatcher -> Remote -> AddUrlOptions -> URLString -> RawFilePath -> Maybe Integer -> CommandPerform
|
2022-10-26 17:58:20 +00:00
|
|
|
performRemote addunlockedmatcher r o uri file sz = lookupKey file >>= \case
|
|
|
|
Just k -> adduri k
|
|
|
|
Nothing -> geturi
|
2014-12-08 23:14:24 +00:00
|
|
|
where
|
|
|
|
loguri = setDownloader uri OtherDownloader
|
2017-11-30 20:48:35 +00:00
|
|
|
adduri = addUrlChecked o loguri file (Remote.uuid r) checkexistssize
|
2021-11-28 23:40:06 +00:00
|
|
|
checkexistssize key = return $ Just $ case sz of
|
2017-12-11 17:41:41 +00:00
|
|
|
Nothing -> (True, True, loguri)
|
2019-11-22 20:24:04 +00:00
|
|
|
Just n -> (True, n == fromMaybe n (fromKey keySize key), loguri)
|
2019-12-20 19:01:34 +00:00
|
|
|
geturi = next $ isJust <$> downloadRemoteFile addunlockedmatcher r (downloadOptions o) uri file sz
|
2014-12-11 20:43:46 +00:00
|
|
|
|
2020-11-03 22:34:27 +00:00
|
|
|
downloadRemoteFile :: AddUnlockedMatcher -> Remote -> DownloadOptions -> URLString -> RawFilePath -> Maybe Integer -> Annex (Maybe Key)
|
2020-09-29 17:00:41 +00:00
|
|
|
downloadRemoteFile addunlockedmatcher r o uri file sz = checkCanAdd o file $ \canadd -> do
|
2024-02-29 17:26:06 +00:00
|
|
|
let urlkey = Backend.URL.fromUrl uri sz (verifiableOption o)
|
2020-11-03 22:34:27 +00:00
|
|
|
createWorkTreeDirectory (parentDir file)
|
2022-06-28 19:28:14 +00:00
|
|
|
ifM (Annex.getRead Annex.fast <||> pure (relaxedOption o))
|
2014-12-11 20:43:46 +00:00
|
|
|
( do
|
2020-09-29 17:00:41 +00:00
|
|
|
addWorkTree canadd addunlockedmatcher (Remote.uuid r) loguri file urlkey Nothing
|
2014-12-11 20:43:46 +00:00
|
|
|
return (Just urlkey)
|
|
|
|
, do
|
|
|
|
-- Set temporary url for the urlkey
|
|
|
|
-- so that the remote knows what url it
|
|
|
|
-- should use to download it.
|
2014-12-17 18:34:42 +00:00
|
|
|
setTempUrl urlkey loguri
|
2020-05-13 21:05:56 +00:00
|
|
|
let downloader = \dest p ->
|
2021-08-17 16:41:36 +00:00
|
|
|
fst <$> Remote.verifiedAction
|
|
|
|
(Remote.retrieveKeyFile r urlkey af dest p (RemoteVerify r))
|
2020-09-29 17:00:41 +00:00
|
|
|
ret <- downloadWith canadd addunlockedmatcher downloader urlkey (Remote.uuid r) loguri file
|
2014-12-11 20:43:46 +00:00
|
|
|
removeTempUrl urlkey
|
|
|
|
return ret
|
|
|
|
)
|
|
|
|
where
|
|
|
|
loguri = setDownloader uri OtherDownloader
|
2020-11-03 22:34:27 +00:00
|
|
|
af = AssociatedFile (Just file)
|
2014-12-08 23:14:24 +00:00
|
|
|
|
2020-09-14 20:49:33 +00:00
|
|
|
startWeb :: AddUnlockedMatcher -> AddUrlOptions -> SeekInput -> URLString -> CommandStart
|
2023-03-27 17:38:02 +00:00
|
|
|
startWeb addunlockedmatcher o si urlstring = go $ fromMaybe bad $ parseURIPortable urlstring
|
2012-11-12 05:05:04 +00:00
|
|
|
where
|
2016-11-16 01:29:54 +00:00
|
|
|
bad = fromMaybe (giveup $ "bad url " ++ urlstring) $
|
2015-06-14 17:39:44 +00:00
|
|
|
Url.parseURIRelaxed $ urlstring
|
2020-09-14 20:49:33 +00:00
|
|
|
go url = startingAddUrl si urlstring o $
|
2020-04-27 17:48:14 +00:00
|
|
|
if relaxedOption (downloadOptions o)
|
|
|
|
then go' url Url.assumeUrlExists
|
|
|
|
else Url.withUrlOptions (Url.getUrlInfo urlstring) >>= \case
|
|
|
|
Right urlinfo -> go' url urlinfo
|
|
|
|
Left err -> do
|
filter out control characters in warning messages
Converted warning and similar to use StringContainingQuotedPath. Most
warnings are static strings, some do refer to filepaths that need to be
quoted, and others don't need quoting.
Note that, since quote filters out control characters of even
UnquotedString, this makes all warnings safe, even when an attacker
sneaks in a control character in some other way.
When json is being output, no quoting is done, since json gets its own
quoting.
This does, as a side effect, make warning messages in json output not
be indented. The indentation is only needed to offset warning messages
underneath the display of the file they apply to, so that's ok.
Sponsored-by: Brett Eisenberg on Patreon
2023-04-10 18:47:32 +00:00
|
|
|
warning (UnquotedString err)
|
2020-04-27 17:48:14 +00:00
|
|
|
next $ return False
|
|
|
|
go' url urlinfo = do
|
2013-09-09 06:16:22 +00:00
|
|
|
pathmax <- liftIO $ fileNameLengthLimit "."
|
2017-11-30 20:48:35 +00:00
|
|
|
file <- adjustFile o <$> case fileOption (downloadOptions o) of
|
2015-01-22 18:52:52 +00:00
|
|
|
Just f -> pure f
|
|
|
|
Nothing -> case Url.urlSuggestedFile urlinfo of
|
2020-05-11 18:32:36 +00:00
|
|
|
Just sf -> do
|
|
|
|
f <- sanitizeOrPreserveFilePath o sf
|
|
|
|
if preserveFilenameOption (downloadOptions o)
|
|
|
|
then pure f
|
|
|
|
else ifM (liftIO $ doesFileExist f <||> doesDirectoryExist f)
|
addurl --preserve-filename and a few related changes
* addurl --preserve-filename: New option, uses server-provided filename
without any sanitization, but with some security checking.
Not yet implemented for remotes other than the web.
* addurl, importfeed: Avoid adding filenames with leading '.', instead
it will be replaced with '_'.
This might be considered a security fix, but a CVE seems unwattanted.
It was possible for addurl to create a dotfile, which could change
behavior of some program. It was also possible for a web server to say
the file name was ".git" or "foo/.git". That would not overrwrite the
.git directory, but would cause addurl to fail; of course git won't
add "foo/.git".
sanitizeFilePath is too opinionated to remain in Utility, so moved it.
The changes to mkSafeFilePath are because it used sanitizeFilePath.
In particular:
isDrive will never succeed, because "c:" gets munged to "c_"
".." gets sanitized now
".git" gets sanitized now
It will never be null, because sanitizeFilePath keeps the length
the same, and splitDirectories never returns a null path.
