[stable-2.7] Fix checksum file parsing in get_url (#53685) (#53694)

* [stable-2.7] Fix checksum file parsing in get_url (#53685)

* Fix checksum file parsing. Fixes #48790

* guard invalid int conversion

Co-Authored-By: sivel <matt@sivel.net>

* Remove extra newline.
(cherry picked from commit 77217fdd24)

Co-authored-by: Matt Martz <matt@sivel.net>

* Remove use of undefined variable
Matt Martz 2019-03-18 14:40:31 -05:00 committed by Toshio Kuratomi
parent 81d893d6ee
commit 166ef9f668
2 changed files with 37 additions and 25 deletions


@ -0,0 +1,4 @@
bugfixes:
- get_url - Fix issue with checksum validation when using a file to ensure we skip lines in the file that
do not contain exactly 2 parts. Also restrict exception handling to the minimum number of
necessary lines (https://github.com/ansible/ansible/issues/48790)


@ -443,34 +443,42 @@ def main():
if checksum: if checksum:
try: try:
algorithm, checksum = checksum.split(':', 1) algorithm, checksum = checksum.split(':', 1)
if checksum.startswith('http://') or checksum.startswith('https://') or checksum.startswith('ftp://'):
checksum_url = checksum
# download checksum file to checksum_tmpsrc
checksum_tmpsrc, checksum_info = url_get(module, checksum_url, dest, use_proxy, last_mod_time, force, timeout, headers, tmp_dest)
with open(checksum_tmpsrc) as f:
lines = [line.rstrip('\n') for line in f]
os.remove(checksum_tmpsrc)
lines = dict(s.split(None, 1) for s in lines)
filename = url_filename(url)
# Look through each line in the checksum file for a hash corresponding to
# the filename in the url, returning the first hash that is found.
for cksum in (s for (s, f) in lines.items() if f.strip('./') == filename):
checksum = cksum
break
else:
checksum = None
if checksum is None:
module.fail_json("Unable to find a checksum for file '%s' in '%s'" % (filename, checksum_url))
# Remove any non-alphanumeric characters, including the infamous
# Unicode zero-width space
checksum = re.sub(r'\W+', '', checksum).lower()
# Ensure the checksum portion is a hexdigest
int(checksum, 16)
except ValueError: except ValueError:
module.fail_json(msg="The checksum parameter has to be in format <algorithm>:<checksum>") module.fail_json(msg="The checksum parameter has to be in format <algorithm>:<checksum>")
if checksum.startswith('http://') or checksum.startswith('https://') or checksum.startswith('ftp://'):
checksum_url = checksum
# download checksum file to checksum_tmpsrc
checksum_tmpsrc, checksum_info = url_get(module, checksum_url, dest, use_proxy, last_mod_time, force, timeout, headers, tmp_dest)
with open(checksum_tmpsrc) as f:
lines = [line.rstrip('\n') for line in f]
os.remove(checksum_tmpsrc)
checksum_map = {}
for line in lines:
parts = line.split(None, 1)
if len(parts) == 2:
checksum_map[parts[0]] = parts[1]
filename = url_filename(url)
# Look through each line in the checksum file for a hash corresponding to
# the filename in the url, returning the first hash that is found.
for cksum in (s for (s, f) in checksum_map.items() if f.strip('./') == filename):
checksum = cksum
break
else:
checksum = None
if checksum is None:
module.fail_json(msg="Unable to find a checksum for file '%s' in '%s'" % (filename, checksum_url))
# Remove any non-alphanumeric characters, including the infamous
# Unicode zero-width space
checksum = re.sub(r'\W+', '', checksum).lower()
# Ensure the checksum portion is a hexdigest
try:
int(checksum, 16)
except ValueError:
module.fail_json(msg='The checksum format is invalid')
if not dest_is_dir and os.path.exists(dest): if not dest_is_dir and os.path.exists(dest):
checksum_mismatch = False checksum_mismatch = False
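Review bot: `checksum_map[parts[0]] = parts[1]` keys the map by digest, so two entries in the checksum file that share a digest overwrite each other and the earlier filename is lost. The later `checksum_map.items()` scan also follows dict order rather than file order, so on interpreters without ordered dicts the "first hash that is found" comment does not hold when a filename is listed more than once. Because this lookup decides which digest the download is verified against, it should be deterministic: walk `lines` in order and stop at the first two-part line whose name matches, as sketched below. The `f.strip('./')` comparison is kept as is, and `main()` starts and continues outside this hunk.

```python
            # … unchanged: url_get download, read lines, os.remove(checksum_tmpsrc) …
            filename = url_filename(url)
            # Walk the checksum file in order so the first entry for the filename
            # wins and entries that share a digest cannot overwrite each other.
            checksum = None
            for line in lines:
                parts = line.split(None, 1)
                if len(parts) == 2 and parts[1].strip('./') == filename:
                    checksum = parts[0]
                    break
            if checksum is None:
                # … unchanged: fail_json "Unable to find a checksum for file" …
```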