summaryrefslogtreecommitdiff
path: root/methods
Commit message (Collapse)AuthorAgeFilesLines
* keep trying with next if connection to a SRV host failedDavid Kalnischkies2016-07-061-7/+23
| | | | | | | | | | | | Instead of only trying the first host we get via SRV, we try them all as we are supposed to and if that isn't working we try to connect to the host itself as if we hadn't seen any SRV records. This was already the intend of the old code, but it failed to hide earlier problems for the next call, which would unconditionally fail then resulting in an all around failure to connect. With proper stacking we can also keep the error messages of each call around (and in the order tried) so if the entire connection fails we can report all the things we have tried while we discard the entire stack if something works out in the end.
* report all instead of first error up the acquire chainDavid Kalnischkies2016-07-061-1/+7
| | | | | | | If we don't give a specific error to report up it is likely that all error currently in the error stack are equally important, so reporting just one could turn out to be confusing e.g. if name resolution failed in a SRV record list.
* don't change owner/perms/times through file:// symlinksDavid Kalnischkies2016-07-063-21/+35
| | | | | | | | | | | | | If we have files in partial/ from a previous invocation or similar such those could be symlinks created by file:// sources. The code is expecting only real files through and happily changes owner, modification times and permission on the file the symlink points to which tend to be files we have no business in touching in this way. Permissions of symlinks shouldn't be changed, changing owner is usually pointless to, but just to be sure we pick the easy way out and use lchown, check for symlinks before chmod/utimes. Reported-By: Mattia Rizzolo on IRC
* avoid 416 response teardown binding to null pointerDavid Kalnischkies2016-07-054-10/+12
| | | | | | | | | | methods/http.cc:640:13: runtime error: reference binding to null pointer of type 'struct FileFd' This reference is never used in the cases it has a nullptr, so the practical difference is non-existent, but its a bug still. Reported-By: gcc -fsanitize=undefined
* use +0000 instead of UTC by default as timezone in outputDavid Kalnischkies2016-07-022-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | All apt versions support numeric as well as 3-character timezones just fine and its actually hard to write code which doesn't "accidently" accepts it. So why change? Documenting the Date/Valid-Until fields in the Release file is easy to do in terms of referencing the datetime format used e.g. in the Debian changelogs (policy §4.4). This format specifies only the numeric timezones through, not the nowadays obsolete 3-character ones, so in the interest of least surprise we should use the same format even through it carries a small risk of regression in other clients (which encounter repositories created with apt-ftparchive). In case it is really regressing in practice, the hidden option -o APT::FTPArchive::Release::NumericTimezone=0 can be used to go back to good old UTC as timezone. The EDSP and EIPP protocols use this 'new' format, the text interface used to communicate with the acquire methods does not for compatibility reasons even if none of our methods would be effected and I doubt any other would (in these instances the timezone is 'GMT' as that is what HTTP/1.1 requires). Note that this is only true for apt talking to methods, (libapt-based) methods talking to apt will respond with the 'new' format. It is therefore strongly adviced to support both also in method input.
* close server if parsing of header field failedDavid Kalnischkies2016-06-271-0/+1
| | | | | | Seen in #828011 if we fail to parse a header field like Last-Modified we end up interpreting the data as response header for coming requests in case we don't rotate to a new server in DNS rotation.
* methods/ftp: Cope with weird PASV responsesJulian Andres Klode2016-06-271-2/+15
| | | | | | | | | | | | wu-ftpd sends the response without parens, whereas we expect them. I did not test the patch, but it should work. I added another return true if Pos is still npos after the second find to make sure we don't add npos to the string. Thanks: Lukasz Stelmach for the initial patch Closes: #420940
* http: don't hang on redirect with length + connection closeDavid Kalnischkies2016-06-151-4/+4
| | | | | | | | Most servers who close the connection do not send a content-length as this is redundant information usually, but some might and while testing with our server and with 'aptwebserver::response-header::Connection' set to 'close' I noticed that http hangs after a redirect in such cases, so if we have the information, just use it instead of discarding it.
* ignore std::locale exeception on non-existent "" localeDavid Kalnischkies2016-06-021-1/+5
| | | | | | | | In 8b79c94af7f7cf2e5e5342294bc6e5a908cacabf changing to usage of C++ way of setting the locale causes us to be terminated in case of usage of an ungenerated locale as LC_ALL (or similar) – but we don't want to fail here, we just want to carry on as before with setlocale which we call in that case just for good measure.
