summaryrefslogtreecommitdiff
path: root/apt-pkg/contrib
AgeCommit message (Collapse)Author
2019-01-28Explicitly remove the whitespaces defined by RFCDavid Kalnischkies
RFC 4880 section 7.1 "Dash-Escaped Text" at the end defines that only space and tab are allowed, so we should remove only these even if due to use complaining (or now failing) you can't really make use of it. Note that strrstrip was removing '\r\n\t ', not other whitespaces like \v or \f and another big reason to do it explicitly here now is to avoid that a future change adding those could have unintended consequences.
2019-01-24Merge and reuse tmp file handling across the boardDavid Kalnischkies
Having many rather similar implementations especially if one is exported while others aren't (and the rest of it not factored out at all) seems suboptimal.
2019-01-23Fail on non-signature lines in Release.gpgDavid Kalnischkies
The exploit for CVE-2019-3462 uses the fact that a Release.gpg file can contain additional content beside the expected detached signature(s). We were passing the file unchecked to gpgv which ignores these extras without complains, so we reuse the same line-reading implementation we use for InRelease splitting to detect if a Release.gpg file contains unexpected data and fail in this case given that we in the previous commit we established that we fail in the similar InRelease case now.
2019-01-23Fail instead of warn for unsigned lines in InReleaseDavid Kalnischkies
The warnings were introduced 2 years ago without any reports from the wild about them actually appearing for anyone, so now seems to be an as good time as any to switch them to errors. This allows rewritting the code by failing earlier instead of trying to keep going which makes the diff a bit hard to follow but should help simplifying reasoning about it. References: 6376dfb8dfb99b9d182c2fb13aa34b2ac89805e3
2019-01-22Remove `register` keywordKhem Raj
In C++17 `register` keyword was removed. Current gcc 8.1.0 produces following warning if `-std=c++17` flag is used: warning: ISO C++17 does not allow 'register' storage class specifier [-Wregister] GCC almost completely ignores `register` keyword, with rare exception of `-O0` when additional copy from/to stack may be generated. For simplicity of the codebase it is better to just remove this problematic keyword where it is not strictly required. See: http://en.cppreference.com/w/cpp/language/storage_duration Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-12-26configuration: Compare size first during lookupJulian Andres Klode
2018-12-04Override FileFd copy constructor to prevent copyingJulian Andres Klode
FileFd could be copied using the default copy constructor, which does not work, and then causes code to crash.
2018-11-29Use quoted tagnames in config dumpsDavid Kalnischkies
Tagnames in configuration can include spaces (and other nasties) e.g. in repository-specific configuration options due to Origin/Label potentially containing a space. The configuration file format supports parsing quoted as well as encoded spaces, but the output generated by apt-config and other places which might be feedback into apt via parsing (e.g. before calling apt-key in our gpgv method) do not quote and hence produce invalid configuration files. Changing the default to be an encoded tagname ensures that the output of dump can be used as a config file, but other users might not expect this so that is technically a backward-breaking change.
2018-11-25Fix typo reported by codespell in code commentsDavid Kalnischkies
No user visible change expect for some years old changelog entries, so we don't really need to add a new one for this… Reported-By: codespell Gbp-Dch: Ignore
2018-10-14Merge branch 'feature/subkeys' into 'master'Julian Andres Klode
Support subkeys and multiple keyrings in Signed-By options See merge request apt-team/apt!27
2018-10-05Set DPKG_FRONTEND_LOCKED when running {pre,post}-invoke scriptsJulian Andres Klode
Some post-invoke scripts install packages, which fails because the environment variable is not set. This sets the variable for all three kinds of scripts {pre,post-}invoke and pre-install-pkgs, but we will only allow post-invoke at a later time. Gbp-Dch: full
2018-09-11Support multiple keyrings in sources.list Signed-ByDavid Kalnischkies
A user can specify multiple fingerprints for a while now, so its seems counter-intuitive to support only one keyring, especially if this isn't really checked or enforced and while unlikely mixtures of both should work properly, too, instead of a kinda random behaviour.
