summaryrefslogtreecommitdiff
path: root/apt-pkg/acquire-method.cc
AgeCommit message (Collapse)Author
2019-01-18SECURITY UPDATE: content injection in http method (CVE-2019-3462)Julian Andres Klode
This fixes a security issue that can be exploited to inject arbritrary debs or other files into a signed repository as followed: (1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is \n encoded) (2) apt method decodes the redirect (because the method encodes the URLs before sending them out), writting something like somewhere\n <headers> into its output (3) apt then uses the headers injected for validation purposes. Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec LP: #1812353
2017-01-19fix various typos reported by spellintianDavid Kalnischkies
Most of them in (old) code comments. The two instances of user visible string changes the po files of the manpages are fixed up as well. Gbp-Dch: Ignore Reported-By: spellintian
2016-07-06report all instead of first error up the acquire chainDavid Kalnischkies
If we don't give a specific error to report up it is likely that all error currently in the error stack are equally important, so reporting just one could turn out to be confusing e.g. if name resolution failed in a SRV record list.
2016-07-02use +0000 instead of UTC by default as timezone in outputDavid Kalnischkies
All apt versions support numeric as well as 3-character timezones just fine and its actually hard to write code which doesn't "accidently" accepts it. So why change? Documenting the Date/Valid-Until fields in the Release file is easy to do in terms of referencing the datetime format used e.g. in the Debian changelogs (policy §4.4). This format specifies only the numeric timezones through, not the nowadays obsolete 3-character ones, so in the interest of least surprise we should use the same format even through it carries a small risk of regression in other clients (which encounter repositories created with apt-ftparchive). In case it is really regressing in practice, the hidden option -o APT::FTPArchive::Release::NumericTimezone=0 can be used to go back to good old UTC as timezone. The EDSP and EIPP protocols use this 'new' format, the text interface used to communicate with the acquire methods does not for compatibility reasons even if none of our methods would be effected and I doubt any other would (in these instances the timezone is 'GMT' as that is what HTTP/1.1 requires). Note that this is only true for apt talking to methods, (libapt-based) methods talking to apt will respond with the 'new' format. It is therefore strongly adviced to support both also in method input.
2016-05-27prevent C++ locale number formatting in text APIsDavid Kalnischkies
Setting the C++ locale via std::locale::global(std::locale("")); which would otherwise default to the default C locale (aka: unaffected by setlocale) effects the formatting of numeric types in IO streams, which for output for humans is perfectly sensible, but breaks our many text interfaces used and parsed by us and others without expecting the numbers to be formatted. Closes: #825396
2016-01-26act on various suggestions from cppcheckDavid Kalnischkies
Reported-By: cppcheck Git-Dch: Ignore
2015-08-10make all d-pointer * const pointersDavid Kalnischkies
Doing this disables the implicit copy assignment operator (among others) which would cause hovac if used on the classes as it would just copy the pointer, not the data the d-pointer points to. For most of the classes we don't need a copy assignment operator anyway and in many classes it was broken before as many contain a pointer of some sort. Only for our Cacheset Container interfaces we define an explicit copy assignment operator which could later be implemented to copy the data from one d-pointer to the other if we need it. Git-Dch: Ignore
2015-06-16add d-pointer, virtual destructors and de-inline de/constructorsDavid Kalnischkies
To have a chance to keep the ABI for a while we need all three to team up. One of them missing and we might loose, so ensuring that they are available is a very tedious but needed task once in a while. Git-Dch: Ignore
2015-06-09check patch hashes in rred worker instead of in the handlerDavid Kalnischkies
rred is responsible for unpacking and reading the patch files in one go, but we currently only have hashes for the uncompressed patch files, so the handler read the entire patch file before dispatching it to the worker which would read it again – both with an implicit uncompress. Worse, while the workers operate in parallel the handler is the central orchestration unit, so having it busy with work means the workers do (potentially) nothing. This means rred is working with 'untrusted' data, which is bad. Yet, having the unpack in the handler meant that the untrusted uncompress was done as root which isn't better either. Now, we have it at least contained in a binary which we can harden a bit better. In the long run, we want hashes for the compressed patch files through to be safe.
2015-06-09rework hashsum verification in the acquire systemDavid Kalnischkies
Having every item having its own code to verify the file(s) it handles is an errorprune process and easy to break, especially if items move through various stages (download, uncompress, patching, …). With a giant rework we centralize (most of) the verification to have a better enforcement rate and (hopefully) less chance for bugs, but it breaks the ABI bigtime in exchange – and as we break it anyway, it is broken even harder. It shouldn't effect most frontends as they don't deal with the acquire system at all or implement their own items, but some do and will need to be patched (might be an opportunity to use apt on-board material). The theory is simple: Items implement methods to decide if hashes need to be checked (in this stage) and to return the expected hashes for this item (in this stage). The verification itself is done in worker message passing which has the benefit that a hashsum error is now a proper error for the acquire system rather than a Done() which is later revised to a Failed().
