From a082912c191f59af11d7f38a458dd27d66036943 Mon Sep 17 00:00:00 2001
From: Daniel Bachhuber
Date: Tue, 1 Nov 2016 14:21:28 -0700
Subject: [PATCH] Verify release hash when updating
---
 features/cli.feature | 22 +++++++++++++++++++---
 php/commands/cli.php | 16 +++++++++++++++-
 2 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/features/cli.feature b/features/cli.feature
index 83fd15d637..a26272c6b5 100644
--- a/features/cli.feature
+++ b/features/cli.feature
@@ -44,6 +44,10 @@ Feature: `wp cli` tasks
 When I run `{PHAR_PATH} cli update --yes`
 Then STDOUT should contain:
+ """
+ md5 hash verified:
+ """
+ And STDOUT should contain:
 """
 Success:
 """
@@ -73,9 +77,13 @@ Feature: `wp cli` tasks
 When I run `{PHAR_PATH} cli update --patch --yes`
 Then STDOUT should contain:
- """
- Success: Updated WP-CLI to 0.14.1
- """
+ """
+ md5 hash verified: 3f5fa2fda8457a9a5dc9875f17a3716d
+ """
+ And STDOUT should contain:
+ """
+ Success: Updated WP-CLI to 0.14.1
+ """
 And STDERR should be empty
 And the return code should be 0
@@ -108,6 +116,10 @@ Feature: `wp cli` tasks
 When I run `{PHAR_PATH} cli update --nightly --yes`
 Then STDOUT should contain:
+ """
+ md5 hash verified:
+ """
+ And STDOUT should contain:
 """
 Success: Updated WP-CLI to the latest nightly release.
 """
@@ -133,6 +145,10 @@ Feature: `wp cli` tasks
 """
 You have version 0.14.0. Would you like to update to the latest stable release? [y/n]
 """
+ And STDOUT should contain:
+ """
+ md5 hash verified:
+ """
 And STDOUT should contain:
 """
 Success: Updated WP-CLI to the latest stable release.
diff --git a/php/commands/cli.php b/php/commands/cli.php
index 73c3f53f50..462a128121 100644
--- a/php/commands/cli.php
+++ b/php/commands/cli.php
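Review bot: Every new scenario in this file asserts only the `md5 hash verified:` success line; none exercises the two failure paths the commit adds to `cli.php` (an unreachable `.md5` and a digest mismatch), so a regression that makes the check pass unconditionally would go unnoticed. If the harness can serve a release whose `.md5` body differs from the phar, a scenario expecting `STDERR should contain:` with `md5 hash for download` and a non-zero return code would cover the branch that actually protects users. The `--patch` scenario also pins the literal digest `3f5fa2fda8457a9a5dc9875f17a3716d` of the 0.14.1 artifact, which is fine while that asset is immutable, but a one-line comment above it saying the value is copied from the published `.md5` for the 0.14.1 release tells the next maintainer where to refresh it from.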
@@ -241,9 +241,11 @@ public function update( $_, $assoc_args ) {
 if ( Utils\get_flag_value( $assoc_args, 'nightly' ) ) {
 WP_CLI::confirm( sprintf( 'You have version %s. Would you like to update to the latest nightly?', WP_CLI_VERSION ), $assoc_args );
 $download_url = 'https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli-nightly.phar';
+ $md5_url = 'https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli-nightly.phar.md5';
 } else if ( Utils\get_flag_value( $assoc_args, 'stable' ) ) {
 WP_CLI::confirm( sprintf( 'You have version %s. Would you like to update to the latest stable release?', WP_CLI_VERSION ), $assoc_args );
 $download_url = 'https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar';
+ $md5_url = 'https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar.md5';
 } else {
 $updates = $this->get_updates( $assoc_args );
@@ -259,7 +261,7 @@ public function update( $_, $assoc_args ) {
 WP_CLI::confirm( sprintf( 'You have version %s. Would you like to update to %s?', WP_CLI_VERSION, $newest['version'] ), $assoc_args );
 $download_url = $newest['package_url'];
-
+ $md5_url = str_replace( '.phar', '.phar.md5', $download_url );
 }
 WP_CLI::log( sprintf( 'Downloading from %s...', $download_url ) );
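Review bot: `$md5_url` expresses one relationship (`<download_url>.md5`) three different ways: two full literal URLs in this hunk and `str_replace( '.phar', '.phar.md5', $download_url )` in the `@@ -259` hunk. The `str_replace` form rewrites every `.phar` occurrence in the URL, and if a `package_url` ever lacks `.phar` it silently leaves `$md5_url` equal to the phar URL, so the "hash" fetched later would be the phar body itself. Replacing all three with a single `$md5_url = $download_url . '.md5';` placed after the if/else chain keeps the two URLs in lockstep and removes the substring dependency. `update()` begins before this hunk, so whether every path that reaches the download passes through an assignment of `$md5_url` cannot be confirmed from here.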
@@ -274,6 +276,18 @@ public function update( $_, $assoc_args ) {
 Utils\http_request( 'GET', $download_url, null, $headers, $options );
+ $md5_response = Utils\http_request( 'GET', $md5_url );
+ if ( 20 != substr( $md5_response->status_code, 0, 2 ) ) {
+ WP_CLI::error( "Couldn't access md5 hash for release (HTTP code {$md5_response->status_code})." );
+ }
+ $md5_file = md5_file( $temp );
+ $release_hash = trim( $md5_response->body );
+ if ( $md5_file === $release_hash ) {
+ WP_CLI::log( 'md5 hash verified: ' . $release_hash );
+ } else {
+ WP_CLI::error( "md5 hash for download ({$md5_file}) is different than the release hash ({$release_hash})." );
+ }
+
 $allow_root = WP_CLI::get_runner()->config['allow-root'] ? '--allow-root' : '';
 $php_binary = WP_CLI::get_php_binary();
 $process = WP_CLI\Process::create( "{$php_binary} $temp --info {$allow_root}" );
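Review bot: `$release_hash` is compared and echoed without being validated as a digest: `trim( $md5_response->body )` accepts any 2xx body, so an HTML error page or a wrong URL is interpolated verbatim into the mismatch error and treated as if it were an md5. A `preg_match( '/^[0-9a-f]{32}$/', $release_hash )` guard before the comparison fails closed with a message that names the real problem. The status check `20 != substr( $md5_response->status_code, 0, 2 )` leans on loose int-to-string comparison; `'20' !== substr( (string) $md5_response->status_code, 0, 2 )` says the same thing strictly. The verification also deserves a comment that the `.md5` is published beside the `.phar` by the same host, so a match shows the download is intact rather than that the release is authentic; `update()` continues past the end of this hunk.
```php
		$md5_response = Utils\http_request( 'GET', $md5_url );
		if ( '20' !== substr( (string) $md5_response->status_code, 0, 2 ) ) {
			WP_CLI::error( "Couldn't access md5 hash for release (HTTP code {$md5_response->status_code})." );
		}
		// The .md5 is published beside the .phar by the same host: a match shows the
		// download arrived intact, not that the release itself is authentic.
		$release_hash = strtolower( trim( $md5_response->body ) );
		if ( ! preg_match( '/^[0-9a-f]{32}$/', $release_hash ) ) {
			WP_CLI::error( "md5 file at {$md5_url} does not contain a valid md5 hash." );
		}
		$md5_file = md5_file( $temp );
		if ( $md5_file !== $release_hash ) {
			WP_CLI::error( "md5 hash for download ({$md5_file}) is different than the release hash ({$release_hash})." );
		}
		WP_CLI::log( 'md5 hash verified: ' . $release_hash );
		// … unchanged: --info check of the downloaded phar …
```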