#include <apt-pkg/fileutl.h>
#include <apt-pkg/sha1.h>
#include <apt-pkg/tagfile.h>
-#include <apt-pkg/indexrecords.h>
+#include <apt-pkg/metaindex.h>
#include <apt-pkg/acquire.h>
#include <apt-pkg/hashes.h>
#include <apt-pkg/indexfile.h>
return _config->FindDir("Dir::State::lists") + URItoFileName(uri);
}
/*}}}*/
-static std::string GetCompressedFileName(std::string const &URI, std::string const &Name, std::string const &Ext) /*{{{*/
+static std::string GetCompressedFileName(IndexTarget const &Target, std::string const &Name, std::string const &Ext) /*{{{*/
{
if (Ext.empty() || Ext == "uncompressed")
return Name;
// do not reverify cdrom sources as apt-cdrom may rewrite the Packages
// file when its doing the indexcopy
- if (URI.substr(0,6) == "cdrom:")
+ if (Target.URI.substr(0,6) == "cdrom:")
return Name;
// adjust DestFile if its compressed on disk
- if (_config->FindB("Acquire::GzipIndexes",false) == true)
+ if (Target.KeepCompressed == true)
return Name + '.' + Ext;
return Name;
}
}
/*}}}*/
-static bool AllowInsecureRepositories(indexRecords const * const MetaIndexParser, pkgAcqMetaClearSig * const TransactionManager, pkgAcquire::Item * const I) /*{{{*/
+static bool AllowInsecureRepositories(metaIndex const * const MetaIndexParser, pkgAcqMetaClearSig * const TransactionManager, pkgAcquire::Item * const I) /*{{{*/
{
- if(MetaIndexParser->IsAlwaysTrusted() || _config->FindB("Acquire::AllowInsecureRepositories") == true)
+ if(MetaIndexParser->GetTrusted() == metaIndex::TRI_YES || _config->FindB("Acquire::AllowInsecureRepositories") == true)
return true;
_error->Error(_("Use --allow-insecure-repositories to force the update"));
return false;
}
/*}}}*/
-static HashStringList GetExpectedHashesFromFor(indexRecords * const Parser, std::string const &MetaKey)/*{{{*/
+static HashStringList GetExpectedHashesFromFor(metaIndex * const Parser, std::string const &MetaKey)/*{{{*/
{
if (Parser == NULL)
return HashStringList();
- indexRecords::checkSum * const R = Parser->Lookup(MetaKey);
+ metaIndex::checkSum * const R = Parser->Lookup(MetaKey);
if (R == NULL)
return HashStringList();
return R->Hashes;
we can at least trust them for integrity of the download itself.
Only repositories without a Release file can (obviously) not have
hashes – and they are very uncommon and strongly discouraged */
- return TransactionManager->MetaIndexParser != NULL;
+ return TransactionManager->MetaIndexParser != NULL &&
+ TransactionManager->MetaIndexParser->GetLoadedSuccessfully() != metaIndex::TRI_UNSET;
}
HashStringList pkgAcqTransactionItem::GetExpectedHashes() const
{
std::string pkgAcqIndex::GetFinalFilename() const
{
std::string const FinalFile = GetFinalFileNameFromURI(Target.URI);
- return GetCompressedFileName(Target.URI, FinalFile, CurrentCompressionExtension);
+ return GetCompressedFileName(Target, FinalFile, CurrentCompressionExtension);
}
std::string pkgAcqMetaSig::GetFinalFilename() const
{
{
IndexTarget const Target;
public:
- virtual std::string DescURI() const {return Target.URI;};
- virtual HashStringList GetExpectedHashes() const {return HashStringList();};
+ virtual std::string DescURI() const APT_OVERRIDE {return Target.URI;};
+ virtual HashStringList GetExpectedHashes() const APT_OVERRIDE {return HashStringList();};
NoActionItem(pkgAcquire * const Owner, IndexTarget const &Target) :
pkgAcquire::Item(Owner), Target(Target)
{
if(ErrorText.empty())
ErrorText = LookupTag(Message,"Message");
- UsedMirror = LookupTag(Message,"UsedMirror");
if (QueueCounter <= 1)
{
/* This indicates that the file is not available right now but might
FileSize = Size;
}
/*}}}*/
+// Acquire::Item::VerifyDone - check if Item was downloaded OK /*{{{*/
+/* Note that hash-verification is 'hardcoded' in acquire-worker and has
+ * already passed if this method is called. */
+bool pkgAcquire::Item::VerifyDone(std::string const &Message,
+ pkgAcquire::MethodConfig const * const /*Cnf*/)
+{
+ std::string const FileName = LookupTag(Message,"Filename");
+ if (FileName.empty() == true)
+ {
+ Status = StatError;
+ ErrorText = "Method gave a blank filename";
+ return false;
+ }
+
+ return true;
+}
+ /*}}}*/
// Acquire::Item::Done - Item downloaded OK /*{{{*/
-void pkgAcquire::Item::Done(string const &Message, HashStringList const &Hashes,
+void pkgAcquire::Item::Done(string const &/*Message*/, HashStringList const &Hashes,
pkgAcquire::MethodConfig const * const /*Cnf*/)
{
// We just downloaded something..
