summaryrefslogtreecommitdiff
path: root/apt-pkg/contrib/fileutl.cc
AgeCommit message (Collapse)Author
2019-05-03Prevent shutdown while running dpkgJulian Andres Klode
As long as we are running dpkg, keep an inhibitor that blocks us from shutting down. LP: #1820886
2019-04-30Add 'explicit' to most single argument constructorsJulian Andres Klode
This prevents implicit conversions that we do not want, such as having a FileFd* being converted to a debListParser. Two cases are not yet handled because they require changes in code using them: 1. The classes in hashes.h 2. The URI class - this one is used quite a lot
2019-02-26fileutl: Merge Popen variantsJulian Andres Klode
2019-02-26fileutl: Remove deprecated functions such as gzFd()Julian Andres Klode
2019-02-26sptr: Remove deprecated smart pointer classesJulian Andres Klode
Please use the standard C++ variants instead.
2019-02-04gpgv: Use buffered writes for splitting clearsigned filesJulian Andres Klode
This is safe here, as the code ensures that the file is flushed before it is being used. The next series should probably make GetTempFile() buffer writes by default.
2019-02-01Drop buffered writing from clearsigned message extractionDavid Kalnischkies
It is dropped in the merged code, but the extraction of the clearsigned message code was the only one who had it previously, so the short-desc explains the change from a before-after merge of the branch PoV. It would make sense to enable it, but as we aren't in a time critical paths here we can delay this for after buster to avoid problems. References: 73e3459689c05cd62f15c29d2faddb0fc215ef5e Suggested-By: Julian Andres Klode
2019-01-24Merge and reuse tmp file handling across the boardDavid Kalnischkies
Having many rather similar implementations especially if one is exported while others aren't (and the rest of it not factored out at all) seems suboptimal.
2018-10-05Set DPKG_FRONTEND_LOCKED when running {pre,post}-invoke scriptsJulian Andres Klode
Some post-invoke scripts install packages, which fails because the environment variable is not set. This sets the variable for all three kinds of scripts {pre,post-}invoke and pre-install-pkgs, but we will only allow post-invoke at a later time. Gbp-Dch: full
2018-04-13zstd: Implement support for multi-frame filesJulian Andres Klode
This implements support for multi frame files while keeping error checking for unexpected EOF working correctly. Files with multiple frames are generated by pzstd, for example.
2018-04-13Implement compression level handling for zstdJulian Andres Klode
This is a simplified variant of the code for xz, adapted to support multiple digit integers.
2018-03-12apt-pkg: Add support for zstdJulian Andres Klode
zstd is a compression algorithm developed by facebook. At level 19, it is about 6% worse in size than xz -6, but decompression is multiple times faster, saving about 40% install time, especially with eatmydata on cloud instances.
2018-01-02Support cleartext signed InRelease files with CRLF line endingsDavid Kalnischkies
Commit 89c4c588b275 ("fix from David Kalnischkies for the InRelease gpg verification code (LP: #784473)") amended verification of cleartext signatures by a check whether the file to be verified actually starts with "-----BEGIN PGP SIGNATURE-----\n". However cleartext signed InRelease files have been found in the wild which use \r\n as line ending for this armor header line, presumably generated by a Windows PGP client. Such files are incorrectly deemed unsigned and result in the following (misleading) error: Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?) RFC 4880 specifies in 6.2 Forming ASCII Armor: That is to say, there is always a line ending preceding the starting five dashes, and following the ending five dashes. The header lines, therefore, MUST start at the beginning of a line, and MUST NOT have text other than whitespace following them on the same line. RFC 4880 does not seem to specify whether LF or CRLF is used as line ending for armor headers, but CR is generally considered whitespace (e.g. "man perlrecharclass"), hence using CRLF is legal even under the assumption that LF must be used. SplitClearSignedFile() is stripping whitespace (including CR) on lineend already before matching the string, so StartsWithGPGClearTextSignature() is adapted to use the same ignoring. As the earlier method is responsible for what apt will end up actually parsing nowadays as signed/unsigned this change has no implications for security. Thanks: Lukas Wunner for detailed report & initial patch! References: 89c4c588b275d098af33f36eeddea6fd75068342 Closes: 884922
2017-12-13convert various c-style casts to C++-styleDavid Kalnischkies
gcc was warning about ignored type qualifiers for all of them due to the last 'const', so dropping that and converting to static_cast in the process removes the here harmless warning to avoid hidden real issues in them later on. Reported-By: gcc Gbp-Dch: Ignore
2017-10-22Run the ProxyAutoDetect script in the sandbox againJulian Andres Klode
The previous change moved running the proxy detection program from the method to the main process, so it runs as root and not as _apt. This brings it back into the sandbox. Gbp-Dch: ignore
2017-08-04don't keep configuration files open needlesslyDavid Kalnischkies
Regression-Of: 3317ad864c997f4897756c0a2989c4199e9cda62
2017-07-26show warnings instead of errors if files are unreadableDavid Kalnischkies
We used to fail on unreadable config/preferences/sources files, but at least for sources we didn't in the past and it seems harsh to refuse to work because of a single file, especially as the error messages are inconsistent and end up being silly (like suggesting to run apt update to fix the problem…). LP: #1701852
2017-07-26use FileFd to parse all apt configuration filesDavid Kalnischkies
Using different ways of opening files means we have different behaviour and error messages for them, so by the same for all we can have more uniformity for users and apt developers alike.
