haskell
diff --git a/‎datafiles/static/hackage.css‎
Lines changed: 8 additions & 0 deletions b/‎datafiles/static/hackage.css‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎datafiles/templates/Html/candidate-page.html.st‎
Lines changed: 12 additions & 8 deletions b/‎datafiles/templates/Html/candidate-page.html.st‎
Lines changed: 12 additions & 8 deletions
diff --git a/‎datafiles/templates/Html/package-page.html.st‎
Lines changed: 9 additions & 1 deletion b/‎datafiles/templates/Html/package-page.html.st‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎flake.nix‎
Lines changed: 2 additions & 0 deletions b/‎flake.nix‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎hackage-server.cabal‎
Lines changed: 3 additions & 3 deletions b/‎hackage-server.cabal‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/Distribution/Server.hs‎
Lines changed: 4 additions & 4 deletions b/‎src/Distribution/Server.hs‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎src/Distribution/Server/Features/Core.hs‎
Lines changed: 8 additions & 8 deletions b/‎src/Distribution/Server/Features/Core.hs‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎src/Distribution/Server/Features/Core/Backup.hs‎
Lines changed: 4 additions & 4 deletions b/‎src/Distribution/Server/Features/Core/Backup.hs‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎src/Distribution/Server/Features/EditCabalFiles.hs‎
Lines changed: 10 additions & 9 deletions b/‎src/Distribution/Server/Features/EditCabalFiles.hs‎
Lines changed: 10 additions & 9 deletions
diff --git a/‎src/Distribution/Server/Features/Html.hs‎
Lines changed: 5 additions & 5 deletions b/‎src/Distribution/Server/Features/Html.hs‎
Lines changed: 5 additions & 5 deletions
@@ -1313,3 +1313,11 @@ p.registration-email {
     background: #222;
   }
 }
+
+
+@media (prefer-color-scheme: dark) {
+  thead th{
+      background-color: #5E5184;
+      color: #e0e0e0;
+  }
+}
@@ -95,21 +95,25 @@
         $if(package.optional.hasHomePage)$
         <tr>
           <th>Home page</th>
-          <td>
-            <a href=$package.optional.homepage$>
-              $package.optional.homepage$
-            </a>
+          <td class="word-wrap">
+            $if(package.optional.homepageIsSafeURI)$
+            <a href="$package.optional.homepage$">$package.optional.homepage$</a>
+            $else$
+            $package.optional.homepage$
+            $endif$
           </td>
         </tr>
         $endif$
 
         $if(package.optional.hasBugTracker)$
         <tr>
           <th>Bug&nbsp;tracker</th>
-          <td>
-            <a href="$package.optional.bugTracker$">
-              $package.optional.bugTracker$
-            </a>
+          <td class="word-wrap">
+            $if(package.optional.bugTrackerIsSafeURI)$
+            <a href="$package.optional.bugTracker$">$package.optional.bugTracker$</a>
+            $else$
+            $package.optional.bugTracker$
+            $endif$
           </td>
         </tr>
         $endif$
 
@@ -203,7 +203,11 @@
             <tr>
               <th>Home page</th>
               <td class="word-wrap">
-                <a href=$package.optional.homepage$>$package.optional.homepage$</a>
+                $if(package.optional.homepageIsSafeURI)$
+                <a href="$package.optional.homepage$">$package.optional.homepage$</a>
+                $else$
+                $package.optional.homepage$
+                $endif$
               </td>
             </tr>
             $endif$
@@ -212,7 +216,11 @@
             <tr>
               <th>Bug&nbsp;tracker</th>
               <td class="word-wrap">
+                $if(package.optional.bugTrackerIsSafeURI)$
                 <a href="$package.optional.bugTracker$">$package.optional.bugTracker$</a>
+                $else$
+                $package.optional.bugTracker$
+                $endif$
               </td>
             </tr>
             $endif$
 
@@ -55,6 +55,8 @@
 
             sandwich.check = false;
 