- UsedMirror = LookupTag(Message,"UsedMirror");
if (FileSize == 0)
{
unsigned long long const downloadedSize = Hashes.FileSize();
Status = StatError;
break;
case NotClearsigned:
- errtext = _("Does not start with a cleartext signature");
- Status = StatError;
+ strprintf(errtext, _("Clearsigned file isn't valid, got '%s' (does the network require authentication?)"), "NOSPLIT");
+ Status = StatAuthError;
break;
case MaximumSizeExceeded:
// the method is expected to report a good error for this
_error->Warning(_("An error occurred during the signature "
"verification. The repository is not updated "
"and the previous index files will be used. "
- "GPG error: %s: %s\n"),
+ "GPG error: %s: %s"),
Desc.Description.c_str(),
LookupTag(Message,"Message").c_str());
RunScripts("APT::Update::Auth-Failure");
_error->Error(_("GPG error: %s: %s"),
Desc.Description.c_str(),
LookupTag(Message,"Message").c_str());
- I->Status = StatError;
+ I->Status = StatAuthError;
return true;
} else {
_error->Warning(_("GPG error: %s: %s"),
Header += MaximumSize;
string const FinalFile = GetFinalFilename();
-
struct stat Buf;
if (stat(FinalFile.c_str(),&Buf) == 0)
Header += "\nLast-Modified: " + TimeRFC1123(Buf.st_mtime);
// We have just finished downloading a Release file (it is not
// verified yet)
- string const FileName = LookupTag(Message,"Filename");
- if (FileName.empty() == true)
- {
- I->Status = StatError;
- I->ErrorText = "Method gave a blank filename";
- return false;
- }
-
+ std::string const FileName = LookupTag(Message,"Filename");
if (FileName != I->DestFile && RealFileExists(I->DestFile) == false)
{
I->Local = true;
}
if (RealFileExists(FinalInRelease) || RealFileExists(FinalRelease))
{
- TransactionManager->LastMetaIndexParser = new indexRecords;
- _error->PushToStack();
- if (RealFileExists(FinalInRelease))
- TransactionManager->LastMetaIndexParser->Load(FinalInRelease);
- else
- TransactionManager->LastMetaIndexParser->Load(FinalRelease);
- // its unlikely to happen, but if what we have is bad ignore it
- if (_error->PendingError())
+ TransactionManager->LastMetaIndexParser = TransactionManager->MetaIndexParser->UnloadedClone();
+ if (TransactionManager->LastMetaIndexParser != NULL)
{
- delete TransactionManager->LastMetaIndexParser;
- TransactionManager->LastMetaIndexParser = NULL;
+ _error->PushToStack();
+ if (RealFileExists(FinalInRelease))
+ TransactionManager->LastMetaIndexParser->Load(FinalInRelease, NULL);
+ else
+ TransactionManager->LastMetaIndexParser->Load(FinalRelease, NULL);
+ // its unlikely to happen, but if what we have is bad ignore it
+ if (_error->PendingError())
+ {
+ delete TransactionManager->LastMetaIndexParser;
+ TransactionManager->LastMetaIndexParser = NULL;
+ }
+ _error->RevertToStack();
}
- _error->RevertToStack();
}
}
- if (TransactionManager->MetaIndexParser->Load(DestFile) == false)
+ if (TransactionManager->MetaIndexParser->Load(DestFile, &ErrorText) == false)
{
Status = StatAuthError;
- ErrorText = TransactionManager->MetaIndexParser->ErrorText;
return false;
}
continue;
}
}
+ else if (TransactionManager->IMSHit == true)
+ {
+ // we have the file already, no point in trying to acquire it again
+ new NoActionItem(Owner, *Target);
+ continue;
+ }
}
else
trypdiff = false; // no file to patch
Transformed = "";
}
- if (_config->FindB("Acquire::Check-Valid-Until", true) == true &&
- TransactionManager->MetaIndexParser->GetValidUntil() > 0) {
+ if (TransactionManager->MetaIndexParser->GetValidUntil() > 0)
+ {
