Revert unintended spec change re version number syntax #5138
Comments
phadej
added a commit
that referenced
this issue
Mar 3, 2019
- #163 Also resolves #5138 Introduce PkgconfigVersion and PkgconfigVersionRange - `PkgconfigVersion` is compared with `rpmvercmp` - `PkgconfigVersionRange` is subset of `VersionRange` - with `cabal-version` before 3.0 it's parsed like `VersionRange`, where version digits are arbitrary integral (leading spaces allowed) - starting from cabal spec 3.0 `== x.y.*` and `^>=` (and set `{ .. }`) are disallowed. Yet, the version literals syntax is relaxed to accept alphanumerical + `-.` strings. E.g. openssl's `1.1.0h` is accepted. Lax `PkgconfigVersion` parser is also used to parse `pkg-config --modversion` output.
phadej
added a commit
that referenced
this issue
Mar 3, 2019
- Don't accept leading zeros in Version or VersionRange - Fixes #163 (pkg-config uses a more general version scheme) - Also resolves #5138 - `PkgconfigVersion` is compared with `rpmvercmp` - `PkgconfigVersionRange` is subset of `VersionRange` - with `cabal-version` before 3.0 it's parsed like `VersionRange`, where version digits are arbitrary integral (leading spaces allowed) - starting from cabal spec 3.0 `== x.y.*` and `^>=` (and set `{ .. }`) are disallowed. Yet, the version literals syntax is relaxed to accept alphanumerical + `-.` strings. E.g. openssl's `1.1.0h` is accepted. - Lax `PkgconfigVersion` parser is also used to parse `pkg-config --modversion` output.
phadej
added a commit
that referenced
this issue
Mar 3, 2019
- Don't accept leading zeros in Version or VersionRange - Fixes #163 (pkg-config uses a more general version scheme) - Also resolves #5138 - `PkgconfigVersion` is compared with `rpmvercmp` - `PkgconfigVersionRange` is subset of `VersionRange` - with `cabal-version` before 3.0 it's parsed like `VersionRange`, where version digits are arbitrary integral (leading spaces allowed) - starting from cabal spec 3.0 `== x.y.*` and `^>=` (and set `{ .. }`) are disallowed. Yet, the version literals syntax is relaxed to accept alphanumerical + `-.` strings. E.g. openssl's `1.1.0h` is accepted. - Lax `PkgconfigVersion` parser is also used to parse `pkg-config --modversion` output.
phadej
added a commit
that referenced
this issue
Mar 3, 2019
- Don't accept leading zeros in Version or VersionRange - Fixes #163 (pkg-config uses a more general version scheme) - Also resolves #5138 - `PkgconfigVersion` is compared with `rpmvercmp` - `PkgconfigVersionRange` is subset of `VersionRange` - with `cabal-version` before 3.0 it's parsed like `VersionRange`, where version digits are arbitrary integral (leading spaces allowed) - starting from cabal spec 3.0 `== x.y.*` and `^>=` (and set `{ .. }`) are disallowed. Yet, the version literals syntax is relaxed to accept alphanumerical + `-.` strings. E.g. openssl's `1.1.0h` is accepted. - Lax `PkgconfigVersion` parser is also used to parse `pkg-config --modversion` output.
phadej
added a commit
that referenced
this issue
Mar 3, 2019
- Don't accept leading zeros in Version or VersionRange - Fixes #163 (pkg-config uses a more general version scheme) - Also resolves #5138 - `PkgconfigVersion` is compared with `rpmvercmp` - `PkgconfigVersionRange` is subset of `VersionRange` - with `cabal-version` before 3.0 it's parsed like `VersionRange`, where version digits are arbitrary integral (leading spaces allowed) - starting from cabal spec 3.0 `== x.y.*` and `^>=` (and set `{ .. }`) are disallowed. Yet, the version literals syntax is relaxed to accept alphanumerical + `-.` strings. E.g. openssl's `1.1.0h` is accepted. - Lax `PkgconfigVersion` parser is also used to parse `pkg-config --modversion` output.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
#5092 hghlighted an issue where a change in cabal 1.24 resulted in an unintended change to the cabal specification, specifically relaxing the version parser to unintentionally allow for denormalised version numbers (which are not isomorphic to
NonEmpty Natural(where strictly speaking,Naturalhas an upper bound)).Since there's little benefit to allow denormalisation, and it mostly causes subtly problems as e.g. it would violate an implicit assumption code may have head about version numbers round-tripping loss-free, causes trouble to older parsers, complicates the parser as it needs to support and keep track whether it encountered a denormalised version number, this may offer an opportunity for denial of service attacks and/or exploits (I've got more planned in this area, but I don't want to discuss this publicly before we don't have counter measures in place), but most importantly, this wasn't an intentional change to the spec to begin with, we shall consider this spec change to be a bug, and act accordingly.
Measures that were taken already
00-index.tarindex will not be exposed to the original revisions which featured the invalid.cabalfiles.cabal checkcomplain about invalid.cabalfiles.cabalfiles with the invalid syntax to enter the index from now on.Next steps
Since
cabal > 1.24currently happily tolerate denormal version numbers, and hackage now actively prevents from more invalid entries entering the package index, the next steps are not "urgent", and can be done whenever convenient:.cabalrevisions which have become part of the01-index.tarindex, as well as are included in the original.tar.gzto cabal's parser quirk-DBcabal checkwarnings).The text was updated successfully, but these errors were encountered: