summaryrefslogtreecommitdiff
path: root/apt-pkg/contrib
Commit message (Collapse)AuthorAgeFilesLines
* Fix and avoid quoting in CommandLine::AsStringDavid Kalnischkies2017-03-191-4/+10
| | | | | | | | | | | | | | | | In the intended usecase where this serves as a hack there is no problem with double/single quotes being present as we write it to a log file only, but nowadays our calling of apt-key produces a temporary config file containing this "setting" as well and suddently quoting is important as the config file syntax is allergic to it. So the fix is to ignore all quoting whatsoever in the input and just quote (with singles) the option values with spaces. That gives us 99% of the time the correct result and the 1% where the quote is an integral element of the option … doesn't exist – or has bigger problems than a log file not containing the quote. Same goes for newlines in values. LP: #1672710
* Don't use -1 fd and AT_SYMLINK_NOFOLLOW for faccessat()Julian Andres Klode2017-02-111-1/+1
| | | | | | | | | | | | | | -1 is not an allowed value for the file descriptor, the only allowed non-file-descriptor value is AT_FDCWD. So use that instead. AT_SYMLINK_NOFOLLOW has a weird semantic: It checks whether we have the specified access on the symbolic link. It also is implemented only by glibc on Linux, so it's inherently non-portable. We should just drop it. Thanks: James Clarke for debugging these issues Reported-by: James Clarke <jrtc27@jrtc27.com>
* avoid malloc if option whitelist is disabled (default)David Kalnischkies2017-01-271-3/+8
| | | | | | | Config options are checked in various paths, so making "useless" memory allocations wastes time and can also cause problems like #852757. The unneeded malloc was added in ae73a2944a89e0d2406a2aab4a4c082e1e9da3f9. (We have no explicit malloc here – its std:string doing this internally)
* fix various typos reported by spellintianDavid Kalnischkies2017-01-197-11/+11
| | | | | | | | Most of them in (old) code comments. The two instances of user visible string changes the po files of the manpages are fixed up as well. Gbp-Dch: Ignore Reported-By: spellintian
* fix various typos reported by codespellDavid Kalnischkies2017-01-191-1/+1
| | | | | | | Nothing in user visible strings. Gbp-Dch: Ignore Reported-By: codespell
* strutl: Provide an APT::String::Join() functionJulian Andres Klode2017-01-172-0/+14
| | | | | Thanks: James Clarke <jrtc27@jrtc27.com> for the implementation Gbp-Dch: ignore
* allow warning generation for non-whitelisted optionsDavid Kalnischkies2016-12-311-1/+160
| | | | | | | | | | | | | | | The idea is simple: Each¹ Find*( call starts with a call check if the given option (with the requested type) exists in the whitelist. The whitelist is specified via our configure-index file so that we have a better chance at keeping it current. the whitelist is loaded via a special (undocumented for now) configuration stanza and if none is loaded the empty whitelist will make it so that no warnings are shown. Much needs to be done still, but that is as good a time as any to take a snapshot of the current state and release it into the wild given that it found some bugs already and has no practical effect on users. ¹ not all in this iteration, but many
* warn if clearsigned file has ignored content partsDavid Kalnischkies2016-12-311-2/+17
| | | | | | | | | | | | | Clearsigned files like InRelease, .dsc, .changes and co can potentially include unsigned or additional messages blocks ignored by gpg in verification, but a potential source of trouble in our own parsing attempts – and an unneeded risk as the usecases for the clearsigned files we deal with do not reasonably include unsigned parts (like emails or some such). This commit changes the silent ignoring to warnings for now to get an impression on how widespread unintended unsigned parts are, but eventually we want to turn these into hard errors.