time_t const invalid_since = time(NULL) - TransactionManager->MetaIndexParser->GetValidUntil();
if (invalid_since > 0)
{
TransactionManager->IMSHit = true;
unlink(DestFile.c_str());
PartialFile = DestFile = GetFinalFilename();
- delete TransactionManager->MetaIndexParser;
- TransactionManager->MetaIndexParser = TransactionManager->LastMetaIndexParser;
+ // load the 'old' file in the 'new' one instead of flipping pointers as
+ // the new one isn't owned by us, while the old one is so cleanup would be confused.
+ TransactionManager->MetaIndexParser->swapLoad(TransactionManager->LastMetaIndexParser);
+ delete TransactionManager->LastMetaIndexParser;
TransactionManager->LastMetaIndexParser = NULL;
}
if (_config->FindB("Debug::pkgAcquire::Auth", false))
{
- std::cerr << "Got Codename: " << TransactionManager->MetaIndexParser->GetDist() << std::endl;
+ std::cerr << "Got Codename: " << TransactionManager->MetaIndexParser->GetCodename() << std::endl;
std::cerr << "Expecting Dist: " << TransactionManager->MetaIndexParser->GetExpectedDist() << std::endl;
std::cerr << "Transformed Dist: " << Transformed << std::endl;
}
// Status = StatAuthError;
// ErrorText = "Conflicting distribution; expected "
// + MetaIndexParser->GetExpectedDist() + " but got "
-// + MetaIndexParser->GetDist();
+// + MetaIndexParser->GetCodename();
// return false;
if (!Transformed.empty())
{
_error->Warning(_("Conflicting distribution: %s (expected %s but got %s)"),
Desc.Description.c_str(),
Transformed.c_str(),
- TransactionManager->MetaIndexParser->GetDist().c_str());
+ TransactionManager->MetaIndexParser->GetCodename().c_str());
}
}
IndexTarget const &ClearsignedTarget,
IndexTarget const &DetachedDataTarget, IndexTarget const &DetachedSigTarget,
std::vector<IndexTarget> const &IndexTargets,
- indexRecords * const MetaIndexParser) :
+ metaIndex * const MetaIndexParser) :
pkgAcqMetaIndex(Owner, this, ClearsignedTarget, DetachedSigTarget, IndexTargets),
d(NULL), ClearsignedTarget(ClearsignedTarget),
DetachedDataTarget(DetachedDataTarget),
/*}}}*/
pkgAcqMetaClearSig::~pkgAcqMetaClearSig() /*{{{*/
{
- if (MetaIndexParser != NULL)
- delete MetaIndexParser;
if (LastMetaIndexParser != NULL)
delete LastMetaIndexParser;
}
{
string Header = pkgAcqMetaBase::Custom600Headers();
Header += "\nFail-Ignore: true";
+ std::string const key = TransactionManager->MetaIndexParser->GetSignedBy();
+ if (key.empty() == false)
+ Header += "\nSigned-By: " + key;
+
return Header;
}
/*}}}*/
+bool pkgAcqMetaClearSig::VerifyDone(std::string const &Message,
+ pkgAcquire::MethodConfig const * const Cnf)
+{
+ Item::VerifyDone(Message, Cnf);
+
+ if (FileExists(DestFile) && !StartsWithGPGClearTextSignature(DestFile))
+ return RenameOnError(NotClearsigned);
+
+ return true;
+}
// pkgAcqMetaClearSig::Done - We got a file /*{{{*/
void pkgAcqMetaClearSig::Done(std::string const &Message,
HashStringList const &Hashes,
{
Item::Done(Message, Hashes, Cnf);
- // if we expect a ClearTextSignature (InRelease), ensure that
- // this is what we get and if not fail to queue a
- // Release/Release.gpg, see #346386
- if (FileExists(DestFile) && !StartsWithGPGClearTextSignature(DestFile))
- {
- pkgAcquire::Item::Failed(Message, Cnf);
- RenameOnError(NotClearsigned);
- TransactionManager->AbortTransaction();
- return;
- }
-
if(AuthPass == false)
{
if(CheckDownloadDone(this, Message, Hashes) == true)
if (AuthPass == false)
{
+ if (Status == StatAuthError)
+ {
+ // if we expected a ClearTextSignature (InRelease) and got a file,
+ // but it wasn't valid we end up here (see VerifyDone).
