From 091f4b149eb8c70fda6aa6ddd826880bdf609a46 Mon Sep 17 00:00:00 2001 From: anthony cantor Date: Sun, 8 Mar 2015 19:27:06 -0700 Subject: [PATCH] http-tar, http-zip methods: verify checksum before handling archive Both the http-tar and http-zip methods are modified to manually verify the checksum before handling the archive. This is a security precaution and also prevents unexpected consequences from attempting to work with a corrupted archive file. The checksum verification code is factored out of el-get-post-install so that the tar and zip methods can verify using the same code as other methods. --- el-get.el | 21 +++++++++++++-------- methods/el-get-http-tar.el | 4 +++- methods/el-get-http-zip.el | 4 +++- 3 files changed, 19 insertions(+), 10 deletions(-) diff --git a/el-get.el b/el-get.el index 055197ff..1086f23a 100644 --- a/el-get.el +++ b/el-get.el @@ -513,16 +513,11 @@ PACKAGE may be either a string or the corresponding symbol." (el-get-do-init package) (run-hook-with-args 'el-get-post-install-hooks package)) -(defun el-get-post-install (package) - "Post install PACKAGE. This will get run by a sentinel." - (let* ((sync el-get-default-process-sync) - (type (el-get-package-type package)) - (hooks (el-get-method type :install-hook)) - (commands (el-get-build-commands package)) +(defun el-get-verify-checksum (package) + (let* ((type (el-get-package-type package)) (checksum (plist-get (el-get-package-def package) :checksum)) (compute-checksum (el-get-method type :compute-checksum))) - ;; check the checksum of the package here, as early as possible (when (and checksum (not compute-checksum)) (error "Checksum verification of package %s is not supported with method %s." @@ -536,7 +531,17 @@ PACKAGE may be either a string or the corresponding symbol." (error "Checksum verification failed. Required: \"%s\", actual: \"%s\"." checksum computed)) (el-get-verbose-message "el-get: pakage %s checksum is %s." - package computed)))) + package computed)))))) + +(defun el-get-post-install (package) + "Post install PACKAGE. This will get run by a sentinel." + (let* ((sync el-get-default-process-sync) + (type (el-get-package-type package)) + (hooks (el-get-method type :install-hook)) + (commands (el-get-build-commands package))) + + ;; check the checksum of the package here, as early as possible + (el-get-verify-checksum package) ;; post-install is the right place to run install-hook (run-hook-with-args hooks package) diff --git a/methods/el-get-http-tar.el b/methods/el-get-http-tar.el index d956e16e..82d57c80 100644 --- a/methods/el-get-http-tar.el +++ b/methods/el-get-http-tar.el @@ -56,7 +56,9 @@ do (if (file-directory-p fullpath) (delete-directory fullpath 'recursive) (delete-file fullpath)))) - ;; tar xzf `basename url` + ;; verify checksum before operating on untrusted data + (el-get-verify-checksum package) + ;; tar xvf `basename url` (let ((el-get-sources '(,@el-get-sources))) (el-get-start-process-list package diff --git a/methods/el-get-http-zip.el b/methods/el-get-http-zip.el index 236e8a9d..aa97210f 100644 --- a/methods/el-get-http-zip.el +++ b/methods/el-get-http-zip.el @@ -35,7 +35,9 @@ do (if (file-directory-p fullpath) (delete-directory fullpath 'recursive) (delete-file fullpath)))) - ;; zip xzf `basename url` + ;; verify checksum before operating on untrusted data + (el-get-verify-checksum package) + ;; unzip `basename url` (let ((el-get-sources '(,@el-get-sources))) (el-get-start-process-list package