2017-07-12Reformat and sort all includes with clang-formatJulian Andres Klode
This makes it easier to see which headers includes what. The changes were done by running git grep -l '#\s*include' \ | grep -E '.(cc|h)$' \ | xargs sed -i -E 's/(^\s*)#(\s*)include/\1#\2 include/' To modify all include lines by adding a space, and then running ./git-clang-format.sh.
2017-06-26fix some unlikely memory leaks in error casesDavid Kalnischkies
The error cases are just as unlikely as the memory leaks to ever cause real problems, but lets play it safe for correctness. Reported-By: scan-build & clang Gbp-Dch: Ignore
2017-06-26Avoid chdir in acquire clean with unlinkatDavid Kalnischkies
POSIX.1-2008 gives us a range of *at calls to deal with files including the unlinkat so we can remove a file from a directory based on a path to the file relative to the directory. (In our case here the path we have is just the filename) We avoid changing directories in this way which e.g. fails if the directory we started in no longer exists or is otherwise inaccessible. Closes: 860738
2017-02-11Don't use -1 fd and AT_SYMLINK_NOFOLLOW for faccessat()Julian Andres Klode
-1 is not an allowed value for the file descriptor, the only allowed non-file-descriptor value is AT_FDCWD. So use that instead. AT_SYMLINK_NOFOLLOW has a weird semantic: It checks whether we have the specified access on the symbolic link. It also is implemented only by glibc on Linux, so it's inherently non-portable. We should just drop it. Thanks: James Clarke for debugging these issues Reported-by: James Clarke <jrtc27@jrtc27.com>
2016-11-11add TMP/TEMP/TEMPDIR to the TMPDIR DropPrivileges danceDavid Kalnischkies
apt tools do not really support these other variables, but tools apt calls might, so lets play save and clean those up as needed. Reported-By: Paul Wise (pabs) on IRC
2016-11-09reset HOME, USER(NAME), TMPDIR & SHELL in DropPrivilegesDavid Kalnischkies
We can't cleanup the environment like e.g. sudo would do as you usually want the environment to "leak" into these helpers, but some variables like HOME should really not have still the value of the root user – it could confuse the helpers (USER) and HOME isn't accessible anyhow. Closes: 842877
2016-10-04Do not read stderr from proxy autodetection scriptsJulian Andres Klode
This fixes a regression introduced in commit 8f858d560e3b7b475c623c4e242d1edce246025a don't leak FD in AutoProxyDetect command return parsing which accidentally made the proxy autodetection code also read the scripts output on stderr, not only on stdout when it switched the code from popen() to Popen(). Reported-By: Tim Small <tim@seoss.co.uk>
2016-08-12fileutl: empty file support: Avoid fstat() on -1 fd and check resultJulian Andres Klode
When checking if a file is empty, we forget to check that fstat() actually worked.
2016-08-10implement socks5h proxy support for http methodDavid Kalnischkies
Socks support is a requested feature in sofar that the internet is actually believing Acquire::socks::Proxy would exist. It doesn't and this commit isn't adding it as that isn't how our configuration works, but it allows Acquire::http::Proxy="socks5h://…". The HTTPS method was changed already to support socks proxies (all versions) via curl. This commit implements only SOCKS5 (RFC1928) with no auth or pass&user auth (RFC1929), but not GSSAPI which is required by the RFC. The 'h' in the protocol name further indicates that DNS resolution is delegated to the socks proxy rather than performed locally. The implementation works and was tested with Tor as socks proxy for which implementing socks5h only can actually be considered a feature. Closes: 744934
2016-07-29if the FileFd failed already following calls should fail, tooDavid Kalnischkies
There is no point in trying to perform Write/Read on a FileFd which already failed as they aren't going to work as expected, so we should make sure that they fail early on and hard.
2016-07-27(error) va_list 'args' was opened but not closed by va_end()David Kalnischkies
Reported-By: cppcheck Gbp-Dch: Ignore
2016-07-23call flush on the wrapped writebuffered FileFdDavid Kalnischkies
The flush call is a no-op in most FileFd implementations so this isn't as critical as it might sound as the only non-trivial implementation is in the buffered writer, which tends not be used to buffer another buffer…
2016-07-19ensure Cnf::FindFile doesn't return files below /dev/nullDavid Kalnischkies
Very unlikely, but if the parent is /dev/null, the child empty and the grandchild a value we returned /dev/null/value which doesn't exist, so hardly a problem, but for best operability we should be consistent in our work and return /dev/null always.