Also, on the off chance a web server suggests a filename of "",
ignore that, rather than trying to save to such a filename, which would
fail in some way.
2020-05-08 20:09:29 +00:00
|
|
|
( pure $ url2file url (pathdepthOption o) pathmax
|
|
|
|
, pure f
|
|
|
|
)
|
|
|
|
_ -> pure $ url2file url (pathdepthOption o) pathmax
|
2020-11-03 22:34:27 +00:00
|
|
|
performWeb addunlockedmatcher o urlstring (toRawFilePath file) urlinfo
|
2013-08-22 22:25:21 +00:00
|
|
|
|
2020-05-11 18:32:36 +00:00
|
|
|
sanitizeOrPreserveFilePath :: AddUrlOptions -> FilePath -> Annex FilePath
|
|
|
|
sanitizeOrPreserveFilePath o f
|
|
|
|
| preserveFilenameOption (downloadOptions o) && not (null f) = do
|
|
|
|
checkPreserveFileNameSecurity f
|
|
|
|
return f
|
|
|
|
| otherwise = do
|
|
|
|
pathmax <- liftIO $ fileNameLengthLimit "."
|
|
|
|
return $ truncateFilePath pathmax $ sanitizeFilePath f
|
|
|
|
|
addurl --preserve-filename and a few related changes
* addurl --preserve-filename: New option, uses server-provided filename
without any sanitization, but with some security checking.
Not yet implemented for remotes other than the web.
* addurl, importfeed: Avoid adding filenames with leading '.', instead
it will be replaced with '_'.
This might be considered a security fix, but a CVE seems unwattanted.
It was possible for addurl to create a dotfile, which could change
behavior of some program. It was also possible for a web server to say
the file name was ".git" or "foo/.git". That would not overrwrite the
.git directory, but would cause addurl to fail; of course git won't
add "foo/.git".
sanitizeFilePath is too opinionated to remain in Utility, so moved it.
The changes to mkSafeFilePath are because it used sanitizeFilePath.
In particular:
isDrive will never succeed, because "c:" gets munged to "c_"
".." gets sanitized now
".git" gets sanitized now
It will never be null, because sanitizeFilePath keeps the length
the same, and splitDirectories never returns a null path.
Also, on the off chance a web server suggests a filename of "",
ignore that, rather than trying to save to such a filename, which would
fail in some way.
2020-05-08 20:09:29 +00:00
|
|
|
-- sanitizeFilePath avoids all these security problems
|
|
|
|
-- (and probably others, but at least this catches the most egrarious ones).
|
|
|
|
checkPreserveFileNameSecurity :: FilePath -> Annex ()
|
|
|
|
checkPreserveFileNameSecurity f = do
|
2023-04-10 16:13:26 +00:00
|
|
|
checksecurity controlCharacterInFilePath "control character"
|
|
|
|
checksecurity pathTraversalInFilePath "path traversal"
|
|
|
|
checksecurity gitDirectoryInFilePath "contains a .git directory"
|
addurl --preserve-filename and a few related changes
* addurl --preserve-filename: New option, uses server-provided filename
without any sanitization, but with some security checking.
Not yet implemented for remotes other than the web.
* addurl, importfeed: Avoid adding filenames with leading '.', instead
it will be replaced with '_'.
This might be considered a security fix, but a CVE seems unwattanted.
It was possible for addurl to create a dotfile, which could change
behavior of some program. It was also possible for a web server to say
the file name was ".git" or "foo/.git". That would not overrwrite the
.git directory, but would cause addurl to fail; of course git won't
add "foo/.git".
sanitizeFilePath is too opinionated to remain in Utility, so moved it.
The changes to mkSafeFilePath are because it used sanitizeFilePath.
In particular:
isDrive will never succeed, because "c:" gets munged to "c_"
".." gets sanitized now
".git" gets sanitized now
It will never be null, because sanitizeFilePath keeps the length
the same, and splitDirectories never returns a null path.
Also, on the off chance a web server suggests a filename of "",
ignore that, rather than trying to save to such a filename, which would
fail in some way.
2020-05-08 20:09:29 +00:00
|
|
|
where
|
2023-04-10 16:13:26 +00:00
|
|
|
checksecurity p d = when (p f) $ do
|
|
|
|
qp <- coreQuotePath <$> Annex.getGitConfig
|
|
|
|
giveup $ decodeBS $ quote qp $
|
|
|
|
"--preserve-filename was used, but the filename ("
|
|
|
|
<> QuotedPath (toRawFilePath f)
|
|
|
|
<> ") has a security problem ("
|
|
|
|
<> d
|
|
|
|
<> "), not adding."
|
addurl --preserve-filename and a few related changes
* addurl --preserve-filename: New option, uses server-provided filename
without any sanitization, but with some security checking.
Not yet implemented for remotes other than the web.
* addurl, importfeed: Avoid adding filenames with leading '.', instead
it will be replaced with '_'.
This might be considered a security fix, but a CVE seems unwattanted.
It was possible for addurl to create a dotfile, which could change
behavior of some program. It was also possible for a web server to say
the file name was ".git" or "foo/.git". That would not overrwrite the
.git directory, but would cause addurl to fail; of course git won't
add "foo/.git".
sanitizeFilePath is too opinionated to remain in Utility, so moved it.
The changes to mkSafeFilePath are because it used sanitizeFilePath.
In particular:
isDrive will never succeed, because "c:" gets munged to "c_"
".." gets sanitized now
".git" gets sanitized now
It will never be null, because sanitizeFilePath keeps the length
the same, and splitDirectories never returns a null path.
Also, on the off chance a web server suggests a filename of "",
ignore that, rather than trying to save to such a filename, which would
fail in some way.
2020-05-08 20:09:29 +00:00
|
|
|
|
2020-11-03 22:34:27 +00:00
|
|
|
performWeb :: AddUnlockedMatcher -> AddUrlOptions -> URLString -> RawFilePath -> Url.UrlInfo -> CommandPerform
|
2022-10-26 17:58:20 +00:00
|
|
|
performWeb addunlockedmatcher o url file urlinfo = lookupKey file >>= \case
|
|
|
|
Just k -> addurl k
|
|
|
|
Nothing -> geturl
|
2014-12-11 20:11:38 +00:00
|
|
|
where
|
2019-12-20 19:01:34 +00:00
|
|
|
geturl = next $ isJust <$> addUrlFile addunlockedmatcher (downloadOptions o) url urlinfo file
|
2019-03-18 17:34:29 +00:00
|
|
|
addurl = addUrlChecked o url file webUUID $ \k ->
|
2024-02-05 19:16:25 +00:00
|
|
|
ifM (useYoutubeDl (downloadOptions o) <&&> youtubeDlSupported url)
|
2021-11-28 23:40:06 +00:00
|
|
|
( return (Just (True, True, setDownloader url YoutubeDownloader))
|
2023-05-09 19:49:05 +00:00
|
|
|
, checkRaw Nothing (downloadOptions o) (pure Nothing) $
|
2021-11-28 23:40:06 +00:00
|
|
|
return (Just (Url.urlExists urlinfo, Url.urlSize urlinfo == fromKey keySize k, url))
|
2017-11-30 17:45:43 +00:00
|
|
|
)
|
2014-12-11 20:11:38 +00:00
|
|
|
|
2017-11-30 17:45:43 +00:00
|
|
|
{- Check that the url exists, and has the same size as the key,
|
|
|
|
- and add it as an url to the key. -}
|
2021-11-28 23:40:06 +00:00
|
|
|
addUrlChecked :: AddUrlOptions -> URLString -> RawFilePath -> UUID -> (Key -> Annex (Maybe (Bool, Bool, URLString))) -> Key -> CommandPerform
|
2017-11-30 20:48:35 +00:00
|
|
|
addUrlChecked o url file u checkexistssize key =
|
2017-11-30 17:45:43 +00:00
|
|
|
ifM ((elem url <$> getUrls key) <&&> (elem u <$> loggedLocations key))
|
2017-11-30 19:06:21 +00:00
|
|
|
( do
|
2023-04-10 21:03:41 +00:00
|
|
|
showDestinationFile file
|
2017-11-30 19:06:21 +00:00
|
|
|
next $ return True
|
2021-11-28 23:40:06 +00:00
|
|
|
, checkexistssize key >>= \case
|
|
|
|
Just (exists, samesize, url')
|
|
|
|
| exists && (samesize || relaxedOption (downloadOptions o)) -> do
|
2018-10-04 21:33:25 +00:00
|
|
|
setUrlPresent key url'
|
|
|
|
logChange key u InfoPresent
|
2014-12-08 23:14:24 +00:00
|
|
|
next $ return True
|
2021-11-28 23:40:06 +00:00
|
|
|
| otherwise -> do
|
filter out control characters in warning messages
Converted warning and similar to use StringContainingQuotedPath. Most
warnings are static strings, some do refer to filepaths that need to be
quoted, and others don't need quoting.
