1
0
mirror of https://github.com/pi-hole/pi-hole synced 2024-12-22 23:08:07 +00:00

Verify that we actually downloaded a valid checksum before comparing it to the local one. This covers situations where downloading the checksum from remote might have failed

Signed-off-by: DL6ER <dl6er@dl6er.de>
This commit is contained in:
DL6ER 2024-03-10 08:43:37 +01:00
parent dedaf5432e
commit 2fd0de4743
No known key found for this signature in database
GPG Key ID: 00135ACBD90B28DD

View File

@ -2002,9 +2002,11 @@ FTLcheckUpdate() {
local localSha1 local localSha1
if [[ ! "${ftlBranch}" == "master" ]]; then if [[ ! "${ftlBranch}" == "master" ]]; then
# Check whether or not the binary for this FTL branch actually exists. If not, then there is no update! # This is not the master branch
local path local path
path="${ftlBranch}/${binary}" path="${ftlBranch}/${binary}"
# Check whether or not the binary for this FTL branch actually exists. If not, then there is no update!
# shellcheck disable=SC1090 # shellcheck disable=SC1090
check_download_exists "$path" check_download_exists "$path"
local ret=$? local ret=$?
@ -2023,12 +2025,20 @@ FTLcheckUpdate() {
fi fi
if [[ ${ftlLoc} ]]; then if [[ ${ftlLoc} ]]; then
# We already have a pihole-FTL binary downloaded. # We already have a pihole-FTL binary installed, check if it's the
# Alt branches don't have a tagged version against them, so just confirm the checksum of the local vs remote to decide whether we download or not # same as the remote one
# Alt branches don't have a tagged version against them, so just
# confirm the checksum of the local vs remote to decide whether we
# download or not
remoteSha1=$(curl -sSL --fail "https://ftl.pi-hole.net/${ftlBranch}/${binary}.sha1" | cut -d ' ' -f 1) remoteSha1=$(curl -sSL --fail "https://ftl.pi-hole.net/${ftlBranch}/${binary}.sha1" | cut -d ' ' -f 1)
localSha1=$(sha1sum "$(command -v pihole-FTL)" | cut -d ' ' -f 1) localSha1=$(sha1sum "${ftlLoc}" | cut -d ' ' -f 1)
if [[ "${remoteSha1}" != "${localSha1}" ]]; then # Check we downloaded a valid checksum (no 404 or other error like
# no DNS resolution)
if [[ ! "${remoteSha1}" =~ ^[a-f0-9]{40}$ ]]; then
printf " %b Remote checksum not available, trying to download binary from ftl.pi-hole.net.\\n" "${CROSS}"
return 0
elif [[ "${remoteSha1}" != "${localSha1}" ]]; then
printf " %b Checksums do not match, downloading from ftl.pi-hole.net.\\n" "${INFO}" printf " %b Checksums do not match, downloading from ftl.pi-hole.net.\\n" "${INFO}"
return 0 return 0
else else
@ -2039,7 +2049,10 @@ FTLcheckUpdate() {
return 0 return 0
fi fi
else else
# This is the master branch
if [[ ${ftlLoc} ]]; then if [[ ${ftlLoc} ]]; then
# We already have a pihole-FTL binary installed, check if it's the
# same as the remote one
local FTLversion local FTLversion
FTLversion=$(/usr/bin/pihole-FTL tag) FTLversion=$(/usr/bin/pihole-FTL tag)
local FTLlatesttag local FTLlatesttag
@ -2053,15 +2066,24 @@ FTLcheckUpdate() {
# Check if the installed version matches the latest version # Check if the installed version matches the latest version
if [[ "${FTLversion}" != "${FTLlatesttag}" ]]; then if [[ "${FTLversion}" != "${FTLlatesttag}" ]]; then
# If the installed version does not match the latest version, then download
return 0 return 0
else else
# If the installed version matches the latest version, then
# check the installed sha1sum of the binary vs the remote
# sha1sum. If they do not match, then download
printf " %b Latest FTL Binary already installed (%s). Confirming Checksum...\\n" "${INFO}" "${FTLlatesttag}" printf " %b Latest FTL Binary already installed (%s). Confirming Checksum...\\n" "${INFO}" "${FTLlatesttag}"
remoteSha1=$(curl -sSL --fail "https://github.com/pi-hole/FTL/releases/download/${FTLversion%$'\r'}/${binary}.sha1" | cut -d ' ' -f 1) remoteSha1=$(curl -sSL --fail "https://github.com/pi-hole/FTL/releases/download/${FTLversion%$'\r'}/${binary}.sha1" | cut -d ' ' -f 1)
localSha1=$(sha1sum "$(command -v pihole-FTL)" | cut -d ' ' -f 1) localSha1=$(sha1sum "${ftlLoc}" | cut -d ' ' -f 1)
if [[ "${remoteSha1}" != "${localSha1}" ]]; then # Check we downloaded a valid checksum (no 404 or other error like
printf " %b Corruption detected...\\n" "${INFO}" # no DNS resolution)
if [[ ! "${remoteSha1}" =~ ^[a-f0-9]{40}$ ]]; then
printf " %b Remote checksum not available, trying to redownload binary...\\n" "${CROSS}"
return 0
elif [[ "${remoteSha1}" != "${localSha1}" ]]; then
printf " %b Corruption detected, redownloading binary...\\n" "${CROSS}"
return 0 return 0
else else
printf " %b Checksum correct. No need to download!\\n" "${INFO}" printf " %b Checksum correct. No need to download!\\n" "${INFO}"