Problem/Motivation
The current implementation extracts the zip archive before verifying it.
Extracting an unvalidated zip file is a risk in itself (think zip bombs, invalid filenames).
Proposed resolution
Instead of using a single file (which has the benefit of fewer downloads), use two: the .csig file validates the zip file.
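As an added example (not code from this issue, its patches, or Drupal core), the two-file flow in Python: the downloaded archive is hashed and compared with the digest carried by the .csig before anything is opened, and the central directory is then screened for the hazards the summary names (path escapes, absolute paths, zip-bomb ratios) without extracting a single entry. It assumes the .csig's signature has already been verified and that its payload is the hex SHA-256 of the raw zip bytes; the size and ratio limits are illustrative values, not Drupal's.

```python
import hashlib
import hmac
import io
import posixpath
import zipfile

# Illustrative limits (assumed for this example, not taken from the issue).
MAX_TOTAL_UNCOMPRESSED = 256 * 1024 * 1024   # bytes across all entries
MAX_COMPRESSION_RATIO = 100                  # uncompressed / compressed, per entry


def make_zip(files: dict) -> bytes:
    """Build a small in-memory zip (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(zip_bytes: bytes, csig_digest_hex: str) -> bool:
    """Constant-time comparison of the archive's SHA-256 with the digest from the .csig.

    Assumption: the .csig signature was already checked and its payload is the
    hex SHA-256 of the raw zip bytes (the real .csig layout is not on the page).
    """
    return hmac.compare_digest(sha256_hex(zip_bytes), csig_digest_hex.strip().lower())


def is_unsafe_name(name: str) -> bool:
    """Absolute paths, drive letters and parent-directory escapes must never be extracted."""
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return True
    return ".." in posixpath.normpath(name).split("/")


def inspect_archive(zip_bytes: bytes) -> list:
    """List problems visible from the central directory alone, extracting nothing."""
    problems = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if is_unsafe_name(info.filename):
                problems.append(f"unsafe filename: {info.filename!r}")
            total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > MAX_COMPRESSION_RATIO:
                problems.append(f"compression ratio too high for {info.filename!r}")
    if total > MAX_TOTAL_UNCOMPRESSED:
        problems.append(f"total uncompressed size {total} exceeds limit")
    return problems


def verify_before_extract(zip_bytes: bytes, csig_digest_hex: str) -> tuple:
    """Return (ok, reasons); only an archive with ok == True should be extracted."""
    if not digest_matches(zip_bytes, csig_digest_hex):
        # Stop before even parsing the container.
        return False, ["digest mismatch: archive does not match the .csig"]
    try:
        problems = inspect_archive(zip_bytes)
    except zipfile.BadZipFile as exc:
        return False, [f"malformed archive: {exc}"]
    return (not problems), problems


if __name__ == "__main__":
    sample = make_zip({"core/lib/Drupal.php": b"<?php // constructed sample\n"})
    print(verify_before_extract(sample, sha256_hex(sample)))
```

The digest check runs first on the raw bytes so that a mismatching download is rejected before any zip parsing code touches it; the directory screen is a second, independent gate for archives that are authentic but still unsafe to unpack.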
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
Comment | File | Size | Author
---|---|---|---
#15 | 3093782-13.patch | 8.77 KB | heddn
#13 | 3093782-13.patch | 8.77 KB | heddn
Comments
Comment #2
drumm
Drupal.org’s in-place-updates being served no longer have the checksumlist.csig file. The same path as the .zip files, like https://www.drupal.org/in-place-updates/drupal/drupal-8.7.4-to-8.7.5.zip, with .csig appended, now serves the signed hash of the zip file. For example, https://www.drupal.org/in-place-updates/drupal/drupal-8.7.4-to-8.7.5.zip.csig.

Comment #3
drumm
To reduce HTTP requests, maybe using the zip archive comment to store the signing is possible. Attached is an example.
If PHP code can safely extract that note, strip the note from the file, and get the same eb14f40fb… shasum before extraction, this will work.

Comment #4
drumm
And a sample with a base64-encoded archive comment.

Comment #5
heddn
We ran into issues adding the CSIG as a comment to the zip file. PHP and POSIX ZIP don't save the file in the same format. And we have to strip the CSIG from the zip comment before hashing it; otherwise it doesn't pass validation. But stripping it via PHP seems to rewrite the entire zip file in a slightly different format. Since the files are binary, it is hard to say exactly what is different. So we're back to downloading 2 distinct artifacts: one for the zip file and one for the csig validation of the zip archive.
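Comments #3 and #5 turn on whether the archive comment can be taken off again byte-for-byte, so that the stripped file hashes to the original value before extraction. In the zip format the comment lives only after the end-of-central-directory (EOCD) record, so it can be attached and removed by patching the record's 2-byte length field and the trailing bytes, with no rewrite of the entries or the central directory. The following Python is an added example (not the module's PHP, the attached patches, or drumm's sample archives) that does exactly that and checks the round trip; it says nothing about how PHP's ZipArchive rewrites a container, which is the separate library behaviour heddn reports.

```python
import hashlib
import hmac
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"    # end-of-central-directory record signature
EOCD_LEN = 22               # fixed-size part of that record; the comment follows it
COMMENT_LEN_OFFSET = 20     # little-endian u16 comment length inside the record
MAX_COMMENT = 0xFFFF        # zip limit for the archive comment


def make_zip(files: dict) -> bytes:
    """Build a small in-memory zip (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def locate_eocd(data: bytes) -> int:
    """Offset of the EOCD record whose comment length reaches exactly end-of-file.

    Searches backwards over the last 64 KiB + 22 bytes. A stray signature inside
    the comment is rejected because its length field does not line up with EOF.
    """
    start = max(0, len(data) - EOCD_LEN - MAX_COMMENT)
    end = len(data)
    while True:
        idx = data.rfind(EOCD_SIG, start, end)
        if idx < 0:
            raise ValueError("not a zip archive: no consistent EOCD record")
        if idx + EOCD_LEN <= len(data):
            (comment_len,) = struct.unpack_from("<H", data, idx + COMMENT_LEN_OFFSET)
            if idx + EOCD_LEN + comment_len == len(data):
                return idx
        end = idx + len(EOCD_SIG) - 1   # exclude this candidate, keep searching backwards


def append_comment(data: bytes, comment: bytes) -> bytes:
    """Attach a comment by patching the EOCD length field and appending the bytes.

    No entry or central-directory byte changes, which is what makes stripping exact.
    """
    idx = locate_eocd(data)
    if struct.unpack_from("<H", data, idx + COMMENT_LEN_OFFSET)[0] != 0:
        raise ValueError("archive already carries a comment")
    if len(comment) > MAX_COMMENT:
        raise ValueError("comment exceeds the 65535-byte zip limit")
    return data[: idx + COMMENT_LEN_OFFSET] + struct.pack("<H", len(comment)) + comment


def split_comment(data: bytes) -> tuple:
    """Return (archive with a zero-length comment, comment bytes)."""
    idx = locate_eocd(data)
    comment = data[idx + EOCD_LEN:]
    stripped = data[: idx + COMMENT_LEN_OFFSET] + b"\x00\x00"
    return stripped, comment


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_without_comment_matches(data: bytes, expected_hex: str) -> bool:
    """The check comment #3 asks for: hash the archive minus its comment, before extraction."""
    stripped, _comment = split_comment(data)
    return hmac.compare_digest(sha256_hex(stripped), expected_hex)


def comment_via_zipfile(data: bytes) -> bytes:
    """Cross-check: the standard library reads the same comment back."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.comment


if __name__ == "__main__":
    original = make_zip({"core/lib/Drupal.php": b"<?php // constructed sample\n"})
    commented = append_comment(original, b"constructed-signature-note")
    print(digest_without_comment_matches(commented, sha256_hex(original)))
```

Because the note is only ever appended after the EOCD record, stripping it restores the original bytes exactly and the pre-extraction shasum is recoverable; a tool that instead re-serialises the whole archive when editing the comment, as described for PHP in comment #5, breaks that property.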
Comment #6
heddn

Comment #10
heddn
Adding credit from slack discussions.

Comment #12
heddn
Landed this on 8.x and rolled an alpha4. Next up a 7.x backport and new alpha there too.

Comment #13
heddn

Comment #14
heddn

Comment #15
heddn

Comment #17
heddn

Comment #19
heddn
7.x alpha3 is now also tagged.