2018-05-28Use a steady clock source for progress reportingDavid Kalnischkies
Clock changes while apt is running can result in strange reports confusing (and amusing) users. Sadly, to keep the ABI for now the code is a bit more ugly than it would need to be.
2018-05-11don't try SRV requests based on IP addressesDavid Kalnischkies
IP addresses are by definition not a domain so in the best case the requests will just fail; we can do better than that on our own.
2018-05-07Remove obsolete RCS keywordsGuillem Jover
Prompted-by: Jakub Wilk <jwilk@debian.org>
2018-05-05Fix various typos reported by spellcheckersDavid Kalnischkies
Reported-By: codespell & spellintian Gbp-Dch: Ignore
2018-05-05Avoid implicitly promotion of float to doubleDavid Kalnischkies
Reported-By: gcc -Wdouble-promotion Gbp-Dch: Ignore
2018-04-13zstd: Implement support for multi-frame filesJulian Andres Klode
This implements support for multi frame files while keeping error checking for unexpected EOF working correctly. Files with multiple frames are generated by pzstd, for example.
2018-04-13Implement compression level handling for zstdJulian Andres Klode
This is a simplified variant of the code for xz, adapted to support multiple digit integers.
2018-03-12apt-pkg: Add support for zstdJulian Andres Klode
zstd is a compression algorithm developed by facebook. At level 19, it is about 6% worse in size than xz -6, but decompression is multiple times faster, saving about 40% install time, especially with eatmydata on cloud instances.
2018-01-02Support cleartext signed InRelease files with CRLF line endingsDavid Kalnischkies
Commit 89c4c588b275 ("fix from David Kalnischkies for the InRelease gpg verification code (LP: #784473)") amended verification of cleartext signatures by a check whether the file to be verified actually starts with "-----BEGIN PGP SIGNATURE-----\n". However cleartext signed InRelease files have been found in the wild which use \r\n as line ending for this armor header line, presumably generated by a Windows PGP client. Such files are incorrectly deemed unsigned and result in the following (misleading) error: Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?) RFC 4880 specifies in 6.2 Forming ASCII Armor: That is to say, there is always a line ending preceding the starting five dashes, and following the ending five dashes. The header lines, therefore, MUST start at the beginning of a line, and MUST NOT have text other than whitespace following them on the same line. RFC 4880 does not seem to specify whether LF or CRLF is used as line ending for armor headers, but CR is generally considered whitespace (e.g. "man perlrecharclass"), hence using CRLF is legal even under the assumption that LF must be used. SplitClearSignedFile() is stripping whitespace (including CR) on lineend already before matching the string, so StartsWithGPGClearTextSignature() is adapted to use the same ignoring. As the earlier method is responsible for what apt will end up actually parsing nowadays as signed/unsigned this change has no implications for security. Thanks: Lukas Wunner for detailed report & initial patch! References: 89c4c588b275d098af33f36eeddea6fd75068342 Closes: 884922
2017-12-13support multiline values in LookupTagDavid Kalnischkies
LookupTag is a little helper to deal with rfc822-style strings we use in apt e.g. to pass acquire messages around for cases in which our usual rfc822 parser is too heavy. All the fields it had to deal with so far were single line, but if they aren't it should really produce the right output and not just return the first line. Error messages are a prime candidate for becoming multiline as at the moment they are stripped of potential newlines due to the previous insufficiency of LookupTag.
