On 13.04.2015 21:33, David Macek wrote:
diff --git a/lib/libalpm/be_sync.c b/lib/libalpm/be_sync.c
index 20130dc..f30698e 100644
--- a/lib/libalpm/be_sync.c
+++ b/lib/libalpm/be_sync.c
@@ -241,20 +241,27 @@ int SYMEXPORT alpm_db_update(int force, alpm_db_t *db)
 unlink(sigpath);
 free(sigpath);
- /* if we downloaded a DB, we want the .sig from the same server
- - this information is only available from the internal downloader */
- if(handle->fetchcb == NULL) {
+
+ /* check if the final URL from internal downloader looks reasonable */
+ if(final_db_url != NULL) {
+ if(strlen(final_db_url) < 3 || strcmp(final_db_url + strlen(final_db_url) - 3, ".db") != 0) {
+ final_db_url = NULL;
+ }
+ }
+
+ /* if we downloaded a DB, we want the .sig from the same server */
+ if(final_db_url != NULL) {
 /* print final_db_url into a buffer (leave space for .sig) */
 len = strlen(final_db_url) + 5;
 } else {
- /* print server + filename into a buffer (leave space for .sig) */
+ /* print server + filename into a buffer (leave space for .db.sig) */
 len = strlen(server) + strlen(db->treename) + 9;
Comment changed, but not the code? If you know where that + 9 comes from, it might be a good idea to replace it with strlen("whatever"), which the compiler should optimize out later; writing it this way makes the whole thing a lot clearer. I'll let someone else comment on the rest of the patch.