* src/metalink.c (retrieve_from_metalink): Reject any metalink:file without hashes. Prompt the error and switch to the next file * testenv/Makefile.am: Add new file * testenv/Test-metalink-xml-nohash.py: New file. Metalink/XML with no hashes tests
Prevent SIGSEGV. --- src/metalink.c | 9 +- testenv/Makefile.am | 1 + testenv/Test-metalink-xml-nohash.py | 180 ++++++++++++++++++++++++++++++++++++ 3 files changed, 189 insertions(+), 1 deletion(-) create mode 100755 testenv/Test-metalink-xml-nohash.py diff --git a/src/metalink.c b/src/metalink.c index 16e247d..0c77fa8 100644 --- a/src/metalink.c +++ b/src/metalink.c @@ -368,7 +368,8 @@ retrieve_from_metalink (const metalink_t* metalink) } /* Resources are sorted by priority. */ - for (mres_ptr = mfile->resources; *mres_ptr && !skip_mfile; mres_ptr++) + for (mres_ptr = mfile->resources; + *mres_ptr && mfile->checksums && !skip_mfile; mres_ptr++) { metalink_resource_t *mres = *mres_ptr; metalink_checksum_t **mchksum_ptr, *mchksum; @@ -859,6 +860,12 @@ gpg_skip_verification: } /* endif RETR_OK. */ } /* Iterate over resources. */ + if (!mfile->checksums) + { + logprintf (LOG_NOTQUIET, _("No checksums found.\n")); + retr_err = METALINK_CHKSUM_ERROR; + } + if (retr_err != RETROK) { logprintf (LOG_VERBOSE, _("Failed to download %s. Skipping resource.\n"), diff --git a/testenv/Makefile.am b/testenv/Makefile.am index ff9fe05..725b76b 100644 --- a/testenv/Makefile.am +++ b/testenv/Makefile.am @@ -51,6 +51,7 @@ if METALINK_IS_ENABLED Test-metalink-xml-homeprefix-trust.py \ Test-metalink-xml-emptyprefix-trust.py \ Test-metalink-xml-size.py \ + Test-metalink-xml-nohash.py \ Test-metalink-xml-nourls.py \ Test-metalink-xml-urlbreak.py else diff --git a/testenv/Test-metalink-xml-nohash.py b/testenv/Test-metalink-xml-nohash.py new file mode 100755 index 0000000..3985918 --- /dev/null +++ b/testenv/Test-metalink-xml-nohash.py 
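Review bot: `mfile->checksums` is not changed by the loop header, so testing it in the `for` condition on every pass reads as a per-resource check when it is really a precondition on the whole metalink:file. A guard ahead of the loop would state the intent better, with a comment such as `/* No checksums means the download cannot be verified: skip every resource of this file. */`. The test only covers a NULL `checksums` pointer. Whether a non-NULL list holding only empty or unsupported hash entries is also rejected depends on loop code outside this hunk, so that case deserves a sentence in the comment. The loop body continues outside the hunk.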
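Review bot: Once the new block sets `retr_err = METALINK_CHKSUM_ERROR`, control falls into the existing `if (retr_err != RETROK)` branch, which logs "Failed to download %s. Skipping resource." although nothing was fetched for this file. The new message also does not say which metalink:file was rejected, which makes a multi-file run hard to triage. A format such as `_("No checksums found for %s.\n")` would fix that, with the file name passed through the same quoting the neighbouring messages use. A one-line comment above the block should record that a file without hashes is refused because its content cannot be verified, not only because the later code would crash. The function continues outside the hunk, so how `retr_err` is consumed afterwards is not visible here.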
@@ -0,0 +1,180 @@
+#!/usr/bin/env python3
+from sys import exit
+from test.http_test import HTTPTest
+from misc.wget_file import WgetFile
+import hashlib
+
+"""
+ This is to test if Metalink/XML with no hashes generates a SIGSEGV.
+
+ With --trust-server-names, trust the metalink:file names.
+
+ Without --trust-server-names, don't trust the metalink:file names:
+ use the basename of --input-metalink, and add a sequential number
+ (e.g. .#1, .#2, etc.).
+
+ Strip the directory from unsafe paths.
+"""
+############# File Definitions ###############################################
+bad = "Ouch!"
+
+File1 = "Would you like some Tea?"
+File1_lowPref = "Do not take this"
+
+File2 = "This is gonna be good"
+File2_lowPref = "Not this one too"
+File2_sha256 = hashlib.sha256 (File2.encode ('UTF-8')).hexdigest ()
+
+File3 = "A little more, please"
+File3_lowPref = "That's just too much"
+
+File4 = "Maybe a biscuit?"
+File4_lowPref = "No, thanks"
+File4_sha256 = hashlib.sha256 (File4.encode ('UTF-8')).hexdigest ()
+
+File5 = "More Tea...?"
+File5_lowPref = "I have to go..."
+
+MetaXml = \
+"""<?xml version="1.0" encoding="utf-8"?>
+<metalink version="3.0" xmlns="http://www.metalinker.org/">
+ <publisher>
+ <name>GNU Wget</name>
+ </publisher>
+ <license>
+ <name>GNU GPL</name>
+ <url>http://www.gnu.org/licenses/gpl.html</url>
+ </license>
+ <identity>Wget Test Files</identity>
+ <version>1.2.3</version>
+ <description>Wget Test Files description</description>
+ <files>
+ <file name="File1">
+ <resources>
+ <url type="http" preference="35">http://{{SRV_HOST}}:{{SRV_PORT}}/wrong_file</url>
+ <url type="http" preference="40">http://{{SRV_HOST}}:{{SRV_PORT}}/404</url>
+ <url type="http" preference="25">http://{{SRV_HOST}}:{{SRV_PORT}}/File1_lowPref</url>
+ <url type="http" preference="30">http://{{SRV_HOST}}:{{SRV_PORT}}/File1</url>
+ </resources>
+ </file>
+ <file name="File2">
+ <verification>
+ <hash type="sha256">{{FILE2_HASH}}</hash>
+ </verification>
+ <resources>
+ <url type="http" preference="35">http://{{SRV_HOST}}:{{SRV_PORT}}/wrong_file</url>
+ <url type="http" preference="40">http://{{SRV_HOST}}:{{SRV_PORT}}/404</url>
+ <url type="http" preference="25">http://{{SRV_HOST}}:{{SRV_PORT}}/File2_lowPref</url>
+ <url type="http" preference="30">http://{{SRV_HOST}}:{{SRV_PORT}}/File2</url>
+ </resources>
+ </file>
+ <file name="File3">
+ <verification>
+ </verification>
+ <resources>
+ <url type="http" preference="35">http://{{SRV_HOST}}:{{SRV_PORT}}/wrong_file</url>
+ <url type="http" preference="40">http://{{SRV_HOST}}:{{SRV_PORT}}/404</url>
+ <url type="http" preference="25">http://{{SRV_HOST}}:{{SRV_PORT}}/File3_lowPref</url>
+ <url type="http" preference="30">http://{{SRV_HOST}}:{{SRV_PORT}}/File3</url>
+ </resources>
+ </file>
+ <file name="File4">
+ <verification>
+ <hash type="sha256">{{FILE4_HASH}}</hash>
+ </verification>
+ <resources>
+ <url type="http" preference="35">http://{{SRV_HOST}}:{{SRV_PORT}}/wrong_file</url>
+ <url type="http" preference="40">http://{{SRV_HOST}}:{{SRV_PORT}}/404</url>
+ <url type="http" preference="25">http://{{SRV_HOST}}:{{SRV_PORT}}/File4_lowPref</url>
+ <url type="http" preference="30">http://{{SRV_HOST}}:{{SRV_PORT}}/File4</url>
+ </resources>
+ </file>
+ <file name="File5">
+ <verification>
+ <hash type="sha256"></hash>
+ </verification>
+ <resources>
+ <url type="http" preference="35">http://{{SRV_HOST}}:{{SRV_PORT}}/wrong_file</url>
+ <url type="http" preference="40">http://{{SRV_HOST}}:{{SRV_PORT}}/404</url>
+ <url type="http" preference="25">http://{{SRV_HOST}}:{{SRV_PORT}}/File5_lowPref</url>
+ <url type="http" preference="30">http://{{SRV_HOST}}:{{SRV_PORT}}/File5</url>
+ </resources>
+ </file>
+ </files>
+</metalink>
+"""
+
+wrong_file = WgetFile ("wrong_file", bad)
+
+File1_orig = WgetFile ("File1", File1)
+File1_nono = WgetFile ("File1_lowPref", File1_lowPref)
+
+File2_orig = WgetFile ("File2", File2)
+File2_down = WgetFile ("test.metalink.#2", File2)
+File2_nono = WgetFile ("File2_lowPref", File2_lowPref)
+
+File3_orig = WgetFile ("File3", File3)
+File3_nono = WgetFile ("File3_lowPref", File3_lowPref)
+
+File4_orig = WgetFile ("File4", File4)
+File4_down = WgetFile ("test.metalink.#4", File4)
+File4_nono = WgetFile ("File4_lowPref", File4_lowPref)
+
+File5_orig = WgetFile ("File5", File5)
+File5_nono = WgetFile ("File5_lowPref", File5_lowPref)
+
+MetaFile = WgetFile ("test.metalink", MetaXml)
+
+WGET_OPTIONS = "--input-metalink test.metalink"
+WGET_URLS = [[]]
+
+Files = [[
+ wrong_file,
+ File1_orig, File1_nono,
+ File2_orig, File2_nono,
+ File3_orig, File3_nono,
+ File4_orig, File4_nono,
+ File5_orig, File5_nono
+]]
+Existing_Files = [MetaFile]
+
+ExpectedReturnCode = 1
+ExpectedDownloadedFiles = [
+ File2_down,
+ File4_down,
+ MetaFile
+]
+
+################ Pre and Post Test Hooks #####################################
+pre_test = {
+ "ServerFiles" : Files,
+ "LocalFiles" : Existing_Files
+}
+test_options = {
+ "WgetCommands" : WGET_OPTIONS,
+ "Urls" : WGET_URLS
+}
+post_test = {
+ "ExpectedFiles" : ExpectedDownloadedFiles,
+ "ExpectedRetcode" : ExpectedReturnCode
+}
+
+http_test = HTTPTest (
+ pre_hook=pre_test,
+ test_params=test_options,
+ post_hook=post_test,
+)
+
+http_test.server_setup()
+### Get and use dynamic server sockname
+srv_host, srv_port = http_test.servers[0].server_inst.socket.getsockname ()
+
+MetaXml = MetaXml.replace('{{FILE2_HASH}}', File2_sha256)
+MetaXml = MetaXml.replace('{{FILE4_HASH}}', File4_sha256)
+MetaXml = MetaXml.replace('{{SRV_HOST}}', srv_host)
+MetaXml = MetaXml.replace('{{SRV_PORT}}', str (srv_port))
+MetaFile.content = MetaXml
+
+err = http_test.begin ()
+
+exit (err)
--
2.7.3
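Review bot: The module docstring describes `--trust-server-names` handling and stripping directories from unsafe paths, but `WGET_OPTIONS` passes only `--input-metalink test.metalink` and no file name carries a path, so most of that text appears to have been carried over from another test. It should state what is asserted here: File1 (no `<verification>`), File3 (empty `<verification>`) and File5 (empty `<hash>`) must be rejected, File2 and File4 must be saved as `test.metalink.#2` and `test.metalink.#4`, and the exit code is 1. A comment next to `ExpectedDownloadedFiles` should also say that the absence of File1, File3 and File5 is the actual regression check. That check only holds if the harness treats the list as exhaustive, which is not visible in this file.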