From b636822d73410795cdc46d4722f7225c0f463fd3 Mon Sep 17 00:00:00 2001
From: Tristan Sloughter
Date: Tue, 12 May 2015 09:38:22 -0500
Subject: check md5sum of package against that sent by s3
---
 src/rebar_fetch.erl | 4 ++++
 src/rebar_pkg_resource.erl | 17 +++++++++++++----
 2 files changed, 17 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/rebar_fetch.erl b/src/rebar_fetch.erl
index 16840eb..75970ed 100644
--- a/src/rebar_fetch.erl
+++ b/src/rebar_fetch.erl
@@ -43,6 +43,8 @@ download_source(AppDir, Source, State) ->
 verify_and_extract(File, Source, AppDir1, State)
 end
 catch
+ _:bad_etag ->
+ throw(?PRV_ERROR({bad_etag, Source}));
 C:T ->
 ?DEBUG("rebar_fetch exception ~p ~p ~p", [C, T, erlang:get_stacktrace()]),
 throw(?PRV_ERROR({fetch_fail, Source}))
@@ -59,6 +61,8 @@ needs_update(AppDir, Source, State) ->
 true
 end.
 
+format_error({bad_etag, Source}) ->
+ io_lib:format("MD5 Checksum comparison failed for: ~p", [Source]);
 format_error({fetch_fail, Source}) ->
 io_lib:format("Failed to fetch and copy dep: ~p", [Source]);
 format_error({bad_checksum, File}) ->
diff --git a/src/rebar_pkg_resource.erl b/src/rebar_pkg_resource.erl
index 92e6cd4..9b430d2 100644
--- a/src/rebar_pkg_resource.erl
+++ b/src/rebar_pkg_resource.erl
@@ -37,9 +37,17 @@ download(_Dir, {pkg, Name, Vsn}, State) ->
 case request(Url, etag(Path)) of
 {ok, cached} ->
 {tarball, Path};
- {ok, Binary} ->
+ {ok, Binary, EtagHeader} ->
 file:write_file(Path, Binary),
- {tarball, Path};
+ Etag = etag(Path),
+ case EtagHeader =:= Etag of
+ true ->
+ {tarball, Path};
+ false ->
+ ?DEBUG("Bad md5sum for ~s of ~s comparing to ~s sent by server",
+ [Path, Etag, EtagHeader]),
+ throw(bad_etag)
+ end;
 error ->
 case filelib:is_regular(Path) of
 true ->
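Review bot: The new `_:bad_etag ->` clause also catches `error` and `exit` with reason `bad_etag`, while the only raiser this commit adds (`throw(bad_etag)` in rebar_pkg_resource:download/3) uses `throw`; `throw:bad_etag ->` states that contract and leaves an unexpected `error(bad_etag)` on the generic `C:T` path where its stacktrace is still logged. A short comment above the clause would tell the next reader where the term comes from: `%% raised by rebar_pkg_resource:download/3 when the downloaded tarball's MD5 does not match the ETag the server sent`. download_source/3 begins and ends outside the hunk.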
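Review bot: In the `false ->` branch the tarball that just failed the comparison stays on disk: `file:write_file(Path, Binary)` has already overwritten the cached copy, and the `error ->` clause below accepts any regular file at `Path` through `filelib:is_regular(Path)`, so a later run whose request fails would use the mismatched file without ever reaching this check. Remove it before raising, `file:delete(Path),` on the line before `throw(bad_etag)`. Two caveats deserve a comment on the `Etag = etag(Path)` line: the ETag comes from the same response as the body, so this detects transport corruption rather than tampering (authenticity would have to come from a checksum obtained elsewhere, presumably what the existing `bad_checksum` error in rebar_fetch covers), and an S3 ETag equals the content MD5 only for single-part uploads without KMS encryption, so a package stored any other way would presumably fail here on every download. The result of `file:write_file/2` is still ignored, so a short or failed write would surface only as a mismatch.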
@@ -68,9 +76,10 @@ request(Url, ETag) ->
 case httpc:request(get, {Url, [{"if-none-match", ETag} || ETag =/= false]},
 [{relaxed, true}],
 [{body_format, binary}]) of
- {ok, {{_Version, 200, _Reason}, _Headers, Body}} ->
+ {ok, {{_Version, 200, _Reason}, Headers, Body}} ->
+ {"etag", ETag1} = lists:keyfind("etag", 1, Headers),
 ?DEBUG("Successfully downloaded ~s", [Url]),
- {ok, Body};
+ {ok, Body, string:strip(ETag1, both, $")};
 {ok, {{_Version, 304, _Reason}, _Headers, _Body}} ->
 ?DEBUG("Cached copy of ~s still valid", [Url]),
 {ok, cached};
-- 
cgit v1.1
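Review bot: `{"etag", ETag1} = lists:keyfind("etag", 1, Headers)` fails with `badmatch` on `false` when a 200 response carries no ETag header, and that error reaches only the generic `C:T ->` clause in rebar_fetch, so the user is told `fetch_fail` rather than that the checksum could not be verified; handle `false` explicitly, e.g. `ETag1 = case lists:keyfind("etag", 1, Headers) of {"etag", E} -> E; false -> throw(bad_etag) end,`. `string:strip(ETag1, both, $")` also leaves a weak validator (`W/"..."`) with its prefix, which would then never equal `etag(Path)`; whether any server or proxy in the chain sends one cannot be told from here. request/2 continues outside the hunk.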