X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/e3d460c9de4426da6c630c3ae3f46173a99f82d8..dd5fb164cf5b32c462296bc65e289e100f74b59a:/OSX/libsecurity_codesigning/lib/singlediskrep.cpp?ds=sidebyside

diff --git a/OSX/libsecurity_codesigning/lib/singlediskrep.cpp b/OSX/libsecurity_codesigning/lib/singlediskrep.cpp
index 84c5a781..2c0cbd27 100644
--- a/OSX/libsecurity_codesigning/lib/singlediskrep.cpp
+++ b/OSX/libsecurity_codesigning/lib/singlediskrep.cpp
@@ -82,6 +82,14 @@ size_t SingleDiskRep::signingLimit()
 	return fd().fileSize();
 }
 
+//
+// No executable segment in non-machO files.
+//
+size_t SingleDiskRep::execSegLimit(const Architecture *)
+{
+	return 0;
+}
+
 //
 // A lazily opened read-only file descriptor for the path.
 //
@@ -89,7 +97,6 @@ FileDesc &SingleDiskRep::fd()
 {
 	if (!mFd)
 		mFd.open(mPath, O_RDONLY);
-
 	return mFd;
 }
 
@@ -101,7 +108,6 @@ void SingleDiskRep::flush()
 	mFd.close();
 }
 
-
 //
 // The recommended identifier of a SingleDiskRep is, absent any better clue,
 // the basename of its path.
@@ -118,6 +124,11 @@ string SingleDiskRep::recommendedIdentifier(const SigningContext &)
 void SingleDiskRep::strictValidate(const CodeDirectory* cd, const ToleratedErrors& tolerated, SecCSFlags flags)
 {
 	DiskRep::strictValidate(cd, tolerated, flags);
+
+	if (flags & kSecCSRestrictSidebandData)
+		if (fd().hasExtendedAttribute(XATTR_RESOURCEFORK_NAME) || fd().hasExtendedAttribute(XATTR_FINDERINFO_NAME))
+			if (tolerated.find(errSecCSInvalidAssociatedFileData) == tolerated.end())
+				MacOSError::throwMe(errSecCSInvalidAssociatedFileData);
 	
 	// code limit must cover (exactly) the entire file
 	if (cd && cd->signingLimit() != signingLimit())