[cmake-developers] file(DOWNLOAD) + EXPECTED_HASH security issue
Brad King
brad.king at kitware.com
Tue Nov 19 10:34:41 EST 2013
On 11/19/2013 10:24 AM, Daniele E. Domenichelli wrote:
> After calling file(DOWNLOAD EXPECTED_HASH) I cannot find a way to check
> if the hash is correct.
>
> * The command gives an error, but not fatal, therefore the processing
> will continue;
IIRC the use case for which this was built put file(DOWNLOAD) inside
a script invoked with "cmake -P" (see ExternalProject). That will
still exit with a bad code and the caller will see it.
> * The "STATUS" variable is not set, therefore it is not useful;
> * The "faulty" downloaded file is not removed.
>
> So I believe that there is no way to stop CMake, unless you perform
> another hash check.
The "this->SetError/return false" logic for these errors should be
replaced by "this->IssueMessage(cmake::FATAL_ERROR,...)/return true"
to switch it to a fatal error. The signature should be extended
to provide an option to get the error information back without
causing a CMake Error so that the caller can handle it.
> I suggest fixing this as soon as possible (perhaps even in the 2.8
> series), either failing with a fatal error or setting the STATUS
> variable. What do you think?
The feature was originally built as EXPECTED_MD5 which is definitely
*not a security check* but rather a corruption check. It was then
generalized to EXPECTED_HASH just because other hash algorithms
are now available, so only then did it become useful for security.
The above fix is a change in behavior which IMO does not belong in
a tweak release.
-Brad
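The workaround the thread hints at ("unless you perform another hash check"), written out as an added example; it is not code from the thread or from CMake itself. It does not rely on EXPECTED_HASH's error reporting at all: it downloads without EXPECTED_HASH (so STATUS is always populated for transport errors), recomputes the hash with file(SHA256), deletes anything that fails, and leaves the decision to stop to the caller. The function name download_verified and the fixture files are my own; the script is self-contained and runs offline through file:// URLs, which assumes a POSIX-style absolute path. The pinned digest is the SHA256 of the constructed six-byte payload "hello\n".

```cmake
# download_verified.cmake -- run with:  cmake -P download_verified.cmake
# Added example: fetch a file and verify its SHA256 ourselves so that a
# mismatch is always detected, the bad file is removed, and the caller
# (not file(DOWNLOAD)'s non-fatal error) decides whether to abort.
cmake_minimum_required(VERSION 2.8.12)

# download_verified(<url> <dest> <sha256-hex> <result-var>)   [name is mine]
#   Sets <result-var> TRUE in the caller's scope only if <dest> exists and
#   hashes to <sha256-hex>. On any failure <dest> is removed and
#   <result-var> is FALSE. Never aborts by itself.
function(download_verified url dest expected result_var)
  string(TOLOWER "${expected}" expected)

  # Same short-cut EXPECTED_HASH offers: an existing, matching file is reused;
  # an existing, non-matching file is discarded before re-downloading.
  if(EXISTS "${dest}")
    file(SHA256 "${dest}" have)
    if(have STREQUAL expected)
      set(${result_var} TRUE PARENT_SCOPE)
      return()
    endif()
    file(REMOVE "${dest}")
  endif()

  # Plain download: without EXPECTED_HASH, STATUS is reliably "code;message".
  file(DOWNLOAD "${url}" "${dest}" STATUS st TLS_VERIFY ON)
  list(GET st 0 code)
  if(NOT code EQUAL 0)
    list(GET st 1 msg)
    message(WARNING "download of ${url} failed: ${msg}")
    file(REMOVE "${dest}")
    set(${result_var} FALSE PARENT_SCOPE)
    return()
  endif()

  # Independent check against the pinned digest, done by this script.
  file(SHA256 "${dest}" have)
  if(NOT have STREQUAL expected)
    message(WARNING "hash mismatch for ${dest}\n  expected ${expected}\n  actual   ${have}")
    file(REMOVE "${dest}")   # never leave a file that failed verification behind
    set(${result_var} FALSE PARENT_SCOPE)
    return()
  endif()
  set(${result_var} TRUE PARENT_SCOPE)
endfunction()

# --- Constructed fixtures so the script runs offline via file:// URLs ---
# (assumes CMAKE_CURRENT_BINARY_DIR is a POSIX-style absolute path)
set(work "${CMAKE_CURRENT_BINARY_DIR}/download_verified_demo")
file(MAKE_DIRECTORY "${work}")
# SHA256 of the six bytes "hello\n"
set(pinned "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03")
file(WRITE "${work}/good.txt"     "hello\n")
file(WRITE "${work}/tampered.txt" "hello!\n")   # same URL shape, different bytes

download_verified("file://${work}/good.txt" "${work}/out_good.txt" "${pinned}" ok)
if(NOT ok)
  message(FATAL_ERROR "good artifact failed verification")
endif()

download_verified("file://${work}/tampered.txt" "${work}/out_bad.txt" "${pinned}" ok)
if(ok OR EXISTS "${work}/out_bad.txt")
  message(FATAL_ERROR "tampered artifact was accepted or left on disk")
endif()
message(STATUS "verified download OK; tampered download rejected and removed")
```

In a CMakeLists.txt the same function is used unchanged; the only difference from the -P case is that the caller's `message(FATAL_ERROR ...)` is what stops the configure step, which is exactly the control the thread says EXPECTED_HASH alone does not give you.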