* gpgv: Flush the files before checking for errorsJulian Andres Klode2016-12-081-0/+6
| | | | | | | | | | | | | | | | | | This is a follow up to the previous issue where we did not check if getline() returned -1 due to an end of file or due to an error like memory allocation, treating both as end of file. Here we ensure that we also handle buffered writes correctly by flushing the files before checking for any errors in our error stack. Buffered writes themselves were introduced in 1.1.9, but the function was never called with a buffered file from inside apt until commit 46c4043d741cb2c1d54e7f5bfaa234f1b7580f6c which was first released with apt 1.2.10. The function is public, though, so fixing this is a good idea anyway. Affected: >= 1.1.9
* SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252)Julian Andres Klode2016-12-081-1/+22
| | | | | | | | | | | | | | | | | | | | | This fixes a security issue where signatures of the InRelease files could be circumvented in a man-in-the-middle attack, giving attackers the ability to serve any packages they want to a system, in turn giving them root access. It turns out that getline() may not only return EINVAL as stated in the documentation - it might also return in case of an error when allocating memory. This fix not only adds a check that reading worked correctly, it also implicitly checks that all writes worked by reporting any other error that occurred inside the loop and was logged by apt. Affected: >= 0.9.8 Reported-By: Jann Horn <jannh@google.com> Thanks: Jann Horn, Google Project Zero for reporting the issue LP: #1647467
* report apt-key errors via status-fd messagesDavid Kalnischkies2016-11-241-10/+53
| | | | | | | | | | | | | | | | | | | | We report warnings from apt-key this way already since 29c590951f812d9e9c4f17706e34f2c3315fb1f6, so reporting errors seems like a good addition. Most of those errors aren't really from apt-key through, but from the code setting up and actually calling it which used to just print to stderr which might or might not intermix them with (other) progress lines in update calls. Having them as proper error messages in the system means that the errors are actually collected later on for the list instead of ending up with our relatively generic but in those cases bogus hint regarding "is gpgv installed?". The effective difference is minimal as the errors apply mostly to systems which have far worse problems than a not as nice looking error message, which makes this pretty hard to test – but at least now the hint that your system is broken can be read in proper order (= there aren't many valid cases in which the permissions of /tmp are messed up…). LP: #1522988
* Compare size before data when ordering cache bucket entriesJulian Andres Klode2016-11-221-0/+11
| | | | | | | This has the effect of significantly reducing actual string comparisons, and should improve the performance of FindGrp a bit, although it's hardly measureable (callgrind says it uses 10% instructions less now).
* Optimize VersionHash() to not need temporary copy of inputJulian Andres Klode2016-11-222-0/+5
| | | | | | | Stop copying stuff, and just parse the bytes one by-one to the newly created AddCRC16Byte. This improves the instruction count for an update run from 720,850,121 to 455,801,749 according to callgrind.
* Introduce tolower_ascii_unsafe() and use it for hashingJulian Andres Klode2016-11-221-0/+5
| | | | | | | This one has some obvious collisions for non-alphabetical characters, like some control characters also hashing to numbers, but we don't really have those, and these are hash functions which are not collision free to begin with.
* add TMP/TEMP/TEMPDIR to the TMPDIR DropPrivileges danceDavid Kalnischkies2016-11-111-9/+20
| | | | | | | apt tools do not really support these other variables, but tools apt calls might, so lets play save and clean those up as needed. Reported-By: Paul Wise (pabs) on IRC
* reset HOME, USER(NAME), TMPDIR & SHELL in DropPrivilegesDavid Kalnischkies2016-11-091-0/+20
| | | | | | | | | We can't cleanup the environment like e.g. sudo would do as you usually want the environment to "leak" into these helpers, but some variables like HOME should really not have still the value of the root user – it could confuse the helpers (USER) and HOME isn't accessible anyhow. Closes: 842877
* add support for Build-Depends/Conflicts-ArchJohannes Schauer2016-11-091-1/+1
| | | | | | | | | | | | | | These new enum values might cause "interesting" behaviour in tools not expecting them – like an old apt would think a Build-Conflicts-Arch is some sort of Build-Depends – but that can't reasonably be avoided and effects only packages using B-D/C-A so if there is any breakage the tools can easily be adapted. The APT_PKG_RELEASE number is increased so that libapt users can detect the availability of these new enum fields via: #if APT_PKG_ABI > 500 || (APT_PKG_ABI == 500 && APT_PKG_RELEASE >= 1) Closes: #837395
* Do not read stderr from proxy autodetection scriptsJulian Andres Klode2016-10-043-2/+11
| | | | | | | | | | | | | This fixes a regression introduced in commit 8f858d560e3b7b475c623c4e242d1edce246025a don't leak FD in AutoProxyDetect command return parsing which accidentally made the proxy autodetection code also read the scripts output on stderr, not only on stdout when it switched the code from popen() to Popen(). Reported-By: Tim Small <tim@seoss.co.uk>
* try not to call memcpy with length 0 in hash calculationsDavid Kalnischkies2016-09-018-15/+21
| | | | | | | | | | memcpy is marked as nonnull for its input, but ignores the input anyhow if the declared length is zero. Our SHA2 implementations do this as well, it was "just" MD5 and SHA1 missing, so we add the length check here as well as along the callstack as it is really pointless to do all these method calls for "nothing". Reported-By: gcc -fsanitize=undefined
* Base256ToNum: Fix uninitialized valueJulian Andres Klode2016-08-311-1/+2
| | | | | | | | | | If the inner Base256ToNum() returned false, it did not set Num to a new value, causing it to be uninitialized, and thus might have caused the function to exit despite a good result. Also document why the Res = Num, if (Res != Num) magic is done. Reported-By: valgrind
* Make directory paths configurableJulian Andres Klode2016-08-261-1/+1
| | | | | | | This allows other vendors to use different paths, or to build your own APT in /opt for testing. Note that this uses + 1 in some places, as the paths we receive are absolute, but we need to strip of the initial /.