2016-07-06don't change owner/perms/times through file:// symlinksDavid Kalnischkies
If we have files in partial/ from a previous invocation or similar such those could be symlinks created by file:// sources. The code is expecting only real files through and happily changes owner, modification times and permission on the file the symlink points to which tend to be files we have no business in touching in this way. Permissions of symlinks shouldn't be changed, changing owner is usually pointless to, but just to be sure we pick the easy way out and use lchown, check for symlinks before chmod/utimes. Reported-By: Mattia Rizzolo on IRC
2016-07-05give a descriptive error for pipe tries with 'false'David Kalnischkies
If libapt has builtin support for a compression type it will create a dummy compressor struct with the Binary set to 'false' as it will catch these before using the generic pipe implementation which uses the Binary. The catching happens based on configured Names through, so you can actually force apt to use the external binaries even if it would usually use the builtin support. That logic fails through if you don't happen to have these external binaries installed as it will fallback to calling 'false', which will end in confusing 'Write error's. So, this is again something you only encounter in constructed testing. Gbp-Dch: Ignore
2016-06-29don't do atomic overrides with failed filesDavid Kalnischkies
We deploy atomic renames for some files, but these renames also happen if something about the file failed which isn't really the point of the exercise… Closes: 828908
2016-06-10don't leak an FD in lz4 (de)compressionDavid Kalnischkies
Seen first in #826783, but as this buglog also shows leaked uncompressed files as well we don't close it just yet.
2016-06-10do not hang on piped input in PipedFileFdPrivateDavid Kalnischkies
This effects only compressors configured on the fly (rather then the inbuilt ones as they use a library).
2016-04-28FileFd: avoid further writing if file failedDavid Kalnischkies
If the file is in a failed state there is no point in trying to flush out the buffers as the file is to be discarded anyhow & its likely all this flushing is producing is additional error messages. Git-Dch: Ignore
2016-04-03consistently add APT_OVERRIDE as method markerDavid Kalnischkies
Some methods had it missing, some used the keyword directly, which isn't a problem as it is a cc file, but for consistency lets stick to our macro for now. Git-Dch: Ignore
2016-03-06Fix lzma write support to handle "try again" caseColin Watson
The liblzma-based write code needs the same tweaks that the read code already has to cope with the situation where lzma_code returns zero the first time through because avail_out is zero, but will do more work if called again. This ports the read tweaks to the write code as closely as possible (including matching comments etc.). Closes: #751688
2016-02-10Set seekpos to 0 after reopening files in Seek()Julian Andres Klode
If we just reopened the file, we also need to reset the current seek position when we reset the buffer, otherwise the code will not try to seek to the position given to Skip (from 0), but will try to seek to old offset + the position given to skip. Closes: #812994, #813000
2016-02-04Use some semantically more correct buffer operationsJulian Andres Klode
When writing into the buffer write to free() bytes starting at getend(), instead of buffersize_max bytes at get() -> get() is a read pointer. This makes no difference in practice though, as we reset the buffer before the call, so start = end = 0. Gbp-Dch: ignore
2016-02-04Correctly report write errors when flushing buffered writerJulian Andres Klode
We cannot just return false without setting an error, as InternalWrite does not set one itself.
2016-02-01Do not buffer writes larger than the buffer if possibleJulian Andres Klode
It makes no sense to split a large block into multiple small blocks, so when we have the chance to write them unbuffered, do so.
2016-02-01BufferedWriteFileFdPrivate: Simplify InternalWrite()Julian Andres Klode
We do not need the loop, FileFd::Private() handles this for us. Gbp-Dch: ignore
2016-02-01simple_buffer::write: Use free() instead of maxsize - size()Julian Andres Klode
We want to check whether the amount of free space is smaller than the requested write size. Checking maxsize - size() is incorrect for bufferstart >= 0, as size() = end - start. Gbp-Dch: ignore
2016-01-30fix "Mismatched free() / delete / delete []" in simple_bufferStefan Bühler
2016-01-07CopyFile: Use 64 * 1024 instead of 64000 as buffer sizeJulian Andres Klode
This is a multiple of the page size and thus results in less page faults, speeding up copying. Also, while we're at at, unify all uses of that size in a constant variable APT_BUFFER_SIZE.
2016-01-07FileFd: (native) LZ4 supportJulian Andres Klode
Implement native support for LZ4 compression, using the official lz4 library.
2016-01-03simple_compressor: Provide some accessors for end and freeJulian Andres Klode
This makes code easier to read, and somewhat more correct. Gbp-Dch: ignore
2016-01-03simple_buffer: Allow buffer size to changeJulian Andres Klode
Gbp-Dch: ignore