always verify content in distributed migration
doc/todo/distributed_migration.mdwn discusses the security of distributed migration, and this was identified there as necessary.
This commit is contained in:
parent
62ce56c4ea
commit
30c2728d65
2 changed files with 11 additions and 5 deletions
|
@ -154,7 +154,7 @@ update oldkey newkey =
|
||||||
Just f -> ActionItemAssociatedFile (AssociatedFile (Just f)) newkey
|
Just f -> ActionItemAssociatedFile (AssociatedFile (Just f)) newkey
|
||||||
Nothing -> ActionItemKey newkey
|
Nothing -> ActionItemKey newkey
|
||||||
starting "migrate" ai (SeekInput []) $
|
starting "migrate" ai (SeekInput []) $
|
||||||
ifM (Command.ReKey.linkKey' oldkey newkey)
|
ifM (Command.ReKey.linkKey' v oldkey newkey)
|
||||||
( do
|
( do
|
||||||
logStatus newkey InfoPresent
|
logStatus newkey InfoPresent
|
||||||
next $ return True
|
next $ return True
|
||||||
|
@ -166,3 +166,9 @@ update oldkey newkey =
|
||||||
g <- Annex.gitRepo
|
g <- Annex.gitRepo
|
||||||
firstM (\f -> (== Just newkey) <$> isAnnexLink f) $
|
firstM (\f -> (== Just newkey) <$> isAnnexLink f) $
|
||||||
map (\f -> simplifyPath (fromTopFilePath f g)) fs
|
map (\f -> simplifyPath (fromTopFilePath f g)) fs
|
||||||
|
|
||||||
|
-- Always verify the content agains the newkey, even if
|
||||||
|
-- annex.verify is unset. This is done to prent bad migration
|
||||||
|
-- information maliciously injected into the git-annex branch
|
||||||
|
-- from populating files with the wrong content.
|
||||||
|
v = AlwaysVerify
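Review bot: The comment added above the `v = AlwaysVerify` binding has two typos, `agains` and `prent`; the two lines should read `-- Always verify the content against the newkey, even if` and `-- annex.verify is unset. This is done to prevent bad migration`. Since this comment is the only place the reasoning for forcing verification is recorded, the wording is worth fixing now. The binding is consumed by the `linkKey' v oldkey newkey` call in the previous hunk of this file, and the enclosing `update` function starts outside the hunk.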
|
||||||
|
|
|
@ -95,7 +95,7 @@ perform file oldkey newkey = do
|
||||||
- to avoid wasting disk space. -}
|
- to avoid wasting disk space. -}
|
||||||
linkKey :: RawFilePath -> Key -> Key -> Annex Bool
|
linkKey :: RawFilePath -> Key -> Key -> Annex Bool
|
||||||
linkKey file oldkey newkey = ifM (isJust <$> isAnnexLink file)
|
linkKey file oldkey newkey = ifM (isJust <$> isAnnexLink file)
|
||||||
( linkKey' oldkey newkey
|
( linkKey' DefaultVerify oldkey newkey
|
||||||
, do
|
, do
|
||||||
{- The file being rekeyed is itself an unlocked file; if
|
{- The file being rekeyed is itself an unlocked file; if
|
||||||
- it's hard linked to the old key, that link must be broken. -}
|
- it's hard linked to the old key, that link must be broken. -}
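Review bot: The `linkKey' DefaultVerify oldkey newkey` call keeps the previous verification behaviour for the local rekey path, but nothing at that line says why the weaker setting remains acceptable here when the migrate path now passes `AlwaysVerify`. Presumably the distinction is that `linkKey` acts on a rekey requested locally rather than on migration information read from the git-annex branch, but that reasoning is not visible in the hunk. A short comment such as `-- DefaultVerify is fine here: the rekey was requested locally, not read from the git-annex branch.` would keep the two call sites from being silently harmonized later. The enclosing `perform` and `linkKey` definitions continue outside the hunk.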
|
||||||
|
@ -126,9 +126,9 @@ linkKey file oldkey newkey = ifM (isJust <$> isAnnexLink file)
|
||||||
- This avoids hard linking to content linked to an
|
- This avoids hard linking to content linked to an
|
||||||
- unlocked file, which would leave the new key unlocked
|
- unlocked file, which would leave the new key unlocked
|
||||||
- and vulnerable to corruption. -}
|
- and vulnerable to corruption. -}
|
||||||
linkKey' :: Key -> Key -> Annex Bool
|
linkKey' :: VerifyConfig -> Key -> Key -> Annex Bool
|
||||||
linkKey' oldkey newkey =
|
linkKey' v oldkey newkey =
|
||||||
getViaTmpFromDisk RetrievalAllKeysSecure DefaultVerify newkey (AssociatedFile Nothing) $ \tmp -> unVerified $ do
|
getViaTmpFromDisk RetrievalAllKeysSecure v newkey (AssociatedFile Nothing) $ \tmp -> unVerified $ do
|
||||||
oldobj <- calcRepo (gitAnnexLocation oldkey)
|
oldobj <- calcRepo (gitAnnexLocation oldkey)
|
||||||
isJust <$> linkOrCopy' (return True) newkey oldobj tmp Nothing
|
isJust <$> linkOrCopy' (return True) newkey oldobj tmp Nothing
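Review bot: The block comment above `linkKey'` still describes only the hard-link avoidance and says nothing about the new `VerifyConfig` parameter, which is now forwarded to `getViaTmpFromDisk` and decides whether the content placed under newkey is verified against it. A sentence like `- The VerifyConfig is passed through to getViaTmpFromDisk; pass AlwaysVerify when the keys come from an untrusted source such as the git-annex branch.` would document the contract callers now depend on. The start of that comment is outside the hunk.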
|
||||||
|
|
||||||
|
|