* Use C locale instead of C.UTF-8 for protocol stringsJulian Andres Klode2016-08-261-2/+2
| | | | | | The C.UTF-8 locale is not portable, so we need to use C, otherwise we crash on other systems. We can use std::locale::classic() for that, which might also be a bit cheaper than using locale("C").
* Add missing includes and external definitionsJulian Andres Klode2016-08-261-0/+1
| | | | | | | | | | | | | | | Several modules use std::array without including the array header. Bad modules. Some modules use STDOUT_FILENO and friends, or close() without including unistd.h, where they are defined. One module also uses WIFEXITED() without including sys/wait.h. Finally, environ is not specified to be defined in unistd.h. We are required to define it ourselves according to POSIX, so let's do that.
* drop incorrect const attribute from DirectoryExistsDavid Kalnischkies2016-08-121-1/+1
| | | | | | | | | | | | | | | | | Since its existence in 2010 DirectoryExists was always marked with this attribute, but for no real reason. Arguably a check for the existence of the file is not modifying global state, so theoretically this shouldn't be a problem. It is wrong from a logical point of view through as between two calls the directory could be created so the promise we made to the compiler that it could remove the second call would be wrong, so API wise it is wrong. It's a bit mysterious that this is only observeable on ppc64el and can be fixed by reordering code ever so slightly, but in the end its more our fault for adding this attribute than the compilers fault for doing something silly based on the attribute. LP: 1473674
* fileutl: empty file support: Avoid fstat() on -1 fd and check resultJulian Andres Klode2016-08-121-2/+3
| | | | | When checking if a file is empty, we forget to check that fstat() actually worked.
* ensure a good clock() value for usage and testsDavid Kalnischkies2016-08-121-1/+1
| | | | | | | | | | | We use clock() as a very cheap way of getting a "random" value, but the manpage warns that this could return -1, so we should be dealing with this. Additionally, e.g. on hurd-i386 the value increases only slowly – to slow for our fast running tests for randomness hence producing the same range in both samples, so we introduce a simple busy-wait loop (as clock is counting processor time used by the program) in the test which delays the second sample just enough making our randomness a bit more predictable.
* Merge branch 'feature/methods'David Kalnischkies2016-08-112-0/+32
|\
| * implement socks5h proxy support for http methodDavid Kalnischkies2016-08-102-0/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Socks support is a requested feature in sofar that the internet is actually believing Acquire::socks::Proxy would exist. It doesn't and this commit isn't adding it as that isn't how our configuration works, but it allows Acquire::http::Proxy="socks5h://…". The HTTPS method was changed already to support socks proxies (all versions) via curl. This commit implements only SOCKS5 (RFC1928) with no auth or pass&user auth (RFC1929), but not GSSAPI which is required by the RFC. The 'h' in the protocol name further indicates that DNS resolution is delegated to the socks proxy rather than performed locally. The implementation works and was tested with Tor as socks proxy for which implementing socks5h only can actually be considered a feature. Closes: 744934
* | allow user@host (aka: no password) in URI parsingDavid Kalnischkies2016-08-101-7/+9
|/ | | | If the URI had no password the username was ignored
* ExecGPGV: Pass current config state to apt-key via temp fileJulian Andres Klode2016-08-031-0/+23
| | | | | | | Create a temporary configuration file with a dump of our configuration and pass that to apt-key. LP: #1607283
* ExecGPGV: Fork in all casesJulian Andres Klode2016-08-031-43/+34
|
* ExecGPGV: Rework file removal on exit()Julian Andres Klode2016-08-031-28/+23
| | | | Create a local exiter object which cleans up files on exit.
