download: handle possibly invalid local tarballs
authorPetr Štetiar <ynezz@true.cz>
Thu, 19 Nov 2020 15:32:46 +0000 (16:32 +0100)
committerPetr Štetiar <ynezz@true.cz>
Sat, 5 Dec 2020 19:50:19 +0000 (20:50 +0100)
Currently it's assumed, that already downloaded tarballs are always
fine, so no checksum checking is performed and the tarball is used even
if it might be corrupted.

From now on, we're going to always check the downloaded tarballs before
considering them valid.

Steps to reproduce:

 1. Remove cached tarball

   rm dl/libubox-2020-08-06-9e52171d.tar.xz

 2. Download valid tarball again

   make package/libubox/download

 3. Invalidate the tarball

   sed -i 's/PKG_MIRROR_HASH:=../PKG_MIRROR_HASH:=ff/' package/libs/libubox/Makefile

 4. Now compile with corrupt tarball source

   make package/libubox/{clean,compile}

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 4e19cbc553350b8146985367ba46514cf50e3393)

include/host-build.mk
include/package.mk
scripts/download.pl

index 827ea6bbfb1be72e38309de3fe48435e3aa8172f..79a9b1f8d605ca48e41001ad0177ca53c7e84fb9 100644 (file)
@@ -184,6 +184,8 @@ ifndef DUMP
     clean-build: host-clean-build
   endif
 
+  $(DL_DIR)/$(FILE): FORCE
+
   $(_host_target)host-prepare: $(HOST_STAMP_PREPARED)
   $(_host_target)host-configure: $(HOST_STAMP_CONFIGURED)
   $(_host_target)host-compile: $(HOST_STAMP_BUILT) $(HOST_STAMP_INSTALLED)
index c541f6edf7a967bb317c87b8a5c63ce98cb0673a..f6aa5ea8d03d0f51a08b74019bf30b12b027ad96 100644 (file)
@@ -185,6 +185,8 @@ define Build/CoreTargets
   $(call Build/Autoclean)
   $(call DefaultTargets)
 
+  $(DL_DIR)/$(FILE): FORCE
+
   download:
        $(foreach hook,$(Hooks/Download),
                $(call $(hook))$(sep)
index 5739c20ceae992d70f45e072861baa538eb797e8..c1623bf91fe01b3096a710e72f3167bd9e242163 100755 (executable)
@@ -263,6 +263,24 @@ foreach my $mirror (@ARGV) {
 push @mirrors, 'https://sources.openwrt.org';
 push @mirrors, 'https://mirror2.openwrt.org/sources';
 
+if (-f "$target/$filename") {
+       $hash_cmd and do {
+               if (system("cat '$target/$filename' | $hash_cmd > '$target/$filename.hash'")) {
+                       die "Failed to generate hash for $filename\n";
+               }
+
+               my $sum = `cat "$target/$filename.hash"`;
+               $sum =~ /^(\w+)\s*/ or die "Could not generate file hash\n";
+               $sum = $1;
+
+               exit 0 if $sum eq $file_hash;
+
+               die "Hash of the local file $filename does not match (file: $sum, requested: $file_hash) - deleting download.\n";
+               unlink "$target/$filename";
+               cleanup();
+       };
+}
+
 while (!-f "$target/$filename") {
        my $mirror = shift @mirrors;
        $mirror or die "No more mirrors to try - giving up.\n";