authorLudovic Courtès <ludo@gnu.org>2016-07-13 00:50:05 +0200
committerLudovic Courtès <ludo@gnu.org>2016-07-13 00:50:05 +0200
commitbfcb3d767bbc24dc6c6d834619073351fbcc61b5 (patch)
treeadc5aa4ac1101c31a976df917ed6478818d54e04 /guix/scripts/lint.scm
parentcd4c41fdcf469524161fbbec58c2756f36bcef56 (diff)
lint: 'validate-uri' reports suspiciously small 200 responses.
* guix/scripts/lint.scm (validate-uri): Upon 200 http-response, check the 'response-content-length' and emit a warning when it is <= 1000. * tests/lint.scm (call-with-http-server): Add 'data' parameter. (with-http-server): Likewise. (%long-string): New variable. ("home-page: 200"): Pass %LONG-STRING to 'with-http-server'. ("home-page: 404", "source: 200", "source: 404"): Likewise. ("home-page: 200 but short length"): New test. ("source: 200 but short length"): New test.
Diffstat (limited to 'guix/scripts/lint.scm')
-rw-r--r--guix/scripts/lint.scm17
1 files changed, 16 insertions, 1 deletions
diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm
index b4fdb6f905..d5e9197cc9 100644
--- a/guix/scripts/lint.scm
+++ b/guix/scripts/lint.scm
@@ -359,7 +359,22 @@ warning for PACKAGE mentionning the FIELD."
(probe-uri uri #:timeout 3))) ;wait at most 3 seconds
(case status
((http-response)
- (or (= 200 (response-code argument))
+ (if (= 200 (response-code argument))
+ (match (response-content-length argument)
+ ((? number? length)
+ ;; As of July 2016, SourceForge returns 200 (instead of 404)
+ ;; with a small HTML page upon failure. Attempt to detect such
+ ;; malicious behavior.
+ (or (> length 1000)
+ (begin
+ (emit-warning package
+ (format #f
+ (_ "URI ~a returned \
+suspiciously small file (~a bytes)")
+ (uri->string uri)
+ length))
+ #f)))
+ (_ #t))
(begin
(emit-warning package
(format #f
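Review bot: The fallback clause `(_ #t)` in the `match` on `response-content-length` accepts any 200 response that carries no Content-Length, so a small error page sent without that header is still reported as valid. The check also relies on the length the server declares, not on the bytes actually received. How `probe-uri` fetches the response is not visible in this hunk, so this may be the only size information available, but the limitation deserves a comment on that clause, e.g. `;; No Content-Length header: size unknown, so the small-page heuristic is skipped.` As a style point, the threshold `1000` would read better as a named constant, and binding `length` shadows the built-in procedure inside the clause (`len` avoids that). `validate-uri` starts and ends outside this hunk.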