Hackage responses with 403 for push-cabal

[phadej]

% hackage-cli --verbose push-cabal quickcheck-instances.cabal
Using Hackage credentials for username "phadej"
Pushing "quickcheck-instances.cabal" (quickcheck-instances-0.4~1) [review-mode] ...
Hackage response was (after 0.295 secs):
================================================================================
403 Forbidden
================================================================================

I double checked my password in .netrc, and it the right one; and I was able to do revision through Hackage web interface using the very same credentials.

Things worked around a month ago, something changed, but what?

[andreasabel]

I can confirm this problem.
hackage-cli has not changed.
@gbaz Has something changed on the Hackage side?

[gbaz]

user agent needs to be whitelisted due to new csrf checks haskell/hackage-server#1481

…

Message ID: ***@***.***>

[phadej]

changing user agent is not enough:

% /codetmp/hackage-cli-0.1.0.4/dist-newstyle/build/x86_64-linux/ghc-9.2.8/hackage-cli-0.1.0.4/x/hackage-cli/build/hackage-cli/hackage-cli push-cabal assoc.cabal
Using Hackage credentials for username "phadej"
Pushing "assoc.cabal" (assoc-1.1.1~2) [review-mode] ...
POST /package/assoc-1.1.1/assoc.cabal/edit HTTP/1.1
Host: <default>
User-Agent: The Haskell Stack
Content-Type: multipart/form-data; boundary=4d5bb1565a084d78868ff0178bdf4f61
Content-Length: 1666
Authorization: Basic ..... 
Accept-Encoding: br, gzip
Accept: application/json


Hackage response was (after 0.286 secs):
================================================================================
403 Forbidden
================================================================================

with

diff --git a/src/Main.hs b/src/Main.hs
index c4104f1..3b091cc 100644
--- a/src/Main.hs
+++ b/src/Main.hs
@@ -120,7 +120,7 @@ hcReqLeft = hcReqCnt . to f
 setUA :: RequestBuilder ()
 setUA = setHeader "User-Agent" uaStr
   where
-    uaStr = "hackage-cli/" <> BS8.pack (V.showVersion Paths_hackage_cli.version)
+    uaStr = "The Haskell Stack" -- hackage-cli/" <> BS8.pack (V.showVersion Paths_hackage_cli.version)
 
 hackageSendGET :: ByteString -> ByteString -> HIO ()
 hackageSendGET p a = do
@@ -194,6 +194,8 @@ hackagePostCabal cred (pkgn,pkgv) rawcab dry = do
         setContentType ("multipart/form-data; boundary="<>boundary) -- RFC2388
         setContentLength bodyLen
 
+    liftIO $ print q1
+
     c <- reOpenHConn
 
     liftIO $ sendRequest c q1 (bsBody body)

so apparently the CRLF check actually "works". but it destroys any ability to use cmdline tools do package revisions. I don't like that as package author nor as hackage trustee.

[gbaz]

The PR adding stack to the whitelist has been merged but not deployed. Any other whitelisted user agent will work or a PR to add a new agent to the whitelist can be accepted.

…

On Thu, Apr 16, 2026 at 5:19 PM Oleg Grenrus ***@***.***> wrote: *phadej* left a comment (hackage-trustees/hackage-cli#78) <#78 (comment)> changing user agent is not enough: % /codetmp/hackage-cli-0.1.0.4/dist-newstyle/build/x86_64-linux/ghc-9.2.8/hackage-cli-0.1.0.4/x/hackage-cli/build/hackage-cli/hackage-cli push-cabal assoc.cabal Using Hackage credentials for username "phadej" Pushing "assoc.cabal" (assoc-1.1.1~2) [review-mode] ... POST /package/assoc-1.1.1/assoc.cabal/edit HTTP/1.1 Host: <default> User-Agent: The Haskell Stack Content-Type: multipart/form-data; boundary=4d5bb1565a084d78868ff0178bdf4f61 Content-Length: 1666 Authorization: Basic ..... Accept-Encoding: br, gzip Accept: application/json Hackage response was (after 0.286 secs): ================================================================================ 403 Forbidden ================================================================================ with diff --git a/src/Main.hs b/src/Main.hs index c4104f1..3b091cc 100644 --- a/src/Main.hs +++ b/src/Main.hs @@ -120,7 +120,7 @@ hcReqLeft = hcReqCnt . to f setUA :: RequestBuilder () setUA = setHeader "User-Agent" uaStr where - uaStr = "hackage-cli/" <> BS8.pack (V.showVersion Paths_hackage_cli.version) + uaStr = "The Haskell Stack" -- hackage-cli/" <> BS8.pack (V.showVersion Paths_hackage_cli.version) hackageSendGET :: ByteString -> ByteString -> HIO () hackageSendGET p a = do @@ -194,6 +194,8 @@ hackagePostCabal cred (pkgn,pkgv) rawcab dry = do setContentType ("multipart/form-data; boundary="<>boundary) -- RFC2388 setContentLength bodyLen + liftIO $ print q1 + c <- reOpenHConn liftIO $ sendRequest c q1 (bsBody body) so apparently the CRLF check actually "works". but it destroys any ability to use cmdline tools do package revisions. I don't like that as package author nor as hackage trustee. — Reply to this email directly, view it on GitHub <#78 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAIS3WI2KKXC3EAHZYHHAED4WFE67AVCNFSM6AAAAACX2LKF5OVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DENRTGQ4DGOBYHE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[phadej]

diff --git a/src/Main.hs b/src/Main.hs
index c4104f1..1b5c3fe 100644
--- a/src/Main.hs
+++ b/src/Main.hs
@@ -120,7 +120,7 @@ hcReqLeft = hcReqCnt . to f
 setUA :: RequestBuilder ()
 setUA = setHeader "User-Agent" uaStr
   where
-    uaStr = "hackage-cli/" <> BS8.pack (V.showVersion Paths_hackage_cli.version)
+    uaStr = "cabal-install/3.16.2.0" -- hackage-cli/" <> BS8.pack (V.showVersion Paths_hackage_cli.version)

seems to work. That will do it for me.

I'm not a fan of security through obscurity though, but if it helps then great.

[andreasabel]

I opened

• Add user agent for hackage-cli haskell/hackage-server#1493

[andreasabel]

Workaround: build hackage-cli from this PR:

• Workaround for hackage-server currently not accepting hackage-cli user-agent #79

[andreasabel]

Fixed upstream