From: Hans-Christoph Steiner <hans@eds.org>
Date: Thu, 5 Jun 2014 19:50:21 +0000 (-0400)
Subject: update: add stricter checking when updating repo index using rsync
X-Git-Tag: 0.2~38^2~2
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=0adb2575fe42cc4e65b4dec20a9edfe270266164;p=fdroidserver.git

update: add stricter checking when updating repo index using rsync

rsync uses the modification time and size of the file when deciding whether
to update a file.  These are relatively easy to control in malicious code,
so instead make rsync use a full MD5 checksum when decided whether the
index needs to be updated.  I suppose we could add an option to use
checksum checking on all files, but since the signed repo already provides
a checksum check, it seems not worth the added load on the process.

Also, renamed 'index' to 'indexxml' to make it clear what is the XML and
what is the JAR.
---

diff --git a/fdroidserver/server.py b/fdroidserver/server.py
index 3bf5e581..833a88e0 100644
--- a/fdroidserver/server.py
+++ b/fdroidserver/server.py
@@ -116,23 +116,24 @@ def update_awsbucket(repo_section):
 
 
 def update_serverwebroot(repo_section):
-    rsyncargs = ['rsync', '-u', '-r', '--delete']
+    rsyncargs = ['rsync', '--update', '--recursive', '--delete']
     if options.verbose:
         rsyncargs += ['--verbose']
     if options.quiet:
         rsyncargs += ['--quiet']
-    index = os.path.join(repo_section, 'index.xml')
+    indexxml = os.path.join(repo_section, 'index.xml')
     indexjar = os.path.join(repo_section, 'index.jar')
     # serverwebroot is guaranteed to have a trailing slash in common.py
     if subprocess.call(rsyncargs +
-                       ['--exclude', index, '--exclude', indexjar,
+                       ['--exclude', indexxml, '--exclude', indexjar,
                         repo_section, config['serverwebroot']]) != 0:
         sys.exit(1)
-    if subprocess.call(rsyncargs +
-                       [index, config['serverwebroot'] + repo_section]) != 0:
+    # use stricter checking on the indexes since they provide the signature
+    rsyncargs += ['--checksum']
+    sectionpath = config['serverwebroot'] + repo_section
+    if subprocess.call(rsyncargs + [indexxml, sectionpath]) != 0:
         sys.exit(1)
-    if subprocess.call(rsyncargs +
-                       [indexjar, config['serverwebroot'] + repo_section]) != 0:
+    if subprocess.call(rsyncargs + [indexjar, sectionpath]) != 0:
         sys.exit(1)