* use std::locale::global instead of setlocaleDavid Kalnischkies2016-05-2820-77/+24
| | | | | | We use a wild mixture of C and C++ ways of generating output, so having a consistent world-view in both styles sounds like a good idea and should help in preventing regressions.
* prevent C++ locale number formatting in text APIsDavid Kalnischkies2016-05-272-3/+3
| | | | | | | | | | | Setting the C++ locale via std::locale::global(std::locale("")); which would otherwise default to the default C locale (aka: unaffected by setlocale) effects the formatting of numeric types in IO streams, which for output for humans is perfectly sensible, but breaks our many text interfaces used and parsed by us and others without expecting the numbers to be formatted. Closes: #825396
* gpgv: show always webportal error on NODATADavid Kalnischkies2016-05-081-12/+21
| | | | | | | | | | | | | | | | | gpg doesn't give use a UID on NODATA, which we were "expecting" (but not using for anything), but just an error number. Instead of collecting these as badsigners which will trigger a "invald signature" error with remarks like "NODATA 1" we instead adapt a message similar to the NODATA error of a clearsigned file (which is actually not reached anymore as we split them up, which fails with a NOSPLIT error, which uses the same general error message). In other words: Not a security relevant change, just a user experience improvement as we now point them to the most likely cause of the problem instead of saying "invalid signature" which would point them in the direction of the archive being broken (for everyone) instead. Closes: 823746
* support multiple fingerprints in signed-byDavid Kalnischkies2016-05-011-13/+17
| | | | | A keyring file can include multiple keys, so its only fair for transitions and such to support multiple fingerprints as well.
* gpgv: cleanup statusfd parsing a bitDavid Kalnischkies2016-05-011-57/+45
| | | | | | | | | | | We parse the messages we receive into two big categories: Most of the messages have a keyid as well as a userid and as they are errors we want to show the userids as well. The other category is also errors, but have no userid (like NO_PUBKEY). Explicitly expressing this in code should make it a bit easier to look at and it also help in dropping additional fields or just the newline at the end consistently. Git-Dch: Ignore
* don't show NO_PUBKEY warning if repo is signed by another keyDavid Kalnischkies2016-05-011-4/+4
| | | | | | | | | | | | | | | Daniel Kahn Gillmor highlights in the bugreport that security isn't improving by having the user import additional keys – especially as importing keys securely is hard. The bugreport was initially about dropping the warning to a notice, but in given the previously mentioned observation and the fact that we weren't printing a warning (or a notice) for expired or revoked keys providing a signature we drop it completely as the code to display a message if this was the only key is in another path – and is considered critical. Closes: 618445
* gpgv: handle expired sig as worthlessDavid Kalnischkies2016-05-011-0/+7
| | | | | | | Signatures on data can have an expiration date, too, which we hadn't handled previously explicitly (no problem – gpg still has a non-zero exit code so apt notices the invalid signature) so the error message wasn't as helpful as it could be (aka mentioning the key signing it).
* gpgv: use EXPKEYSIG instead of KEYEXPIREDDavid Kalnischkies2016-05-011-3/+3
| | | | | | The upstream documentation says about KEYEXPIRED: "This status line is not very useful". Indeed, it doesn't mention which key is expired, and suggests to use the other message which does.
* refactored no_proxy code to work regardless of where https proxy is setPatrick Cable2016-04-271-6/+6
| | | | | | | | when using the https transport mechanism, $no_proxy is ignored if apt is getting it's proxy information from $https_proxy (as opposed to Acquire::https::Proxy somewhere in apt config). if the source of proxy information is Acquire::https::Proxy set in apt.conf (or apt.conf.d), then $no_proxy is honored.
* don't ask server if we have entire file in partial/David Kalnischkies2016-04-251-24/+54
| | | | | | | | | | | | We have this situation in cases were parts of the transaction are refused (e.g. in a hashsum mismatch) and rerun the update (e.g. in the hope that we get a mirror which is synced this time). Previously we would ask the server with an if-range and in the best case recieve a 416 in response (less featureful server might end up giving us the entire file again or we get the wrong file this time giving us a hashsum mismatch…), which is a waste of time if we know already by checking the hashsums that we got the complete and correct file.
* allow uncompressed files to be empty in store againDavid Kalnischkies2016-04-141-1/+1
| | | | | | | With the previous fix for file applied we can again hit repositories which contain uncompressed empty files, which since the introduction of the central store: method wasn't accounted for anymore as we forbid empty compressed files.
