PHP :: Bug #67540 :: svn.php.net blocking Drupal?

Bug #67540	svn.php.net blocking Drupal?
Submitted:	2014-06-30 00:14 UTC	Modified:	2014-07-05 04:15 UTC
From:	php dot net dot e at salvisberg dot com	Assigned:
Status:	Not a bug	Package:	Website problem
PHP Version:	Irrelevant	OS:
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 27 - 19 = ?
Subscribe to this entry?

[2014-06-30 00:14 UTC] php dot net dot e at salvisberg dot com

Description:
------------
A Drupal module that I'm helping to maintain tries to download the following file:

http://svn.php.net/repository/pear/packages/Mail_mimeDecode/trunk/Mail/mimeDecode.php

I have no trouble downloading it using my web browser, but a user reports in https://www.drupal.org/node/2294753 that the request...

GET /repository/pear/packages/Mail_mimeDecode/trunk/Mail/mimeDecode.php HTTP/1.0
User-Agent: Drupal (+http://drupal.org/)
Host: svn.php.net

... fails with an HTTP forbidden notice.


Indeed, I can easily reproduce that with wget (see Test script). Are you blocking the "Drupal" user agent? Why?


Test script:
---------------
# wget --user-agent=Drupal http://svn.php.net/repository/pear/packages/Mail_mimeDecode/trunk/Mail/mimeDecode.php


Expected result:
----------------
--2014-06-30 02:06:43--  http://svn.php.net/repository/pear/packages/Mail_mimeDecode/trunk/Mail/mimeDecode.php
Resolving svn.php.net... 213.189.17.212
Connecting to svn.php.net|213.189.17.212|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39143 (38K) [text/plain]
Saving to: `mimeDecode.php'

100%[=================================================================================================>] 39,143      --.-K/s   in 0.01s

2014-06-30 02:06:43 (2.69 MB/s) - `mimeDecode.php' saved [39143/39143]


Actual result:
--------------
--2014-06-30 02:01:51--  http://svn.php.net/repository/pear/packages/Mail_mimeDecode/trunk/Mail/mimeDecode.php
Resolving svn.php.net... 213.189.17.212
Connecting to svn.php.net|213.189.17.212|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2014-06-30 02:01:51 ERROR 403: Forbidden.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-06-30 05:27 UTC] bjori@php.net

-Status: Open +Status: Not a bug

[2014-06-30 05:27 UTC] bjori@php.net

I do indeed recall an issue where we had to block drupal installation from ddosin our svn repository.

It is clearly not cool on your part to be abusing our repository like this - and its not very smart either, as a svn repository is not somewhere you should be sending your production users.


Please use the normal download mechanism offered.

[2014-07-04 21:19 UTC] php dot net dot e at salvisberg dot com

Thank you for your reply and comments. I'm sorry if we have caused you grief -- this was surely a bug and not intentional. I'm not sure why you call it "abusing" though.

One Drupal module that implements a mechanism to download from your svn repository is https://www.drupal.org/project/include. There may be others besides it, and I don't know whether this is the one that ran away, but it's the one we were using.

I see your point about downloading from the svn trunk. I guess, the original developer tried to automate retrieving the dependencies to make it as easy as possible to get up and running quickly without having to deal with pear install and having to wrestle with getting the dependencies to where his module can find them.

In the case of Mail_mimeDecode, downloading from the trunk is probably appropriate though, because there is no current branch / release package.

[2014-07-04 22:46 UTC] tyrael@php.net

it is still a bad practice, because there is no promise that we won remove/rename that file or change it's api in a way that it will be incompatible with the caller.
so I fail to see why couldn't your friend just put that script into his package/app?
btw. if anybody interested in the original reason for blacklisting drupal from svn.php.net:
https://twitter.com/mgdm/status/432907801955147777
https://www.drupal.org/node/2193919
now they are using our json api to fetch the signatures:
http://doc.php.net/downloads/json/php_manual_en.json

[2014-07-04 23:34 UTC] php dot net dot e at salvisberg dot com

Thank you for the links! Since the issue has been identified and resolved, is there any chance that you could lift the ban?

http://svn.php.net/repository/pear/packages/Mail_mimeDecode/trunk/Mail/mimeDecode.php
contains a "BSD license style" license.

drupal.org does not allow uploading content that is not under "GPL version 2 or later" (see https://www.drupal.org/licensing/faq#q4).

The trunk version of mimeDecode.php is 8 months old, the one on GitHub 3 years, and the PEAR package 3.5 years. Downloading the trunk version seems to be the only viable option, even at the risks that you mention.

[2014-07-05 04:15 UTC] bjori@php.net

You are severely misunderstanding the argument from drupal.org - and if you weren't then you were actually breaking the license by downloading it like this "on-demand".

That same FAQ even states that BSD license is OK.

We will not be removing this block as it is in your best interest so we will continue to protect you from doing bad mistakes.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 25 03:01:29 2024 UTC