2014-10-13do not inline virtual destructors with d-pointersDavid Kalnischkies
Reimplementing an inline method is opening a can of worms we don't want to open if we ever want to us a d-pointer in those classes, so we do the only thing which can save us from hell: move the destructors into the cc sources and we are good. Technically not an ABI break as the methods inline or not do the same (nothing), so a program compiled against the old version still works with the new version (beside that this version is still in experimental, so nothing really has been build against this library anyway). Git-Dch: Ignore
2014-10-08Merge remote-tracking branch 'mvo/feature/expected-size' into ↵Michael Vogt
debian/experimental
2014-10-08Merge remote-tracking branch 'mvo/feature/acq-trans' into debian/experimentalMichael Vogt
2014-10-08Merge remote-tracking branch 'donkult/feature/acq-trans' into ↵Michael Vogt
feature/expected-size
2014-10-07do not show IP in output of testcasesDavid Kalnischkies
On travis-ci connect.cc detects a rotation, triggering it store the IP which is later appended to the error message, which is all nice and great if we deal with a real server, but in the testcases it just triggers failures as strings do not match. Git-Dch: Ignore
2014-10-07make expected-size a maximum-size check as this is what we want at this pointMichael Vogt
2014-10-07Rename DropPrivs() to DropPrivileges()Michael Vogt
Git-Dch: ignore
2014-10-06make http size check workMichael Vogt
2014-09-24methods: Fail if we cannot drop privilegesJulian Andres Klode
2014-08-26Pass ExpectedSize to tthe backend methodMichael Vogt
This ensures that we can stop downloading if the server send too much data by accident (or by a malicious attempt)
2014-05-09tell download methods the expected hashesDavid Kalnischkies
Now that we have all hashes in the acquire system, pass the info down to the methods, so that it can use it in the request and/or to precheck the response.
2014-05-09use HashStringList in the acquire systemDavid Kalnischkies
It is not very extensible to have the supported Hashes hardcoded everywhere and especially if it is part of virtual method names. It is also possible that a method does not support the 'best' hash (yet), so we might end up not being able to verify a file even though we have a common subset of supported hashes. And those are just two of the cases in which it is handy to have a more dynamic selection. The downside is that this is a MAJOR API break, but the HashStringList has a string constructor for compatibility, so with a bit of luck the few frontends playing with the acquire system directly are okay.
2014-03-13cleanup headers and especially #includes everywhereDavid Kalnischkies
Beside being a bit cleaner it hopefully also resolves oddball problems I have with high levels of parallel jobs. Git-Dch: Ignore Reported-By: iwyu (include-what-you-use)
2012-05-14* apt-pkg/acquire*.cc:Raphael Geissert
- handle redirections in the worker with the right method instead of in the method the redirection occured in (Closes: #668111) * methods/http.cc: - forbid redirects to change protocol
2012-05-14* apt-pkg/acquire-methods.cc:David Kalnischkies
- factor out into private Dequeue() to fix access to deleted pointer
2011-10-30merge with my debian-sid branchDavid Kalnischkies
2011-09-21convert a few for-loop char finds to proper strchr and memchrDavid Kalnischkies
2011-09-13merge with debian/experimentalDavid Kalnischkies
2011-09-13reorder includes: add <config.h> if needed and include it at firstDavid Kalnischkies
2011-08-15merged from the debian-sid branchMichael Vogt
2011-08-11cppcheck complains about some possible speed improvements which could beDavid Kalnischkies
done on the mirco-optimazation level, so lets fix them: (performance) Possible inefficient checking for emptiness. (performance) Prefer prefix ++/-- operators for non-primitive types.
2011-08-11cppcheck is right that the check for preventing null deference of QueryDavid Kalnischkies
is redundant in Redirect() as we can't reach the code with null anyway [apt-pkg/acquire-method.cc:433]: (error) Possible null pointer dereference: Queue - otherwise it is redundant to check if Queue is null at line 425
2011-06-08merge lp:~mvo/apt/sha512-template to add support for sha512Michael Vogt
2011-05-10fix order of CurrentURI and UsedMirror in Status() and Log()David Kalnischkies
2011-04-16* apt-pkg/acquire-method.cc:David Kalnischkies
- write directly to stdout instead of creating the message in memory first before writing to avoid hitting limits
2011-03-15apt-pkg/acquire-method.cc: fix copy/paste errorMichael Vogt
2011-03-14* mirror method:Michael Vogt
- when downloading data, show the mirror being used
2011-02-25add sha512 support in the client now as wellMichael Vogt
2010-06-09merged from lp:~donkult/apt/sidMichael Vogt
2010-06-09move the users away from the deprecated StrToTime() methodDavid Kalnischkies
2010-06-02implement Fail-Ignore bool in FetchItem that tells the method that a failure ↵Michael Vogt
of this item is ok and does not need to be tried on all mirrors
2009-07-30merged from debianMichael Vogt
2009-06-30add the various foldmarkers in apt-pkg & cmdline (no code change)David Kalnischkies
2009-04-09* apt-pkg/contrib/strutl.cc:Michael Vogt
- fix TimeToStr i18n (LP: #289807) * [ABI break] merge support for http redirects, thanks to Jeff Licquia and Anthony Towns * [ABI break] use int for the package IDs (thanks to Steve Cotton) * apt-pkg/pkgcache.cc: - do not run "dpkg --configure pkg" if pkg is in trigger-awaited state (LP: #322955) * methods/https.cc: - add Acquire::https::AllowRedirect support * Clarify the --help for 'purge' (LP: #243948) * cmdline/apt-get.cc - fix "apt-get source pkg" if there is a binary package and a source package of the same name but from different packages (LP: #330103) * cmdline/acqprogress.cc: - Call pkgAcquireStatus::Pulse even if quiet, so that we still get dlstatus messages on the status-fd (LP: #290234).
