Wrong redirect URL given for a download with -/_ canonicalization #1687

Closed
alexcrichton opened this issue Mar 21, 2019 · 1 comment · Fixed by #1758

alexcrichton commented Mar 21, 2019

I was poking around today at a crate I was working on and was confused that after publishing I was getting a 403 for the tarball for the crate that I wanted to manually inspect. I typed out everything below manually so the bug is definitely on me (not through Cargo or any tooling or anything like that), but figured it was still worth mentioning!

Specifically I was interested in the compiler_builtins crate and forgot whether it was _ or - so I typed out:

$ curl -L https://crates.io/api/v1/crates/compiler-builtins/0.1.8/download | tar xzf -

but that gave me some error about it not being gzip. Next I ran curl -I and it prints out:

$ curl -I https://crates.io/api/v1/crates/compiler-builtins/0.1.8/download | grep Location
Location: https://static.crates.io/crates/compiler-builtins/compiler-builtins-0.1.8.crate

turns out this URL doesn't exist! It should actually be:

$ curl -I https://crates.io/api/v1/crates/compiler_builtins/0.1.8/download | grep Location
Location: https://static.crates.io/crates/compiler_builtins/compiler_builtins-0.1.8.crate

Is this intended to work? If not that's totally fine, but I figure if it was intended to work, it may be good to know!

sgrif commented Mar 21, 2019

Given that /api/v1/crates/compiler-builtins works, we should probably make download work as well.

smarnach added a commit to smarnach/crates.io that referenced this issue Jun 4, 2019
Fixes rust-lang#1687.

Crates are uploaded to S3 under the name they were first published as, but the download endpoint
always uses the name as written in the request. If these names differ in their use of dashes
vs. underscores, the download endpoint returns an invalid link.

This fix changes the database request that updates the download count to also return the original
crate name.

bors added a commit that referenced this issue Jun 10, 2019
Return correct download link for requests for non-standard crate names.

Fixes #1687.

Crates are uploaded to S3 under the name they were first published as, but the download endpoint always uses the name as written in the request. If these names differ in their use of dashes vs. underscores, the download endpoint returns an invalid link.

To avoid adding another database request for every single crate download, this fix changes the database request that updates the download count to also return the original crate name. We will need to confirm that the performance impact of this change is negligible.
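
The mismatch reported in this issue and the fix outlined in the commit messages, as an added Rust example that is not crates.io's own code. All names (`canon`, `Registry`, `record_download`, and so on) are hypothetical, the in-memory map stands in for the database, and the canonical form is assumed to equate only dashes and underscores.

```rust
use std::collections::HashMap;

// Assumed canonical form: dashes and underscores are treated as equal.
fn canon(name: &str) -> String {
    name.replace('-', "_")
}

// Constructed in-memory stand-in: canonical name -> (published name, downloads).
struct Registry { crates: HashMap<String, (String, u64)> }

impl Registry {
    fn publish(&mut self, name: &str) {
        self.crates.entry(canon(name)).or_insert((name.to_string(), 0));
    }
    // One lookup that bumps the counter and returns the name as first published.
    fn record_download(&mut self, requested: &str) -> Option<String> {
        let entry = self.crates.get_mut(&canon(requested))?;
        entry.1 += 1;
        Some(entry.0.clone())
    }
}

fn storage_url(name: &str, version: &str) -> String {
    format!("https://static.crates.io/crates/{0}/{0}-{1}.crate", name, version)
}

// Behaviour in the report: the redirect is built from the name as requested.
fn redirect_from_request(reg: &mut Registry, requested: &str, version: &str) -> Option<String> {
    reg.record_download(requested)?;
    Some(storage_url(requested, version))
}

// Corrected behaviour: the redirect is built from the name the lookup returned.
fn redirect_from_stored(reg: &mut Registry, requested: &str, version: &str) -> Option<String> {
    let published = reg.record_download(requested)?;
    Some(storage_url(&published, version))
}

fn sample_registry() -> Registry {
    let mut reg = Registry { crates: HashMap::new() };
    reg.publish("compiler_builtins");
    reg
}

fn main() {
    let mut reg = sample_registry();
    println!("{:?}", redirect_from_request(&mut reg, "compiler-builtins", "0.1.8"));
    println!("{:?}", redirect_from_stored(&mut reg, "compiler-builtins", "0.1.8"));
}
```
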