Pip: Pip install from internal pypi server containing git links fails with pypi 19.1

Created on 24 Apr 2019  路  17Comments  路  Source: pypa/pip

Environment

  • pip version: 19.1
  • Python version: Python 3.6.7
  • OS: Ubuntu 18.04

Description
We have pypi server that contains links to git:

git+ssh://<url>[email protected]#egg=<package>-0.1.0.201810251140

pip install <package> fails with

  GitLab: The project you were looking for could not be found.
  fatal: Could not read from remote repository.

  Please make sure you have the correct access rights
  and the repository exists.

Expected behavior
pip install <package> has been working and does work if I install pip<19.1

How to Reproduce

To reproduce this one needs local pypi server.

Add git+ssh://<url>[email protected]#egg=<package>-0.1.0.201810251140 style link to pypi server where that version number is a git tag.

Then:

virtualenv --python python3 env
. env/bin/activate
pip install 'pip==19.1'
pip install -vvv <package>

Output:

git clone -q ssh://<url>.git%400.1.0.201810251140 <temp>

Running same with pip<19.1 outputs
git clone -q ssh://<local_path>.git <temp>
It looks like the problem is that %400.1.0.201810251140 left in the git link.

finder vcs auto-locked bug
Source
picture K377U
👍1

Most helpful comment

Yes, I think so.

picture cjerdonek on 26 Apr 2019
4

All 17 comments

This looks to be related to this issue: https://github.com/pypa/pip/pull/6245

It looks like @ should be passed as a safe character to urllib_parse.quote().

@nicolasbock Do you have time to take a look?

cjerdonek picture cjerdonek on 24 Apr 2019

I did some debug and end up this location:

index.py

This is the place where @ is changed to %40. It might be that this part should be parsed before here?

K377U picture K377U on 24 Apr 2019

urllib.parse.quote() supports passing "safe" characters that shouldn't be quoted: https://docs.python.org/3/library/urllib.parse.html#urllib.parse.quote
So @ can be added to that I think.

cjerdonek picture cjerdonek on 24 Apr 2019

Alternatively, the URL should be unquoted prior to parsing. (I haven't really looked at the code yet, so I'm just suggesting possibilities.)

cjerdonek picture cjerdonek on 24 Apr 2019

@cjerdonek I tried this

path = urllib_parse.quote(urllib_parse.unquote(result.path), safe="/@")

and it fixes the problem.

K377U picture K377U on 24 Apr 2019

We are hitting this as well. In our case the private pypi is backed by AWS s3 and uses pre-signed s3 URLs as download links. for pip < 19.1 this works for us while for 19.1 we get 403. We can curl the links just fine.

I don't believe our URLs are quoted upon return from our private pypi service that successfully allows pip to find all the versions. I'm a bit stumped as to the new valid format of the download URL.

cwharland picture cwharland on 24 Apr 2019
👍1

@cjerdonek Maybe something like #6440 ?

nicolasbock picture nicolasbock on 24 Apr 2019

It seems more related to / perhaps. We're seeing a message like:

ERROR: HTTP error 403 while getting FAILING_URL ( from VALID_URL )

Where the difference is that FAILING_URL has / in the access keys/signed creds and VALID_URL has them correctly as %2F. So the quote change somehow makes it such that the token parts of the URL are now improperly formatted.

our URLs are of the form https://domain_name.org/TOKEN/package_name/package-version.tar.gz

and in the error message it looks as if TOKEN is unquoted.

Update:
Ah I see in https://github.com/pypa/pip/pull/6440 that both / and @ are protected. In that case I'm wondering if the valid auth token character of / will then break the subsequent download.

cwharland picture cwharland on 24 Apr 2019

Do you mean to say that the token has a quoted / which becomes unquoted?

nicolasbock picture nicolasbock on 24 Apr 2019

Yes. I believe that's what we're observing.

cwharland picture cwharland on 24 Apr 2019

@cwharland Could you create a separate issue? It sounds like it is also caused by #6245 but it's different than the issue with git+ssh URLs. Thanks!

nicolasbock picture nicolasbock on 25 Apr 2019
👍2 👀1

@nicolasbock Thanks again for your quick help with this! 馃憤

Can you also create a new issue for the slash issue mentioned above, and do you have time to create a PR for that as well? Feel free to let me know if you need advice on the right approach.

cjerdonek picture cjerdonek on 25 Apr 2019

No problem @cjerdonek ! I created #6446 .

nicolasbock picture nicolasbock on 25 Apr 2019

Thank you for really quick fix!

K377U picture K377U on 25 Apr 2019

Do you think there will be soon a bug-fix release with this fix?

cedk picture cedk on 26 Apr 2019

Yes, I think so.

cjerdonek picture cjerdonek on 26 Apr 2019
4

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

lock[bot] picture lock[bot] on 28 May 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

cjerdonek picture cjerdonek  路  3Comments
jiapei100 picture jiapei100  路  3Comments
dmfigol picture dmfigol  路  3Comments
gyorireka picture gyorireka  路  3Comments
reynoldsnlp picture reynoldsnlp  路  3Comments