* gpgv: Unlink the correct temp file in error caseJulian Andres Klode2016-08-031-4/+4
| | | | | Previously, when data could be created and sig not, we would unlink sig, not data (and vice versa).
* if the FileFd failed already following calls should fail, tooDavid Kalnischkies2016-07-291-8/+10
| | | | | | There is no point in trying to perform Write/Read on a FileFd which already failed as they aren't going to work as expected, so we should make sure that they fail early on and hard.
* (error) va_list 'args' was opened but not closed by va_end()David Kalnischkies2016-07-272-28/+24
| | | | | Reported-By: cppcheck Gbp-Dch: Ignore
* call flush on the wrapped writebuffered FileFdDavid Kalnischkies2016-07-231-2/+1
| | | | | | | The flush call is a no-op in most FileFd implementations so this isn't as critical as it might sound as the only non-trivial implementation is in the buffered writer, which tends not be used to buffer another buffer…
* ensure Cnf::FindFile doesn't return files below /dev/nullDavid Kalnischkies2016-07-193-9/+22
| | | | | | | Very unlikely, but if the parent is /dev/null, the child empty and the grandchild a value we returned /dev/null/value which doesn't exist, so hardly a problem, but for best operability we should be consistent in our work and return /dev/null always.
* don't change owner/perms/times through file:// symlinksDavid Kalnischkies2016-07-061-1/+4
| | | | | | | | | | | | | If we have files in partial/ from a previous invocation or similar such those could be symlinks created by file:// sources. The code is expecting only real files through and happily changes owner, modification times and permission on the file the symlink points to which tend to be files we have no business in touching in this way. Permissions of symlinks shouldn't be changed, changing owner is usually pointless to, but just to be sure we pick the easy way out and use lchown, check for symlinks before chmod/utimes. Reported-By: Mattia Rizzolo on IRC
* give a descriptive error for pipe tries with 'false'David Kalnischkies2016-07-051-0/+3
| | | | | | | | | | | | | | If libapt has builtin support for a compression type it will create a dummy compressor struct with the Binary set to 'false' as it will catch these before using the generic pipe implementation which uses the Binary. The catching happens based on configured Names through, so you can actually force apt to use the external binaries even if it would usually use the builtin support. That logic fails through if you don't happen to have these external binaries installed as it will fallback to calling 'false', which will end in confusing 'Write error's. So, this is again something you only encounter in constructed testing. Gbp-Dch: Ignore
* use +0000 instead of UTC by default as timezone in outputDavid Kalnischkies2016-07-022-2/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | All apt versions support numeric as well as 3-character timezones just fine and its actually hard to write code which doesn't "accidently" accepts it. So why change? Documenting the Date/Valid-Until fields in the Release file is easy to do in terms of referencing the datetime format used e.g. in the Debian changelogs (policy §4.4). This format specifies only the numeric timezones through, not the nowadays obsolete 3-character ones, so in the interest of least surprise we should use the same format even through it carries a small risk of regression in other clients (which encounter repositories created with apt-ftparchive). In case it is really regressing in practice, the hidden option -o APT::FTPArchive::Release::NumericTimezone=0 can be used to go back to good old UTC as timezone. The EDSP and EIPP protocols use this 'new' format, the text interface used to communicate with the acquire methods does not for compatibility reasons even if none of our methods would be effected and I doubt any other would (in these instances the timezone is 'GMT' as that is what HTTP/1.1 requires). Note that this is only true for apt talking to methods, (libapt-based) methods talking to apt will respond with the 'new' format. It is therefore strongly adviced to support both also in method input.
