[systemd-devel] [PATCH 1/5] shared/import-util: tag renamed to reference to support v2 pull by digest
Pavel Odvody
podvody at redhat.com
Fri May 15 07:48:39 PDT 2015
On Fri, 2015-05-15 at 15:56 +0200, Lennart Poettering wrote:
> On Fri, 15.05.15 15:32, Pavel Odvody (podvody at redhat.com) wrote:
>
> > > > + else if (!startswith(ref, "sha256"))
> > > > + return false;
> > > > +
> > > > + else if (!in_charset(colon + 1, "0123456789abcdef"))
> > > > + return false;
> > >
> > >
> > > Hmm, how precisely do this refs look, can you provide some examples?
> > >
> > > Right now you do not validate anything between "sha256" and the first
> > > ":", that's not intended, is it?
> > >
> > > Lennart
> > >
> >
> > You're right, there's a blind spot, the digest reference looks like
> > this:
> >
> > sha256:7266a84a67d01165f222eac5785fed00791eb3aec0fd8a18086b76310280d9da
> >
> > Thanks for catching this.
>
> Does the the part after the colon have a variable length? Or isn't it
> fixed length for the "sha256:" prefix? If it's fixed size it should
> probably be verified, too.
>
> If it's variable size, does it have a minimum and maximum size?
> Presumably, right? I figure it definitely can't have zero length,
> right?
>
> Lennart
>
yes, sha256 - 256bits / 8 = 64bytes (can easily extrapolate other SHAs)
Zero-length/invalid value would be an error resulting in 404.
But I wonder whether we want to do that level of validation as the check
is mostly sanity.
Something like this?
typedef struct HashInfo {
char *name;
size_t length;
} HashInfo;
static HashInfo hashes[] = {
{"sha256", 64},
{"sha384", 96},
{"sha512", 128},
...
};
What do you think?
--
Pavel Odvody <podvody at redhat.com>
Software Engineer - EMEA ENG Developer Experience
5EC1 95C1 8E08 5BD9 9BBF 9241 3AFA 3A66 024F F68D
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150515/9a05dffb/attachment.sig>
More information about the systemd-devel
mailing list