X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/5c19dc3ae3bd8e40a9c028b0deddd50ff337692c..dd5fb164cf5b32c462296bc65e289e100f74b59a:/OSX/libsecurity_codesigning/lib/singlediskrep.cpp?ds=sidebyside
diff --git a/OSX/libsecurity_codesigning/lib/singlediskrep.cpp b/OSX/libsecurity_codesigning/lib/singlediskrep.cpp
index 5b01b138..2c0cbd27 100644
--- a/OSX/libsecurity_codesigning/lib/singlediskrep.cpp
+++ b/OSX/libsecurity_codesigning/lib/singlediskrep.cpp
@@ -82,6 +82,14 @@ size_t SingleDiskRep::signingLimit()
 return fd().fileSize();
 }
 
+//
+// No executable segment in non-machO files.
+//
+size_t SingleDiskRep::execSegLimit(const Architecture *)
+{
+ return 0;
+}
+
 //
 // A lazily opened read-only file descriptor for the path.
 //
@@ -89,7 +97,6 @@ FileDesc &SingleDiskRep::fd()
 {
 if (!mFd)
 mFd.open(mPath, O_RDONLY);
-
 return mFd;
 }
 
@@ -101,7 +108,6 @@ void SingleDiskRep::flush()
 mFd.close();
 }
 
-
 //
 // The recommended identifier of a SingleDiskRep is, absent any better clue,
 // the basename of its path.
@@ -115,10 +121,17 @@ string SingleDiskRep::recommendedIdentifier(const SigningContext &)
 //
 // Paranoid validation
 //
-void SingleDiskRep::strictValidate(const CodeDirectory* cd, const ToleratedErrors& tolerated)
+void SingleDiskRep::strictValidate(const CodeDirectory* cd, const ToleratedErrors& tolerated, SecCSFlags flags)
 {
+ DiskRep::strictValidate(cd, tolerated, flags);
+
+ if (flags & kSecCSRestrictSidebandData)
+ if (fd().hasExtendedAttribute(XATTR_RESOURCEFORK_NAME) || fd().hasExtendedAttribute(XATTR_FINDERINFO_NAME))
+ if (tolerated.find(errSecCSInvalidAssociatedFileData) == tolerated.end())
+ MacOSError::throwMe(errSecCSInvalidAssociatedFileData);
+
 // code limit must cover (exactly) the entire file
- if (cd && cd->codeLimit != signingLimit())
+ if (cd && cd->signingLimit() != signingLimit())
 MacOSError::throwMe(errSecCSSignatureInvalid);
 }
 
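Review bot: The sideband check added to strictValidate in the last hunk is three nested brace-less `if`s with no comment on what it guards, so the reason for rejecting `XATTR_RESOURCEFORK_NAME` and `XATTR_FINDERINFO_NAME` has to be guessed. Since signingLimit() is the file size (`fd().fileSize()` in the first hunk's context), those attributes presumably sit outside what the CodeDirectory covers; a comment such as `// resource fork / FinderInfo are not covered by the code limit; refuse them when the caller restricts sideband data` would record that. Folding the two outer tests into `if ((flags & kSecCSRestrictSidebandData) && (fd().hasExtendedAttribute(XATTR_RESOURCEFORK_NAME) || fd().hasExtendedAttribute(XATTR_FINDERINFO_NAME)))` with braces around the tolerated-error test would also keep a later `else` from binding to the wrong level. The check runs only when the caller passes the flag, and which callers do is not visible in this diff, so the declaration of strictValidate should state that validation without it still accepts files carrying these attributes.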