Note that, since quote filters out control characters of even
UnquotedString, this makes all warnings safe, even when an attacker
sneaks in a control character in some other way.
When json is being output, no quoting is done, since json gets its own
quoting.
This does, as a side effect, make warning messages in json output not
be indented. The indentation is only needed to offset warning messages
underneath the display of the file they apply to, so that's ok.
Sponsored-by: Brett Eisenberg on Patreon
2023-04-10 18:47:32 +00:00
|
|
|
warning $ UnquotedString $ "while adding a new url to an already annexed file, " ++ if exists
|
2014-12-08 23:14:24 +00:00
|
|
|
then "url does not have expected file size (use --relaxed to bypass this check) " ++ url
|
|
|
|
else "failed to verify url exists: " ++ url
|
|
|
|
stop
|
2021-11-28 23:40:06 +00:00
|
|
|
Nothing -> stop
|
2014-12-08 23:14:24 +00:00
|
|
|
)
|
2011-08-06 18:57:22 +00:00
|
|
|
|
2017-11-30 17:45:43 +00:00
|
|
|
{- Downloads an url (except in fast or relaxed mode) and adds it to the
|
|
|
|
- repository, normally at the specified FilePath.
|
|
|
|
- But, if youtube-dl supports the url, it will be written to a
|
2017-11-30 17:24:52 +00:00
|
|
|
- different file, based on the title of the media. Unless the user
|
|
|
|
- specified fileOption, which then forces using the FilePath.
|
2017-11-28 21:17:40 +00:00
|
|
|
-}
|
2020-11-03 22:34:27 +00:00
|
|
|
addUrlFile :: AddUnlockedMatcher -> DownloadOptions -> URLString -> Url.UrlInfo -> RawFilePath -> Annex (Maybe Key)
|
2019-12-20 19:01:34 +00:00
|
|
|
addUrlFile addunlockedmatcher o url urlinfo file =
|
2022-06-28 19:28:14 +00:00
|
|
|
ifM (Annex.getRead Annex.fast <||> pure (relaxedOption o))
|
2019-12-20 19:01:34 +00:00
|
|
|
( nodownloadWeb addunlockedmatcher o url urlinfo file
|
|
|
|
, downloadWeb addunlockedmatcher o url urlinfo file
|
2013-07-28 19:27:36 +00:00
|
|
|
)
|
|
|
|
|
2020-11-03 22:34:27 +00:00
|
|
|
downloadWeb :: AddUnlockedMatcher -> DownloadOptions -> URLString -> Url.UrlInfo -> RawFilePath -> Annex (Maybe Key)
|
2019-12-20 19:01:34 +00:00
|
|
|
downloadWeb addunlockedmatcher o url urlinfo file =
|
2023-03-27 19:10:46 +00:00
|
|
|
go =<< downloadWith' downloader urlkey webUUID url file
|
2017-11-28 21:17:40 +00:00
|
|
|
where
|
2024-02-29 17:26:06 +00:00
|
|
|
urlkey = addSizeUrlKey urlinfo $ Backend.URL.fromUrl url Nothing (verifiableOption o)
|
2021-09-01 19:28:22 +00:00
|
|
|
downloader f p = Url.withUrlOptions $ downloadUrl False urlkey p Nothing [url] f
|
2017-11-28 21:17:40 +00:00
|
|
|
go Nothing = return Nothing
|
2024-02-05 19:16:25 +00:00
|
|
|
go (Just (tmp, backend)) = ifM (useYoutubeDl o <&&> liftIO (isHtmlFile (fromRawFilePath tmp)))
|
2023-03-27 19:10:46 +00:00
|
|
|
( tryyoutubedl tmp backend
|
|
|
|
, normalfinish tmp backend
|
2017-11-28 21:17:40 +00:00
|
|
|
)
|
2023-03-27 19:10:46 +00:00
|
|
|
normalfinish tmp backend = checkCanAdd o file $ \canadd -> do
|
2023-04-10 21:03:41 +00:00
|
|
|
showDestinationFile file
|
2020-11-03 22:34:27 +00:00
|
|
|
createWorkTreeDirectory (parentDir file)
|
2023-03-27 19:10:46 +00:00
|
|
|
Just <$> finishDownloadWith canadd addunlockedmatcher tmp backend webUUID url file
|
2020-08-25 16:56:38 +00:00
|
|
|
-- Ask youtube-dl what filename it will download first,
|
|
|
|
-- so it's only used when the file contains embedded media.
|
2023-03-27 19:10:46 +00:00
|
|
|
tryyoutubedl tmp backend = youtubeDlFileNameHtmlOnly url >>= \case
|
2023-06-19 19:01:47 +00:00
|
|
|
Right mediafile -> do
|
|
|
|
liftIO $ liftIO $ removeWhenExistsWith R.removeLink tmp
|
2020-11-03 22:34:27 +00:00
|
|
|
let f = youtubeDlDestFile o file (toRawFilePath mediafile)
|
2023-06-19 19:01:47 +00:00
|
|
|
lookupKey f >>= \case
|
filter out control characters in warning messages
Converted warning and similar to use StringContainingQuotedPath. Most
warnings are static strings, some do refer to filepaths that need to be
quoted, and others don't need quoting.
Note that, since quote filters out control characters of even
UnquotedString, this makes all warnings safe, even when an attacker
sneaks in a control character in some other way.
When json is being output, no quoting is done, since json gets its own
quoting.
This does, as a side effect, make warning messages in json output not
be indented. The indentation is only needed to offset warning messages
underneath the display of the file they apply to, so that's ok.
