authorDavid Kalnischkies <david@kalnischkies.de>2016-03-13 22:44:37 +0100
committerDavid Kalnischkies <david@kalnischkies.de>2016-03-14 11:54:08 +0100
commitd4c45145553781418c25343ac1478f62da645851 (patch)
treede57731f933c6fe05c4fbabf4147399984895a5d
parentb7a1076f18022cbeb7baf4d82ab8bae0f725a573 (diff)
enforce verify of filesize in 'apt-get source'
The structure we parse the data into has a dedicated size field, but it tends to be easier to handle the size as a (very weak) checksum.
-rw-r--r--apt-pkg/deb/debsrcrecords.cc1
-rwxr-xr-xtest/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum46
2 files changed, 40 insertions, 7 deletions
diff --git a/apt-pkg/deb/debsrcrecords.cc b/apt-pkg/deb/debsrcrecords.cc
index cefaf46ac..e8295debb 100644
--- a/apt-pkg/deb/debsrcrecords.cc
+++ b/apt-pkg/deb/debsrcrecords.cc
@@ -216,6 +216,7 @@ bool debSrcRecordParser::Files2(std::vector<pkgSrcRecords::File2> &List)
F.Path = path;
F.FileSize = strtoull(size.c_str(), NULL, 10);
F.Hashes.push_back(hashString);
+ F.Hashes.FileSize(F.FileSize);
APT_IGNORE_DEPRECATED_PUSH
F.Size = F.FileSize;
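Review bot: The added `F.Hashes.FileSize(F.FileSize)` turns the value produced by the unchecked `strtoull` two lines above into a verification expectation, so a Size column that is empty, non-numeric or out of range is registered as 0 or ULLONG_MAX instead of being rejected. A parse check before registering it would keep a malformed index entry from becoming a bogus expected size: `char *end = nullptr; errno = 0;` then `F.FileSize = strtoull(size.c_str(), &end, 10);` and reject the record when `end == size.c_str() || *end != '\0' || errno == ERANGE`. How HashStringList::FileSize treats a zero size is not visible here, so whether 0 means "unknown" or "expect an empty file" should be confirmed before relying on it. Files2's body starts and ends outside the hunk.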
diff --git a/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum b/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum
index 7ac993d39..b37ca456f 100755
--- a/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum
+++ b/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum
@@ -41,6 +41,15 @@ Checksums-Sha256:
943d3bf22ac661fb0f59bc4ff68cc12b04ff17a838dfcc2537008eb9c7f3770a 3 pkg-sha256-ok_1.0.dsc
90aebae315675cbf04612de4f7d5874850f48e0b8dd82becbeaa47ca93f5ebfb 3 pkg-sha256-ok_1.0.tar.gz
+Package: pkg-size-bad
+Binary: pkg-size-bad
+Version: 1.0
+Maintainer: Joe Sixpack <joe@example.org>
+Architecture: all
+Checksums-Sha256:
+ 943d3bf22ac661fb0f59bc4ff68cc12b04ff17a838dfcc2537008eb9c7f3770a 2 pkg-size-bad_1.0.dsc
+ 90aebae315675cbf04612de4f7d5874850f48e0b8dd82becbeaa47ca93f5ebfb 4 pkg-size-bad_1.0.tar.gz
+
Package: pkg-sha256-bad
Binary: pkg-sha256-bad
Version: 1.0
@@ -151,7 +160,7 @@ EOF
for x in 'pkg-md5-ok' 'pkg-sha1-ok' 'pkg-sha256-ok' 'pkg-sha256-bad' 'pkg-no-md5' \
'pkg-mixed-ok' 'pkg-mixed-sha1-bad' 'pkg-mixed-sha2-bad' \
'pkg-md5-agree' 'pkg-md5-disagree' 'pkg-sha256-disagree' \
- 'pkg-md5-bad'; do
+ 'pkg-md5-bad' 'pkg-size-bad'; do
echo -n 'dsc' > aptarchive/${x}_1.0.dsc
echo -n 'tar' > aptarchive/${x}_1.0.tar.gz
done
@@ -201,7 +210,23 @@ Download complete and in download only mode" aptget source -d "$@"
testmismatch() {
rm -f ${1}_1.0.dsc ${1}_1.0.tar.gz
- testfailureequal "Reading package lists...
+ local FAILURE
+ if [ "$1" = 'pkg-size-bad' ]; then
+ FAILURE="Reading package lists...
+Need to get 6 B of source archives.
+Get:1 http://localhost:${APTHTTPPORT} $1 1.0 (dsc) [2 B]
+Err:1 http://localhost:${APTHTTPPORT} $1 1.0 (dsc)
+ Writing more data than expected (3 > 2)
+Get:2 http://localhost:${APTHTTPPORT} $1 1.0 (tar) [4 B]
+Err:2 http://localhost:${APTHTTPPORT} $1 1.0 (tar)
+ Hash Sum mismatch
+E: Failed to fetch http://localhost:${APTHTTPPORT}/${1}_1.0.dsc Writing more data than expected (3 > 2)
+
+E: Failed to fetch http://localhost:${APTHTTPPORT}/${1}_1.0.tar.gz Hash Sum mismatch
+
+E: Failed to fetch some archives."
+ else
+ FAILURE="Reading package lists...
Need to get 6 B of source archives.
Get:1 http://localhost:${APTHTTPPORT} $1 1.0 (dsc) [3 B]
Err:1 http://localhost:${APTHTTPPORT} $1 1.0 (dsc)
@@ -213,7 +238,10 @@ E: Failed to fetch http://localhost:${APTHTTPPORT}/${1}_1.0.dsc Hash Sum mismat
E: Failed to fetch http://localhost:${APTHTTPPORT}/${1}_1.0.tar.gz Hash Sum mismatch
-E: Failed to fetch some archives." aptget source -d "$@"
+E: Failed to fetch some archives."
+ fi
+ testfailureequal "$FAILURE" aptget source -d "$@"
+
msgtest 'Files were not download as they have hashsum mismatches for' "$1"
testfailure --nomsg test -e ${1}_1.0.dsc -a -e ${1}_1.0.tar.gz
@@ -228,14 +256,16 @@ Download complete and in download only mode" aptget source -d "$@" -o Acquire::F
testfailure --nomsg test -e ${1}_1.0.dsc -a -e ${1}_1.0.tar.gz
fi
- rm -f ${1}_1.0.dsc ${1}_1.0.tar.gz
- testsuccessequal "Reading package lists...
+ if [ "$1" != 'pkg-size-bad' ]; then
+ rm -f ${1}_1.0.dsc ${1}_1.0.tar.gz
+ testsuccessequal "Reading package lists...
Need to get 6 B of source archives.
Get:1 http://localhost:${APTHTTPPORT} $1 1.0 (dsc) [3 B]
Get:2 http://localhost:${APTHTTPPORT} $1 1.0 (tar) [3 B]
Download complete and in download only mode" aptget source --allow-unauthenticated -d "$@" -o Acquire::ForceHash=ROT26
- msgtest 'Files were downloaded unauthenticated as user allowed it' "$1"
- testsuccess --nomsg test -e ${1}_1.0.dsc -a -e ${1}_1.0.tar.gz
+ msgtest 'Files were downloaded unauthenticated as user allowed it' "$1"
+ testsuccess --nomsg test -e ${1}_1.0.dsc -a -e ${1}_1.0.tar.gz
+ fi
}
testnohash pkg-md5-ok
@@ -252,6 +282,8 @@ testok pkg-sha256-bad -o Acquire::ForceHash=MD5Sum
testnohash pkg-md5-bad
testmismatch pkg-md5-bad --allow-unauthenticated
+testmismatch pkg-size-bad
+
# not having MD5 sum doesn't mean the file doesn't exist at all …
testok pkg-no-md5
testok pkg-no-md5 -o Acquire::ForceHash=SHA256