+            threads.check = false;
+
             unicode-data.check = false;
           };
           packages = {
 
@@ -1,6 +1,6 @@
 cabal-version: 3.0
 name:         hackage-server
-version:      0.5.1
+version:      0.6
 
 category:     Distribution
 synopsis:     The Hackage web server
@@ -149,7 +149,7 @@ common defaults
     , array                  >= 0.5   && < 0.6
     , base                   >= 4.18  && < 4.22
     , binary                 >= 0.8   && < 0.9
-    , bytestring             >= 0.10  && < 0.13
+    , bytestring             >= 0.11.2 && < 0.13
     , containers             >= 0.6.0 && < 0.9
     , deepseq                >= 1.4   && < 1.6
     , directory              >= 1.3   && < 1.4
@@ -228,6 +228,7 @@ library
     Distribution.Server.Framework.BlobStorage
     Distribution.Server.Framework.Cache
     Distribution.Server.Framework.Cron
+    Distribution.Server.Framework.CSRF
     Distribution.Server.Framework.Error
     Distribution.Server.Framework.Logging
     Distribution.Server.Framework.Feature
@@ -364,7 +365,6 @@ library
       Distribution.Server.Features.HaskellPlatform
       Distribution.Server.Features.HaskellPlatform.State
       Distribution.Server.Features.PackageInfoJSON
-      Distribution.Server.Features.PackageInfoJSON.State
       Distribution.Server.Features.Search
       Distribution.Server.Features.Search.BM25F
       Distribution.Server.Features.Search.DocIdSet
 
@@ -32,6 +32,7 @@ import qualified Distribution.Server.Framework.Auth as Auth
 import Distribution.Server.Framework.Templating (TemplatesMode(..))
 import Distribution.Server.Framework.AuthTypes (PasswdPlain(..))
 import Distribution.Server.Framework.HtmlFormWrapper (htmlFormWrapperHack)
+import Distribution.Server.Framework.CSRF (csrfMiddleware)
 
 import Distribution.Server.Framework.Feature as Feature
 import qualified Distribution.Server.Features as Features
@@ -301,10 +302,9 @@ initState server (admin, pass) = do
 impl :: Server -> ServerPart Response
 impl server = logExceptions $
     runServerPartE $
-      handleErrorResponse (serveErrorResponse errHandlers Nothing) $
-        renderServerTree [] serverTree
-          `mplus`
-        fallbackNotFound
+      handleErrorResponse (serveErrorResponse errHandlers Nothing) $ do
+        csrfMiddleware
+        renderServerTree [] serverTree `mplus` fallbackNotFound
   where
     serverTree :: ServerTree (DynamicPath -> ServerPartE Response)
     serverTree =
 
@@ -27,7 +27,7 @@ import qualified Codec.Compression.GZip                             as GZip
 import           Data.Aeson                                         (Value (..), toJSON)
 import qualified Data.Aeson.Key                                     as Key
 import qualified Data.Aeson.KeyMap                                  as KeyMap
-import           Data.ByteString.Lazy                               (ByteString)
+import           Data.ByteString.Lazy                               (LazyByteString, fromStrict)
 import qualified Data.Foldable                                      as Foldable
 import qualified Data.Text                                          as Text
 import           Data.Time.Clock                                    (UTCTime, getCurrentTime)
@@ -130,7 +130,7 @@ data CoreFeature = CoreFeature {
     -- modification time for the tar entry.
     --
     -- This runs a `PackageChangeIndexExtra` hook when done.
-    updateArchiveIndexEntry :: forall m. MonadIO m => FilePath -> ByteString -> UTCTime -> m (),
+    updateArchiveIndexEntry :: forall m. MonadIO m => FilePath -> LazyByteString -> UTCTime -> m (),
 
