Send patches - preferably formatted by git format-patch - to patches at archlinux32 dot org.
summaryrefslogtreecommitdiff
path: root/lib/libalpm/dload.c
AgeCommit message (Collapse)Author
2019-03-01Sanitize file name received from Content-Disposition headerAndrew Gregory
When installing a remote package with "pacman -U <url>", pacman renames the downloaded package file to match the name given in the Content-Disposition header. However, pacman does not sanitize this name, which may contain slashes, before calling rename(). A malicious server (or a network MitM if downloading over HTTP) can send a content-disposition header to make pacman place the file anywhere in the filesystem, potentially leading to arbitrary root code execution. Notably, this bypasses pacman's package signature checking. For example, a malicious package-hosting server (or a network man-in-the-middle, if downloading over HTTP) could serve the following header: Content-Disposition: filename=../../../../../../usr/share/libalpm/hooks/evil.hook and pacman would move the downloaded file to /usr/share/libalpm/hooks/evil.hook. This invocation of "pacman -U" would later fail, unable to find the downloaded package in the cache directory, but the hook file would remain in place. The commands in the malicious hook would then be run (as root) the next time any package is installed. Discovered-by: Adam Suhl <asuhl@mit.edu> Signed-off-by: Allan McRae <allan@archlinux.org>
2019-02-07libalpm: prevent 301 redirect loop from hanging the processMark Ulrich
If a mirror responds with a 301 redirect to itself, it will create an infinite redirect loop. This will cause pacman to hang, unresponsive to even a SIGINT. The result is pacman being unable to sync or download any package from a particular repo if its current mirror is stuck in a redirect loop. Setting libcurl's MAXREDIRS option effectively prevents a redirect loop from hanging the process. Signed-off-by: Mark Ulrich <mark.ulrich.86@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-10-17alpm: Fix SIGINT handling re: aborting downloadOlivier Brunel
Upon receiving SIGINT a flag is set to abort the (curl) download. However, since it was never reset/initialized, if a front-end doesn't actually exit on SIGINT, and later tries any operation that needs to perform a new download, said download would always get aborted right away due to the flag not having been reset.
2018-10-17alpm: Do not raise SIGINT when filesize goes over limitOlivier Brunel
Variable dload_interrupted is used both to abort a download because SIGINT was caught, and when a file limit is reached. But raising SIGINT is only meant to happen in the first case. Signed-off-by: Olivier Brunel <jjk@jjacky.com>
2018-08-10libalpm/dload.c: add case for CURLE_COULDNT_RESOLVE_HOSTMichael Straube
Add a case for curl error 'Could not resolve host'. An attempt to fix FS#48285. Signed-off-by: Michael Straube <straubem@gmx.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-06-18libalpm/dload.c: fix filename in license headerMichael Straube
The filename in the license header did not match the actual filename as in the other files. Hopefully this is not too nit-picky. Signed-off-by: Michael Straube <straubem@gmx.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-05-14Remove all modelines from the projectEli Schwartz
Many of these are pointless (e.g. there is no need to explicitly turn on spellchecking and language dictionaries for the manpages by default). The only useful modelines are the ones enforcing the project coding standards for indentation style (and "maybe" filetype/syntax, but everything except the asciidoc manpages and makepkg.conf is already autodetected), and indent style can be applied more easily with .editorconfig Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-03-14Update coyrights for 2018Allan McRae
make update-copyright OLD=2017 NEW=201 Signed-off-by: Allan McRae <allan@archlinux.org>
2018-01-06dload: ensure callback is always initialized onceAndrew Gregory
Frontends rely on an initialization call for setup between downloads. Checking for intialization after checking for a completed download can skip initialization in cases where files are small enough to be downloaded all at once (FS#56408). Relying on previous download size can result in multiple initializations if there are multiple non-transfer events prior to the download starting (fS#56468). Introduce a new cb_initialized variable to the payload struct and use it to ensure that the callback is initialized exactly once prior to any actual events. Fixes FS#56408, FS#56468 Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-13Introduce a 'disable-download-timeout' optionChristian Hesse
