[tahoe-dev] [tahoe-lafs] #705: "tahoe mv" unlinks the target even when it is a directory

tahoe-lafs trac at allmydata.org
Wed Jul 15 19:22:02 PDT 2009


#705: "tahoe mv" unlinks the target even when it is a directory
-------------------------------+--------------------------------------------
 Reporter:  zooko              |           Owner:       
     Type:  defect             |          Status:  new  
 Priority:  critical           |       Milestone:  1.5.0
Component:  code-frontend-cli  |         Version:  1.4.1
 Keywords:  reliability        |   Launchpad_bug:       
-------------------------------+--------------------------------------------
Changes (by zooko):

  * keywords:  reliability review => reliability


Comment:

 The comment "# we should probably pick some output that is more
 informative, and
 # put that here" can be removed from the test patch.

 Hm, the implementation works by using {{{urllib.urlopen()}}} to send a
 query for the metadata ({{{?t=json}}}) and then test whether the target
 exists and if so whether it is a directory.  If that test passes then it
 goes ahead and does the {{{HTTP PUT}}} to overwrite the target.

 The problem with this is that there is a race condition, also known as a
 TOCTTOU ("Time Of Check To Time Of Use") issue, where the object under the
 target name may be non-existent or be a file at the time the check
 happens, but be a directory when the subsequent PUT happens.

 A safer implementation would extend the semantics of the PUT to tell the
 webapi server "except don't do it if the target turns out to be a
 directory".  Hm, I guess 'tahoe mv' really ought to be using {{{POST
 /uri/$DIRCAP/[SUBDIRS../]?t=rename}}} anyway instead of {{{PUT}}}.   Hm, I
 see that that {{{POST}}} command has an undocumented (in
 [source:docs/frontends/webapi.txt]) 'replace' option indicating whether it
 should replace if there is already a child under the target name or abort.
 [source:src/allmydata/web/directory.py at 20090715025814-92b7f-d4af644430e5daef6d6ad57cc550c8faceaeb2cf#L327]

 I guess the right implementation of this ticket is to extend that webapi
 command with a {{{replace=only_files}}} option which will abort if there
 is a child under the target name and that child is a directory.

 Unsetting the 'review' keyword.  Kevan: what do you think?  I don't want
 to punt this issue out of 1.5 because it is a potentially data-losing UI
 issue.

-- 
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/705#comment:16>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid
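
The race described in the comment above, as an added example that is not part of the original message and is not Tahoe-LAFS code. `DirectoryNode`, `racy_mv` and the hook parameter are hypothetical names for a toy in-memory model; `replace="only_files"` follows the option proposed in the message.

```python
import threading

class DirectoryNode:
    """Toy in-memory directory; a stand-in for illustration, not Tahoe-LAFS code."""
    def __init__(self):
        self._lock = threading.Lock()
        self.children = {}  # name -> ("file", bytes) or ("dir", dict)

    def get_kind(self, name):
        # Analogue of the separate ?t=json metadata query.
        with self._lock:
            entry = self.children.get(name)
            return entry[0] if entry else None

    def put(self, name, entry):
        # Analogue of the unconditional PUT: overwrites whatever is there.
        with self._lock:
            self.children[name] = entry

    def rename(self, src, dst, replace="true"):
        # Check and update share one lock, so no writer can slip in between.
        with self._lock:
            existing = self.children.get(dst)
            if existing is not None and replace == "only_files" and existing[0] == "dir":
                raise IsADirectoryError(dst)
            self.children[dst] = self.children.pop(src)

def racy_mv(node, src, dst, between_check_and_use=lambda: None):
    """Client-side check, then a separate overwrite: the TOCTTOU shape."""
    if node.get_kind(dst) == "dir":
        raise IsADirectoryError(dst)
    between_check_and_use()  # constructed hook: a concurrent writer acts here
    node.put(dst, node.children.pop(src))

def demo():
    victim = ("dir", {"keep.txt": ("file", b"precious")})  # constructed sample data
    racy, atomic = DirectoryNode(), DirectoryNode()
    for node in (racy, atomic):
        node.put("a.txt", ("file", b"new"))
    # Racy path: the directory appears after the check, before the overwrite.
    racy_mv(racy, "a.txt", "target", lambda: racy.put("target", victim))
    # Atomic path: the directory already exists when the rename is evaluated.
    atomic.put("target", victim)
    try:
        atomic.rename("a.txt", "target", replace="only_files")
    except IsADirectoryError:
        pass
    return racy.get_kind("target"), atomic.get_kind("target")
```

`demo()` returns the kind of `target` after each path: the client-side check loses the directory, while the check made inside the rename keeps it and leaves the source in place.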