     -- | Notification of package or index changes.
     packageChangeHook :: Hook PackageChange (),
@@ -175,7 +175,7 @@ data PackageChange
     | PackageChangeInfo PackageUpdate PkgInfo PkgInfo
     -- | A file has changed in the package index tar not covered by any of the
     -- other change types.
-    | PackageChangeIndexExtra String ByteString UTCTime
+    | PackageChangeIndexExtra String LazyByteString UTCTime
 
 -- | A predicate to use with `packageChangeHook` and `registerHookJust` for
 -- keeping other features synchronized with the main package index.
@@ -212,7 +212,7 @@ isPackageDeleteVersion             :: Maybe PackageId,
 isPackageChangeCabalFile           :: Maybe (PackageId, CabalFileText),
 isPackageChangeCabalFileUploadInfo :: Maybe (PackageId, UploadInfo),
 isPackageChangeTarball             :: Maybe (PackageId, PkgTarball),
-isPackageIndexExtraChange          :: Maybe (String, ByteString, UTCTime)
+isPackageIndexExtraChange          :: Maybe (String, LazyByteString, UTCTime)
 -}
 
 data CoreResource = CoreResource {
@@ -591,7 +591,7 @@ coreFeature ServerEnv{serverBlobStore = store} UserFeature{..}
           runHook_ packageChangeHook  (PackageChangeInfo PackageUpdatedUploadTime oldpkginfo newpkginfo)
           return True
 
-    updateArchiveIndexEntry :: MonadIO m => FilePath -> ByteString -> UTCTime -> m ()
+    updateArchiveIndexEntry :: MonadIO m => FilePath -> LazyByteString -> UTCTime -> m ()
     updateArchiveIndexEntry entryName entryData entryTime = logTiming maxBound ("updateArchiveIndexEntry " ++ show entryName) $ do
       updateState packagesState $
         AddOtherIndexEntry $ ExtraEntry entryName entryData entryTime
@@ -721,7 +721,7 @@ coreFeature ServerEnv{serverBlobStore = store} UserFeature{..}
       -- check that the cabal name matches the package
       guard (lookup "cabal" dpath == Just (display $ packageName pkginfo))
       let (fileRev, (utime, _uid)) = pkgLatestRevision pkginfo
-          cabalfile = Resource.CabalFile (cabalFileByteString fileRev) utime
+          cabalfile = Resource.CabalFile (fromStrict $ cabalFileByteString fileRev) utime
       return $ toResponse cabalfile
 
     serveCabalFileRevisionsList :: DynamicPath -> ServerPartE Response
@@ -731,7 +731,7 @@ coreFeature ServerEnv{serverBlobStore = store} UserFeature{..}
       let revisions = pkgMetadataRevisions pkginfo
           revisionToObj rev (cabalFileText, (utime, uid)) =
             let uname = userIdToName users uid
-                hash = sha256 (cabalFileByteString cabalFileText)
+                hash = sha256 (fromStrict $ cabalFileByteString cabalFileText)
             in
             Object $ KeyMap.fromList
               [ (Key.fromString "number", Number (fromIntegral rev))
@@ -750,7 +750,7 @@ coreFeature ServerEnv{serverBlobStore = store} UserFeature{..}
       case mrev >>= \rev -> revisions Vec.!? rev of
         Just (fileRev, (utime, _uid)) -> return $ toResponse cabalfile
           where
-            cabalfile = Resource.CabalFile (cabalFileByteString fileRev) utime
+            cabalfile = Resource.CabalFile (fromStrict $ cabalFileByteString fileRev) utime
         Nothing -> errNotFound "Package revision not found"
                      [MText "Cannot parse revision, or revision out of range."]
 