2009-02-02* [ABI break] merge support for http redirects, thanks toMichael Vogt
Jeff Licquia and Anthony Towns * [ABI break] use int for the package IDs (thanks to Steve Cotton) - Galician updated. Closes: #509151 - Catalan updated. Closes: #509375 - Vietnamese updated. Closes: #509422 - Traditional Chinese added. Closes: #510664 * COPYING: - Actualized. Removed obsolete Qt section, added GPLv2 clause. (Closes: #440049, #509337) * Clarify the --help for 'purge' (LP: #243948)
2007-08-03* apt-inst/contrib/extracttar.cc:Michael Vogt
- fix fd leak for zero size files (thanks to Bill Broadley for reporting this bug) * apt-pkg/acquire-item.cc: - remove zero size files on I-M-S hit * methods/https.cc: - only send LastModified if we actually have one - send range request with if-range - delete failed downloads * apt-pkg/deb/dpkgpm.{cc,h}: - merged dpkg-log branch, this lets you specify a Dir::Log::Terminal file to log dpkg output to (ABI break) * merged apt--sha256 branch to fully support the new sha256 checksums in the Packages and Release files (ABI break) * Applied patch from Aurelien Jarno <aurel32@debian.org> to fix wrong directory downloading on non-linux architectures (closes: #435597) * Applied patch from Guillem Jover <guillem@debian.org> to use * Applied patch from Guillem Jover <guillem@debian.org> to add support to add lzma support (closes: #408201) * methods/makefile: - install lzma symlink method (for full lzma support) * debian/control: - suggest "lzma" * Simplified HttpMethod::Fetch on http.cc removing Tail variable; * Fix pipeline handling on http.cc (closes: #413324) * Fix building to properly support binNMUs. Thanks to Daniel Schepler <schepler@math.unipd.it> by the patch (closes: #359634) * Fix example for Install-{Recommends,Suggests} options on configure-index example file. Thanks to Peter Eisentraut <peter_e@gmx.net> by the patch (closes: #432223) * fixed compile errors with g++ 4.3 (thanks to Daniel Burrows, closes: #429378) * fixes in the auto-mark code (thanks to Daniel Burrows) * fix FTFBFS by changing build-depends to libcurl4-gnutls-dev (closes: #428363) * cmdline/apt-get.cc: - fix InstallTask code when a pkgRecord ends with a single '\n' (thanks to Soren Hansen for reporting) * merged from Christian Perrier: * vi.po: completed to 532t, again. Closes: #429899 * gl.po: completed to 532t. Closes: #429506 * vi.po: completed to 532t. Closes: #428672 * Update all PO and the POT. Gives 514t14f4u for formerly complete translations * fr.po: completed to 532t * ku.po, uk.po, LINGUAS: reintegrate those translations which disappeared from the BZR repositories
2007-07-30* apt-pkg/acquire-item.{cc,h}:Michael Vogt
- rename "hash" into ExpectedHash in pkgAcqFile, pkgAcqIndex - add missing HashSum() call to class pkgAcqIndex - use the data provided by acquire-method (and send via the {SHA256,SHA1,MD5Sum}-Hash tag when comparing the hash, this avoids calculating the hash twice (just like old libapt) * apt-pkg/acquire-method.cc: - send MD5Sum-Hash tag to libapt to be consistant with HashString::SupportedHashes() * apt-pkg/acquire-worker.cc: - check with "Owner->HashSum().HashType()" what hash the frontend is expecting and pass it to pkgAcquireItem::Done() in the new HashString format - add some debugging output * apt-pkg/contrib/hashes.cc: - fix off-by-one error when constructing a HashString from a single input string * apt-pkg/contrib/hashes.h: - add "HashType()" method * apt-pkg/init.h, apt-pkg/makefile, methods/makefile: - break ABI
2007-07-30* apt-pkg/acquire-method.{cc,h}:Michael Vogt
- transfert sha256 sum between libapt and method too
2007-06-09* merged apt--no-pragmaMichael Vogt
2007-06-08* remove all the remaining #pragma implementationMichael Vogt