Sponsored-by: Brett Eisenberg on Patreon
2023-04-10 18:47:32 +00:00
|
|
|
Just k -> alreadyannexed f k
|
2022-10-26 17:58:20 +00:00
|
|
|
Nothing -> dl f
|
2023-05-09 19:49:05 +00:00
|
|
|
Left err -> checkRaw (Just err) o (pure Nothing) (normalfinish tmp backend)
|
2017-11-30 17:45:43 +00:00
|
|
|
where
|
2018-06-28 16:48:54 +00:00
|
|
|
dl dest = withTmpWorkDir mediakey $ \workdir -> do
|
2020-11-03 14:11:04 +00:00
|
|
|
let cleanuptmp = pruneTmpWorkDirBefore tmp (liftIO . removeWhenExistsWith R.removeLink)
|
2023-06-20 18:55:25 +00:00
|
|
|
dlcmd <- youtubeDlCommand
|
|
|
|
showNote ("using " <> UnquotedString dlcmd)
|
2017-12-31 18:55:51 +00:00
|
|
|
Transfer.notifyTransfer Transfer.Download url $
|
2023-06-20 18:55:25 +00:00
|
|
|
Transfer.download' webUUID mediakey (AssociatedFile Nothing) Nothing Transfer.noRetry $ \p -> do
|
|
|
|
showDestinationFile dest
|
2020-11-03 22:34:27 +00:00
|
|
|
youtubeDl url (fromRawFilePath workdir) p >>= \case
|
2017-12-31 18:55:51 +00:00
|
|
|
Right (Just mediafile) -> do
|
2018-06-28 16:48:54 +00:00
|
|
|
cleanuptmp
|
2020-09-29 17:00:41 +00:00
|
|
|
checkCanAdd o dest $ \canadd -> do
|
2020-11-03 22:34:27 +00:00
|
|
|
addWorkTree canadd addunlockedmatcher webUUID mediaurl dest mediakey (Just (toRawFilePath mediafile))
|
2017-12-31 18:55:51 +00:00
|
|
|
return $ Just mediakey
|
|
|
|
Left msg -> do
|
2018-06-28 16:48:54 +00:00
|
|
|
cleanuptmp
|
filter out control characters in warning messages
Converted warning and similar to use StringContainingQuotedPath. Most
warnings are static strings, some do refer to filepaths that need to be
quoted, and others don't need quoting.
Note that, since quote filters out control characters of even
UnquotedString, this makes all warnings safe, even when an attacker
sneaks in a control character in some other way.
When json is being output, no quoting is done, since json gets its own
quoting.
This does, as a side effect, make warning messages in json output not
be indented. The indentation is only needed to offset warning messages
underneath the display of the file they apply to, so that's ok.
Sponsored-by: Brett Eisenberg on Patreon
2023-04-10 18:47:32 +00:00
|
|
|
warning (UnquotedString msg)
|
2017-12-31 18:55:51 +00:00
|
|
|
return Nothing
|
2023-06-20 18:55:25 +00:00
|
|
|
Right Nothing -> do
|
|
|
|
cleanuptmp
|
|
|
|
warning (UnquotedString dlcmd <> " did not download anything")
|
|
|
|
return Nothing
|
2017-11-30 17:45:43 +00:00
|
|
|
mediaurl = setDownloader url YoutubeDownloader
|
2024-02-29 17:26:06 +00:00
|
|
|
mediakey = Backend.URL.fromUrl mediaurl Nothing (verifiableOption o)
|
2017-12-31 18:55:51 +00:00
|
|
|
-- Does the already annexed file have the mediaurl
|
|
|
|
-- as an url? If so nothing to do.
|
|
|
|
alreadyannexed dest k = do
|
|
|
|
us <- getUrls k
|
|
|
|
if mediaurl `elem` us
|
|
|
|
then return (Just k)
|
|
|
|
else do
|
filter out control characters in warning messages
Converted warning and similar to use StringContainingQuotedPath. Most
warnings are static strings, some do refer to filepaths that need to be
quoted, and others don't need quoting.
Note that, since quote filters out control characters of even
UnquotedString, this makes all warnings safe, even when an attacker
sneaks in a control character in some other way.
When json is being output, no quoting is done, since json gets its own
quoting.
This does, as a side effect, make warning messages in json output not
be indented. The indentation is only needed to offset warning messages
underneath the display of the file they apply to, so that's ok.
Sponsored-by: Brett Eisenberg on Patreon
2023-04-10 18:47:32 +00:00
|
|
|
warning $ QuotedPath dest <> " already exists; not overwriting"
|
2017-12-31 18:55:51 +00:00
|
|
|
return Nothing
|
2021-06-27 15:13:38 +00:00
|
|
|
|
2023-05-09 19:49:05 +00:00
|
|
|
checkRaw :: (Maybe String) -> DownloadOptions -> Annex a -> Annex a -> Annex a
|
2021-11-28 23:40:06 +00:00
|
|
|
checkRaw failreason o f a
|
|
|
|
| noRawOption o = do
|
filter out control characters in warning messages
Converted warning and similar to use StringContainingQuotedPath. Most
warnings are static strings, some do refer to filepaths that need to be
quoted, and others don't need quoting.
Note that, since quote filters out control characters of even
UnquotedString, this makes all warnings safe, even when an attacker
sneaks in a control character in some other way.
When json is being output, no quoting is done, since json gets its own
quoting.
This does, as a side effect, make warning messages in json output not
be indented. The indentation is only needed to offset warning messages
underneath the display of the file they apply to, so that's ok.
Sponsored-by: Brett Eisenberg on Patreon
2023-04-10 18:47:32 +00:00
|
|
|
warning $ UnquotedString $ "Unable to use youtube-dl or a special remote and --no-raw was specified" ++
|
2021-11-28 23:40:06 +00:00
|
|
|
case failreason of
|
|
|
|
Just msg -> ": " ++ msg
|
|
|
|
Nothing -> ""
|
2023-05-09 19:49:05 +00:00
|
|
|
f
|
2021-06-27 15:13:38 +00:00
|
|
|
| otherwise = a
|
2017-11-28 21:17:40 +00:00
|
|
|
|
2024-02-05 19:16:25 +00:00
|
|
|
useYoutubeDl :: DownloadOptions -> Annex Bool
|
|
|
|
useYoutubeDl o
|
|
|
|
| rawOption o = pure False
|
|
|
|
| otherwise = case rawExceptOption o of
|
|
|
|
Nothing -> pure True
|
|
|
|
Just f -> do
|
|
|
|
remote <- getParsed f
|
|
|
|
pure (Remote.uuid remote == webUUID)
|
|
|
|
|
2018-08-06 16:52:09 +00:00
|
|
|
{- The destination file is not known at start time unless the user provided
|
|
|
|
- a filename. It's not displayed then for output consistency,
|
|
|
|
- but is added to the json when available. -}
|
2020-09-14 20:49:33 +00:00
|
|
|
startingAddUrl :: SeekInput -> URLString -> AddUrlOptions -> CommandPerform -> CommandStart
|
2021-10-27 20:15:41 +00:00
|
|
|
startingAddUrl si url o p = starting "addurl" ai si $ do
|
2018-08-06 16:52:09 +00:00
|
|
|
case fileOption (downloadOptions o) of
|
|
|
|
Nothing -> noop
|
|
|
|
Just file -> maybeShowJSON $ JSONChunk [("file", file)]
|
make CommandStart return a StartMessage
The goal is to be able to run CommandStart in the main thread when -J is
used, rather than unncessarily passing it off to a worker thread, which
incurs overhead that is signficant when the CommandStart is going to
quickly decide to stop.
