[pacman-dev] [PATCH] libalpm: Do a sanity check before manipulating final DB URL
Florian Pritz
bluewind at xinu.at
Thu Apr 16 19:36:54 UTC 2015
On 13.04.2015 21:33, David Macek wrote:
> diff --git a/lib/libalpm/be_sync.c b/lib/libalpm/be_sync.c
> index 20130dc..f30698e 100644
> --- a/lib/libalpm/be_sync.c
> +++ b/lib/libalpm/be_sync.c
> @@ -241,20 +241,27 @@ int SYMEXPORT alpm_db_update(int force, alpm_db_t *db)
> unlink(sigpath);
> free(sigpath);
>
> - /* if we downloaded a DB, we want the .sig from the same server -
> - this information is only available from the internal downloader */
> - if(handle->fetchcb == NULL) {
> +
> + /* check if the final URL from internal downloader looks reasonable */
> + if(final_db_url != NULL) {
> + if(strlen(final_db_url) < 3 || strcmp(final_db_url + strlen(final_db_url) - 3, ".db") != 0) {
> + final_db_url = NULL;
> + }
> + }
> +
> + /* if we downloaded a DB, we want the .sig from the same server */
> + if(final_db_url != NULL) {
> /* print final_db_url into a buffer (leave space for .sig) */
> len = strlen(final_db_url) + 5;
> } else {
> - /* print server + filename into a buffer (leave space for .sig) */
> + /* print server + filename into a buffer (leave space for .db.sig) */
> len = strlen(server) + strlen(db->treename) + 9;
Comment changed, but not the code? If you know where that + 9 comes from
it might be a good idea to replace it with strlen("whatever") which the
compile should optimize out later, but writing it this way makes the
whole thing a lot clearer.
I'll let someone else comment on the rest of the patch.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20150416/84bf9e6f/attachment.asc>
More information about the pacman-dev
mailing list