2017-12-13deal with floats without old-style castDavid Kalnischkies
We have no speed problem with handling floats/doubles in our progress handling, but that shouldn't prevent us from cleaning up the handling slightly to avoid unclean casting to ints. Reported-By: gcc -Wdouble-promotion -Wold-style-cast
2017-12-13avoid some useless casts reported by -Wuseless-castDavid Kalnischkies
The casts are useless, but the reports show some where we can actually improve the code by replacing them with better alternatives like converting whatever int type into a string instead of casting to a specific one which might in the future be too small. Reported-By: gcc -Wuseless-cast
2017-12-13convert various c-style casts to C++-styleDavid Kalnischkies
gcc was warning about ignored type qualifiers for all of them due to the last 'const', so dropping that and converting to static_cast in the process removes the here harmless warning to avoid hidden real issues in them later on. Reported-By: gcc Gbp-Dch: Ignore
2017-12-13deprecate the single-line deprecation ignoring macroDavid Kalnischkies
gcc has problems understanding this construct and additionally thinks it would produce multiple lines and stuff, so to keep using it isn't really worth it for the few instances we have: We can just write the long form there which works better. Reported-By: gcc Gbp-Dch: Ignore
2017-12-13explicitly name token in auth.conf parsing errorDavid Kalnischkies
Reported-By: gcc -Wsign-promo
2017-10-22Run the ProxyAutoDetect script in the sandbox againJulian Andres Klode
The previous change moved running the proxy detection program from the method to the main process, so it runs as root and not as _apt. This brings it back into the sandbox. Gbp-Dch: ignore
2017-08-24Replace APT_CONST with APT_PURE everywhereJulian Andres Klode
As a follow up to the last commit, let's replace APT_CONST with APT_PURE everywhere to clean stuff up.
2017-08-24Redefine APT_CONST to mean APT_PUREJulian Andres Klode
Functions marked with the const attribute may not inspect any global memory. This includes targets of pointers or references passed as arguments. A pure function however is free to inspect memory, but may not have any side effects. The function StringSplit() was marked as const, but took two references to strings. When the second one was passed as a literal as in StringSplit(name, "::") the compiler cleverly figured out that we only inspect the address of "::" (since StringSplit is const) and thus optimized away the "::" content. While patching out individual broken uses of APT_CONST would be possible, this is already the second case, and there might be more, so let's redefine APT_CONST to use the pure attribute, so we don't end up with the same situation again in some time.
2017-08-04don't keep configuration files open needlesslyDavid Kalnischkies
Regression-Of: 3317ad864c997f4897756c0a2989c4199e9cda62
2017-07-26reimplement and document auth.confDavid Kalnischkies
We have support for an netrc-like auth.conf file since 0.7.25 (closing 518473), but it was never documented in apt that it even exists and netrc seems to have fallen out of usage as a manpage for it no longer exists making the feature even more arcane. On top of that the code was a bit of a mess (as it is written in c-style) and as a result the matching of machine tokens to URIs also a bit strange by checking for less specific matches (= without path) first. We now do a single pass over the stanzas. In practice early adopters of the undocumented implementation will not really notice the differences and the 'new' behaviour is simpler to document and more usual for an apt user. Closes: #811181
2017-07-26show warnings instead of errors if files are unreadableDavid Kalnischkies
We used to fail on unreadable config/preferences/sources files, but at least for sources we didn't in the past and it seems harsh to refuse to work because of a single file, especially as the error messages are inconsistent and end up being silly (like suggesting to run apt update to fix the problem…). LP: #1701852
2017-07-26use FileFd to parse all apt configuration filesDavid Kalnischkies
Using different ways of opening files means we have different behaviour and error messages for them, so by the same for all we can have more uniformity for users and apt developers alike.
2017-07-20Fix memory leak in C++-thread-local _error implementationJulian Andres Klode
We can't allocate a pointer here, it would not get released - use an object instead. Gbp-Dch: ignore
2017-07-20Use C++11 threading support instead of pthreadJulian Andres Klode
This makes the code easier to read.
2017-07-12Reformat and sort all includes with clang-formatJulian Andres Klode
This makes it easier to see which headers includes what. The changes were done by running git grep -l '#\s*include' \ | grep -E '.(cc|h)$' \ | xargs sed -i -E 's/(^\s*)#(\s*)include/\1#\2 include/' To modify all include lines by adding a space, and then running ./git-clang-format.sh.
