Use pushd/popd and create random temporary directory to prevent potential backdoor binary injection.

Signed-off-by: Dan Schaper <dan.schaper@pi-hole.net>
This commit is contained in:
Dan Schaper 2018-02-22 20:13:38 -08:00
parent f14184df30
commit 4606693e62
No known key found for this signature in database
GPG Key ID: B4FF14C01CC08DC0
1 changed files with 12 additions and 15 deletions

View File

@ -1734,17 +1734,14 @@ clone_or_update_repos() {
fi fi
} }
# Download and install FTL binary # Download FTL binary to random temp directory and install FTL binary
FTLinstall() { FTLinstall() {
# Local, named variables # Local, named variables
local binary="${1}" local binary="${1}"
local latesttag local latesttag
local orig_dir
local str="Downloading and Installing FTL" local str="Downloading and Installing FTL"
echo -ne " ${INFO} ${str}..." echo -ne " ${INFO} ${str}..."
# Get the current working directory
orig_dir="${PWD}"
# Find the latest version tag for FTL # Find the latest version tag for FTL
latesttag=$(curl -sI https://github.com/pi-hole/FTL/releases/latest | grep "Location" | awk -F '/' '{print $NF}') latesttag=$(curl -sI https://github.com/pi-hole/FTL/releases/latest | grep "Location" | awk -F '/' '{print $NF}')
# Tags should always start with v, check for that. # Tags should always start with v, check for that.
@ -1754,44 +1751,44 @@ FTLinstall() {
return 1 return 1
fi fi
# Move into the temp ftl directory
pushd "$(mktmp -d)" || { echo "Unable to make temporary directory for FTL binary download"; return 1; }
# Always replace pihole-FTL.service # Always replace pihole-FTL.service
install -T -m 0755 "${PI_HOLE_LOCAL_REPO}/advanced/pihole-FTL.service" "/etc/init.d/pihole-FTL" install -T -m 0755 "${PI_HOLE_LOCAL_REPO}/advanced/pihole-FTL.service" "/etc/init.d/pihole-FTL"
# If the download worked, # If the download worked,
if curl -sSL --fail "https://github.com/pi-hole/FTL/releases/download/${latesttag%$'\r'}/${binary}" -o "/tmp/${binary}"; then if curl -sSL --fail "https://github.com/pi-hole/FTL/releases/download/${latesttag%$'\r'}/${binary}" -o "${binary}"; then
# get sha1 of the binary we just downloaded for verification. # get sha1 of the binary we just downloaded for verification.
curl -sSL --fail "https://github.com/pi-hole/FTL/releases/download/${latesttag%$'\r'}/${binary}.sha1" -o "/tmp/${binary}.sha1" curl -sSL --fail "https://github.com/pi-hole/FTL/releases/download/${latesttag%$'\r'}/${binary}.sha1" -o "${binary}.sha1"
# Move into the temp directory
cd /tmp
# If we downloaded binary file (as opposed to text), # If we downloaded binary file (as opposed to text),
if sha1sum --status --quiet -c "${binary}".sha1; then if sha1sum --status --quiet -c "${binary}".sha1; then
echo -n "transferred... " echo -n "transferred... "
# Stop FTL # Stop FTL
stop_service pihole-FTL &> /dev/null stop_service pihole-FTL &> /dev/null
# Install the new version with the correct permissions # Install the new version with the correct permissions
install -T -m 0755 /tmp/${binary} /usr/bin/pihole-FTL install -T -m 0755 "${binary}" /usr/bin/pihole-FTL
# Remove the tempoary file
rm /tmp/${binary} /tmp/${binary}.sha1
# Move back into the original directory the user was in # Move back into the original directory the user was in
cd "${orig_dir}" popd || { echo "Unable to return to original directory after FTL binary download."; return 1; }
# Install the FTL service # Install the FTL service
echo -e "${OVER} ${TICK} ${str}" echo -e "${OVER} ${TICK} ${str}"
return 0 return 0
# Otherise, # Otherise,
else else
# the download failed, so just go back to the original directory
popd || { echo "Unable to return to original directory after FTL binary download."; return 1; }
echo -e "${OVER} ${CROSS} ${str}" echo -e "${OVER} ${CROSS} ${str}"
echo -e " ${COL_LIGHT_RED}Error: Download of binary from Github failed${COL_NC}" echo -e " ${COL_LIGHT_RED}Error: Download of binary from Github failed${COL_NC}"
# the download failed, so just go back to the original directory
cd "${orig_dir}"
return 1 return 1
fi fi
# Otherwise, # Otherwise,
else else
cd "${orig_dir}" popd || { echo "Unable to return to original directory after FTL binary download."; return 1; }
echo -e "${OVER} ${CROSS} ${str}" echo -e "${OVER} ${CROSS} ${str}"
# The URL could not be found # The URL could not be found
echo -e " ${COL_LIGHT_RED}Error: URL not found${COL_NC}" echo -e " ${COL_LIGHT_RED}Error: URL not found${COL_NC}"
return 1
fi fi
} }