[cmake-developers] file(DOWNLOAD) + EXPECTED_HASH security issue

Daniele E. Domenichelli daniele.domenichelli at gmail.com
Tue Nov 19 10:24:08 EST 2013


Hello all,

After calling file(DOWNLOAD EXPECTED_HASH) I cannot find a way to check
if the hash is correct.

* The command gives an error, but not fatal, therefore the processing
will continue;
* The "STATUS" variable is not set, therefore it is not useful;
* The "faulty" downloaded file is not removed.

So I believe that there is no way to stop CMake, unless you perform
another hash check.

Am I missing something?

I believe this could be a potential security issue on some build
systems, because after using the file(DOWNLOAD) command with
EXPECTED_HASH, users might be thinking that the following code will not
be executed if the hash is wrong, or they might be checking the STATUS
variable, expecting it to be set != 0 if the hash is wrong (as I was
expecting by reading the documentation of the FILE command).
Therefore they might be using the downloaded file during the same CMake
execution, and this might be exploited by some attacker.

I suggest fixing this as soon as possible (perhaps even in the 2.8
series), either by failing with a fatal error or by setting the STATUS
variable. What do you think?



Cheers,
 Daniele
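
The separate hash check the message mentions could look like the following. This is an added example, not part of the original post and not CMake's own code; the function name `download_verified`, the URL and the hash value are hypothetical placeholders.

```cmake
# Added example: hypothetical helper, not part of CMake itself.
# Downloads a file, then checks the transfer status and the SHA-256 itself,
# removing the file and stopping the run on any failure.
function(download_verified url dest expected_sha256)
  file(DOWNLOAD "${url}" "${dest}" STATUS dl_status)

  # STATUS is a two-element list: numeric code, then a message string.
  list(GET dl_status 0 dl_code)
  list(GET dl_status 1 dl_msg)
  if(NOT dl_code EQUAL 0)
    file(REMOVE "${dest}")
    message(FATAL_ERROR "Download of ${url} failed: ${dl_msg}")
  endif()

  # Explicit second check, independent of how EXPECTED_HASH reports a mismatch.
  file(SHA256 "${dest}" actual_sha256)
  string(TOLOWER "${expected_sha256}" expected_lc)
  if(NOT "${actual_sha256}" STREQUAL "${expected_lc}")
    # Do not leave the unverified file where later steps could pick it up.
    file(REMOVE "${dest}")
    message(FATAL_ERROR
      "SHA256 mismatch for ${dest}\n"
      "  expected: ${expected_lc}\n"
      "  actual:   ${actual_sha256}")
  endif()
endfunction()

# Usage (placeholder URL and hash, replace with real values):
# download_verified(
#   "https://example.invalid/pkg.tar.gz"
#   "${CMAKE_BINARY_DIR}/pkg.tar.gz"
#   "<expected-sha256-hex>")
```

Because `message(FATAL_ERROR ...)` stops processing, nothing after the call runs unless both checks pass.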


