author | emaste <emaste@FreeBSD.org> | 2016-12-09 17:21:59 +0000 |
---|---|---|
committer | emaste <emaste@FreeBSD.org> | 2016-12-09 17:21:59 +0000 |
commit | 2bf9c38c43a95678a41a9dfb95771cc939e116fc (patch) | |
tree | abad5643719b1069d33e984d10af4e27d9aaa30e | |
parent | 710f9f13d715fbe927db6ab3db1e97f4eecd3835 (diff) | |
MFC r306825: portsnap: use lam on the known good hash list
This change is equivalent to the approach committed in r306417, but if
sed has a bug it could be exploited by the untrusted tar file. Instead,
generate the expected tar content and compare that with find's output.
Submitted by: cperciva (in review D8052)
-rw-r--r-- | usr.sbin/portsnap/portsnap/portsnap.sh | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/usr.sbin/portsnap/portsnap/portsnap.sh b/usr.sbin/portsnap/portsnap/portsnap.sh
index 501c530..0e16370 100644
--- a/usr.sbin/portsnap/portsnap/portsnap.sh
+++ b/usr.sbin/portsnap/portsnap/portsnap.sh
@@ -691,8 +691,9 @@ fetch_snapshot() {
 fetch_index_sanity || return 1
 # Verify the snapshot contents
 cut -f 2 -d '|' INDEX.new | fetch_snapshot_verify || return 1
- cut -f 2 -d '|' tINDEX.new INDEX.new | sort -u > files.expected
- find snap -mindepth 1 | sed -E 's^snap/(.*)\.gz^\1^' | sort > files.snap
+ cut -f 2 -d '|' tINDEX.new INDEX.new | sort -u |
+ lam -s 'snap/' - -s '.gz' > files.expected
+ find snap -mindepth 1 | sort > files.snap
 if ! cmp -s files.expected files.snap; then
 echo "unexpected files in snapshot."
 return 1 |
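Review bot: The expected list is sorted before `lam` adds the `snap/` prefix and `.gz` suffix, while `files.snap` is sorted on the full path, so the `cmp -s` check only lines up if appending `.gz` never changes the relative order of entries. That presumably holds because the names are fixed-length hashes (not visible in this hunk), and a mismatch would fail closed with "unexpected files in snapshot", but the assumption is undocumented. Either sort after the decoration, `cut -f 2 -d '|' tINDEX.new INDEX.new | lam -s 'snap/' - -s '.gz' | sort -u > files.expected`, or add a comment such as `# sort before lam is safe only because every name has the same length`. fetch_snapshot's body begins and ends outside the hunk.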