Add command line option ('--disable-download-timeout') and config file option ('DisableDownloadTimeout') to disable defaults for low speed limit and timeout on downloads. Use this if you have issues downloading files with proxy and/or security gateway. Signed-off-by: Christian Hesse <mail@eworm.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04alpm_fetch_pkgurl: fix memory leakAllan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04dload: s/CURLOPT_WRITEHEADER/CURLOPT_HEADERDATA/Dave Reisner
The former is really old, and should be avoided. Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04Update copyright yearsAllan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2016-12-05Parametrise the different ways in which the payload is resetMartin Kühne
In FS#43434, Downloads which fail and are restarted on a different server will resume and may display a negative download speed. The payload's progress in libalpm was not properly reset which ultimately caused terminal noise because the line width calculation assumes positive download speeds. This patch fixes the incomplete reset of the payload by mimicing what be_sync.c:alpm_db_update() does over in sync.c:download_single_file(). The new dload.c:_alpm_dload_payload_reset_for_retry() extends beyond the current behavior by updating initial_size and prevprogress for this case. This makes pacman reset the progress properly in the next invocation of the callback and display positive download speeds. Fixes FS#43434. Signed-off-by: Martin Kühne <mysatyre@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2016-12-05dload: use curl's keepalive mechanismDave Reisner
This does exactly the same thing as it code it replaces, but punt to curl to do it for brevity. Requires curl 7.25.0, which we already cover. Signed-off-by: Allan McRae <allan@archlinux.org>
2016-10-22Add ALPM_ERR_OK to _alpm_errno_tIvy Foster
This allows functions which return an _alpm_errno_t to always return a genuine _alpm_errno_t for consistency, even in cases where there are no errors. Since ALPM_ERR_OK = 0, their callers can still simply check 'err = some_fn(); if (!err) { ... }'. Signed-off-by: Ivy Foster <ivy.foster@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2016-08-31Replace CURLOPT_PROGRESSFUNCTION with CURLOPT_XFERINFOFUNCTIONIvy Foster
Curl 7.32.0 added CURLOPT_XFERINFOFUNCTION, which deprecates CURLOPT_PROGRESSFUNCTION and means less casting doubles to size_ts for alpm. This change has no user-facing nor frontend-facing effects. Signed-off-by: Ivy Foster <ivy.foster@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2016-08-30Normalize alpm download callback's frontend cb argumentsIvy Foster
When curl calls alpm's dlcb, alpm calls the frontend's cb with the following (dlsize, totalsize) arguments: 0, -1: initialize 0, 0: no change since last call x {x>0, x<y}, y {y>0}: data downloaded, total size known x {x>0}, x: download finished If total size is not known, do not call frontend cb (no change to original behavior); alpm's callback shouldn't be called if there is a download error. See agregory's original spec here: https://wiki.archlinux.org/index.php/User:Apg#download_callback Signed-off-by: Allan McRae <allan@archlinux.org>
2016-01-04Update copyright years for 2016Allan McRae
make update-copyright OLD=2015 NEW=2016 Signed-off-by: Allan McRae <allan@archlinux.org>
2015-11-11Use correct format specifiersRikard Falkeborn
Signed-off-by: Allan McRae <allan@archlinux.org>
2015-02-01Update copyright notices for 2015Allan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2014-12-24create_tempfile: fix memory leak on errorAllan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2014-10-19dload: mark final_url as constChristian Hesse
Signed-off-by: Allan McRae <allan@archlinux.org>
2014-10-16dload: unlink file on filesize exceeded errorChristian Hesse
On filesize exceeded error pacman leaves a .part file in cache dir, resulting in this error on next try: error: failed to commit transaction (wrong or NULL argument passed) Errors occurred, no packages were upgraded. Unlink the file on error to avoid this.
