App-MechaCPAN
view release on metacpan or search on metacpan
lib/App/MechaCPAN.pm view on Meta::CPAN
unless $url =~ m{CHECKSUMS\z}xmsi;
# Even if verification is optional, not downloading the CHECKSUMS is fatal
my $checksums = '';
fetch_file( $url, \$checksums );
$checksums = App::MechaCPAN::_verify_checksums_body($checksums);
# If $CHKSIGS is true, we must verify that CHECKSUMS has a valid signature
# If $CHKSIGS is undef, we will verify that CHECKSUMS has a valid signature
# if possible, but won't throw errors if can't.
# In both cases, the CHECKSUMS is used to validate the checksums of the
# downloaded file
# If $CHKSIGS is otherwise false, we already did an early return above
my $verify_fn = _resolve_verifier();
if ( !defined $verify_fn )
{
die "Could not find verification program and verification was required"
if $CHKSIGS;
logmsg "CHECKSUMS signature not checked: PGP verifier not found";
}
lib/App/MechaCPAN.pm view on Meta::CPAN
if $part eq '..';
}
return 0;
}
# Inspect a tar archive's header entries (no extraction). Returns a
# human-readable reason if any entry would escape the destination dir
# (absolute paths, '..' traversal in names, or symlink/hardlink targets
# pointing outside). Returns undef if the archive is safe.
sub _validate_archive_is_safe
{
my $src = shift;
require Archive::Tar;
# Create a tar iterator. The magic 1 tells it to decompress
my $iter = Archive::Tar->iter( "$src", 1 );
return "could not read archive: $src"
if !defined $iter;
lib/App/MechaCPAN.pm view on Meta::CPAN
if ( !defined $dir )
{
my $descr = ( File::Spec->splitpath($src) )[2];
$dir = humane_tmpdir($descr);
}
die "Could not find destination directory: $dir"
if !-d $dir;
if ( my $reason = _validate_archive_is_safe($src) )
{
croak "Refusing to extract unsafe archive $src: $reason\n";
}
my $orig = cwd;
my $is_complete;
foreach my $inflate_sub (@inflate)
{
local $@;
( run in 2.732 seconds using v1.01-cache-2.11-cpan-6aa56a78535 )