 
@@ -98,7 +98,7 @@ doPackageImport (PartialIndex packages updatelog) entry = case entry of
         list <- importCSV "tarball.csv" bs >>= importTarballMetadata fp
         return $ partial { partialTarballUpload = list }
       [other] | Just version <- extractVersion other (packageName pkgId) ".cabal" ->
-        return $ partial { partialCabal = (version, CabalFileText bs):partialCabal partial }
+        return $ partial { partialCabal = (version, CabalFileText $ BS.toStrict bs) : partialCabal partial }
       _ -> return partial
     return $! PartialIndex (Map.insert pkgId partial' packages) updatelog
   BackupBlob filename@["package",pkgStr,other] blobId -> do
@@ -198,7 +198,7 @@ partialToFullPkg (pkgId, PartialPkg{..}) = do
         filename = display pkgId ++ ".cabal"
 
     case runParseResult $ parseGenericPackageDescription $
-         BS.toStrict $ cabalFileByteString latestCabalFile of
+         cabalFileByteString latestCabalFile of
       (_, Left (_, errs)) -> fail $ unlines (map (showPError filename) $ toList errs)
       (_, Right _)        -> return ()
 
@@ -322,8 +322,8 @@ cabalListToExport pkgId cabalInfos =
     cabalName = display (packageName pkgId) ++ ".cabal"
 
     blobEntry :: (Int, CabalFileText) -> BackupEntry
-    blobEntry (0, CabalFileText bs) = BackupByteString (pkgPath pkgId cabalName) bs
-    blobEntry (n, CabalFileText bs) = BackupByteString (pkgPath pkgId (cabalName ++ "-" ++ show n)) bs
+    blobEntry (0, CabalFileText bs) = BackupByteString (pkgPath pkgId cabalName) (BS.fromStrict bs)
+    blobEntry (n, CabalFileText bs) = BackupByteString (pkgPath pkgId (cabalName ++ "-" ++ show n)) (BS.fromStrict bs)
 
     cabalMetadata :: CSV
     cabalMetadata =
 
@@ -23,7 +23,8 @@ import Distribution.Server.Util.CabalRevisions
          (Change(..), diffCabalRevisions, insertRevisionField)
 import Text.StringTemplate.Classes (SElem(SM))
 
-import Data.ByteString.Lazy (ByteString)
+import Data.ByteString (StrictByteString)
+import Data.ByteString.Lazy (LazyByteString)
 import qualified Data.ByteString.Lazy as BS.L
 import qualified Data.Map as Map
 import Data.Time (getCurrentTime)
@@ -84,7 +85,7 @@ editCabalFilesFeature _env templates
         ok $ toResponse $ template
           [ "pkgid"     $= pkgid
           , "cabalfile" $= insertRevisionField (pkgNumRevisions pkg)
-                             (cabalFileByteString (pkgLatestCabalFileText pkg))
+                             (BS.L.fromStrict (cabalFileByteString (pkgLatestCabalFileText pkg)))
           ]
 
     serveEditCabalFilePost :: DynamicPath -> ServerPartE Response
@@ -98,11 +99,11 @@ editCabalFilesFeature _env templates
         uid <- guardAuthorised [ InGroup (maintainersGroup pkgname)
                                , InGroup trusteesGroup ]
         let oldVersion = cabalFileByteString (pkgLatestCabalFileText pkg)
-        newRevision <- getCabalFile
+        newRevision <- BS.L.toStrict <$> getCabalFile
         shouldPublish <- getPublish
         case diffCabalRevisionsByteString oldVersion newRevision of
           Left errs ->
-            responseTemplate template pkgid newRevision
+            responseTemplate template pkgid (BS.L.fromStrict newRevision)
                              shouldPublish [errs] []
 
           Right changes
@@ -117,7 +118,7 @@ editCabalFilesFeature _env templates
                   , "changes"   $= changes
                   ]
             | otherwise ->
-                responseTemplate template pkgid newRevision
+                responseTemplate template pkgid (BS.L.fromStrict newRevision)
                                  shouldPublish [] changes
 
        where
@@ -126,7 +127,7 @@ editCabalFilesFeature _env templates
                                (look "publish" >> return True)
 
          responseTemplate :: ([TemplateAttr] -> Template) -> PackageId
-                          -> ByteString -> Bool -> [String] -> [Change]
+                          -> LazyByteString -> Bool -> [String] -> [Change]
                           -> ServerPartE Response
          responseTemplate template pkgid cabalFile publish errors changes =
            ok $ toResponse $ template
@@ -139,11 +140,11 @@ editCabalFilesFeature _env templates
 
