From 61ce2ca1bbf4f8042c77e50a37297003bdebd01d Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Fri, 2 Dec 2011 09:49:30 +0100 Subject: contrib/paclist: Add "--help" command line parameter Be consistent with all other contrib scripts and support the "--help" command line switch. Fixes FS#27258. Signed-off-by: Lukas Fleischer Signed-off-by: Dan McGee --- contrib/paclist.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/paclist.in b/contrib/paclist.in index 84144f78..06b06f2c 100755 --- a/contrib/paclist.in +++ b/contrib/paclist.in @@ -27,7 +27,7 @@ if ! type gettext &>/dev/null; then } fi -if [[ -z $1 ]]; then +if [[ -z $1 || $1 = -@(h|-help) ]]; then printf '%s - List all packages installed from a given repo\n' "${0##*/}" printf 'Usage: %s \n' "${0##*/}" printf 'Example: %s testing\n' "${0##*/}" -- cgit v1.2.3 From d85d0ddcfeab6212a588e50529744277f0ca48bb Mon Sep 17 00:00:00 2001 From: Dan McGee Date: Mon, 5 Dec 2011 10:06:12 -0600 Subject: Enforce signature download size limit on -U operations We had a 16 KiB limit on database signatures, we should do the same here too to have a slight sanity check, even if we can't do so for the package itself yet. Signed-off-by: Dan McGee --- lib/libalpm/dload.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/libalpm/dload.c b/lib/libalpm/dload.c index efd469d5..29285903 100644 --- a/lib/libalpm/dload.c +++ b/lib/libalpm/dload.c @@ -604,6 +604,9 @@ char SYMEXPORT *alpm_fetch_pkgurl(alpm_handle_t *handle, const char *url) payload.force = 1; payload.errors_ok = (handle->siglevel & ALPM_SIG_PACKAGE_OPTIONAL); + /* set hard upper limit of 16KiB */ + payload.max_size = 16 * 1024; + ret = _alpm_download(&payload, cachedir, &sig_final_file); if(ret == -1 && !payload.errors_ok) { _alpm_log(handle, ALPM_LOG_WARNING, -- cgit v1.2.3 From 17e0be9e6a5ed1cf5611e23d3c9debd0a3248077 Mon Sep 17 00:00:00 2001 From: Dan McGee Date: Mon, 5 Dec 2011 10:07:40 -0600 Subject: repo-add: enforce maximum .sig file size This prevents user error in adding a file generated via `gpg --sign` rather than `--detach-sign`, for example. The same 16KiB limit is used we use in our pacman download code. The section is moved above the checksum generation to avoid presenting info messages to the user if the signature isn't valid. Addresses a shortcoming pointed out in FS#27453. Signed-off-by: Dan McGee --- scripts/repo-add.sh.in | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index 5e1d7702..4708086c 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -245,7 +245,7 @@ db_write_entry() { local pkgfile="$1" local -a _groups _licenses _replaces _depends _conflicts _provides _optdepends local pkgname pkgver pkgdesc csize size url arch builddate packager \ - md5sum sha256sum pgpsig + md5sum sha256sum pgpsig pgpsigsize # read info from the zipped package local line var val @@ -284,6 +284,17 @@ db_write_entry() { fi fi + # compute base64'd PGP signature + if [[ -f "$pkgfile.sig" ]]; then + pgpsigsize=$(@SIZECMD@ "$pkgfile.sig") + if (( pgpsigsize > 16384 )); then + error "$(gettext "Invalid package signature file '%s'.")" "$pkgfile.sig" + return 1 + fi + msg2 "$(gettext "Adding package signature...")" + pgpsig=$(openssl base64 -in "$pkgfile.sig" | tr -d '\n') + fi + csize=$(@SIZECMD@ "$pkgfile") # compute checksums @@ -293,12 +304,6 @@ db_write_entry() { sha256sum="$(openssl dgst -sha256 "$pkgfile")" sha256sum="${sha256sum##* }" - # compute base64'd PGP signature - if [[ -f "$pkgfile.sig" ]]; then - msg2 "$(gettext "Adding package signature...")" - pgpsig=$(openssl base64 -in "$pkgfile.sig" | tr -d '\n') - fi - # remove an existing entry if it exists, ignore failures db_remove_entry "$pkgname" -- cgit v1.2.3 From 6a1d3948a670184f01a697efe55b91b4ccdcb51d Mon Sep 17 00:00:00 2001 From: Dan McGee Date: Mon, 5 Dec 2011 23:20:08 -0600 Subject: Use correct size in memset We were using the size of a pointer, not the size of the whole archive_read_buffer struct. Thanks to Clang/LLVM 3.0 and Allan/Dave in IRC for finding this one. Signed-off-by: Dan McGee --- lib/libalpm/util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/libalpm/util.c b/lib/libalpm/util.c index c89f3c9c..ad15d937 100644 --- a/lib/libalpm/util.c +++ b/lib/libalpm/util.c @@ -1000,7 +1000,7 @@ cleanup: { int ret = b->ret; FREE(b->line); - memset(b, 0, sizeof(b)); + memset(b, 0, sizeof(struct archive_read_buffer)); return ret; } } -- cgit v1.2.3