From 71203dbf00cbb259fb59e8daf0543a45394b6623 Mon Sep 17 00:00:00 2001
From: Julian Andres Klode
Date: Thu, 12 May 2016 10:04:19 +0200
Subject: Normalize Signed-By values by removing trailing commas everywhere

This fixes comparisons where either the stored or the input string have a trailing comma.
---
 apt-pkg/deb/debmetaindex.cc | 15 +++++++++----
 .../test-releasefile-verification-noflat | 25 ++++++++++++++++++++++
 2 files changed, 36 insertions(+), 4 deletions(-)
 create mode 100755 test/integration/test-releasefile-verification-noflat

diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index 71aee3f72..f756cdb1f 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -687,12 +687,19 @@ bool debReleaseIndex::SetSignedBy(std::string const &pSignedBy)
 std::stringstream os;
 std::copy(fingers.begin(), fingers.end(), std::ostream_iterator(os, ","));
 SignedBy = os.str();
- while (SignedBy[SignedBy.size() - 1] == ',')
- SignedBy.resize(SignedBy.size() - 1);
 }
+ // Normalize the string: Remove trailing commas
+ while (SignedBy[SignedBy.size() - 1] == ',')
+ SignedBy.resize(SignedBy.size() - 1);
+ }
+ else {
+ // Only compare normalized strings
+ auto pSignedByView = APT::StringView(pSignedBy);
+ while (pSignedByView[pSignedByView.size() - 1] == ',')
+ pSignedByView = pSignedByView.substr(0, pSignedByView.size() - 1);
+ if (pSignedByView != SignedBy)
+ return _error->Error(_("Conflicting values set for option %s regarding source %s %s: %s != %s"), "Signed-By", URI.c_str(), Dist.c_str(), SignedBy.c_str(), pSignedByView.to_string().c_str());
 }
- else if (SignedBy != pSignedBy)
- return _error->Error(_("Conflicting values set for option %s regarding source %s %s: %s != %s"), "Signed-By", URI.c_str(), Dist.c_str(), SignedBy.c_str(), pSignedBy.c_str());
 return true;
 }
 /*}}}*/
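Review bot: Both trailing-comma loops index `size() - 1` without first checking that the string is non-empty, so a value consisting only of commas (or an empty `pSignedBy` reaching the `else` branch) is stripped to length zero and the next loop test reads out of bounds, because `size() - 1` wraps to the largest `size_t`. Signed-By can be taken from a Release file, as the integration test added in this commit shows, so this value is not purely local configuration. Guard both loops, for example `while (!SignedBy.empty() && SignedBy.back() == ',') SignedBy.pop_back();` and `while (pSignedByView.size() > 0 && pSignedByView[pSignedByView.size() - 1] == ',')`. The beginning of SetSignedBy, including the condition that selects between the two branches, lies outside the hunk, so whether an empty or comma-only string can actually reach either loop should be confirmed there.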
diff --git a/test/integration/test-releasefile-verification-noflat b/test/integration/test-releasefile-verification-noflat
new file mode 100755
index 000000000..3953c6492
--- /dev/null
+++ b/test/integration/test-releasefile-verification-noflat
@@ -0,0 +1,25 @@
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+
+setupenvironment
+configarchitecture "i386"
+
+export APT_DONT_SIGN='Release.gpg'
+insertpackage 'unstable' 'foo' 'i386' '1.0'
+setupaptarchive "now" "now + 1 year"
+changetowebserver
+
+SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
+
+testsuccess aptget update
+
+msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
+sed -i "/^Valid-Until: / a\
+Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
+touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
+testsuccessequal "Get:1 http://localhost:${APTHTTPPORT} unstable InRelease [$(stat -c '%s' 'aptarchive/dists/unstable/InRelease') B]
+Reading package lists..." aptget update
+testsuccess aptcache show foo
-- 
cgit v1.2.3
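Review bot: The only Signed-By value this test writes is `Signed-By: ${SIXPACK}`, with no trailing comma, and it checks only the success path, so the boundary inputs of the new normalization are not covered. Consider adding a variant whose stored value ends in a comma (`Signed-By: ${SIXPACK},`) and a negative case in which a different fingerprint is stored and `aptget update` is expected to fail, so that the normalization is shown not to weaken the conflict check. A one-line comment above the `sed -i` call stating that it edits the already-downloaded Release file under `rootdir/var/lib/apt/lists` would also make the intent of the "warm archive" step clearer.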