* fix Alt-Filename handling of file methodDavid Kalnischkies2016-04-141-1/+1
| | | | | | | | | | A silly of-by-one error in the stripping of the extension to check for the uncompressed filename broken in an attempt to support all compressions in commit a09f6eb8fc67cd2d836019f448f18580396185e5. Fixing this highlights also mistakes in the handling of the Alt-Filename in libapt which would cause apt to remove the file from the repository (if root has the needed rights – aka the disk isn't readonly or similar)
* Allow lowering trust level of a hash via configJulian Andres Klode2016-03-281-12/+12
| | | | | | Introduces APT::Hashes::<NAME> with entries Untrusted and Weak which can be set to true to cause the hash to be treated as untrusted and/or weak.
* handle gpgv's weak-digests ERRSIGDavid Kalnischkies2016-03-221-7/+50
| | | | | | | | | | | Our own gpgv method can declare a digest algorithm as untrusted and handles these as worthless signatures. If gpgv comes with inbuilt untrusted (which is called weak in official terminology) which it e.g. does for MD5 in recent versions we should handle it in the same way. To check this we use the most uncommon still fully trusted hash as a configureable one via a hidden config option to toggle through all of the three states a hash can be in.
* properly check for "all good sigs are weak"David Kalnischkies2016-03-211-9/+14
| | | | | | | | | | Using erase(pos) is invalid in our case here as pos must be a valid and derefenceable iterator, which isn't the case for an end-iterator (like if we had no good signature). The problem runs deeper still through as VALIDSIG is a keyid while GOODSIG is just a longid so comparing them will always fail. Closes: 818910
* Make the weak signature message less ambigiousJulian Andres Klode2016-03-161-1/+1
| | | | | | | | There was a complaint that, in the previous message, the key fingerprint could be mistaken for a SHA1 digest due to the (SHA1) after it. Gbp-Dch: ignore
* methods/gpgv: Rewrite error handling and messageJulian Andres Klode2016-03-161-19/+50
| | | | | | | This should be easy to extend in the future and allow us to simplify the error handling cases somewhat. Thanks: Ron Lee for wording suggestions
* methods/gpgv: Warn about SHA1 (and RIPEMD-160)Julian Andres Klode2016-03-151-3/+29
| | | | | | | We will drop support for those in the future. Also adjust the std::array to be a std::vector, as that's easier to maintain.
* apt-pkg/acquire-worker.cc: Introduce 104 Warning messageJulian Andres Klode2016-03-151-0/+8
| | | | | | | | | This can be used by workers to send warnings to the main program. The messages will be passed to _error->Warning() by APT with the URI prepended. We are not going to make that really public now, as the interface might change a bit.
* methods/gpgv: Correctly handle weak signatures with multiple keysJulian Andres Klode2016-03-151-1/+6
| | | | | | | | | | | | We added weak signatures to BadSigners, meaning that a Release file signed by both a weak signature and a strong signature would be rejected; preventing people from migrating from DSA to RSA keys in a sane way. Instead of using BadSigners, treat weak signatures like expired keys: They are no good signatures, and they are worthless. Gbp-Dch: ignore
* methods/gpgv: Reject weak digest algorithmsJulian Andres Klode2016-03-141-0/+16
| | | | | This keeps a list of weak digest algorithms. For now, only MD5 is disabled, as SHA1 breaks to many repos.
* Revert "Handle ERRSIG in the gpgv method like BADSIG"Julian Andres Klode2016-03-141-7/+0
| | | | | | | | This reverts commit 76a71a1237d22c1990efbc19ce0e02aacf572576. That commit broke the test suite. Gbp-Dch: ignore
* Handle ERRSIG in the gpgv method like BADSIGJulian Andres Klode2016-03-141-0/+7
| | | | | | | | | | | | ERRSIG is created whenever a key uses an unknown/weak digest algorithm, for example. This allows us to report a more useful error than just "unknown apt-key error.": The following signatures were invalid: ERRSIG 13B00F1FD2C19886 1 2 01 1457609403 5 While still not being the best reportable error message, it's better than unknown apt-key error and hopefully redirects users to complain to their repository owners.
* rred: If there were I/O errors, failJulian Andres Klode2016-02-041-0/+5
| | | | | We basically ignored errors from writing and flushing, let's not do that.
