[Git][reproducible-builds/strip-nondeterminism][master] 3 commits: Catch an edge-case where we can't even parse the provided length of an invalid...

Chris Lamb gitlab at salsa.debian.org
Sun Apr 28 11:56:03 CEST 2019



Chris Lamb pushed to branch master at Reproducible Builds / strip-nondeterminism


Commits:
783d44e3 by Chris Lamb at 2019-04-28T09:17:11Z
Catch an edge-case where we can't even parse the provided length of an invalid field within zip files.

- - - - -
b164403e by Chris Lamb at 2019-04-28T09:20:12Z
Check the return status from Archive::Zip when writing file to disk.

- - - - -
f40f5550 by Chris Lamb at 2019-04-28T09:54:40Z
Workaround Archive::Zip's incorrect handling of the localExtraField field by monkey-patching the accessor methods to always return normalised values. This fixes the normalisation of Unix ownership (uid/gid) within .zip archives, .epub files, etc. (Closes: #858431, reproducible-builds/strip-nondeterminism#4)

- - - - -


2 changed files:

- Makefile.PL
- lib/File/StripNondeterminism/handlers/zip.pm


Changes:

=====================================
Makefile.PL
=====================================
@@ -17,6 +17,7 @@ WriteMakefile(
 		'Archive::Cpio'	=> 0, # required to pass tests
 		'Archive::Zip'	=> 0,
 		'Getopt::Long'	=> 0,
+		'Monkey::Patch'	=> 0,
 	},
 	LICENSE		=> "gpl",
 	dist		=> { COMPRESS => 'gzip -9nf', SUFFIX => 'gz', },


=====================================
lib/File/StripNondeterminism/handlers/zip.pm
=====================================
@@ -24,6 +24,7 @@ use warnings;
 use File::Temp;
 use File::StripNondeterminism;
 use Archive::Zip qw/:CONSTANTS :ERROR_CODES/;
+use Monkey::Patch qw/patch_class/;
 
 # A magic number from Archive::Zip for the earliest timestamp that
 # can be represented by a Zip file.  From the Archive::Zip source:
@@ -145,6 +146,10 @@ sub normalize_extra_fields($$) {
 		} else {
 			# Catch invalid field lengths by calculating whether we would
 			# read beyond the end of the file.
+			if (!defined($len)) {
+				warn "strip-nondeterminism: unknown extra field length";
+				return;
+			}
 			if ($pos + $len >= length($field)) {
 				warn "strip-nondeterminism: invalid extra field length ($len)";
 				return;
@@ -213,14 +218,34 @@ sub normalize {
 				? oct(755)
 				: oct(644));
 		}
-		foreach my $x (qw(cdExtraField localExtraField)) {
-			my $result = normalize_extra_fields($canonical_time, $member->$x);
-			return 0 unless defined $result;
-			$member->$x($result);
-		}
 	}
 	my $old_perms = (stat($zip_filename))[2] & oct(7777);
-	$zip->overwrite();
+
+	# Archive::Zip::Member does not handle the localExtraField field (used for
+	# uid/gids) correctly or consistently.
+	#
+	# It does not populate localExtraField in the class upon initial reading of
+	# the file whilst it does for cdExtraField. One can workaround this
+	# manually with calls to _seekToLocalHeader and _readLocalFileHeader but
+	# upon writing to a file back to the disk Archive::Zip will ignore any
+	# stored value of localExtraField (!) and reload it again from the existing
+	# file handle in/around rewindData.
+	#
+	# We therefore monkey-patch the accessor methods of the Member class to
+	# ensure that normalised values are used in this final save.
+	#
+	# <https://salsa.debian.org/reproducible-builds/strip-nondeterminism/issues/4>
+	my @patches = map {
+		patch_class('Archive::Zip::Member', $_, sub {
+			my $fn = shift;
+			my $result = $fn->(@_);
+			return defined($result) ?
+				normalize_extra_fields($canonical_time, $result) : $result;
+		});
+	} qw(cdExtraField localExtraField);
+
+	return 0 unless $zip->overwrite() == AZ_OK;
+	undef @patches; # Remove our monkey patches
 	chmod($old_perms, $zip_filename);
 	return 1;
 }



View it on GitLab: https://salsa.debian.org/reproducible-builds/strip-nondeterminism/compare/52f58c5ba82b3a7d469fd2128ee1bbf47420b5cf...f40f555085eeb086bfd4ee1fca1012550790a12d

-- 
View it on GitLab: https://salsa.debian.org/reproducible-builds/strip-nondeterminism/compare/52f58c5ba82b3a7d469fd2128ee1bbf47420b5cf...f40f555085eeb086bfd4ee1fca1012550790a12d
You're receiving this email because of your account on salsa.debian.org.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20190428/848e96fe/attachment.html>


More information about the rb-commits mailing list