To do that, the message it displays needs to be displayed in the worker
thread, after the CommandStart has run.
Also, the change will mean that CommandStart will no longer necessarily
run with the same Annex state as CommandPerform. While its docs already
said it should avoid modifying Annex state, I audited all the
CommandStart code as part of the conversion. (Note that CommandSeek
already sometimes runs with a different Annex state, and that has not been
a source of any problems, so I am not too worried that this change will
lead to breakage going forward.)
The only modification of Annex state I found was it calling
allowMessages in some Commands that default to noMessages. Dealt with
that by adding a startCustomOutput and a startingUsualMessages.
This lets a command start with noMessages and then select the output it
wants for each CommandStart.
One bit of breakage: onlyActionOn has been removed from commands that used it.
The plan is that, since a StartMessage contains an ActionItem,
when a Key can be extracted from that, the parallel job runner can
run onlyActionOn' automatically. Then commands won't need to worry about
this detail. Future work.
Otherwise, this was a fairly straightforward process of making each
CommandStart compile again. Hopefully other behavior changes were mostly
avoided.
In a few cases, a command had a CommandStart that called a CommandPerform
that then called showStart multiple times. I have collapsed those
down to a single start action. The main command to perhaps suffer from it
is Command.Direct, which used to show a start for each file, and no
longer does.
Another minor behavior change is that some commands used showStart
before, but had an associated file and a Key available, so were changed
to ShowStart with an ActionItemAssociatedFile. That will not change the
normal output or behavior, but --json output will now include the key.
This should not break it for anyone using a real json parser.
2019-06-06 19:42:30 +00:00
|
|
|
p
|
2021-10-27 20:15:41 +00:00
|
|
|
where
|
|
|
|
-- Avoid failure when the same url is downloaded concurrently
|
|
|
|
-- to two different files, by using OnlyActionOn with a key
|
|
|
|
-- based on the url. Note that this may not be the actual key
|
|
|
|
-- that is used for the download; later size information may be
|
|
|
|
-- available and get added to it. That's ok, this is only
|
|
|
|
-- used to prevent two threads running concurrently when that would
|
|
|
|
-- likely fail.
|
2023-04-08 19:48:32 +00:00
|
|
|
ai = OnlyActionOn urlkey (ActionItemOther (Just (UnquotedString url)))
|
2024-02-29 17:26:06 +00:00
|
|
|
urlkey = Backend.URL.fromUrl url Nothing (verifiableOption (downloadOptions o))
|
2018-08-06 16:52:09 +00:00
|
|
|
|
2023-04-10 21:03:41 +00:00
|
|
|
showDestinationFile :: RawFilePath -> Annex ()
|
2017-11-28 21:17:40 +00:00
|
|
|
showDestinationFile file = do
|
2023-04-10 21:03:41 +00:00
|
|
|
showNote ("to " <> QuotedPath file)
|
|
|
|
maybeShowJSON $ JSONChunk [("file", fromRawFilePath file)]
|
2014-12-08 23:14:24 +00:00
|
|
|
|
|
|
|
{- The Key should be a dummy key, based on the URL, which is used
|
|
|
|
- for this download, before we can examine the file and find its real key.
|
|
|
|
- For resuming downloads to work, the dummy key for a given url should be
|
2017-11-28 21:17:40 +00:00
|
|
|
- stable. For disk space checking to work, the dummy key should have
|
|
|
|
- the size of the url already set.
|
|
|
|
-
|
|
|
|
- Downloads the url, sets up the worktree file, and returns the
|
|
|
|
- real key.
|
|
|
|
-}
|
2020-11-03 22:34:27 +00:00
|
|
|
downloadWith :: CanAddFile -> AddUnlockedMatcher -> (FilePath -> MeterUpdate -> Annex Bool) -> Key -> UUID -> URLString -> RawFilePath -> Annex (Maybe Key)
|
2020-09-29 17:00:41 +00:00
|
|
|
downloadWith canadd addunlockedmatcher downloader dummykey u url file =
|
2023-03-27 19:10:46 +00:00
|
|
|
go =<< downloadWith' downloader dummykey u url file
|
2013-04-11 20:14:17 +00:00
|
|
|
where
|
2017-11-28 21:17:40 +00:00
|
|
|
go Nothing = return Nothing
|
2023-03-27 19:10:46 +00:00
|
|
|
go (Just (tmp, backend)) = Just <$> finishDownloadWith canadd addunlockedmatcher tmp backend u url file
|
2017-11-28 21:17:40 +00:00
|
|
|
|
|
|
|
{- Like downloadWith, but leaves the dummy key content in
|
|
|
|
- the returned location. -}
|
2023-03-27 19:10:46 +00:00
|
|
|
downloadWith' :: (FilePath -> MeterUpdate -> Annex Bool) -> Key -> UUID -> URLString -> RawFilePath -> Annex (Maybe (RawFilePath, Backend))
|
|
|
|
downloadWith' downloader dummykey u url file =
|
disk free checking for unsized keys
Improve disk free space checking when transferring unsized keys to
local git remotes. Since the size of the object file is known, can
check that instead.
Getting unsized keys from local git remotes does not check the actual
object size. It would be harder to handle that direction because the size
check is run locally, before anything involving the remote is done. So it
doesn't know the size of the file on the remote.
Also, transferring unsized keys to other remotes, including ssh remotes and
p2p remotes don't do disk size checking for unsized keys. This would need a
change in protocol.
(It does seem like it would be possible to implement the same thing for
directory special remotes though.)
In some sense, it might be better to not ever do disk free checking for
unsized keys, than to do it only sometimes. A user might notice this
direction working and consider it a bug that the other direction does not.
On the other hand, disk reserve checking is not implemented for most
special remotes at all, and yet it is implemented for a few, which is also
inconsistent, but best effort. And so doing this best effort seems to make
some sense. Fundamentally, if the user wants the size to always be checked,
they should not use unsized keys.
