From 62bfe5b6ca3ccfba6313d3f9ab4cb75a24a5557a Mon Sep 17 00:00:00 2001
From: David Kalnischkies
Date: Wed, 27 Nov 2019 19:57:08 +0100
Subject: Use correct filename on IMS-hit reverify for indices
If we have no old Release file, but old indices we can't compare hashsums with the new Release file and hence must request the indices again and have to react to IMS hits if they didn't change. We used to symlink the old index file to the partial directory, but that usually meant that we linked an uncompressed file to a compressed file, which not all uncompressors can deal with transparently resulting in strange failures. We could do without the symlink, but that would require changes in the codepaths dealing with failure as they would rename the file to FAILED.
---
 apt-pkg/acquire-item.cc | 17 ++----
 test/integration/test-apt-update-repeated-ims-hit | 73 +++++++++++++++++++++++
 2 files changed, 79 insertions(+), 11 deletions(-)
 create mode 100755 test/integration/test-apt-update-repeated-ims-hit
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index a108eb213..062b39cad 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -3265,19 +3265,14 @@ void pkgAcqIndex::StageDownloadDone(string const &Message)
 // we need to verify the file against the current Release file again
 // on if-modfied-since hit to avoid a stale attack against us
- if(StringToBool(LookupTag(Message,"IMS-Hit"),false) == true)
+ if (StringToBool(LookupTag(Message, "IMS-Hit"), false))
 {
- // copy FinalFile into partial/ so that we check the hash again
- string const FinalFile = GetExistingFilename(GetFinalFileNameFromURI(Target.URI));
- if (symlink(FinalFile.c_str(), DestFile.c_str()) != 0)
- _error->WarningE("pkgAcqIndex::StageDownloadDone", "Symlinking final file %s back to %s failed", FinalFile.c_str(), DestFile.c_str());
- else
- {
- EraseFileName = DestFile;
- Filename = DestFile;
- }
+ Filename = GetExistingFilename(GetFinalFileNameFromURI(Target.URI));
+ EraseFileName = DestFile = flCombine(flNotFile(DestFile), flNotDir(Filename));
+ if (symlink(Filename.c_str(), DestFile.c_str()) != 0)
+ _error->WarningE("pkgAcqIndex::StageDownloadDone", "Symlinking file %s to %s failed", Filename.c_str(), DestFile.c_str());
 Stage = STAGE_DECOMPRESS_AND_VERIFY;
- Desc.URI = "store:" + Filename;
+ Desc.URI = "store:" + DestFile;
 QueueURI(Desc);
 SetActiveSubprocess(::URI(Desc.URI).Access);
 return;
diff --git a/test/integration/test-apt-update-repeated-ims-hit b/test/integration/test-apt-update-repeated-ims-hit
new file mode 100755
index 000000000..8630ff5ee
--- /dev/null
+++ b/test/integration/test-apt-update-repeated-ims-hit
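Review bot: A failed `symlink()` is only warned about here, yet `DestFile` and `EraseFileName` have already been repointed on the line above and `"store:" + DestFile` is queued regardless. If the call fails because something already exists at that path in partial/ (EEXIST), the verify stage would presumably operate on that leftover rather than on the existing index, and the leftover is what gets erased afterwards; the removed code at least left `Filename` untouched on failure. Since this re-check exists to catch a stale index behind an IMS hit, I would either clear the target first with `unlink(DestFile.c_str());` before the `symlink` call, or fail the item instead of continuing when the link cannot be created. StageDownloadDone starts and ends outside this hunk, so how the later stage reacts to a missing or foreign DestFile is not visible here.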
@@ -0,0 +1,73 @@
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+setupenvironment
+configarchitecture 'amd64'
+configcompression '.' 'bz2'
+
+echo 'Package: apt
+Priority: important
+Section: admin
+Installed-Size: 5984
+Maintainer: APT Development Team
+Architecture: i386
+Version: 0.8.7
+Filename: pool/main/a/apt/apt_0.8.7_i386.deb
+Size: 2140230
+MD5sum: 74769bfbcef9ebc4fa74f7a5271b9c08
+Description: Advanced front-end for dpkg
+Description-md5: d41ee493aa9fcc6cbc9ce4eb7069959c' > aptarchive/Packages
+compressfile aptarchive/Packages
+
+echo "Package: apt
+Description-en: Advanced front-end for dpkg
+ This is Debian's next generation front-end for the dpkg package manager.
+ It provides the apt-get utility and APT dselect method that provides a
+ simpler, safer way to install and upgrade packages.
+$MD5Sum" > aptarchive/en
+compressfile aptarchive/en
+
+echo "APT::FTPArchive::Release::Patterns:: \"en\";
+APT::FTPArchive::Release::Patterns:: \"en.*\";" > rootdir/etc/apt/apt.conf.d/ftparchivepattern
+
+export APT_DONT_SIGN='InRelease'
+setupaptarchive --no-update
+rm -f aptarchive/Packages aptarchive/en
+
+rm -f rootdir/etc/apt/trusted.gpg.d/*
+sed -i -e 's#^deb #deb [trusted=yes] #' rootdir/etc/apt/sources.list.d/*
+
+APTARCHIVE="$(readlink -f ./aptarchive)"
+GPGERROR="W: GPG error: file:$APTARCHIVE Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5A90D141DBAC8DAE"
+
+msgmsg 'Running update again does not change result' '0'
+testwarningmsg "$GPGERROR" apt update
+listcurrentlistsdirectory > lists.before
+testsuccess grep 'aptarchive_en$' lists.before
+testsuccess grep 'aptarchive_Packages$' lists.before
+testsuccess grep 'aptarchive_Release$' lists.before
+testfailure grep 'aptarchive_Release.gpg$' lists.before
+
+for i in $(seq 1 3); do
+ msgmsg 'Running update again does not change result' "$i"
+ testwarningmsg "$GPGERROR" apt update
+done
+
+find rootdir/var/lib/apt/lists -name '*Release*' -delete
+msgmsg 'Running update with a repository gaining hashsums'
+testwarningmsg "$GPGERROR" apt update
+
+changetowebserver
+find aptarchive -name '*Release*' -delete
+rm -rf rootdir/var/lib/apt/lists
+
+msgmsg 'Running update with no indexes' '0'
+testsuccess apt update
+listcurrentlistsdirectory > lists.before
+for i in $(seq 1 3); do
+ msgmsg 'Running update with no indexes' "$i"
+ testsuccess apt update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::Transaction=1
+ testfileequal lists.before "$(listcurrentlistsdirectory)"
+done
-- cgit v1.2.3
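Review bot: `$MD5Sum` in the `aptarchive/en` stanza is never assigned in this script, so unless the sourced framework defines it (not visible here) it expands to an empty line and the translation entry is written without a Description-md5 field. To keep that stanza tied to the Packages entry above, spell the field out in place of the variable: `Description-md5: d41ee493aa9fcc6cbc9ce4eb7069959c" > aptarchive/en`. Separately, the 'gaining hashsums' step asserts only the warning text; if the lists directory is expected to be unchanged there, adding `testfileequal lists.before "$(listcurrentlistsdirectory)"` after that `apt update` would also pin the filename behaviour this commit fixes.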