[or-cvs] [thandy/master] Add lengths to the timestamp file.
This might break old clients, but AFAICT there are no clients running versions
prior to 15 Dec. It's necessary to avoid some DoS attacks.
---
TODO | 2 +-
lib/thandy/ServerCLI.py | 14 ++++++++------
lib/thandy/formats.py | 13 ++++++++-----
3 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/TODO b/TODO
index e4a2fa1..6fec3a3 100644
--- a/TODO
+++ b/TODO
@@ -33,7 +33,7 @@ o Decouple install from check: they are not necessarily related.
believable value to make sure we don't download too much
o Include lengths in generated packages and bundles
. Specify use of length field.
- - Once everybody has been wanted to update their clients, include
+ o Once everybody has been wanted to update their clients, include
lengths in timestamp files.
- Make lengths mandatory
- Maybe make lengths enforced for purposes other than a maximum
diff --git a/lib/thandy/ServerCLI.py b/lib/thandy/ServerCLI.py
index d9c0f04..9212846 100644
--- a/lib/thandy/ServerCLI.py
+++ b/lib/thandy/ServerCLI.py
@@ -24,7 +24,8 @@ def snarf(fname):
def snarfObj(fname):
f = open(fname, 'r')
try:
- return json.load(f)
+ length = os.fstat(f.fileno()).st_size
+ return json.load(f), length
finally:
f.close()
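Review bot: In `snarfObj` the length comes from `os.fstat` while the content is read separately by `json.load`, so the two can disagree if the file is rewritten between the calls, and the signed timestamp would then advertise a size that does not belong to the content that was hashed. Reading the bytes once and measuring them keeps both in step: `data = f.read()` followed by `return json.loads(data), len(data)`, with the file opened `'rb'` so the count is the on-disk byte count on every platform. The return value also changes from an object to a tuple; the three call sites in `timestamp()` are updated in this commit, but any caller outside this diff would now receive a tuple. A one-line docstring such as `"""Return (parsed JSON object, file length in bytes) for fname."""` would make the new contract explicit.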
@@ -127,12 +128,12 @@ def timestamp(args):
tsFname = os.path.join(repo, "meta/timestamp.txt")
try:
- mObj = snarfObj(os.path.join(repo, "meta/mirrors.txt"))
+ mObj, mLen = snarfObj(os.path.join(repo, "meta/mirrors.txt"))
except OSError:
print "No mirror list!"
sys.exit(1)
try:
- kObj = snarfObj(os.path.join(repo, "meta/keys.txt"))
+ kObj, kLen = snarfObj(os.path.join(repo, "meta/keys.txt"))
except OSError:
print "No key list!"
sys.exit(1)
@@ -142,7 +143,7 @@ def timestamp(args):
for fn in fns:
fn = os.path.join(dirpath, fn)
try:
- bObj = snarfObj(fn)
+ bObj, bLen = snarfObj(fn)
except (ValueError, OSError, IOError), e:
print "(Couldn't read bundle-like %s: %s)"%(fn, e)
continue
@@ -154,10 +155,11 @@ def timestamp(args):
if r != "bundle":
print "%s was not a good bundle"%fn
continue
- bundles.append(bObj['signed'])
+ bundles.append((bObj['signed'], bLen))
timestamp = thandy.formats.makeTimestampObj(
- mObj['signed'], kObj['signed'], bundles)
+ mObj['signed'], mLen, kObj['signed'], kLen,
+ bundles)
signable = thandy.formats.makeSignable(timestamp)
keydb = thandy.formats.Keylist()
diff --git a/lib/thandy/formats.py b/lib/thandy/formats.py
index b82bf05..5429d5c 100644
--- a/lib/thandy/formats.py
+++ b/lib/thandy/formats.py
@@ -794,19 +794,22 @@ def getBundleKey(bundlePath):
idx = bundlePath.rindex("/")
return bundlePath[:idx+1]
-def makeTimestampObj(mirrorlist_obj, keylist_obj,
+def makeTimestampObj(mirrorlist_obj, mirrorlist_len,
+ keylist_obj, keylist_len,
bundle_objs):
result = { '_type' : 'Timestamp',
'at' : formatTime(time.time()) }
result['m'] = [ mirrorlist_obj['ts'],
- formatHash(getDigest(mirrorlist_obj)) ]
+ formatHash(getDigest(mirrorlist_obj)),
+ mirrorlist_len ]
result['k'] = [ keylist_obj['ts'],
- formatHash(getDigest(keylist_obj)) ]
+ formatHash(getDigest(keylist_obj)),
+ keylist_len ]
result['b'] = bundles = {}
- for bundle in bundle_objs:
+ for bundle, bundleLen in bundle_objs:
k = getBundleKey(bundle['location'])
v = bundle['version']
- entry = [ v, bundle['location'], bundle['at'], formatHash(getDigest(bundle)) ]
+ entry = [ v, bundle['location'], bundle['at'], formatHash(getDigest(bundle)), bundleLen ]
if not bundles.has_key(k) or versionIsNewer(v, bundles[k][0]):
bundles[k] = entry
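Review bot: `makeTimestampObj` copies `mirrorlist_len`, `keylist_len` and each `bundleLen` into the signed timestamp unchecked and undocumented, although the commit message says clients depend on them for DoS protection. A guard such as `if not isinstance(n, (int, long)) or n < 0: raise ValueError(...)` before building `result` would keep a bad value from being signed. A docstring should state that 'm' and 'k' are now `[ts, hash, length]`, that bundle entries carry the length as a fifth element, and that `bundle_objs` must be `(signed_obj, length)` pairs. It should also say that the length is the size of the whole file including signatures while the hash covers only the signed part, so a re-signed file presumably needs a regenerated timestamp. Nothing in this diff shows the timestamp schema or the client-side length check being updated, so confirm that separately; the two new positional parameters also break any caller not changed here, and the function's tail lies outside the hunk.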
--
1.5.6.5