Sponsored-by: Brock Spratlen on Patreon
2024-01-16 18:29:10 +00:00
|
|
|
checkDiskSpaceToGet dummykey Nothing Nothing $ do
|
2023-03-27 19:10:46 +00:00
|
|
|
backend <- chooseBackend file
|
2017-11-28 21:17:40 +00:00
|
|
|
tmp <- fromRepo $ gitAnnexTmpObjectLocation dummykey
|
2023-03-27 19:10:46 +00:00
|
|
|
let t = (Transfer.Transfer Transfer.Download u (fromKey id dummykey))
|
|
|
|
ok <- Transfer.notifyTransfer Transfer.Download url $ \_w ->
|
|
|
|
Transfer.runTransfer t (Just backend) afile Nothing Transfer.stdRetry $ \p -> do
|
2020-03-06 15:57:15 +00:00
|
|
|
createAnnexDirectory (parentDir tmp)
|
2020-11-03 22:34:27 +00:00
|
|
|
downloader (fromRawFilePath tmp) p
|
2017-11-28 21:17:40 +00:00
|
|
|
if ok
|
2023-03-27 19:10:46 +00:00
|
|
|
then return (Just (tmp, backend))
|
2017-11-28 21:17:40 +00:00
|
|
|
else return Nothing
|
2023-03-27 19:10:46 +00:00
|
|
|
where
|
|
|
|
afile = AssociatedFile (Just file)
|
2017-11-28 21:17:40 +00:00
|
|
|
|
2023-03-27 19:10:46 +00:00
|
|
|
finishDownloadWith :: CanAddFile -> AddUnlockedMatcher -> RawFilePath -> Backend -> UUID -> URLString -> RawFilePath -> Annex Key
|
|
|
|
finishDownloadWith canadd addunlockedmatcher tmp backend u url file = do
|
2017-11-28 21:17:40 +00:00
|
|
|
let source = KeySource
|
2020-11-03 22:34:27 +00:00
|
|
|
{ keyFilename = file
|
|
|
|
, contentLocation = tmp
|
2017-11-28 21:17:40 +00:00
|
|
|
, inodeCache = Nothing
|
|
|
|
}
|
2020-05-15 16:51:09 +00:00
|
|
|
key <- fst <$> genKey source nullMeterUpdate backend
|
2020-09-29 17:00:41 +00:00
|
|
|
addWorkTree canadd addunlockedmatcher u url file key (Just tmp)
|
2020-05-15 16:51:09 +00:00
|
|
|
return key
|
2013-04-11 17:35:52 +00:00
|
|
|
|
2015-01-22 18:52:52 +00:00
|
|
|
{- Adds the url size to the Key. -}
|
|
|
|
addSizeUrlKey :: Url.UrlInfo -> Key -> Key
|
2019-11-22 20:24:04 +00:00
|
|
|
addSizeUrlKey urlinfo key = alterKey key $ \d -> d
|
|
|
|
{ keySize = Url.urlSize urlinfo
|
|
|
|
}
|
2014-01-04 19:38:59 +00:00
|
|
|
|
convert importfeed to youtube-dl
Fully working, including --fast/--relaxed.
Note that, while git-annex addurl --relaxed is not going to check
youtube-dl, I kept git annex importfeed --relaxed checking it.
Thinking is that, let's not break people's importfeed cron jobs, and
importfeed does not typically have to check a large number of new items,
so it's ok if it's a little bit slower when used with youtube playlist
feeds.
importfeed's behavior is also improved (?) when a feed has links in it
to non-media files. Before, those were skipped. Now, the content of the
link is downloaded. This had to be done, because trying to use
youtube-dl is slow, and if those were skipped, it would have to check
every time importfeed was run. While this behavior change may not be
desirable for some feeds, that intersperse links to web pages with
enclosures, it will be desirable for other feeds, that have
non-enclosure directy links to media files.
Remove old quvi modules.
This commit was sponsored by Øyvind Andersen Holm.
2017-11-29 21:05:27 +00:00
|
|
|
{- Adds worktree file to the repository. -}
|
2020-11-03 14:11:04 +00:00
|
|
|
addWorkTree :: CanAddFile -> AddUnlockedMatcher -> UUID -> URLString -> RawFilePath -> Key -> Maybe RawFilePath -> Annex ()
|
2020-09-29 17:00:41 +00:00
|
|
|
addWorkTree _ addunlockedmatcher u url file key mtmp = case mtmp of
|
2015-12-02 19:12:33 +00:00
|
|
|
Nothing -> go
|
|
|
|
Just tmp -> do
|
2022-06-14 20:38:34 +00:00
|
|
|
s <- liftIO $ R.getSymbolicLinkStatus tmp
|
2016-11-22 15:12:33 +00:00
|
|
|
-- Move to final location for large file check.
|
2020-03-06 15:57:15 +00:00
|
|
|
pruneTmpWorkDirBefore tmp $ \_ -> do
|
2020-11-03 14:11:04 +00:00
|
|
|
createWorkTreeDirectory (P.takeDirectory file)
|
2022-12-20 19:17:50 +00:00
|
|
|
liftIO $ moveFile tmp file
|
2015-12-02 19:12:33 +00:00
|
|
|
largematcher <- largeFilesMatcher
|
2016-11-22 15:12:33 +00:00
|
|
|
large <- checkFileMatcher largematcher file
|
|
|
|
if large
|
|
|
|
then do
|
|
|
|
-- Move back to tmp because addAnnexedFile
|
|
|
|
-- needs the file in a different location
|
|
|
|
-- than the work tree file.
|
2022-12-20 19:17:50 +00:00
|
|
|
liftIO $ moveFile file tmp
|
2016-11-22 15:12:33 +00:00
|
|
|
go
|
2022-08-09 17:46:43 +00:00
|
|
|
else Command.Add.addSmall (DryRun False) file s
|
|
|
|
>>= maybe noop void
|
2015-12-02 19:12:33 +00:00
|
|
|
where
|
|
|
|
go = do
|
2019-01-14 17:03:35 +00:00
|
|
|
maybeShowJSON $ JSONChunk [("key", serializeKey key)]
|
2018-10-04 21:33:25 +00:00
|
|
|
setUrlPresent key url
|
|
|
|
logChange key u InfoPresent
|
2022-06-14 18:40:55 +00:00
|
|
|
ifM (addAnnexedFile addunlockedmatcher file key mtmp)
|
annex.securehashesonly
Cryptographically secure hashes can be forced to be used in a repository,
by setting annex.securehashesonly. This does not prevent the git repository
from containing files with insecure hashes, but it does prevent the content
of such files from being pulled into .git/annex/objects from another
repository.
We want to make sure that at no point does git-annex accept content into
.git/annex/objects that is hashed with an insecure key. Here's how it
was done:
* .git/annex/objects/xx/yy/KEY/ is kept frozen, so nothing can be
written to it normally
* So every place that writes content must call, thawContent or modifyContent.
We can audit for these, and be sure we've considered all cases.
* The main functions are moveAnnex, and linkToAnnex; these were made to
check annex.securehashesonly, and are the main security boundary
for annex.securehashesonly.
* Most other calls to modifyContent deal with other files in the KEY
directory (inode cache etc). The other ones that mess with the content
are:
- Annex.Direct.toDirectGen, in which content already in the
annex directory is moved to the direct mode file, so not relevant.
- fix and lock, which don't add new content
- Command.ReKey.linkKey, which manually unlocks it to make a
copy.
* All other calls to thawContent appear safe.
Made moveAnnex return a Bool, so checked all callsites and made them
deal with a failure in appropriate ways.
linkToAnnex simply returns LinkAnnexFailed; all callsites already deal
with it failing in appropriate ways.
This commit was sponsored by Riku Voipio.
2017-02-27 17:01:32 +00:00
|
|
|
( do
|
|
|
|
when (isJust mtmp) $
|
|
|
|
logStatus key InfoPresent
|
2020-11-03 14:11:04 +00:00
|
|
|
, maybe noop (\tmp -> pruneTmpWorkDirBefore tmp (liftIO . removeWhenExistsWith R.removeLink)) mtmp
|
annex.securehashesonly
Cryptographically secure hashes can be forced to be used in a repository,
by setting annex.securehashesonly. This does not prevent the git repository
from containing files with insecure hashes, but it does prevent the content
of such files from being pulled into .git/annex/objects from another
repository.
We want to make sure that at no point does git-annex accept content into
.git/annex/objects that is hashed with an insecure key. Here's how it
was done:
* .git/annex/objects/xx/yy/KEY/ is kept frozen, so nothing can be
written to it normally
* So every place that writes content must call, thawContent or modifyContent.