2017-07-08fix various typos reported by codespell & spellintianDavid Kalnischkies
Reported-By: codespell & spellintian Gbp-Dch: Ignore
2017-06-30Allow http(s) and socks5h for http and https in proxy auto detectJulian Andres Klode
This makes it possible to write sensible auto detect scripts.
2017-06-26fix some unlikely memory leaks in error casesDavid Kalnischkies
The error cases are just as unlikely as the memory leaks to ever cause real problems, but lets play it safe for correctness. Reported-By: scan-build & clang Gbp-Dch: Ignore
2017-06-26clean archives without changing directoryDavid Kalnischkies
Adopting this change in other frontends will require source changes as well similar to our own changes in apt-private/.
2017-06-26ident a CD without changing directoryDavid Kalnischkies
2017-06-26Avoid chdir in acquire clean with unlinkatDavid Kalnischkies
POSIX.1-2008 gives us a range of *at calls to deal with files including the unlinkat so we can remove a file from a directory based on a path to the file relative to the directory. (In our case here the path we have is just the filename) We avoid changing directories in this way which e.g. fails if the directory we started in no longer exists or is otherwise inaccessible. Closes: 860738
2017-06-26Show permission error if ProxyAutoDetect cmd can't be executedDavid Kalnischkies
As the proxy commands are not executed as root, a user can run into permission errors (s)he isn't expecting – as our switching is an implementation detail – so the error message in that case should really be better than a generic "error code 100" sending the user in the wrong direction as that implies the command was executed, but errored out. Closes: 857885
2017-06-26avoid explicit types for pkg counts by autoDavid Kalnischkies
Changes nothing on the program front and as the datatypes are sufficently comparable fixes no bug either, but problems later on if we ever change the types of those and prevent us using types which are too large for the values we want to store waste (a tiny bit of) resources. Gbp-Dch: Ignore
2017-03-19Fix and avoid quoting in CommandLine::AsStringDavid Kalnischkies
In the intended usecase where this serves as a hack there is no problem with double/single quotes being present as we write it to a log file only, but nowadays our calling of apt-key produces a temporary config file containing this "setting" as well and suddently quoting is important as the config file syntax is allergic to it. So the fix is to ignore all quoting whatsoever in the input and just quote (with singles) the option values with spaces. That gives us 99% of the time the correct result and the 1% where the quote is an integral element of the option … doesn't exist – or has bigger problems than a log file not containing the quote. Same goes for newlines in values. LP: #1672710
2017-02-11Don't use -1 fd and AT_SYMLINK_NOFOLLOW for faccessat()Julian Andres Klode
-1 is not an allowed value for the file descriptor, the only allowed non-file-descriptor value is AT_FDCWD. So use that instead. AT_SYMLINK_NOFOLLOW has a weird semantic: It checks whether we have the specified access on the symbolic link. It also is implemented only by glibc on Linux, so it's inherently non-portable. We should just drop it. Thanks: James Clarke for debugging these issues Reported-by: James Clarke <jrtc27@jrtc27.com>
2017-01-27avoid malloc if option whitelist is disabled (default)David Kalnischkies
Config options are checked in various paths, so making "useless" memory allocations wastes time and can also cause problems like #852757. The unneeded malloc was added in ae73a2944a89e0d2406a2aab4a4c082e1e9da3f9. (We have no explicit malloc here – its std:string doing this internally)
2017-01-19fix various typos reported by spellintianDavid Kalnischkies
Most of them in (old) code comments. The two instances of user visible string changes the po files of the manpages are fixed up as well. Gbp-Dch: Ignore Reported-By: spellintian
2017-01-19fix various typos reported by codespellDavid Kalnischkies
Nothing in user visible strings. Gbp-Dch: Ignore Reported-By: codespell