Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pip install from internal pypi server containing git links fails with pypi 19.1 #6437

Closed
K377U opened this issue Apr 24, 2019 · 17 comments · Fixed by #6440
Closed

Pip install from internal pypi server containing git links fails with pypi 19.1 #6437

K377U opened this issue Apr 24, 2019 · 17 comments · Fixed by #6440
Labels
auto-locked Outdated issues that have been locked by automation C: finder PackageFinder and index related code C: vcs pip's interaction with version control systems like git, svn and bzr type: bug A confirmed bug or unintended behavior

Comments

@K377U
Copy link

K377U commented Apr 24, 2019

Environment

  • pip version: 19.1
  • Python version: Python 3.6.7
  • OS: Ubuntu 18.04

Description
We have pypi server that contains links to git:

git+ssh://<url>.git@0.1.0.201810251140#egg=<package>-0.1.0.201810251140

pip install <package> fails with

  GitLab: The project you were looking for could not be found.
  fatal: Could not read from remote repository.

  Please make sure you have the correct access rights
  and the repository exists.

Expected behavior
pip install <package> has been working and does work if I install pip<19.1

How to Reproduce

To reproduce this one needs local pypi server.

Add git+ssh://<url>.git@0.1.0.201810251140#egg=<package>-0.1.0.201810251140 style link to pypi server where that version number is a git tag.

Then:

virtualenv --python python3 env
. env/bin/activate
pip install 'pip==19.1'
pip install -vvv <package>

Output:

git clone -q ssh://<url>.git%400.1.0.201810251140 <temp>

Running same with pip<19.1 outputs

git clone -q ssh://<local_path>.git <temp>

It looks like the problem is that %400.1.0.201810251140 left in the git link.

@cjerdonek
Copy link
Member

This looks to be related to this issue: #6245

It looks like @ should be passed as a safe character to urllib_parse.quote().

@nicolasbock Do you have time to take a look?

@K377U
Copy link
Author

K377U commented Apr 24, 2019

I did some debug and end up this location:

index.py

This is the place where @ is changed to %40. It might be that this part should be parsed before here?

@cjerdonek
Copy link
Member

urllib.parse.quote() supports passing "safe" characters that shouldn't be quoted: https://docs.python.org/3/library/urllib.parse.html#urllib.parse.quote
So @ can be added to that I think.

@cjerdonek
Copy link
Member

Alternatively, the URL should be unquoted prior to parsing. (I haven't really looked at the code yet, so I'm just suggesting possibilities.)

@K377U
Copy link
Author

K377U commented Apr 24, 2019

@cjerdonek I tried this

path = urllib_parse.quote(urllib_parse.unquote(result.path), safe="/@")

and it fixes the problem.

@cwharland
Copy link

We are hitting this as well. In our case the private pypi is backed by AWS s3 and uses pre-signed s3 URLs as download links. for pip < 19.1 this works for us while for 19.1 we get 403. We can curl the links just fine.

I don't believe our URLs are quoted upon return from our private pypi service that successfully allows pip to find all the versions. I'm a bit stumped as to the new valid format of the download URL.

@nicolasbock
Copy link
Contributor

@cjerdonek Maybe something like #6440 ?

@cwharland
Copy link

cwharland commented Apr 24, 2019

It seems more related to / perhaps. We're seeing a message like:

ERROR: HTTP error 403 while getting FAILING_URL ( from VALID_URL )

Where the difference is that FAILING_URL has / in the access keys/signed creds and VALID_URL has them correctly as %2F. So the quote change somehow makes it such that the token parts of the URL are now improperly formatted.

our URLs are of the form https://domain_name.org/TOKEN/package_name/package-version.tar.gz

and in the error message it looks as if TOKEN is unquoted.

Update:
Ah I see in #6440 that both / and @ are protected. In that case I'm wondering if the valid auth token character of / will then break the subsequent download.

@nicolasbock
Copy link
Contributor

Do you mean to say that the token has a quoted / which becomes unquoted?

@cwharland
Copy link

Yes. I believe that's what we're observing.

@nicolasbock
Copy link
Contributor

@cwharland Could you create a separate issue? It sounds like it is also caused by #6245 but it's different than the issue with git+ssh URLs. Thanks!

cedk added a commit to cedk/pip that referenced this issue Apr 25, 2019
nicolasbock added a commit to nicolasbock/pip that referenced this issue Apr 25, 2019
Remote URLs that contain a link to a git repository and a tag
reference will have the `@` character converted into `%40`. This is
incorrect.

Fixes: pypa#6437

Signed-off-by: Nicolas Bock <nicolasbock@gmail.com>
@cjerdonek
Copy link
Member

@nicolasbock Thanks again for your quick help with this! 👍

Can you also create a new issue for the slash issue mentioned above, and do you have time to create a PR for that as well? Feel free to let me know if you need advice on the right approach.

@nicolasbock
Copy link
Contributor

No problem @cjerdonek ! I created #6446 .

@K377U
Copy link
Author

K377U commented Apr 25, 2019

Thank you for really quick fix!

@cjerdonek cjerdonek added C: finder PackageFinder and index related code C: vcs pip's interaction with version control systems like git, svn and bzr type: bug A confirmed bug or unintended behavior labels Apr 25, 2019
@cedk
Copy link

cedk commented Apr 26, 2019

Do you think there will be soon a bug-fix release with this fix?

@cjerdonek
Copy link
Member

Yes, I think so.

@lock
Copy link

lock bot commented May 28, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot added the auto-locked Outdated issues that have been locked by automation label May 28, 2019
@lock lock bot locked as resolved and limited conversation to collaborators May 28, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
auto-locked Outdated issues that have been locked by automation C: finder PackageFinder and index related code C: vcs pip's interaction with version control systems like git, svn and bzr type: bug A confirmed bug or unintended behavior
Projects
None yet
5 participants