We can audit for these, and be sure we've considered all cases.
* The main functions are moveAnnex, and linkToAnnex; these were made to
check annex.securehashesonly, and are the main security boundary
for annex.securehashesonly.
* Most other calls to modifyContent deal with other files in the KEY
directory (inode cache etc). The other ones that mess with the content
are:
- Annex.Direct.toDirectGen, in which content already in the
annex directory is moved to the direct mode file, so not relevant.
- fix and lock, which don't add new content
- Command.ReKey.linkKey, which manually unlocks it to make a
copy.
* All other calls to thawContent appear safe.
Made moveAnnex return a Bool, so checked all callsites and made them
deal with a failure in appropriate ways.
linkToAnnex simply returns LinkAnnexFailed; all callsites already deal
with it failing in appropriate ways.
This commit was sponsored by Riku Voipio.
2017-02-27 17:01:32 +00:00
|
|
|
)
|
2022-06-14 18:40:55 +00:00
|
|
|
|
2020-11-03 14:11:04 +00:00
|
|
|
nodownloadWeb :: AddUnlockedMatcher -> DownloadOptions -> URLString -> Url.UrlInfo -> RawFilePath -> Annex (Maybe Key)
|
2019-12-20 19:01:34 +00:00
|
|
|
nodownloadWeb addunlockedmatcher o url urlinfo file
|
2017-11-30 20:48:35 +00:00
|
|
|
| Url.urlExists urlinfo = if rawOption o
|
|
|
|
then nomedia
|
2021-06-27 15:13:38 +00:00
|
|
|
else youtubeDlFileName url >>= \case
|
|
|
|
Right mediafile -> usemedia (toRawFilePath mediafile)
|
2023-05-09 19:49:05 +00:00
|
|
|
Left err -> checkRaw (Just err) o (pure Nothing) nomedia
|
2015-01-22 18:52:52 +00:00
|
|
|
| otherwise = do
|
filter out control characters in warning messages
Converted warning and similar to use StringContainingQuotedPath. Most
warnings are static strings, some do refer to filepaths that need to be
quoted, and others don't need quoting.
Note that, since quote filters out control characters of even
UnquotedString, this makes all warnings safe, even when an attacker
sneaks in a control character in some other way.
When json is being output, no quoting is done, since json gets its own
quoting.
This does, as a side effect, make warning messages in json output not
be indented. The indentation is only needed to offset warning messages
underneath the display of the file they apply to, so that's ok.
Sponsored-by: Brett Eisenberg on Patreon
2023-04-10 18:47:32 +00:00
|
|
|
warning $ UnquotedString $ "unable to access url: " ++ url
|
2015-01-22 18:52:52 +00:00
|
|
|
return Nothing
|
2017-11-30 18:35:25 +00:00
|
|
|
where
|
2017-11-30 20:48:35 +00:00
|
|
|
nomedia = do
|
2024-02-29 17:26:06 +00:00
|
|
|
let key = Backend.URL.fromUrl url (Url.urlSize urlinfo) (verifiableOption o)
|
Added --no-check-gitignore option for finer grained control than using --force.
add, addurl, importfeed, import: Added --no-check-gitignore option
for finer grained control than using --force.
(--force is used for too many different things, and at least one
of these also uses it for something else. I would like to reduce
--force's footprint until it only forces drops or a few other data
losses. For now, --force still disables checking ignores too.)
addunused: Don't check .gitignores when adding files. This is a behavior
change, but I justify it by analogy with git add of a gitignored file
adding it, asking to add all unused files back should add them all back,
not skip some. The old behavior was surprising.
In Command.Lock and Command.ReKey, CheckGitIgnore False does not change
behavior, it only makes explicit what is done. Since these commands are run
on annexed files, the file is already checked into git, so git add won't
check ignores.
2020-09-18 17:12:04 +00:00
|
|
|
nodownloadWeb' o addunlockedmatcher url key file
|
2017-11-30 20:48:35 +00:00
|
|
|
usemedia mediafile = do
|
2020-08-25 16:56:38 +00:00
|
|
|
let dest = youtubeDlDestFile o file mediafile
|
2017-11-30 18:35:25 +00:00
|
|
|
let mediaurl = setDownloader url YoutubeDownloader
|
2024-02-29 17:26:06 +00:00
|
|
|
let mediakey = Backend.URL.fromUrl mediaurl Nothing (verifiableOption o)
|
Added --no-check-gitignore option for finer grained control than using --force.
add, addurl, importfeed, import: Added --no-check-gitignore option
for finer grained control than using --force.
(--force is used for too many different things, and at least one
of these also uses it for something else. I would like to reduce
--force's footprint until it only forces drops or a few other data
losses. For now, --force still disables checking ignores too.)
addunused: Don't check .gitignores when adding files. This is a behavior
change, but I justify it by analogy with git add of a gitignored file
adding it, asking to add all unused files back should add them all back,
not skip some. The old behavior was surprising.
In Command.Lock and Command.ReKey, CheckGitIgnore False does not change
behavior, it only makes explicit what is done. Since these commands are run
on annexed files, the file is already checked into git, so git add won't
check ignores.
2020-09-18 17:12:04 +00:00
|
|
|
nodownloadWeb' o addunlockedmatcher mediaurl mediakey dest
|
2017-11-30 18:35:25 +00:00
|
|
|
|
2020-11-03 14:11:04 +00:00
|
|
|
youtubeDlDestFile :: DownloadOptions -> RawFilePath -> RawFilePath -> RawFilePath
|
2020-08-25 16:56:38 +00:00
|
|
|
youtubeDlDestFile o destfile mediafile
|
|
|
|
| isJust (fileOption o) = destfile
|
2020-11-03 14:11:04 +00:00
|
|
|
| otherwise = P.takeFileName mediafile
|
2020-08-25 16:56:38 +00:00
|
|
|
|
2020-11-03 14:11:04 +00:00
|
|
|
nodownloadWeb' :: DownloadOptions -> AddUnlockedMatcher -> URLString -> Key -> RawFilePath -> Annex (Maybe Key)
|
2020-09-29 17:00:41 +00:00
|
|
|
nodownloadWeb' o addunlockedmatcher url key file = checkCanAdd o file $ \canadd -> do
|
2023-04-10 21:03:41 +00:00
|
|
|
showDestinationFile file
|
2020-03-06 15:57:15 +00:00
|
|
|
createWorkTreeDirectory (parentDir file)
|
2020-09-29 17:00:41 +00:00
|
|
|
addWorkTree canadd addunlockedmatcher webUUID url file key Nothing
|
2017-11-30 18:35:25 +00:00
|
|
|
return (Just key)
|
2011-08-06 18:57:22 +00:00
|
|
|
|
Fix a few bugs involving filenames that are at or near the filesystem's maximum filename length limit.
Started with a problem when running addurl on a really long url,
because the whole url is munged into the filename. Ended up doing
a fairly extensive review for places where filenames could get too large,
although it's hard to say I'm not missed any..
Backend.Url had a 128 character limit, which is fine when the limit is 255,
but not if it's a lot shorter on some systems. So check the pathconf()
limit. Note that this could result in fromUrl creating different keys
for the same url, if run on systems with different limits. I don't see
this is likely to cause any problems. That can already happen when using
addurl --fast, or if the content of an url changes.
