#513 Undesirable restrictions on scmurl prefix

Created 3 months ago by frostyx
Modified 2 months ago

When submitting a module build from scmurl, there is a check whether the URL has an allowed prefix. See this code snippet from views.py

url = self.data["scmurl"]
if not any(url.startswith(prefix) for prefix in conf.scmurls):
    log.error("The submitted scmurl %r is not allowed" % url)
    raise Forbidden("The submitted scmurl %s is not allowed" % url)

My question is why we want to check such thing? It would be nice if people could build from private servers - at least when MockModuleBuilder or CoprModuleBuilder is used.

If the check is not required, we may want to remove it. Otherwise I would suggest some bool ALLOW_CUSTOM_SCMURLS variable in config which may be by default False if you want and adding it to the code above.

Another option is to support regexes in those prefixes list and for custom scmurls adding just * or something, but I don't like this option very much.

What are your thoughts about that? I am willing to implement it (it is very simple though), but I need some context for it.

+1 to bool for ALLOW_CUSTOM_URLS. We need the SCMURL check to ensure people build modules only from fedora dist-git in fedora.

You could also just put git:// in your configuration of conf.scmurls (which is effectively a wildcard). Would that work for you?

Thank you @ralph,

I think that it is not sufficient. What about URLs starting with http(s):// ?
I suggest PR#515 for solving this.

Edited 2 months ago by frostyx

The PR#515 was merged, so I am closing this issue

2 months ago

Metadata Update from @frostyx:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

Login to comment on this ticket.