* don't do atomic overrides with failed filesDavid Kalnischkies2016-06-291-1/+1
| | | | | | | | We deploy atomic renames for some files, but these renames also happen if something about the file failed which isn't really the point of the exercise… Closes: 828908
* Revert "travis: use gcc-5 instead of gcc(-4.8)"David Kalnischkies2016-06-291-1/+4
| | | | | | | | | | | | | | | This reverts commit 2b8221d66a8284042fc53c7bbb14bb9750e9137f. Avoiding the use of GCC >= 5 stuff lets use go back to 4.8 simplifying the travis setup again as well as reducing the backport requirements in general. This is possible because the std::get_time use requiring GCC >= 5 in 9febc2b238e1e322dce1f94ecbed46d595893b52 was replaced by handrolling it in 1d742e01470bba27715a8191c50adde4b39c2f19, so the remaining uses are just small conviniences we can do without. Gbp-Dch: Ignore
* imbue datetime parsing with C.UTF-8 localeDavid Kalnischkies2016-06-251-0/+2
| | | | | | | | | | | | | | | | | | | Rewritten in 9febc2b238e1e322dce1f94ecbed46d595893b52 for c++ locales usage and rewritten again in 1d742e01470bba27715a8191c50adde4b39c2f19 to avoid a currently present stdlibc++6 bug in the std::get_time implementation. The later implementation uses still stringstreams for parsing, but forgot to explicitly reset the locale to something sane (for parsing english dates that is), so date and especially the parsing of a number is depending on the locale. Turns out, the French (among others) format their numbers with space as thousand separator so for some reason the stdlibc++6 thinks its a good idea to interpret the entire datetime string as a single number instead of realizing that in "25 Jun …" the later parts can't reasonably be part of that number even through there are spaces there… Workaround is hence: LC_NUMERIC=C.UTF-8 Closes: 828011
* implement and document DIRECT for auto-detect-proxyDavid Kalnischkies2016-06-201-6/+13
| | | | | | | There is a subtile difference between an empty setting and "DIRECT" in the configuration as the later overrides the generic settings while the earlier does not. Also, non-zero exitcodes should really be reported as an error rather than silently discarded.
* do not error if auto-detect-proxy cmd has no outputDavid Kalnischkies2016-06-201-1/+1
| | | | | | | | | | | Regression introduced in 8f858d560e3b7b475c623c4e242d1edce246025a. Commands are probably better of always having output through as the fall through to the generic proxy settings is likely not intended. As documenting and implementing this more consistently is kind of a regression through, it is split off into the next commit. Closes: 827713
* avoid std::get_time usage to sidestep libstdc++6 bugDavid Kalnischkies2016-06-171-36/+77
| | | | | | | | | | | | | | | | As reported upstream in https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71556 the implementation of std::get_time is currently not as accepting as strptime is, especially in how hours should be formatted. Just reverting 9febc2b238e1e322dce1f94ecbed46d595893b52 would be possible, but then we would reopen the problems fixed by it, so instead I opted here for a rewrite of the parsing logic which makes this method a lot longer, but at least it provides the same benefits as the rewrite in std::get_time was intended to give us and decouples us from the fix of the issue in the standard library implementation of GCC. LP: 1593583
* don't use FindFile for external Dir::Bin commandsDavid Kalnischkies2016-06-141-1/+1
| | | | | | | | | | We usually use absolute paths to specific the location of dpkg, apt-key and the like, but there is nothing wrong with using just the command name and instead let exec(3) make the lookup in PATH. We had a wild mixture before, so opting for the more accepting option out of the two seems about right especially as it makes no difference in the default case as apt uses absolute paths.
* don't leak FD in AutoProxyDetect command return parsingDavid Kalnischkies2016-06-101-35/+20
| | | | | Just closing the fd would be enough, but while we are at it we can also use the Popen interface to have an easier time with this.
* don't leak an FD in lz4 (de)compressionDavid Kalnischkies2016-06-101-1/+6
| | | | | Seen first in #826783, but as this buglog also shows leaked uncompressed files as well we don't close it just yet.
* do not hang on piped input in PipedFileFdPrivateDavid Kalnischkies2016-06-101-0/+5
| | | | | This effects only compressors configured on the fly (rather then the inbuilt ones as they use a library).