* act on various suggestions from cppcheckDavid Kalnischkies2016-01-262-1/+6
| | | | | Reported-By: cppcheck Git-Dch: Ignore
* Only enable pipelining if server is HTTP/1.1Julian Andres Klode2016-01-122-1/+10
| | | | | | | Just enabling it for anyone breaks with HTTP/1.0 servers and proxies sometimes. Closes: #810796
* allow pdiff bootstrap from all supported compressorsDavid Kalnischkies2016-01-081-2/+2
| | | | | | | There is no reason to enforce that the file we start the bootstrap with is compressed with a compressor which is available online. This allows us to change the on-disk format as well as deals with repositories adding/removing support for a specific compressor.
* use one 'store' method to rule all (de)compressorsDavid Kalnischkies2016-01-082-37/+45
| | | | | | | | | | | Adding a new compressor method meant adding a new method as well – even if that boilt down to just linking to our generalized decompressor with a new name. That is unneeded busywork if we can instead just call the generalized decompressor and let it figure out which compressor to use based on the filenames rather than by program name. For compatibility we ship still 'gzip', 'bzip2' and co, but they are just links to our "new" 'store' method.
* rred: Run in parallelJulian Andres Klode2016-01-071-1/+1
| | | | | Remove the SingleInstance flag so we can use the new randomized queue feature to run parallel.
* Do not remove a not working SrvRecords server twiceMichael Vogt2016-01-051-3/+1
| | | | | | | The PopFromSrvRecs() already removed the entry from the active list, so the extra SrvRecords.erase() was incorrect. Git-Dch: ignore
* rred: Use buffered writesJulian Andres Klode2015-12-271-3/+7
| | | | | Buffered writes improve performance a lot, given that we spent about 78% of the time in _write.
* rred: Only call pkgInitConfig() in test modeJulian Andres Klode2015-12-271-2/+2
| | | | | | | This accidentally slipped in in a previous commit, but it should be used only for testing mode. Reported-By: David Kalnischkies <david@kalnischkies.de>
* Convert most callers of isspace() to isspace_ascii()Julian Andres Klode2015-12-273-2/+5
| | | | | This converts all callers that read machine-generated data, callers that might work with user input are not converted.
* rred: Allow passing files as arguments for compressor testingJulian Andres Klode2015-12-261-2/+14
| | | | | | | | This introduces a -t mode in which the first argument is input, the second is output and the remaining are diffs. This allows us to test patching compressed files, which are detected using their file extension.
* disable privilege dropping for rsh/ssh method by defaultDavid Kalnischkies2015-11-281-0/+4
| | | | | | | | | ssh expects various configuration bits to be usable like known hosts, possibly keys and co. Setting this up needs some user work for probably not a whole lot of benefits, so instead of forcing it upon users on upgrade disable dropping for it by default. Closes: 806511
* fix program name detection in rsh methodDavid Kalnischkies2015-11-282-6/+6
| | | | Regression intoduced in 23e64f6d0facf9610c1042326ad9850e071e8349
* ignore lost+found in private directory cleanupDavid Kalnischkies2015-11-191-0/+1
| | | | | | | | | | In ce1f3a2c we started warning about failing unlinking, which we consistently do for directories. That isn't a problem as directories usually aren't in the places we do want to clean up – with the potential exeception of "lost+found", so lets ignore it like we ignore our own partial/ subdirectory. Closes: 805424
* activate AI_IDN by default to support IDN domainsDavid Kalnischkies2015-11-051-0/+2
| | | | | | | AI_IDN is a glibc extension, but we can worry about this at the time actually anyone is seriously trying apt on non-glibc systems. Closes: 763437
* apply various suggestions made by cppcheckDavid Kalnischkies2015-11-057-12/+10
| | | | | Reported-By: cppcheck Git-Dch: Ignore
* allow acquire method specific options via Binary scopeDavid Kalnischkies2015-11-0512-109/+65
| | | | | | | | Allows users who know what they are getting themselves into with this trick to e.g. disable privilege dropping for e.g. file:// until they can fix up the permissions on those repositories. It helps also the test framework and people with a similar setup (= me) to run in less modified environments.
* drop privileges in copy:// method as we do for file://David Kalnischkies2015-11-053-38/+54
| | | | | | | | | | | Continueing on the track of dropping privileges in all methods, lets drop it in copy, too, as the reasoning for it is very similar to file and the interaction between the too quiet interesting as copy kinda surfed as a fallback for file not being able to read the file. Both now show a better error message as well as it was previously claiming to have a hashsum mismatch, given that it couldn't read the file. Git-Dch: Ignore