2014-10-16dload: use better error message on exceeded file sizeChristian Hesse
Signed-off-by: Allan McRae <allan@archlinux.org>
2014-10-02alpm: Fix wrong xferred/total sizes when resuming downloadsOlivier Brunel
When a package is already partially downloaded in the cache, its download size will only be of what's left to be downloaded. Since pkg->download_size is what's used when calculating the total download size for the totaldl callback, same thing apply. However, the download progress callback was including this initial size, which would thus lead to invalid values (and percentage) used in frontends. That is, the progress bar could e.g. go further than 100% In the case of pacman, there is a sanity check for different historical reason (44a57c89), so before the possible "overflow" was noticed, the total download size/progress reported was wrong. Once caught, the TotalDownload option was ignored and it would use individual file download values as fallback instead. Signed-off-by: Olivier Brunel <jjk@jjacky.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2014-08-04filecache_find_url: dereference the 'filebase' pointerRyo Munakata
Signed-off-by: Ryo Munakata <ryomnktml@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2014-05-22dload: avoid using CURLOPT_FAILONERRORDave Reisner
Use of this flag causes connections to be closed on 404s -- a common occurrence when your config sets DatabaseOptional. Handle the error gracefully, so that the connection can be reused. Signed-off-by: Dave Reisner <dreisner@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
2014-01-28Remove ts and sw from vim modeline when noet is setFlorian Pritz
Forcing vim users to view files with a tabstop of 2 seems really unnecessary when noet is set. I find it much easier to read code with ts=4 and I dislike having to override the modeline by hand. Command run: find . -type f -exec sed -i '/vim.* noet/s# ts=2 sw=2##' {} + Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Allan McRae <allan@archlinux.org>
2014-01-06Update copyright years for 2014Allan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2013-12-19dload: allow curl to response to any auth challengeDave Reisner
Previously, we only allowed the default of responding to basic auth challenges. Mirrors requiring authorization are far and away the edge case, but there's no sense in preventing access to them. Implements FS#38184. Signed-off-by: Dave Reisner <dreisner@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
2013-11-15Fix whitespace and other formatting issuesJason St. John
This commit: -- replaces space-based indents with tabs per the coding standards -- removes extraneous whitespace (e.g. extra spaces between function args) -- adds missing braces for a one-line if statement Signed-off-by: Jason St. John <jstjohn@purdue.edu>
2013-11-08Remove spaces between the opening "if" and the opening parenthesisJason St. John
Signed-off-by: Jason St. John <jstjohn@purdue.edu> Signed-off-by: Allan McRae <allan@archlinux.org>
2013-09-18dload: avoid renaming files downloaded via sync operationsChristian Hesse
If the server redirects from ${repo}.db to ${repo}.db.tar.gz pacman gets this wrong: It saves to new filename and fails when accessing ${repo}.db. We need the remote filename only when downloading remote files with pacman's -U operation. This introduces a new field 'trust_remote_name' to payload. If set pacman downloads to the filename given by the server. The field trust_remote_name is set in alpm_fetch_pkgurl(). Fixes FS#36791 ([pacman] downloads to wrong filename with redirect). [dave: remove redundant assignment leading to memory leak] Signed-off-by: Allan McRae <allan@archlinux.org>
2013-08-21Do not refer to FlySpray numbersAllan McRae
These references to bug numbers assume we will forever be using that bug tracker. It is better to properly comment the code instead (which was done in almost all cases anyway). Signed-off-by: Allan McRae <allan@archlinux.org>
2013-07-22Hide unused parameter warnings when building without libcurlAllan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2013-07-05do not check error from close(2)Dave Reisner
On operating systems we support, the behavior is always such that the kernel will do the right thing as far as invalidating the file descriptor, regardless of the eventual return value. Therefore, potentially looping and calling close multiple times is wrong. At best, we call close again on an invalid FD and throw a spurious EBADF error. At worst, we might close an FD which doesn't belong to us when a multi-threaded application opens its own file descriptor between iterations of the loop. Signed-off-by: Dave Reisner <dreisner@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
