Harden signature verification process

This mostly boils down to making sure control_started and
data_started are consistently used to gate actions, instead of
relying whether on file names start with a '.'.

None of the weaknesses this fixes are exploitable, but they
might have become so after changes to seemingly-unrelated code,
so it's good to clean them up.

1 files changed, 13 insertions, 15 deletions

diff --git a/src/database.c b/src/database.c
index 713e57b..d7abcca 100644
--- a/src/database.c
+++ b/src/database.c
@@ -2388,7 +2388,19 @@ static int apk_db_install_archive_entry(void *_ctx,
 	if (r <= 0)
 		return r;
 
-	r = 0;
+	/* Package metainfo and script processing */
+	if (ctx->sctx.control_started && !ctx->sctx.data_started) {
+		if (strcmp(ae->name, ".PKGINFO") == 0) {
+			apk_blob_t l, token = APK_BLOB_STR("\n");
+			while (!APK_BLOB_IS_NULL(l = apk_istream_get_delim(is, token)))
+				read_info_line(ctx, l);
+			return 0;
+		}
+		if (ae->name[0] == '.')
+			type = apk_script_type(&ae->name[1]);
+		if (type == APK_SCRIPT_INVALID)
+			return 0;
+	}
 
 	/* Sanity check the file name */
 	if (ae->name[0] == '/' ||
@@ -2402,20 +2414,6 @@ static int apk_db_install_archive_entry(void *_ctx,
 		return 0;
 	}
 
-	/* Package metainfo and script processing */
-	if (ae->name[0] == '.') {
-		/* APK 2.0 format */
-		if (strcmp(ae->name, ".PKGINFO") == 0) {
-			apk_blob_t l, token = APK_BLOB_STR("\n");
-			while (!APK_BLOB_IS_NULL(l = apk_istream_get_delim(is, token)))
-				read_info_line(ctx, l);
-			return 0;
-		}
-		type = apk_script_type(&ae->name[1]);
-		if (type == APK_SCRIPT_INVALID)
-			return 0;
-	}
-
 	/* Handle script */
 	if (type != APK_SCRIPT_INVALID) {
 		apk_ipkg_add_script(ipkg, is, type, ae->size);