-
-
Notifications
You must be signed in to change notification settings - Fork 6.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix issue on truncated certdata.txt file that happens sometimes #1577
Conversation
…tually completed succesfully as it has happened that the file was truncated on download and did not contain all certificates expected
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Cool. I approve of these changes, even if the directory check is highly dependent on the serving software providing that directory listing in that format, which makes this feature risking to break in a future when that change. Still I think it can serve a use until then.
But please also update docs/mk-ca-bundle.1 to describe the new option!
I think a better fix, possibly in addition to this, is to check that curl doesn't exit with a non-zero return code. This site provides Your size check is also probably better done as a |
I disagree. This to me is a bug. The server provides a content length. If there's a truncation attack CURLE_RECV_ERROR or CURLE_PARTIAL_FILE would happen. It is our mistake for not catching it. I appreciate the contribution but I'd rather we just fix the bug, I can't see any reason to allow a partial certdata. diff --git a/lib/mk-ca-bundle.pl b/lib/mk-ca-bundle.pl
index 9574f1d..cc36c76 100755
--- a/lib/mk-ca-bundle.pl
+++ b/lib/mk-ca-bundle.pl
@@ -310,7 +310,7 @@ if(!$opt_n) {
my $proto = !$opt_k ? "--proto =https" : "";
my $quiet = $opt_q ? "-s" : "";
my @out = `curl -w %{response_code} $proto $quiet -o "$txt" "$url"`;
- if(@out && $out[0] == 200) {
+ if(!$? && @out && $out[0] == 200) {
$fetched = 1;
report "Downloaded $txt";
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm changing my view on this. We should primarily check the return code .
- No longer allow partial downloads of certdata. Prior to this change partial downloads were (erroneously?) allowed since only the server code was checked to be 200. Bug: #1577 Reported-by: Matteo B.
it is possible that sometimes the certdata.txt may not be downloaded correctly, unfortunately there is no checksum available on the file as it is considered a "will always work 100%" but it's happened that the certdata.txt file was downloaded only partially and mk-ca-bundle.pl accepted the file (since it makes no check as of now) and the resulting .crt did not contain all certificates expected
"Added parameter -e to verify that the download of the certdata.txt actually completed succesfully as it has happened that the file was truncated on download and did not contain all certificates expected"