git.ipfire.org Git - thirdparty/patchwork.git/commit
parser: close a TOCTTOU bug on Person creation
author Daniel Axtens <dja@axtens.net>
Sat, 17 Feb 2018 01:54:51 +0000 (12:54 +1100)
committer Daniel Axtens <daniel.axtens@canonical.com>
Tue, 6 Mar 2018 14:32:42 +0000 (01:32 +1100)
commit f78161a552960301be5b9d70be51319105ff094a
tree 528b2c94bfe063c142513ed782bdf4ca6328def2
parent f66261edb50b961bec65b8902726545d4998472f
parser: close a TOCTTOU bug on Person creation

find_author looks up a person by email, and if they do not exist,
creates a Person model, which may be saved later if the message
contains something valuable.

Multiple simultaneous processes can race here: both can do the SELECT,
find there is no Person, and create the model. One will succeed in
saving, the other will get an IntegrityError.

Reduce the window by making find_author into get_or_create_author, and
plumb that through. (Remove a test that specifically required find_author
to *not* create).

More importantly, cover the case where we lose the race, by using
get_or_create which handles the race case, catching the IntegrityError
internally and fetching the winning Person model.

Reviewed-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
[dja: post review cleanup of now-unused import]
Signed-off-by: Daniel Axtens <dja@axtens.net>
patchwork/parser.py
patchwork/tests/test_parser.py
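
The race and the recovery described in the commit message, replayed deterministically on SQLite. This is an added example, not code from this commit or from patchwork: the `person` table, the helper names and the `before_insert` hook are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the Person table: one row per unique email.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, name TEXT)")
    return db

def lookup(db, email):
    row = db.execute("SELECT id FROM person WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None

def insert(db, email, name):
    with db:  # commit on success, roll back on error
        return db.execute("INSERT INTO person (email, name) VALUES (?, ?)", (email, name)).lastrowid

def racy_interleaving(db, email):
    """Replay the losing schedule: both workers check before either one saves."""
    seen_a = lookup(db, email)           # worker A: SELECT finds nothing
    seen_b = lookup(db, email)           # worker B: SELECT finds nothing
    winner = insert(db, email, "A")      # worker A saves first and wins
    try:
        insert(db, email, "B")           # worker B saves on stale information
    except sqlite3.IntegrityError as exc:
        return seen_a, seen_b, winner, str(exc)
    return seen_a, seen_b, winner, None

def get_or_create(db, email, name, before_insert=None):
    """Check, try to create, and on a lost race fetch the winner's row instead."""
    found = lookup(db, email)
    if found is not None:
        return found, False
    if before_insert:                    # hypothetical hook: lets a rival win inside the window
        before_insert()
    try:
        return insert(db, email, name), True
    except sqlite3.IntegrityError:
        return lookup(db, email), False  # lost the race: reuse the existing row

if __name__ == "__main__":
    print(racy_interleaving(make_db(), "dev@example.org"))
    db = make_db()
    rival = lambda: insert(db, "dev@example.org", "A")
    print(get_or_create(db, "dev@example.org", "B", before_insert=rival))
```

The unique constraint is what makes the recovery possible: without it, both inserts would succeed and leave duplicate rows rather than an error to catch.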