 
 -- | Wrapper around 'diffCabalRevisions' which operates on
--- 'ByteString' decoded with lenient UTF8 and with any leading BOM
+-- 'LazyByteString' decoded with lenient UTF8 and with any leading BOM
 -- stripped.
-diffCabalRevisionsByteString :: ByteString -> ByteString -> Either String [Change]
+diffCabalRevisionsByteString :: StrictByteString -> StrictByteString -> Either String [Change]
 diffCabalRevisionsByteString oldRevision newRevision =
-    maybe (diffCabalRevisions (BS.L.toStrict oldRevision) (BS.L.toStrict newRevision))
+    maybe (diffCabalRevisions oldRevision newRevision)
           Left
           parseSpecVerCheck
   where
 
@@ -68,7 +68,7 @@ import qualified Data.Map as Map
 import qualified Data.Set as Set
 import qualified Data.Vector as Vec
 import qualified Data.Text as T
-import qualified Data.ByteString.Lazy.Char8 as BS (ByteString)
+import qualified Data.ByteString.Lazy as BS (LazyByteString, fromStrict)
 import qualified Network.URI as URI
 
 import Text.XHtml.Strict
@@ -650,7 +650,7 @@ mkHtmlCore ServerEnv{serverBaseURI, serverBlobStore}
         pkgVotes      <- pkgNumVotes pkgname
         pkgScore      <- pkgNumScore pkgname
         auth          <- checkAuthenticated
-        userRating    <- case auth of Just (uid,_) -> pkgUserVote pkgname uid; _ -> return Nothing
+        userRating    <- case auth of Just uid -> pkgUserVote pkgname uid; _ -> return Nothing
         mdoctarblob   <- queryDocumentation realpkg
         tags          <- queryTagsForPackage pkgname
         rdeps         <- queryReverseDeps pkgname
@@ -812,9 +812,9 @@ mkHtmlCore ServerEnv{serverBaseURI, serverBlobStore}
             start []          = []
             start (curr:rest) = go curr rest
 
-            go curr [] = [(sha256 (cabalFileByteString (fst curr)), [])]
+            go curr [] = [(sha256 (BS.fromStrict (cabalFileByteString (fst curr))), [])]
             go curr (prev:rest) =
-                ( sha256 (cabalFileByteString (fst curr))
+                ( sha256 (BS.fromStrict (cabalFileByteString (fst curr)))
                 , changes curr prev )
                 : go prev rest
 
@@ -849,7 +849,7 @@ mkHtmlCore ServerEnv{serverBaseURI, serverBlobStore}
 
 
 -- | Common helper used by 'serveCandidatePage' and 'servePackagePage'
-makeReadme :: MonadIO m => PackageRender -> m (Maybe BS.ByteString)
+makeReadme :: MonadIO m => PackageRender -> m (Maybe BS.LazyByteString)
 makeReadme render = case rendReadme render of
   Just (tarfile, _, offset, _) ->
         either (\_err -> return Nothing) (return . Just . snd) =<<
Original file line number	Diff line number	Diff line change
`@@ -1313,3 +1313,11 @@ p.registration-email {`
`1313`	`1313`	`background: #222;`
`1314`	`1314`	`}`
`1315`	`1315`	`}`
	`1316`	`+`
	`1317`	`+`
	`1318`	`+@media (prefer-color-scheme: dark) {`
	`1319`	`+ thead th{`
	`1320`	`+ background-color: #5E5184;`
	`1321`	`+ color: #e0e0e0;`
	`1322`	`+ }`
	`1323`	`+}`