GNU bug report logs - #61411
[PATCH] Handle a case where url-basic-auth can crash

Previous Next

Package: emacs;

Reported by: me <at> elken.dev

Date: Sat, 11 Feb 2023 07:44:02 UTC

Severity: normal

Tags: patch

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 61411 in the body.
You can then email your comments to 61411 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#61411; Package emacs. (Sat, 11 Feb 2023 07:44:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to me <at> elken.dev:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Sat, 11 Feb 2023 07:44:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: me <at> elken.dev
To: bug-gnu-emacs <at> gnu.org
Subject: [PATCH] Handle a case where url-basic-auth can crash
Date: Sat, 11 Feb 2023 07:43:10 +0000

[Message part 1 (text/plain, inline)]
Hi all,

This seems like a simple patch, in cases where 
'url-request-noninteractive' is set and valid credentials either aren't 
found or the server sends 401 regardless (which is how I found this 
bug), this causes Emacs to crash.

I have copyright assignment assigned, even though this would fall under 
a "trivial change".

Thanks,
Ellis
[0001-Fix-potential-crash-with-url-basic-auth.patch (text/x-diff, attachment)]
Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61411; Package emacs. (Sat, 25 Feb 2023 21:37:02 GMT) Full text and rfc822 format available.

Message #8 received at 61411 <at> debbugs.gnu.org (full text, mbox):

From: me <at> elken.dev
To: 61411 <at> debbugs.gnu.org
Subject: [PATCH] Handle a case where url-basic-auth can crash
Date: Sat, 25 Feb 2023 21:36:37 +0000

Not sure of the etiquette here, but it's been a little bit now so I'm 
just bumping this :)
Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61411; Package emacs. (Sun, 26 Feb 2023 05:30:04 GMT) Full text and rfc822 format available.

Message #11 received at 61411 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: me <at> elken.dev
Cc: 61411 <at> debbugs.gnu.org
Subject: Re: bug#61411: [PATCH] Handle a case where url-basic-auth can crash
Date: Sun, 26 Feb 2023 07:29:29 +0200

> Date: Sat, 25 Feb 2023 21:36:37 +0000
> From: me--- via "Bug reports for GNU Emacs,
>  the Swiss army knife of text editors" <bug-gnu-emacs <at> gnu.org>
> 
> Not sure of the etiquette here, but it's been a little bit now so I'm 
> just bumping this :)

That bug report has no description of the situation where the problem
happens and no reproduction recipe.  Talking about "crash" is also
inaccurate, I think: it just signals an error, right?

So it isn't surprising that bug report got no attention.

Could you please add the missing details?

Thanks.
Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61411; Package emacs. (Sun, 26 Feb 2023 08:53:01 GMT) Full text and rfc822 format available.

Message #14 received at 61411 <at> debbugs.gnu.org (full text, mbox):

From: me <at> elken.dev
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 61411 <at> debbugs.gnu.org
Subject: Re: bug#61411: [PATCH] Handle a case where url-basic-auth can crash
Date: Sun, 26 Feb 2023 08:52:31 +0000

Hi Eli,

Thanks for responding; I incorrectly assumed because the patch was so 
trivial my description was enough. My bad!

Below is a snippet of elisp that when `M-x eval-buffer`'d crashes an 
`emacs -Q` and causes an `emacs -Q -l repro.el` to freeze indefinitely 
on e444115d026c809395d4d248a99bb467bc87bb1d

(require 'url)
(eval-when-compile (require 'cl-lib))

(cl-defun send-request (endpoint &key verb data headers noninteractive 
json noauth sync callback)
  (let* ((url-request-method (or verb "GET"))
         (url-cookie-trusted-urls '(".*"))
         (url-request-noninteractive noninteractive)
         (url-request-extra-headers
          `(("Referer" . ,endpoint)
	    ("X-CSRF-TOKEN" . nil)
            ("Cookie" . nil)))
         (url-request-data data))
    (if sync
        (with-current-buffer (url-retrieve-synchronously endpoint)
          (funcall (or callback #'identity) url-http-response-status))
      (url-retrieve
       endpoint
       (or callback #'identity)))))

(send-request "https://httpstat.us/401" :noninteractive t :sync t)

The linked API is a simple service used to return various status codes, 
in this instance always a 401 regardless of what authentication is 
passed.

I'm not sure if my patch is the best catch-all solution to the 
underlying issue (I confess, I don't fully understand why this crashes). 
With my simple patch applied though, Emacs continues as expected.

I hope this is enough information now, I apologize for the poor initial 
report. As I already had a patch ready, I didn't think I should have 
used `M-x report-emacs-bug` but I will in future :)
Reply sent to Eli Zaretskii <eliz <at> gnu.org>:
You have taken responsibility. (Thu, 02 Mar 2023 12:38:02 GMT) Full text and rfc822 format available.
Notification sent to me <at> elken.dev:
bug acknowledged by developer. (Thu, 02 Mar 2023 12:38:02 GMT) Full text and rfc822 format available.

Message #19 received at 61411-done <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: me <at> elken.dev
Cc: 61411-done <at> debbugs.gnu.org
Subject: Re: bug#61411: [PATCH] Handle a case where url-basic-auth can crash
Date: Thu, 02 Mar 2023 14:37:12 +0200

> Date: Sun, 26 Feb 2023 08:52:31 +0000
> From: me <at> elken.dev
> Cc: 61411 <at> debbugs.gnu.org
> 
> Thanks for responding; I incorrectly assumed because the patch was so 
> trivial my description was enough. My bad!
> 
> Below is a snippet of elisp that when `M-x eval-buffer`'d crashes an 
> `emacs -Q` and causes an `emacs -Q -l repro.el` to freeze indefinitely 
> on e444115d026c809395d4d248a99bb467bc87bb1d
> 
> (require 'url)
> (eval-when-compile (require 'cl-lib))
> 
> (cl-defun send-request (endpoint &key verb data headers noninteractive 
> json noauth sync callback)
>    (let* ((url-request-method (or verb "GET"))
>           (url-cookie-trusted-urls '(".*"))
>           (url-request-noninteractive noninteractive)
>           (url-request-extra-headers
>            `(("Referer" . ,endpoint)
> 	    ("X-CSRF-TOKEN" . nil)
>              ("Cookie" . nil)))
>           (url-request-data data))
>      (if sync
>          (with-current-buffer (url-retrieve-synchronously endpoint)
>            (funcall (or callback #'identity) url-http-response-status))
>        (url-retrieve
>         endpoint
>         (or callback #'identity)))))
> 
> (send-request "https://httpstat.us/401" :noninteractive t :sync t)
> 
> The linked API is a simple service used to return various status codes, 
> in this instance always a 401 regardless of what authentication is 
> passed.
> 
> I'm not sure if my patch is the best catch-all solution to the 
> underlying issue (I confess, I don't fully understand why this crashes). 
> With my simple patch applied though, Emacs continues as expected.
> 
> I hope this is enough information now, I apologize for the poor initial 
> report. As I already had a patch ready, I didn't think I should have 
> used `M-x report-emacs-bug` but I will in future :)

Thanks, I fixed this in a slightly different manner on the emacs-29
branch, and I'm therefore closing this bug.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 31 Mar 2023 11:24:05 GMT) Full text and rfc822 format available.
This bug report was last modified 1 year and 25 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.