The implementation contains both data races on single-word memory
accesses and multiple-word memory accesses which can result
in observing torn writes. It is unsafe and unsalvageable without
wrapping every access to global state into a mutex, or else stopping
request processing during a reload. Both are invasive options.
Since the server restarts very quickly, remove the handler to fix this.
For If-Modified-Since checks on the last change marker, only ever send
timestamps that we previously received from the server. This sidesteps
issues like races and anything dealing with clock precision.
Also make the code simpler to follow: handleFilterUpdates() now owns
lastRefresh, and refresh() now owns lastChanged.
Also retry with an exponential backoff if we fail to refresh the cache.
All sends to accessCh are non-blocking and are not affected.
V12-Ref: F-77198
This addresses an authorization bypass (which could occur only on
Windows).
A more principled way to do this would be to use `os.Root.OpenRoot`
and scope the actual filesystem operations per-domain. However, I
prototyped this and it was complicated enough that it wasn't clear
whether this would not introduce new issues.
V12-Ref: F-77209
Before this commit, the reader opened by `GetBlob` was not closed.
This does not matter for the current implementation of the S3 backend,
but for the FS backend the file descriptor was only closed by
the `os.File` finalizer.
V12-Ref: F-77205
This avoids exhausting RAM when reading e.g. a repository with a single
extremely large file. Note that there is still a risk of exhausting
space in `/tmp`.
V12-Ref: F-77211
In Go, unsized channels are unbuffered and require the sender and
the receiver to rendezvous, or the sender blocks. If the receiver
never listens, the sender cannot know this.
In Rust, unsized channels have an unbounded buffer and sending into
a channel with no receiver returns an error.
I got confused by the difference in semantics.
V12-Ref: F-77239
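The Go side of the semantic difference described in this commit, as an added example (not code from the project; `Event`, `sendWithTimeout` and `trySend` are hypothetical names chosen to mirror the non-blocking sends to accessCh mentioned in an earlier commit):

```go
package main

import (
	"fmt"
	"time"
)

// Event stands in for whatever the project's accessCh carries (hypothetical type).
type Event struct{ Path string }

// sendWithTimeout is an ordinary send bounded by a timer, so the demo can observe
// what a plain `ch <- ev` does: with nobody receiving on an unbuffered channel the
// send never completes, and the sender cannot learn that no receiver will ever come.
func sendWithTimeout(ch chan<- Event, ev Event, d time.Duration) bool {
	select {
	case ch <- ev:
		return true
	case <-time.After(d):
		return false // no rendezvous within d; a plain send would still be blocked
	}
}

// trySend is the non-blocking pattern the commit refers to: if no receiver is
// waiting right now (and any buffer is full), drop the event and report false
// instead of stalling the caller.
func trySend(ch chan<- Event, ev Event) bool {
	select {
	case ch <- ev:
		return true
	default:
		return false
	}
}

func main() {
	unbuffered := make(chan Event) // "unsized": capacity 0, sender and receiver must meet
	// 1. No receiver: a plain send blocks; observed here via the timeout.
	fmt.Println("plain send, no receiver:", sendWithTimeout(unbuffered, Event{"/a"}, 50*time.Millisecond))
	// 2. Non-blocking send, no receiver: returns at once, event dropped.
	fmt.Println("non-blocking send, no receiver:", trySend(unbuffered, Event{"/b"}))
	// 3. A receiver goroutine: the same send completes as soon as the two rendezvous.
	got := make(chan Event, 1)
	go func() { got <- <-unbuffered }()
	fmt.Println("plain send, receiver present:", sendWithTimeout(unbuffered, Event{"/c"}, time.Second), "got", (<-got).Path)
	// 4. Buffered channel: sends are absorbed until the buffer fills, receiver or not.
	buffered := make(chan Event, 1)
	fmt.Println("buffered sends:", trySend(buffered, Event{"/d"}), trySend(buffered, Event{"/e"}))
}
```

Note that Go offers no equivalent of the Rust send error: the only way to avoid a sender hanging on a channel nobody reads is the `select`/`default` form (or a cancellation channel in the `select`), which is why the non-blocking sends matter.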
Before this commit, if `backend.AppendAuditLog` failed, the request
would proceed anyway. This is contrary to the explicit contract and
design intent.
If Go had `#[must_use]`, this would not have happened :/
V12-Ref: F-77170
This cleans up resources that would otherwise be tied up by Caddy
endpoint requests where the originating TLS connection to Caddy has
gone away.
V12-Ref: F-77195
Use PUT to upload the following tar file (`unzstd | base64 -d`):
KLUv/QRY7QIAcoQOFLCnDQ0QaaURkYASyN1LJveuZAKkXivfoQMXZ5MhIGJAXHUWHclJufKB
PLvNDSbmD81Htf9W1f/3BgsA/QPwwAuojAHiDA8mpAEqhsJB8IUcTATEusLVn0AbU7ZnkA==
After this commit it should no longer crash the handler.
V12-Ref: F-77219
To reproduce, use PUT to upload this archive (`unzstd | base64 -d`):
KLUv/QRY7QIAxAJhL2IAMDAwMDY0NDAwMDAwMDEAADAwNzU2MAAgMAB1c3RhcgAwAGEAMzM3
YREA/UEF/EC9Y0AdDJBP8GDCTaDGBxATkAAd3gJoMPAbJANAciACGDTAsXKZngAR/m3nXA==
then issue any PATCH request to that site.
After this commit, the server returns "malformed manifest (not
a directory)" instead of "assignment to entry in nil map".
While ideally incoming manifests should be checked for consistency
regardless of how they're uploaded, in practice this is only a self-DoS
so it's probably not worth fixing.
V12-Ref: F-77244
Pull request number was compared, but pull request owner and repository
name were not. As a result you could overwrite any preview site with
the matching PR number.
This functionality is feature-gated and there are no known usable
deployments at the moment.
V12-Ref: F-77256
The old function did not even draw a histogram (it was a bar chart),
and would essentially always overcount sizes.
The new function is always accurate and just as useful at a glance.
It provides two modes, `text` (optionally colorized) and `json`.
This helps avoid incorrect behavior on typos and notifies end users
that a feature has been stabilized and removed. It also helps us avoid
reusing feature names by accident.
This commit includes no behavioral changes, only cosmetic ones:
* Renames the concept to "existence cache".
* Makes log messages more concise.
* Adds written rationale for the module.
* Renames feature to `existence-cache`.