http-tar, http-zip methods: verify checksum before handling archive

Both the http-tar and http-zip methods are modified to manually verify the checksum before handling the archive. This is a security precaution and also prevents unexpected consequences from attempting to work with a corrupted archive file. The checksum verification code is factored out of el-get-post-install so that the tar and zip methods can verify using the same code as other methods.
dimitri · Mar 9, 2015 · 091f4b1 · 091f4b1
1 parent 4866c13
commit 091f4b1
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 10 deletions.
diff --git a/el-get.el b/el-get.el
@@ -513,16 +513,11 @@ PACKAGE may be either a string or the corresponding symbol."
   (el-get-do-init package)
   (run-hook-with-args 'el-get-post-install-hooks package))
 
-(defun el-get-post-install (package)
-  "Post install PACKAGE. This will get run by a sentinel."
-  (let* ((sync             el-get-default-process-sync)
-         (type             (el-get-package-type package))
-         (hooks            (el-get-method type :install-hook))
-         (commands         (el-get-build-commands package))
+(defun el-get-verify-checksum (package)
+  (let* ((type             (el-get-package-type package))
          (checksum         (plist-get (el-get-package-def package) :checksum))
          (compute-checksum (el-get-method type :compute-checksum)))
 
-    ;; check the checksum of the package here, as early as possible
     (when (and checksum (not compute-checksum))
       (error
        "Checksum verification of package %s is not supported with method %s."
@@ -536,7 +531,17 @@ PACKAGE may be either a string or the corresponding symbol."
               (error "Checksum verification failed. Required: \"%s\", actual: \"%s\"."
                      checksum computed))
           (el-get-verbose-message "el-get: pakage %s checksum is %s."
-                                  package computed))))
+                                  package computed))))))
+
+(defun el-get-post-install (package)
+  "Post install PACKAGE. This will get run by a sentinel."
+  (let* ((sync             el-get-default-process-sync)
+         (type             (el-get-package-type package))
+         (hooks            (el-get-method type :install-hook))
+         (commands         (el-get-build-commands package)))
+
+    ;; check the checksum of the package here, as early as possible
+    (el-get-verify-checksum package)
 
     ;; post-install is the right place to run install-hook
     (run-hook-with-args hooks package)

diff --git a/methods/el-get-http-tar.el b/methods/el-get-http-tar.el
@@ -56,7 +56,9 @@
                           do (if (file-directory-p fullpath)
                                  (delete-directory fullpath 'recursive)
                                (delete-file fullpath))))
-                  ;; tar xzf `basename url`
+                  ;; verify checksum before operating on untrusted data
+                  (el-get-verify-checksum package)
+                  ;; tar xvf `basename url`
                   (let ((el-get-sources '(,@el-get-sources)))
                     (el-get-start-process-list
                      package

diff --git a/methods/el-get-http-zip.el b/methods/el-get-http-zip.el
@@ -35,7 +35,9 @@
                           do (if (file-directory-p fullpath)
                                  (delete-directory fullpath 'recursive)
                                (delete-file fullpath))))
-                  ;; zip xzf `basename url`
+                  ;; verify checksum before operating on untrusted data
+                  (el-get-verify-checksum package)
+                  ;; unzip `basename url`
                   (let ((el-get-sources '(,@el-get-sources)))
                     (el-get-start-process-list
                      package