Both Command.AddUrl and Backend.Url assumed that urls don't contain a
lot of multi-byte unicode, and would fail to truncate an url that did
properly.
A few places use a filename as the template to make a temp file.
While that's nice in that the temp file name can be easily related back to
the original filename, it could lead to `git annex add` failing to add a
filename that was at or close to the maximum length.
Note that in Command.Add.lockdown, the template is still derived from the
filename, just with enough space left to turn it into a temp file.
This is an important optimisation, because the assistant may lock down
a bunch of files all at once, and using the same template for all of them
would cause openTempFile to iterate through the same set of names,
looking for an unused temp file. I'm not very happy with the relatedTemplate
hack, but it avoids that slowdown.
Backend.WORM does not limit the filename stored in the key.
I have not tried to change that; so git annex add will fail on really long
filenames when using the WORM backend. It seems better to preserve the
invariant that a WORM key always contains the complete filename, since
the filename is the only unique material in the key, other than mtime and
size. Since nobody has complained about add failing (I think I saw it
once?) on WORM, probably it's ok, or nobody but me uses it.
There may be compatability problems if using git annex addurl --fast
or the WORM backend on a system with the 255 limit and then trying to use
that repo in a system with a smaller limit. I have not tried to deal with
those.
This commit was sponsored by Alexander Brem. Thanks!
2013-07-30 21:49:11 +00:00
|
|
|
url2file :: URI -> Maybe Int -> Int -> FilePath
|
|
|
|
url2file url pathdepth pathmax = case pathdepth of
|
2013-10-05 17:32:42 +00:00
|
|
|
Nothing -> truncateFilePath pathmax $ sanitizeFilePath fullurl
|
2012-02-16 16:25:19 +00:00
|
|
|
Just depth
|
2013-07-05 16:46:38 +00:00
|
|
|
| depth >= length urlbits -> frombits id
|
2012-02-16 18:26:53 +00:00
|
|
|
| depth > 0 -> frombits $ drop depth
|
2012-02-16 18:28:17 +00:00
|
|
|
| depth < 0 -> frombits $ reverse . take (negate depth) . reverse
|
2016-11-16 01:29:54 +00:00
|
|
|
| otherwise -> giveup "bad --pathdepth"
|
2012-11-12 05:05:04 +00:00
|
|
|
where
|
2014-12-08 23:14:24 +00:00
|
|
|
fullurl = concat
|
|
|
|
[ maybe "" uriRegName (uriAuthority url)
|
|
|
|
, uriPath url
|
|
|
|
, uriQuery url
|
|
|
|
]
|
2013-04-23 00:24:53 +00:00
|
|
|
frombits a = intercalate "/" $ a urlbits
|
2013-10-05 17:30:13 +00:00
|
|
|
urlbits = map (truncateFilePath pathmax . sanitizeFilePath) $
|
2017-01-31 22:40:42 +00:00
|
|
|
filter (not . null) $ splitc '/' fullurl
|
2014-12-11 20:09:56 +00:00
|
|
|
|
|
|
|
urlString2file :: URLString -> Maybe Int -> Int -> FilePath
|
|
|
|
urlString2file s pathdepth pathmax = case Url.parseURIRelaxed s of
|
2016-11-16 01:29:54 +00:00
|
|
|
Nothing -> giveup $ "bad uri " ++ s
|
2014-12-11 20:09:56 +00:00
|
|
|
Just u -> url2file u pathdepth pathmax
|
2015-07-21 16:50:05 +00:00
|
|
|
|
|
|
|
adjustFile :: AddUrlOptions -> FilePath -> FilePath
|
|
|
|
adjustFile o = addprefix . addsuffix
|
|
|
|
where
|
|
|
|
addprefix f = maybe f (++ f) (prefixOption o)
|
|
|
|
addsuffix f = maybe f (f ++) (suffixOption o)
|
2016-09-21 21:21:48 +00:00
|
|
|
|
2020-09-29 17:00:41 +00:00
|
|
|
data CanAddFile = CanAddFile
|
|
|
|
|
2020-11-03 14:11:04 +00:00
|
|
|
checkCanAdd :: DownloadOptions -> RawFilePath -> (CanAddFile -> Annex (Maybe a)) -> Annex (Maybe a)
|
|
|
|
checkCanAdd o file a = ifM (isJust <$> (liftIO $ catchMaybeIO $ R.getSymbolicLinkStatus file))
|
2016-09-21 21:21:48 +00:00
|
|
|
( do
|
filter out control characters in warning messages
Converted warning and similar to use StringContainingQuotedPath. Most
warnings are static strings, some do refer to filepaths that need to be
quoted, and others don't need quoting.
Note that, since quote filters out control characters of even
UnquotedString, this makes all warnings safe, even when an attacker
sneaks in a control character in some other way.
When json is being output, no quoting is done, since json gets its own
quoting.
This does, as a side effect, make warning messages in json output not
be indented. The indentation is only needed to offset warning messages
underneath the display of the file they apply to, so that's ok.
Sponsored-by: Brett Eisenberg on Patreon
2023-04-10 18:47:32 +00:00
|
|
|
warning $ QuotedPath file <> " already exists; not overwriting"
|
2016-09-21 21:21:48 +00:00
|
|
|
return Nothing
|
Added --no-check-gitignore option for finer grained control than using --force.
add, addurl, importfeed, import: Added --no-check-gitignore option
for finer grained control than using --force.
(--force is used for too many different things, and at least one
of these also uses it for something else. I would like to reduce
--force's footprint until it only forces drops or a few other data
losses. For now, --force still disables checking ignores too.)
addunused: Don't check .gitignores when adding files. This is a behavior
change, but I justify it by analogy with git add of a gitignored file
adding it, asking to add all unused files back should add them all back,
not skip some. The old behavior was surprising.
In Command.Lock and Command.ReKey, CheckGitIgnore False does not change
behavior, it only makes explicit what is done. Since these commands are run
on annexed files, the file is already checked into git, so git add won't
check ignores.
2020-09-18 17:12:04 +00:00
|
|
|
, ifM (checkIgnored (checkGitIgnoreOption o) file)
|
2016-09-21 21:21:48 +00:00
|
|
|
( do
|
filter out control characters in warning messages
Converted warning and similar to use StringContainingQuotedPath. Most
warnings are static strings, some do refer to filepaths that need to be
quoted, and others don't need quoting.
Note that, since quote filters out control characters of even
UnquotedString, this makes all warnings safe, even when an attacker
sneaks in a control character in some other way.
When json is being output, no quoting is done, since json gets its own
quoting.
This does, as a side effect, make warning messages in json output not
be indented. The indentation is only needed to offset warning messages
underneath the display of the file they apply to, so that's ok.
Sponsored-by: Brett Eisenberg on Patreon
2023-04-10 18:47:32 +00:00
|
|
|
warning $ "not adding " <> QuotedPath file <> " which is .gitignored (use --no-check-gitignore to override)"
|
2016-09-21 21:21:48 +00:00
|
|
|
return Nothing
|
2020-09-29 17:00:41 +00:00
|
|
|
, a CanAddFile
|
2016-09-21 21:21:48 +00:00
|
|
|
)
|
|
|
|
)
|