From 4e19cbc553350b8146985367ba46514cf50e3393 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Petr=20=C5=A0tetiar?= Date: Thu, 19 Nov 2020 16:32:46 +0100 Subject: [PATCH] download: handle possibly invalid local tarballs MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Currently it's assumed, that already downloaded tarballs are always fine, so no checksum checking is performed and the tarball is used even if it might be corrupted. From now on, we're going to always check the downloaded tarballs before considering them valid. Steps to reproduce: 1. Remove cached tarball rm dl/libubox-2020-08-06-9e52171d.tar.xz 2. Download valid tarball again make package/libubox/download 3. Invalidate the tarball sed -i 's/PKG_MIRROR_HASH:=../PKG_MIRROR_HASH:=ff/' package/libs/libubox/Makefile 4. Now compile with corrupt tarball source make package/libubox/{clean,compile} Signed-off-by: Petr Å tetiar --- include/host-build.mk | 2 ++ include/package.mk | 2 ++ scripts/download.pl | 18 ++++++++++++++++++ 3 files changed, 22 insertions(+) diff --git a/include/host-build.mk b/include/host-build.mk index 7d84ab0f5fc..4ac14051811 100644 --- a/include/host-build.mk +++ b/include/host-build.mk @@ -186,6 +186,8 @@ ifndef DUMP clean-build: host-clean-build endif + $(DL_DIR)/$(FILE): FORCE + $(_host_target)host-prepare: $(HOST_STAMP_PREPARED) $(_host_target)host-configure: $(HOST_STAMP_CONFIGURED) $(_host_target)host-compile: $(HOST_STAMP_BUILT) $(HOST_STAMP_INSTALLED) diff --git a/include/package.mk b/include/package.mk index 50bd838180d..5eb4460db86 100644 --- a/include/package.mk +++ b/include/package.mk @@ -189,6 +189,8 @@ define Build/CoreTargets $(call Build/Autoclean) $(call DefaultTargets) + $(DL_DIR)/$(FILE): FORCE + download: $(foreach hook,$(Hooks/Download), $(call $(hook))$(sep) diff --git a/scripts/download.pl b/scripts/download.pl index 351b06a08b2..2d87f47f842 100755 --- a/scripts/download.pl +++ b/scripts/download.pl @@ -262,6 +262,24 @@ foreach my $mirror (@ARGV) { push @mirrors, 'https://sources.openwrt.org'; push @mirrors, 'https://mirror2.openwrt.org/sources'; +if (-f "$target/$filename") { + $hash_cmd and do { + if (system("cat '$target/$filename' | $hash_cmd > '$target/$filename.hash'")) { + die "Failed to generate hash for $filename\n"; + } + + my $sum = `cat "$target/$filename.hash"`; + $sum =~ /^(\w+)\s*/ or die "Could not generate file hash\n"; + $sum = $1; + + exit 0 if $sum eq $file_hash; + + die "Hash of the local file $filename does not match (file: $sum, requested: $file_hash) - deleting download.\n"; + unlink "$target/$filename"; + cleanup(); + }; +} + while (!-f "$target/$filename") { my $mirror = shift @mirrors; $mirror or die "No more mirrors to try - giving up.\n"; -- 2.30.2