git.ipfire.org Git - thirdparty/patchwork.git/commit
parser: close a TOCTTOU bug on Person creation
author Daniel Axtens <dja@axtens.net>
Sat, 17 Feb 2018 01:54:51 +0000 (12:54 +1100)
committer Daniel Axtens <daniel.axtens@canonical.com>
Tue, 6 Mar 2018 14:23:49 +0000 (01:23 +1100)
commit c4eca471a4a2cc3a2438e3ee6061df8988a251a6
tree 59c21595d6c7bcd083762541cc0083be815027f6
parent 7079b3cf867ba86606f91890c523ce3343b03287
parser: close a TOCTTOU bug on Person creation

find_author looks up a person by email, and if they do not exist,
creates a Person model, which may be saved later if the message
contains something valuable.

Multiple simultaneous processes can race here: both can do the SELECT,
find there is no Person, and create the model. One will succeed in
saving, the other will get an IntegrityError.

Reduce the window by making find_author into get_or_create_author, and
plumb that through. (Remove a test that specifically required find_author
to *not* create).

More importantly, cover the case where we lose the race, by using
get_or_create which handles the race case, catching the IntegrityError
internally and fetching the winning Person model.

Reviewed-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
[dja: post review cleanup of now-unused import]
Signed-off-by: Daniel Axtens <dja@axtens.net>
patchwork/parser.py
patchwork/tests/test_parser.py
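
The race and its handling as described in the commit message above, as an added example that is not patchwork's code: it uses Python's standard sqlite3 module as a stand-in for the Django ORM. The `person` table, the function names and the `race` hook (which runs a rival writer between the SELECT and the INSERT) are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # isolation_level=None: autocommit, so each statement stands alone
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY,"
                 " email TEXT NOT NULL UNIQUE, name TEXT)")
    return conn

def lookup(conn, email):
    return conn.execute("SELECT id, email, name FROM person WHERE email = ?",
                        (email,)).fetchone()

def insert(conn, email, name):
    conn.execute("INSERT INTO person (email, name) VALUES (?, ?)", (email, name))

def check_then_create(conn, email, name, race=None):
    """Racy: the check (SELECT) and the use (INSERT) are separate steps."""
    row = lookup(conn, email)
    if row is None:
        if race:
            race()                 # hypothetical hook: rival writes in the window
        insert(conn, email, name)  # raises IntegrityError if the rival won
        return lookup(conn, email), True
    return row, False

def get_or_create(conn, email, name, race=None):
    """Same lookup, but losing the race is handled instead of fatal."""
    try:
        return check_then_create(conn, email, name, race)
    except sqlite3.IntegrityError:
        return lookup(conn, email), False  # fetch the winner's row

def demo():
    email = "dev@example.org"  # constructed sample address
    results = []
    for create in (check_then_create, get_or_create):
        conn = make_db()
        rival = lambda: insert(conn, email, "Rival")  # simulated second process
        try:
            row, created = create(conn, email, "Me", race=rival)
            results.append((row[2], created))
        except sqlite3.IntegrityError:
            results.append("IntegrityError")
    return results

if __name__ == "__main__":
    print(demo())
```

The UNIQUE constraint on `email` is what decides the winner; without it both inserts would succeed and leave duplicate rows instead of raising an error that can be caught.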