[pacman-dev] [PATCH] libalpm: Do a sanity check before manipulating final DB URL

David Macek david.macek.0 at gmail.com
Mon Apr 13 19:33:36 UTC 2015 

The change in commit 9d96bed9d6b57 causes download errors for the .db.sig file
in case the final URL for the .db file contains query strings or other
unexpected stuff. This commit isn't intended to be a total solution, but it
should eliminate the problem in the most obvious cases.
---

Please comment.

Does anyone know if there's a case when the final URL doesn't end in ".db", but it's still reasonable to append ".sig" to it? Is there a case when the final URL ends with ".db.tar.xz", for example?

 lib/libalpm/be_sync.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/lib/libalpm/be_sync.c b/lib/libalpm/be_sync.c
index 20130dc..f30698e 100644
--- a/lib/libalpm/be_sync.c
+++ b/lib/libalpm/be_sync.c
@@ -241,20 +241,27 @@ int SYMEXPORT alpm_db_update(int force, alpm_db_t *db)
 			unlink(sigpath);
 			free(sigpath);
 
-			/* if we downloaded a DB, we want the .sig from the same server -
-			   this information is only available from the internal downloader */
-			if(handle->fetchcb == NULL) {
+
+			/* check if the final URL from internal downloader looks reasonable */
+			if(final_db_url != NULL) {
+				if(strlen(final_db_url) < 3 || strcmp(final_db_url + strlen(final_db_url) - 3, ".db") != 0) {
+					final_db_url = NULL;
+				}
+			}
+
+			/* if we downloaded a DB, we want the .sig from the same server */
+			if(final_db_url != NULL) {
 				/* print final_db_url into a buffer (leave space for .sig) */
 				len = strlen(final_db_url) + 5;
 			} else {
-				/* print server + filename into a buffer (leave space for .sig) */
+				/* print server + filename into a buffer (leave space for .db.sig) */
 				len = strlen(server) + strlen(db->treename) + 9;
 			}
 
 			/* TODO fix leak syncpath and umask unset */
 			MALLOC(payload.fileurl, len, RET_ERR(handle, ALPM_ERR_MEMORY, -1));
 
-			if(handle->fetchcb == NULL) {
+			if(final_db_url != NULL) {
 				snprintf(payload.fileurl, len, "%s.sig", final_db_url);
 			} else {
 				snprintf(payload.fileurl, len, "%s/%s.db.sig", server, db->treename);
-- 
2.3.5

-- 
David Macek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4234 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20150413/2c8488ce/attachment.p7s>

More information about the pacman-dev mailing list