2013-02-24dload: don't download sig if package is found in cacheDave Reisner
Avoids the segfault seen in FS#33911. Signed-off-by: Dave Reisner <dreisner@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
2013-01-29dload: pass back the effective URL to callers of _alpm_downloadDave Reisner
I suspect that eventually we're going to end up returning a pointer to an allocated struct to describe the download result, but that's for another patch when the need arises... Fixes FS#33508. Signed-off-by: Dave Reisner <dreisner@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
2013-01-29Relax requirement of what constitutes a dead connectionLANGLOIS Olivier PIS -EXT
Users have hit issues behind corporate firewalls that initially throttle downloads to ~1B/sec. Signed-off-by: Olivier Langlois < olivier.pis.langlois@transport.alstom.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2013-01-17dload: avoid showing progress bars on some redirectsDave Reisner
RFC 2616 doesn't forbid a 301 or 302 repsonse from having a body, and servers exist in the wild that show this behavior. In order to prevent pacman from showing a progress bar when we aren't actually downloading a package (and merely following one of these pain in the butt redirects), capture the server response code in the response header, rather than waiting to peel it off the handle after the download has finished. Signed-off-by: Dave Reisner <dreisner@archlinux.org> Reported-by: Alexandre Filgueira <alexfilgueira@cinnarch.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2013-01-03Update copyright year for 2013Allan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2012-12-14Plug various minor memory leaksAndrew Gregory
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2012-05-20fix -Wshadow warnings as reported by gcc 4.4.3Dave Reisner
Apparently gcc 4.7 has decided that -Wshadow warnings aren't worth reporting anymore even with the flag enabled. These were found on an Ubuntu 10.04 install. Signed-off-by: Dave Reisner <dreisner@archlinux.org> Signed-off-by: Dan McGee <dan@archlinux.org>
2012-04-12Merge branch 'maint'Dan McGee
2012-04-09Fix issues with unintialized variable value usageDan McGee
Detected by clang scan-build static code analyzer. * Don't attempt to free an uninitialized gpgme key variable * Initialize answer variable before asking frontend a question * Pass by reference instead of value if uninitialized fields are possible in download signal handler code * Ensure we never call strlen() on NULL payload->remote_name value Signed-off-by: Dan McGee <dan@archlinux.org>
2012-03-16Merge branch 'maint'Dan McGee
Conflicts: lib/libalpm/sync.c
2012-03-14dload: reset payload filename members before downloadDave Reisner
To avoid conflicts on reusing a payload after a failed download, ensure that we reset the filename hints in the payload struct prior to the download operation. Signed-off-by: Dave Reisner <dreisner@archlinux.org> Signed-off-by: Dan McGee <dan@archlinux.org>
2012-02-20Merge branch 'maint'Dan McGee
Conflicts: contrib/pacsysclean.in src/pacman/conf.h
2012-02-20Print error message when to-be-downloaded file cannot be createdNagy Gabor
It can happen that the to-be-downloaded file cannot be created in cachedir. For example, I am an -Sup user, and it is comfortable to set --cachedir to /mnt/pendrive, which is a FAT filesystem, so files like capseo-1:0.3-2-i686.pkg.tar.xz cannot be downloaded to there. Before this patch, pacman didn't give clear output about what happens when the download code could not create the necessary file. This can be confusing with -Su. An example output: *** $ sudo pacman -S capseo bochs --cachedir /c/TEMP resolving dependencies... looking for inter-conflicts... Targets (2): bochs-2.4.6-1 capseo-1:0.3-2 Total Download Size: 0.61 MiB Total Installed Size: 2.61 MiB Proceed with installation? [Y/n] :: Retrieving packages from extra... warning: failed to retrieve some files from extra bochs-2.4.6-1-i686 611.5 KiB 118K/s 00:05 [------------------] 97% error: failed to commit transaction (unexpected error) Errors occurred, no packages were upgraded. *** After the patch, pacman will give more informative error message (and pm_errno is set properly): *** error: could not open file '/c/TEMP/capseo-1:0.3-2-i686.pkg.tar.xz.part': Invalid argument error: failed to commit transaction (failed to retrieve some files) *** Unfortunately, the "could not open file" error message is printed for every mirror (that can be dozens of lines), which is ugly, but at least informative... Without modifying the download logic (for example, by introducing -2 return value for _alpm_download() to indicate giving up), this ugliness cannot be eliminated. Signed-off-by: Nagy Gabor <ngaba@bibl.u-szeged.hu> Signed-off-by: Dan McGee <dan@archlinux.org>