From d4c45145553781418c25343ac1478f62da645851 Mon Sep 17 00:00:00 2001
From: David Kalnischkies <david@kalnischkies.de>
Date: Sun, 13 Mar 2016 22:44:37 +0100
Subject: enforce verify of filesize in 'apt-get source'

The structure we parse the data into has a dedicated size field, but it
tends to be easier to handle it as a (very weak) checksum.
---
 apt-pkg/deb/debsrcrecords.cc                       |  1 +
 .../test-ubuntu-bug-1098738-apt-get-source-md5sum  | 46 ++++++++++++++++++----
 2 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/apt-pkg/deb/debsrcrecords.cc b/apt-pkg/deb/debsrcrecords.cc
index cefaf46ac..e8295debb 100644
--- a/apt-pkg/deb/debsrcrecords.cc
+++ b/apt-pkg/deb/debsrcrecords.cc
@@ -216,6 +216,7 @@ bool debSrcRecordParser::Files2(std::vector<pkgSrcRecords::File2> &List)
 	 F.Path = path;
 	 F.FileSize = strtoull(size.c_str(), NULL, 10);
 	 F.Hashes.push_back(hashString);
+	 F.Hashes.FileSize(F.FileSize);
 
 	 APT_IGNORE_DEPRECATED_PUSH
 	 F.Size = F.FileSize;
diff --git a/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum b/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum
index 7ac993d39..b37ca456f 100755
--- a/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum
+++ b/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum
@@ -41,6 +41,15 @@ Checksums-Sha256:
  943d3bf22ac661fb0f59bc4ff68cc12b04ff17a838dfcc2537008eb9c7f3770a 3 pkg-sha256-ok_1.0.dsc
  90aebae315675cbf04612de4f7d5874850f48e0b8dd82becbeaa47ca93f5ebfb 3 pkg-sha256-ok_1.0.tar.gz
 
+Package: pkg-size-bad
+Binary: pkg-size-bad
+Version: 1.0
+Maintainer: Joe Sixpack <joe@example.org>
+Architecture: all
+Checksums-Sha256:
+ 943d3bf22ac661fb0f59bc4ff68cc12b04ff17a838dfcc2537008eb9c7f3770a 2 pkg-size-bad_1.0.dsc
+ 90aebae315675cbf04612de4f7d5874850f48e0b8dd82becbeaa47ca93f5ebfb 4 pkg-size-bad_1.0.tar.gz
+
 Package: pkg-sha256-bad
 Binary: pkg-sha256-bad
 Version: 1.0
@@ -151,7 +160,7 @@ EOF
 for x in 'pkg-md5-ok' 'pkg-sha1-ok' 'pkg-sha256-ok' 'pkg-sha256-bad' 'pkg-no-md5' \
 	 'pkg-mixed-ok' 'pkg-mixed-sha1-bad' 'pkg-mixed-sha2-bad' \
 	 'pkg-md5-agree' 'pkg-md5-disagree' 'pkg-sha256-disagree' \
-	 'pkg-md5-bad'; do
+	 'pkg-md5-bad' 'pkg-size-bad'; do
 	echo -n 'dsc' > aptarchive/${x}_1.0.dsc
 	echo -n 'tar' > aptarchive/${x}_1.0.tar.gz
 done
@@ -201,7 +210,23 @@ Download complete and in download only mode" aptget source -d "$@"
 
 testmismatch() {
 	rm -f ${1}_1.0.dsc ${1}_1.0.tar.gz
-	testfailureequal "Reading package lists...
+	local FAILURE
+	if [ "$1" = 'pkg-size-bad' ]; then
+		FAILURE="Reading package lists...
+Need to get 6 B of source archives.
+Get:1 http://localhost:${APTHTTPPORT}  $1 1.0 (dsc) [2 B]
+Err:1 http://localhost:${APTHTTPPORT}  $1 1.0 (dsc)
+  Writing more data than expected (3 > 2)
+Get:2 http://localhost:${APTHTTPPORT}  $1 1.0 (tar) [4 B]
+Err:2 http://localhost:${APTHTTPPORT}  $1 1.0 (tar)
+  Hash Sum mismatch
+E: Failed to fetch http://localhost:${APTHTTPPORT}/${1}_1.0.dsc  Writing more data than expected (3 > 2)
+
+E: Failed to fetch http://localhost:${APTHTTPPORT}/${1}_1.0.tar.gz  Hash Sum mismatch
+
+E: Failed to fetch some archives."
+	else
+		FAILURE="Reading package lists...
 Need to get 6 B of source archives.
 Get:1 http://localhost:${APTHTTPPORT}  $1 1.0 (dsc) [3 B]
 Err:1 http://localhost:${APTHTTPPORT}  $1 1.0 (dsc)
@@ -213,7 +238,10 @@ E: Failed to fetch http://localhost:${APTHTTPPORT}/${1}_1.0.dsc  Hash Sum mismat
 
 E: Failed to fetch http://localhost:${APTHTTPPORT}/${1}_1.0.tar.gz  Hash Sum mismatch
 
-E: Failed to fetch some archives." aptget source -d "$@"
+E: Failed to fetch some archives."
+	fi
+	testfailureequal "$FAILURE" aptget source -d "$@"
+
 	msgtest 'Files were not download as they have hashsum mismatches for' "$1"
 	testfailure --nomsg test -e ${1}_1.0.dsc -a -e ${1}_1.0.tar.gz
 
@@ -228,14 +256,16 @@ Download complete and in download only mode" aptget source -d "$@" -o Acquire::F
 		testfailure --nomsg test -e ${1}_1.0.dsc -a -e ${1}_1.0.tar.gz
 	fi
 
-	rm -f ${1}_1.0.dsc ${1}_1.0.tar.gz
-	testsuccessequal "Reading package lists...
+	if [ "$1" != 'pkg-size-bad' ]; then
+		rm -f ${1}_1.0.dsc ${1}_1.0.tar.gz
+		testsuccessequal "Reading package lists...
 Need to get 6 B of source archives.
 Get:1 http://localhost:${APTHTTPPORT}  $1 1.0 (dsc) [3 B]
 Get:2 http://localhost:${APTHTTPPORT}  $1 1.0 (tar) [3 B]
 Download complete and in download only mode" aptget source --allow-unauthenticated -d "$@" -o Acquire::ForceHash=ROT26
-	msgtest 'Files were downloaded unauthenticated as user allowed it' "$1"
-	testsuccess --nomsg test -e ${1}_1.0.dsc -a -e ${1}_1.0.tar.gz
+		msgtest 'Files were downloaded unauthenticated as user allowed it' "$1"
+		testsuccess --nomsg test -e ${1}_1.0.dsc -a -e ${1}_1.0.tar.gz
+	fi
 }
 
 testnohash pkg-md5-ok
@@ -252,6 +282,8 @@ testok pkg-sha256-bad -o Acquire::ForceHash=MD5Sum
 testnohash pkg-md5-bad
 testmismatch pkg-md5-bad --allow-unauthenticated
 
+testmismatch pkg-size-bad
+
 # not having MD5 sum doesn't mean the file doesn't exist at all …
 testok pkg-no-md5
 testok pkg-no-md5 -o Acquire::ForceHash=SHA256
-- 
cgit v1.2.3