@smira smira commented May 22, 2017

Fixes #376

Description of the Change

aptly was using a naive (and incorrect) way to match checksums for index files in Release with the index files which are going to be downloaded.

The master version is using a simple suffix match against the URL, in random order of match (if multiple entries match).

This fix brings two changes:

  • longest suffix wins
  • URL is split into base part (which is never matched) and relative part (which is being matched).

Checklist

  • unit-test added (if change is algorithm)
  • functional test added/updated (if change is functional)
  • man page updated (if applicable)
  • bash completion updated (if applicable)
  • documentation updated
  • author name in AUTHORS

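The matching rules above, as an added example (not aptly's own code): `ChecksumInfo`, the Release entries and the mirror URL are constructed stand-ins, and the three-way ambiguity is built in to show why matching the full URL with no tie-break picked an arbitrary entry.

```go
package main

import (
	"fmt"
	"strings"
)

// ChecksumInfo is one line of a Release file's checksum section (constructed
// stand-in for aptly's own type): path relative to dists/<suite>/, size, hash.
type ChecksumInfo struct {
	Path   string
	Size   int64
	SHA256 string
}

// naiveMatches reproduces the pre-fix behaviour the PR describes: every entry
// whose path is a suffix of the full URL is a candidate, with no tie-break.
func naiveMatches(fullURL string, entries []ChecksumInfo) []ChecksumInfo {
	var hits []ChecksumInfo
	for _, e := range entries {
		if strings.HasSuffix(fullURL, e.Path) {
			hits = append(hits, e)
		}
	}
	return hits
}

// relativePath strips the repository base URL, so the base part is never
// matched against Release entries (returns fullURL unchanged if no prefix).
func relativePath(baseURL, fullURL string) string {
	return strings.TrimPrefix(fullURL, baseURL)
}

// fixedMatch implements the two rules from the PR: only the relative path is
// matched, and when several entries match, the longest suffix wins.
func fixedMatch(relPath string, entries []ChecksumInfo) (ChecksumInfo, bool) {
	best, found := ChecksumInfo{}, false
	for _, e := range entries {
		if strings.HasSuffix(relPath, e.Path) && (!found || len(e.Path) > len(best.Path)) {
			best, found = e, true
		}
	}
	return best, found
}

func main() {
	base := "http://mirror.example/debian/dists/stable/" // constructed mirror
	url := base + "main/binary-amd64/Packages.gz"
	entries := []ChecksumInfo{ // constructed Release entries
		{"main/binary-amd64/Packages.gz", 1200, "aaaa"},
		{"binary-amd64/Packages.gz", 900, "bbbb"},              // shorter suffix
		{"stable/main/binary-amd64/Packages.gz", 5000, "cccc"}, // overlaps the base URL
	}
	fmt.Println(len(naiveMatches(url, entries))) // 3 candidates, arbitrary winner
	e, _ := fixedMatch(relativePath(base, url), entries)
	fmt.Println(e.Path, e.Size) // main/binary-amd64/Packages.gz 1200
}
```

The third entry only matches because its path overlaps the base URL, which is the "wrong part of the Release file" case the commit message mentions; splitting off the base removes it from consideration entirely.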
@smira smira added the 1.1.0 label May 22, 2017
@smira smira force-pushed the 376-checksum-search-fix branch from 6a5275f to 348cb10 May 22, 2017 22:53
smira added 3 commits May 23, 2017 03:00
Break up URL into base part and relative path. Match checksum against relative path
and never against full URL.

This might be fixing a security issue if aptly was incorrectly matching against the
wrong part of the Release file.
@smira smira force-pushed the 376-checksum-search-fix branch from 348cb10 to f54e798 May 23, 2017 00:00
@smira smira merged commit 0d04189 into master May 23, 2017
@smira smira deleted the 376-checksum-search-fix branch May 23, 2017 18:53

Successfully merging this pull request may close these issues.

Size check mismatch errors on certain mirror updates