+ // As these is usually called by web-portals we do not try Release/Release.gpg
+ // as this is gonna fail anyway and instead abort our try (LP#346386)
+ TransactionManager->AbortTransaction();
+ return;
+ }
+
// Queue the 'old' InRelease file for removal if we try Release.gpg
// as otherwise the file will stay around and gives a false-auth
// impression (CVE-2012-0214)
// open the last Release if we have it
if (TransactionManager->IMSHit == false)
{
- TransactionManager->LastMetaIndexParser = new indexRecords;
- _error->PushToStack();
- if (RealFileExists(FinalInRelease))
- TransactionManager->LastMetaIndexParser->Load(FinalInRelease);
- else
- TransactionManager->LastMetaIndexParser->Load(FinalRelease);
- // its unlikely to happen, but if what we have is bad ignore it
- if (_error->PendingError())
+ TransactionManager->LastMetaIndexParser = TransactionManager->MetaIndexParser->UnloadedClone();
+ if (TransactionManager->LastMetaIndexParser != NULL)
{
- delete TransactionManager->LastMetaIndexParser;
- TransactionManager->LastMetaIndexParser = NULL;
+ _error->PushToStack();
+ if (RealFileExists(FinalInRelease))
+ TransactionManager->LastMetaIndexParser->Load(FinalInRelease, NULL);
+ else
+ TransactionManager->LastMetaIndexParser->Load(FinalRelease, NULL);
+ // its unlikely to happen, but if what we have is bad ignore it
+ if (_error->PendingError())
+ {
+ delete TransactionManager->LastMetaIndexParser;
+ TransactionManager->LastMetaIndexParser = NULL;
+ }
+ _error->RevertToStack();
}
- _error->RevertToStack();
}
}
// we parse the indexes here because at this point the user wanted
// a repository that may potentially harm him
- if (TransactionManager->MetaIndexParser->Load(PartialRelease) == false || VerifyVendor(Message) == false)
+ if (TransactionManager->MetaIndexParser->Load(PartialRelease, &ErrorText) == false || VerifyVendor(Message) == false)
/* expired Release files are still a problem you need extra force for */;
else
QueueIndexes(true);
{
// ensure old Release files are removed
TransactionManager->TransactionStageRemoval(this, GetFinalFilename());
- delete TransactionManager->MetaIndexParser;
- TransactionManager->MetaIndexParser = NULL;
// queue without any kind of hashsum support
QueueIndexes(false);
/*}}}*/
pkgAcqMetaSig::~pkgAcqMetaSig() /*{{{*/
{
+}
+ /*}}}*/
+// pkgAcqMetaSig::Custom600Headers - Insert custom request headers /*{{{*/
+std::string pkgAcqMetaSig::Custom600Headers() const
+{
+ std::string Header = pkgAcqTransactionItem::Custom600Headers();
+ std::string const key = TransactionManager->MetaIndexParser->GetSignedBy();
+ if (key.empty() == false)
+ Header += "\nSigned-By: " + key;
+ return Header;
}
/*}}}*/
// AcqMetaSig::Done - The signature was downloaded/verified /*{{{*/
// open the last Release if we have it
if (TransactionManager->IMSHit == false)
{
- TransactionManager->LastMetaIndexParser = new indexRecords;
- _error->PushToStack();
- if (RealFileExists(FinalInRelease))
- TransactionManager->LastMetaIndexParser->Load(FinalInRelease);
- else
- TransactionManager->LastMetaIndexParser->Load(FinalRelease);
- // its unlikely to happen, but if what we have is bad ignore it
- if (_error->PendingError())
+ TransactionManager->LastMetaIndexParser = TransactionManager->MetaIndexParser->UnloadedClone();
