#9 some Source URLs are reported as "HTTP Error 403: Forbidden" even though being accessible in Firefox, wget, curl
Closed: Fixed None Opened 8 years ago by kparal.

For some reason, certain Source URLs fail rpmlint checks like this:

glpi.src: W: invalid-url Source0: https://github.com/glpi-project/glpi/releases/download/0.90.3/glpi-0.90.3.tar.gz HTTP Error 403: Forbidden

https://taskotron-dev.fedoraproject.org/artifacts/all/3c36e5d0-00a8-11e6-808f-525400571835/task_output/glpi-0.90.3-1.fc24.log

I can reproduce that locally 100%, both through libtaskotron and rpmlint directly:

$ rpmlint /var/cache/taskotron/glpi-0.90.3-1.fc24.src.rpm 
glpi.src: I: enchant-dictionary-not-found fr
glpi.src: W: invalid-url Source0: https://github.com/glpi-project/glpi/releases/download/0.90.3/glpi-0.90.3.tar.gz HTTP Error 403: Forbidden
1 packages and 0 specfiles checked; 0 errors, 1 warnings.

However, when I try the same URL in any other tool, it works. curl says:

$ curl -I https://github.com/glpi-project/glpi/releases/download/0.90.3/glpi-0.90.3.tar.gz
HTTP/1.1 302 Found
Server: GitHub.com
Date: Tue, 12 Apr 2016 13:39:12 GMT
Content-Type: text/html; charset=utf-8
Status: 302 Found
Cache-Control: no-cache
Vary: X-PJAX
Location: https://github-cloud.s3.amazonaws.com/releases/39182755/6ed6a654-ffc9-11e5-98d0-b22cc90713d8.gz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20160412%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20160412T133912Z&X-Amz-Expires=300&X-Amz-Signature=2610c23b5a6a9d72428ca7906205d9aa26b5282c862179e1a9c54f1f1ba27e46&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dglpi-0.90.3.tar.gz&response-content-type=application%2Foctet-stream
X-UA-Compatible: IE=Edge,chrome=1
Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Sat, 12 Apr 2036 13:39:12 -0000; secure; HttpOnly
Set-Cookie: _gh_sess=eyJzZXNzaW9uX2lkIjoiMDRmNzAzNGM1ZmIzYzdkNWI1MWExYmJiNjU2NDk4MGEiLCJzcHlfcmVwbyI6ImdscGktcHJvamVjdC9nbHBpIiwic3B5X3JlcG9fYXQiOjE0NjA0NjgzNTJ9--8257e29b5eac93ed9567ed6cde2610cad00a4202; path=/; secure; HttpOnly
X-Request-Id: cbad671193a6d1c3a7ca364a1e423547
X-Runtime: 0.017615
Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com api.braintreegateway.com client-analytics.braintreegateway.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com checkout.paypal.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho="; pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws="; pin-sha256="K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q="; pin-sha256="IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4="; pin-sha256="iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0="; pin-sha256="LvRiGEjRqfzurezaWuj8Wie2gyHMrW5Q06LspMnox7A="; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Vary: Accept-Encoding
X-Served-By: 9835a984a05caa405eb61faaa1546741
X-GitHub-Request-Id: D5AF250A:5EF8:505E09:570CFA80

Another example:

storaged.src: W: invalid-url Source0: https://github.com/storaged-project/storaged/releases/download/storaged-2.5.0/storaged-2.5.0.tar.bz2 HTTP Error 403: Forbidden

https://taskotron-dev.fedoraproject.org/artifacts/all/4d958388-009c-11e6-9d05-525400571835/task_output/storaged-2.5.0-5.fc25.log

Figure out what is different when this is accessed by rpmlint.


Actually, /usr/share/rpmlint/config contains a filter to handle this, but that filter doesn't work, and I have reported a bug about this.
https://bugzilla.redhat.com/show_bug.cgi?id=1359582
Before the bug is fixed, we can manually change addFilter("invalid-url ..github.com/.HTTP Error 403" to "addFilter("invalid-url .github.com/.HTTP Error 403")" in /usr/share/rpmlint/config.

I think it's time for us to close this task, as this bug is fixed in rpmlint-1.9-2.fc24 :)

Great job, Lili. I can confirm this is fixed now. Closing.

Metadata Update from @kparal:
- Issue tagged with: easyfix

7 years ago
