http-tar, http-zip methods: verify checksum before handling archive

Both the http-tar and http-zip methods are modified to manually verify the checksum before handling the archive. This is a security precaution and also prevents unexpected consequences from attempting to work with a corrupted archive file. The checksum verification code is factored out of el-get-post-install so that the tar and zip methods can verify using the same code as other methods.
2024-09-29 04:58:53 +08:00 · 2015-03-08 19:27:06 -07:00 · 2015-03-08 19:27:06 -07:00 · 091f4b149e
commit 091f4b149e
parent 4866c13964
3 changed files with 19 additions and 10 deletions
--- a/el-get.el
+++ b/el-get.el
@ -513,16 +513,11 @@ PACKAGE may be either a string or the corresponding symbol."
  (el-get-do-init package)
  (run-hook-with-args 'el-get-post-install-hooks package))

-(defun el-get-post-install (package)
-  "Post install PACKAGE. This will get run by a sentinel."
-  (let* ((sync             el-get-default-process-sync)
-         (type             (el-get-package-type package))
-         (hooks            (el-get-method type :install-hook))
-         (commands         (el-get-build-commands package))
+(defun el-get-verify-checksum (package)
+  (let* ((type             (el-get-package-type package))
         (checksum         (plist-get (el-get-package-def package) :checksum))
         (compute-checksum (el-get-method type :compute-checksum)))

-    ;; check the checksum of the package here, as early as possible
    (when (and checksum (not compute-checksum))
      (error
       "Checksum verification of package %s is not supported with method %s."
@ -536,7 +531,17 @@ PACKAGE may be either a string or the corresponding symbol."
              (error "Checksum verification failed. Required: \"%s\", actual: \"%s\"."
                     checksum computed))
          (el-get-verbose-message "el-get: pakage %s checksum is %s."
-                                  package computed))))
+                                  package computed))))))
+
+(defun el-get-post-install (package)
+  "Post install PACKAGE. This will get run by a sentinel."
+  (let* ((sync             el-get-default-process-sync)
+         (type             (el-get-package-type package))
+         (hooks            (el-get-method type :install-hook))
+         (commands         (el-get-build-commands package)))
+
+    ;; check the checksum of the package here, as early as possible
+    (el-get-verify-checksum package)

    ;; post-install is the right place to run install-hook
    (run-hook-with-args hooks package)
--- a/methods/el-get-http-tar.el
+++ b/methods/el-get-http-tar.el
@ -56,7 +56,9 @@
                          do (if (file-directory-p fullpath)
                                 (delete-directory fullpath 'recursive)
                               (delete-file fullpath))))
-                  ;; tar xzf `basename url`
+                  ;; verify checksum before operating on untrusted data
+                  (el-get-verify-checksum package)
+                  ;; tar xvf `basename url`
                  (let ((el-get-sources '(,@el-get-sources)))
                    (el-get-start-process-list
                     package
--- a/methods/el-get-http-zip.el
+++ b/methods/el-get-http-zip.el
@ -35,7 +35,9 @@
                          do (if (file-directory-p fullpath)
                                 (delete-directory fullpath 'recursive)
                               (delete-file fullpath))))
-                  ;; zip xzf `basename url`
+                  ;; verify checksum before operating on untrusted data
+                  (el-get-verify-checksum package)
+                  ;; unzip `basename url`
                  (let ((el-get-sources '(,@el-get-sources)))
                    (el-get-start-process-list
                     package