+ if (TransactionManager->LastMetaIndexParser != NULL)
{
- delete TransactionManager->LastMetaIndexParser;
- TransactionManager->LastMetaIndexParser = NULL;
+ _error->PushToStack();
+ if (RealFileExists(FinalInRelease))
+ TransactionManager->LastMetaIndexParser->Load(FinalInRelease, NULL);
+ else
+ TransactionManager->LastMetaIndexParser->Load(FinalRelease, NULL);
+ // its unlikely to happen, but if what we have is bad ignore it
+ if (_error->PendingError())
+ {
+ delete TransactionManager->LastMetaIndexParser;
+ TransactionManager->LastMetaIndexParser = NULL;
+ }
+ _error->RevertToStack();
}
- _error->RevertToStack();
}
}
// we parse the indexes here because at this point the user wanted
// a repository that may potentially harm him
- if (TransactionManager->MetaIndexParser->Load(MetaIndex->DestFile) == false || MetaIndex->VerifyVendor(Message) == false)
+ if (TransactionManager->MetaIndexParser->Load(MetaIndex->DestFile, &ErrorText) == false || MetaIndex->VerifyVendor(Message) == false)
/* expired Release files are still a problem you need extra force for */;
else
MetaIndex->QueueIndexes(true);
{
// update destfile to *not* include the compression extension when doing
// a reverify (as its uncompressed on disk already)
- DestFile = GetCompressedFileName(Target.URI, GetPartialFileNameFromURI(Target.URI), CurrentCompressionExtension);
+ DestFile = GetCompressedFileName(Target, GetPartialFileNameFromURI(Target.URI), CurrentCompressionExtension);
// copy FinalFile into partial/ so that we check the hash again
string FinalFile = GetFinalFilename();
Complete = true;
// Handle the unzipd case
- string FileName = LookupTag(Message,"Alt-Filename");
+ std::string FileName = LookupTag(Message,"Alt-Filename");
if (FileName.empty() == false)
{
Stage = STAGE_DECOMPRESS_AND_VERIFY;
SetActiveSubprocess("copy");
return;
}
-
FileName = LookupTag(Message,"Filename");
- if (FileName.empty() == true)
- {
- Status = StatError;
- ErrorText = "Method gave a blank filename";
- }
// Methods like e.g. "file:" will give us a (compressed) FileName that is
// not the "DestFile" we set, in this case we uncompress from the local file
return;
}
- // If we have compressed indexes enabled, queue for hash verification
- if (_config->FindB("Acquire::GzipIndexes",false))
+ // If we want compressed indexes, just copy in place for hash verification
+ if (Target.KeepCompressed == true)
{
DestFile = GetPartialFileNameFromURI(Target.URI + '.' + CurrentCompressionExtension);
EraseFileName = "";
Item::Done(Message, Hashes, Cfg);
// Grab the output filename
- string FileName = LookupTag(Message,"Filename");
- if (FileName.empty() == true)
- {
- Status = StatError;
- ErrorText = "Method gave a blank filename";
- return;
- }
-
- // Reference filename
+ std::string const FileName = LookupTag(Message,"Filename");
if (DestFile != FileName && RealFileExists(DestFile) == false)
{
StoreFilename = DestFile = FileName;
{
Item::Done(Message,CalcHashes,Cnf);
- string FileName = LookupTag(Message,"Filename");
- if (FileName.empty() == true)
- {
- Status = StatError;
- ErrorText = "Method gave a blank filename";
- return;
- }
-
+ std::string const FileName = LookupTag(Message,"Filename");
Complete = true;
// The files timestamp matches
projects / apt.git / blobdiff