[PATCH] download: handle possibly invalid local tarballs

Petr Štetiar ynezz at true.cz
Thu Nov 19 16:20:50 EST 2020


Currently it's assumed that already downloaded tarballs are always
fine, so no checksum checking is performed and the tarball is used even
if it might be corrupted.

From now on, we're going to always check the downloaded tarballs before
considering them valid.

Steps to reproduce:

 1. remove cached tarball

   rm dl/libubox-2020-08-06-9e52171d.tar.xz

 2. download valid tarball again

   make package/libubox/download

 3. invalidate the tarball

   sed -i 's/PKG_MIRROR_HASH:=../PKG_MIRROR_HASH:=ff/' package/libs/libubox/Makefile

 4. now compile with corrupt tarball source

   make package/libubox/{clean,compile}

Signed-off-by: Petr Štetiar <ynezz at true.cz>
---
 include/download.mk |  2 +-
 scripts/download.pl | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/include/download.mk b/include/download.mk
index d393bf390716..7c2de929d347 100644
--- a/include/download.mk
+++ b/include/download.mk
@@ -317,7 +317,7 @@ define Download
   )
   download: $(DL_DIR)/$(FILE)
 
-  $(DL_DIR)/$(FILE):
+  $(DL_DIR)/$(FILE): FORCE
 	mkdir -p $(DL_DIR)
 	$(call locked, \
 		$(if $(DownloadMethod/$(call dl_method,$(URL),$(PROTO))), \
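Review bot: Adding `FORCE` to `$(DL_DIR)/$(FILE)` makes the recipe run on every build, so it stays cheap only if the selected download method verifies the cached file and returns early. The recipe's `$(if $(DownloadMethod/...` branch continues outside the hunk, so it is not visible whether every method reaches the new check in `scripts/download.pl`; a method that does not would presumably re-fetch the source each time. A short comment near the rule would record the intent, e.g. `# FORCE: always re-run so a cached file is re-verified against its hash`, and the non-default methods are worth confirming.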
diff --git a/scripts/download.pl b/scripts/download.pl
index cdccae133f49..b51c8f1127e8 100755
--- a/scripts/download.pl
+++ b/scripts/download.pl
@@ -261,6 +261,24 @@ foreach my $mirror (@ARGV) {
 push @mirrors, 'https://sources.openwrt.org';
 push @mirrors, 'https://mirror2.openwrt.org/sources';
 
+if (-f "$target/$filename") {
+	$hash_cmd and do {
+		if (system("cat '$target/$filename' | $hash_cmd > '$target/$filename.hash'")) {
+			die "Failed to generate hash for $filename\n";
+		}
+
+		my $sum = `cat "$target/$filename.hash"`;
+		$sum =~ /^(\w+)\s*/ or die "Could not generate file hash\n";
+		$sum = $1;
+
+		exit 0 if $sum eq $file_hash;
+
+		die "Hash of the local file $filename does not match (file: $sum, requested: $file_hash) - deleting download.\n";
+		unlink "$target/$filename";
+		cleanup();
+	};
+}
+
 while (!-f "$target/$filename") {
 	my $mirror = shift @mirrors;
 	$mirror or die "No more mirrors to try - giving up.\n";
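Review bot: In the mismatch path, `die` runs before `unlink "$target/$filename";` and `cleanup();`, so both are unreachable: the message says "deleting download", but the bad tarball stays in the cache and the mirror loop below is never reached. Move the two calls above the `die`, or delete first and change `die` to `warn` so that `while (!-f "$target/$filename")` fetches a fresh copy. The early `exit 0` on a match also skips `cleanup()`, which presumably leaves `$filename.hash` behind in `$target`. Separately, `$target/$filename` is interpolated into a shell string for `system` and the backticks, so a quote character in the name would break the quoting; a list-form pipe open for the hash command would avoid the shell. The `while` loop continues outside the hunk.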


