[PATCH] download: handle possibly invalid local tarballs

Thu, 19 Nov 2020 13:27:36 -0800 

Currently it's assumed, that already downloaded tarballs are always
fine, so no checksum checking is performed and the tarball is used even
if it might be corrupted.

From now on, we're going to always check the downloaded tarballs before
considering them valid.

Steps to reproduce:

 1. remove cached tarball

   rm dl/libubox-2020-08-06-9e52171d.tar.xz

 2. download valid tarball again

   make package/libubox/download

 3. invalidate the tarball

   sed -i 's/PKG_MIRROR_HASH:=../PKG_MIRROR_HASH:=ff/' 
package/libs/libubox/Makefile

 4. now compile with corrupt tarball source

   make package/libubox/{clean,compile}

Signed-off-by: Petr Štetiar <yn...@true.cz>
---
 include/download.mk |  2 +-
 scripts/download.pl | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/include/download.mk b/include/download.mk
index d393bf390716..7c2de929d347 100644
--- a/include/download.mk
+++ b/include/download.mk
@@ -317,7 +317,7 @@ define Download
   )
   download: $(DL_DIR)/$(FILE)
 
-  $(DL_DIR)/$(FILE):
+  $(DL_DIR)/$(FILE): FORCE
        mkdir -p $(DL_DIR)
        $(call locked, \
                $(if $(DownloadMethod/$(call dl_method,$(URL),$(PROTO))), \
diff --git a/scripts/download.pl b/scripts/download.pl
index cdccae133f49..b51c8f1127e8 100755
--- a/scripts/download.pl
+++ b/scripts/download.pl
@@ -261,6 +261,24 @@ foreach my $mirror (@ARGV) {
 push @mirrors, 'https://sources.openwrt.org';
 push @mirrors, 'https://mirror2.openwrt.org/sources';
 
+if (-f "$target/$filename") {
+       $hash_cmd and do {
+               if (system("cat '$target/$filename' | $hash_cmd > 
'$target/$filename.hash'")) {
+                       die "Failed to generate hash for $filename\n";
+               }
+
+               my $sum = `cat "$target/$filename.hash"`;
+               $sum =~ /^(\w+)\s*/ or die "Could not generate file hash\n";
+               $sum = $1;
+
+               exit 0 if $sum eq $file_hash;
+
+               die "Hash of the local file $filename does not match (file: 
$sum, requested: $file_hash) - deleting download.\n";
+               unlink "$target/$filename";
+               cleanup();
+       };
+}
+
 while (!-f "$target/$filename") {
        my $mirror = shift @mirrors;
        $mirror or die "No more mirrors to try - giving up.\n";

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Reply via email to