mirror of
https://github.com/dimitri/el-get.git
synced 2024-09-29 04:58:53 +08:00
http-tar, http-zip methods: verify checksum before handling archive
Both the http-tar and http-zip methods are modified to manually verify the checksum before handling the archive. This is a security precaution and also prevents unexpected consequences from attempting to work with a corrupted archive file. The checksum verification code is factored out of el-get-post-install so that the tar and zip methods can verify using the same code as other methods.
parent
4866c13964
commit
091f4b149e
21
el-get.el
21
el-get.el
|
@ -513,16 +513,11 @@ PACKAGE may be either a string or the corresponding symbol."
|
|||
(el-get-do-init package)
|
||||
(run-hook-with-args 'el-get-post-install-hooks package))
|
||||
|
||||
(defun el-get-post-install (package)
|
||||
"Post install PACKAGE. This will get run by a sentinel."
|
||||
(let* ((sync el-get-default-process-sync)
|
||||
(type (el-get-package-type package))
|
||||
(hooks (el-get-method type :install-hook))
|
||||
(commands (el-get-build-commands package))
|
||||
(defun el-get-verify-checksum (package)
|
||||
(let* ((type (el-get-package-type package))
|
||||
(checksum (plist-get (el-get-package-def package) :checksum))
|
||||
(compute-checksum (el-get-method type :compute-checksum)))
|
||||
|
||||
;; check the checksum of the package here, as early as possible
|
||||
(when (and checksum (not compute-checksum))
|
||||
(error
|
||||
"Checksum verification of package %s is not supported with method %s."
|
||||
|
@ -536,7 +531,17 @@ PACKAGE may be either a string or the corresponding symbol."
|
|||
(error "Checksum verification failed. Required: \"%s\", actual: \"%s\"."
|
||||
checksum computed))
|
||||
(el-get-verbose-message "el-get: pakage %s checksum is %s."
|
||||
package computed))))
|
||||
package computed))))))
|
||||
|
||||
(defun el-get-post-install (package)
|
||||
"Post install PACKAGE. This will get run by a sentinel."
|
||||
(let* ((sync el-get-default-process-sync)
|
||||
(type (el-get-package-type package))
|
||||
(hooks (el-get-method type :install-hook))
|
||||
(commands (el-get-build-commands package)))
|
||||
|
||||
;; check the checksum of the package here, as early as possible
|
||||
(el-get-verify-checksum package)
|
||||
|
||||
;; post-install is the right place to run install-hook
|
||||
(run-hook-with-args hooks package)
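Review bot: The new `el-get-verify-checksum` has no docstring, although after this change it is the single integrity check shared by `el-get-post-install` and the archive methods. A one-line docstring stating the contract would help callers, for example `"Verify PACKAGE against the :checksum in its recipe; signal an error on mismatch or when the method cannot compute one."`. The middle of the function lies between the two hunks, so the behaviour for a recipe without `:checksum` (apparently a silent no-op) should be confirmed and stated there as well. The verbose message moved into this function also carries the typo `pakage`, which could be corrected to `package` while the code is being touched.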
|
||||
|
|
|
@ -56,7 +56,9 @@
|
|||
do (if (file-directory-p fullpath)
|
||||
(delete-directory fullpath 'recursive)
|
||||
(delete-file fullpath))))
|
||||
;; tar xzf `basename url`
|
||||
;; verify checksum before operating on untrusted data
|
||||
(el-get-verify-checksum package)
|
||||
;; tar xvf `basename url`
|
||||
(let ((el-get-sources '(,@el-get-sources)))
|
||||
(el-get-start-process-list
|
||||
package
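Review bot: The added `(el-get-verify-checksum package)` call runs after the loop that does `delete-directory fullpath 'recursive` / `delete-file fullpath`, so a mismatch is raised only once the previously installed files appear to have been removed; the http-zip hunk below has the same ordering. Moving the call ahead of the cleanup loop would let a corrupted or tampered download fail while the old install is still intact. The start of that loop and the enclosing hook are outside the hunk, so check what the loop excludes (presumably the downloaded archive itself) before reordering. The comment could also state the limit of the check, e.g. `;; verify checksum before operating on untrusted data (no-op when the recipe has no :checksum)`, if that is indeed how the function behaves.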
|
||||
|
|
|
@ -35,7 +35,9 @@
|
|||
do (if (file-directory-p fullpath)
|
||||
(delete-directory fullpath 'recursive)
|
||||
(delete-file fullpath))))
|
||||
;; zip xzf `basename url`
|
||||
;; verify checksum before operating on untrusted data
|
||||
(el-get-verify-checksum package)
|
||||
;; unzip `basename url`
|
||||
(let ((el-get-sources '(,@el-get-sources)))
|
||||
(el-get-start-process-list
|
||||
package
|
||||
|
|