def test__4_1(self):
''' Verify normalize() result when input is absolute path '''
self.assertEqual(utils_path.normalize('/foo/bar/../baz'),
''.join([os.sep, 'foo', os.sep, 'baz']))
self.assertEqual(utils_path.normalize('/foo/bar/../../baz'),
''.join([os.sep, 'baz']))
self.assertEqual(utils_path.normalize('/foo/bar/../../../baz'),
''.join([os.sep, 'baz']))
self.assertEqual(utils_path.normalize('/foo/bar/../../../../baz'),
''.join([os.sep, 'baz']))
def test__4_2__and__4_3(self):
''' Verify normalize() result when input is relative path '''
# 4.2 the starting node is the parent of foo
self.assertEqual(utils_path.normalize('foo/bar/../baz'),
os.sep.join(['foo', 'baz']))
self.assertEqual(utils_path.normalize('foo/bar/../../baz'),
'baz')
# 4.3 the starting node is ABOVE the parent of foo
self.assertEqual(utils_path.normalize('foo/bar/../../../baz'),
os.sep.join(['..', 'baz']))
self.assertEqual(utils_path.normalize('foo/bar/../../../../baz'),
os.sep.join(['..', '..', 'baz']))
def dgst_verify(signature, tarball, key=None):
'''
Call OpenSSL to verify the signature. The public key
is ``VERSIONDIR/pubkey.pem``. We assume the signature
algorithm is SHA256.
'''
if not utils_hier.OPENSSL:
raise RuntimeError('updater_verify: No OPENSSL defined')
if not key:
key = os.sep.join([utils_hier.VERSIONDIR, 'pubkey.pem'])
#
# By default subprocess.call() does not invoke the shell and
# passes the command line to execve(). We set the command to
# invoke and many arguments, but the caller "controls" some
# other arguments. In the common case, when we're invoked by
# updater_runner.py, arguments are verified. Still, for
# additional correctness, here we also make sure we receive
# file names below BASEDIR.
#
# TODO Here we can be even more paranoid^H^H obsessed by
# correctness, and we can check (a) that we have received
# normalized paths and (b) that signature, tarball, and
# key follow certain patterns.
#
for path in (signature, tarball, key):
path = utils_path.normalize(path)
if not path.startswith(utils_hier.BASEDIR):
raise RuntimeError('updater_verify: passed path outside of BASEDIR')
#
# We control the file names, typically. If they're not controlled,
# above there is code that restricts them inside BASEDIR. Note that
# the ``-verify`` switch should ensure that files are read and checked,
# and not written. Still, files we are going to verify may have
# been crafted to crash openssl and run arbitratry code. For this
# reason, I wonder whether it makes sense to run the openssl subpro-
# cess with reduced privileges.
#
cmdline = [utils_hier.OPENSSL, 'dgst', '-sha256', '-verify', key,
'-signature', signature, tarball]
__logging_info('updater_verify: exec: %s', str(cmdline))
retval = subprocess.call(cmdline)
if retval != 0:
raise RuntimeError('updater_verify: signature does not match')
def test__3(self):
''' Make sure that normalize() converts / to \\ on windows '''
if os.name == 'nt':
self.assertEqual(utils_path.normalize('foo/bar'), r'foo\bar')
def test__2(self):
''' Make sure that normalize() simplifies redundant up-level refs '''
self.assertEqual(utils_path.normalize('/foo/bar/../baz'),
os.sep.join(['', 'foo', 'baz']))
def test__1(self):
''' Make sure that normalize() collapses multiple slashes '''
self.assertEqual(utils_path.normalize('/foo////bar'),
os.sep.join(['', 'foo', 'bar']))
