apt: update patches

***

This commit contains further changes to user agent string in addition
to introduced in fd66e2fe29.

It now sends the installation prefix obtained from /proc/self/exe, which
should resist patching `apt` with sed or by other means. As a reminder, the
installation prefix provided in the User-Agent HTTP header is intended for
distinguishing Termux from its derivatives.

Here are sample lines from my mirror logs showing usage of Termux repo
by third-party projects:
```
162.158.103.43 - - [21/Jan/2021:09:46:43 +0200] "GET /dists/stable/Release HTTP/1.1" 304 0 "-" "Termux-PKG/1.0 mirror-checker (termux-tools 0.104) Termux (pl.sviete.dom; install-prefix:/data/data/pl.sviete.dom/files/usr)"
162.158.210.8 - - [20/Jan/2021:06:24:54 +0200] "GET /dists/stable/InRelease HTTP/1.1" 404 146 "-" "Debian APT-HTTP/1.3 (2.1.15) Termux (vn.vhn.vsc; install-prefix:/data/data/vn.vhn.vsc/files/usr)"
162.158.210.142 - - [20/Jan/2021:06:24:54 +0200] "GET /dists/stable/Release.gpg HTTP/1.1" 304 0 "-" "Debian APT-HTTP/1.3 (2.1.15) Termux (vn.vhn.vsc; install-prefix:/data/data/vn.vhn.vsc/files/usr)"
```

***

CloudFlare firewall for termux.org and termux-mirror.ml hosts would be
adjusted to block all requests which do not have install-prefix set or
if the latter doesn't match one of the Termux.
Leonid Pliushch 2021-02-03 22:19:43 +02:00
parent df64cf9d76
commit c061024982
No known key found for this signature in database
GPG Key ID: 45F2964132545795
2 changed files with 63 additions and 27 deletions


@ -1,6 +1,6 @@
diff -uNr apt-2.1.11/apt-pkg/contrib/srvrec.cc apt-2.1.11.mod/apt-pkg/contrib/srvrec.cc
--- apt-2.1.11/apt-pkg/contrib/srvrec.cc 2020-10-21 12:53:18.000000000 +0300
+++ apt-2.1.11.mod/apt-pkg/contrib/srvrec.cc 2020-11-05 16:37:46.301044740 +0200
diff -uNr apt-2.1.18/apt-pkg/contrib/srvrec.cc apt-2.1.18.mod/apt-pkg/contrib/srvrec.cc
--- apt-2.1.18/apt-pkg/contrib/srvrec.cc 2021-01-13 18:37:30.000000000 +0200
+++ apt-2.1.18.mod/apt-pkg/contrib/srvrec.cc 2021-02-03 21:38:17.382553856 +0200
@@ -6,6 +6,7 @@
##################################################################### */
@ -14,9 +14,9 @@ diff -uNr apt-2.1.11/apt-pkg/contrib/srvrec.cc apt-2.1.11.mod/apt-pkg/contrib/sr
return selected;
}
+#endif
diff -uNr apt-2.1.11/apt-pkg/contrib/srvrec.h apt-2.1.11.mod/apt-pkg/contrib/srvrec.h
--- apt-2.1.11/apt-pkg/contrib/srvrec.h 2020-10-21 12:53:18.000000000 +0300
+++ apt-2.1.11.mod/apt-pkg/contrib/srvrec.h 2020-11-05 16:37:46.301044740 +0200
diff -uNr apt-2.1.18/apt-pkg/contrib/srvrec.h apt-2.1.18.mod/apt-pkg/contrib/srvrec.h
--- apt-2.1.18/apt-pkg/contrib/srvrec.h 2021-01-13 18:37:30.000000000 +0200
+++ apt-2.1.18.mod/apt-pkg/contrib/srvrec.h 2021-02-03 21:38:17.386553898 +0200
@@ -8,6 +8,7 @@
/*}}}*/
#ifndef SRVREC_H
@ -30,9 +30,9 @@ diff -uNr apt-2.1.11/apt-pkg/contrib/srvrec.h apt-2.1.11.mod/apt-pkg/contrib/srv
#endif
+#endif
diff -uNr apt-2.1.11/cmdline/apt-helper.cc apt-2.1.11.mod/cmdline/apt-helper.cc
--- apt-2.1.11/cmdline/apt-helper.cc 2020-10-21 12:53:18.000000000 +0300
+++ apt-2.1.11.mod/cmdline/apt-helper.cc 2020-11-05 16:37:46.301044740 +0200
diff -uNr apt-2.1.18/cmdline/apt-helper.cc apt-2.1.18.mod/cmdline/apt-helper.cc
--- apt-2.1.18/cmdline/apt-helper.cc 2021-01-13 18:37:30.000000000 +0200
+++ apt-2.1.18.mod/cmdline/apt-helper.cc 2021-02-03 21:38:17.386553898 +0200
@@ -106,6 +106,7 @@
return true;
@ -49,7 +49,7 @@ diff -uNr apt-2.1.11/cmdline/apt-helper.cc apt-2.1.11.mod/cmdline/apt-helper.cc
static const APT::Configuration::Compressor *FindCompressor(std::vector<APT::Configuration::Compressor> const &compressors, std::string const &name) /*{{{*/
{
APT::Configuration::Compressor const * compressor = NULL;
@@ -303,7 +305,9 @@
@@ -311,7 +313,9 @@
{
return {
{"download-file", &DoDownloadFile, _("download the given uri to the target-path")},
@ -59,9 +59,9 @@ diff -uNr apt-2.1.11/cmdline/apt-helper.cc apt-2.1.11.mod/cmdline/apt-helper.cc
{"cat-file", &DoCatFile, _("concatenate files, with automatic decompression")},
{"auto-detect-proxy", &DoAutoDetectProxy, _("detect proxy using apt.conf")},
{"wait-online", &DoWaitOnline, _("wait for system to be online")},
diff -uNr apt-2.1.11/methods/connect.cc apt-2.1.11.mod/methods/connect.cc
--- apt-2.1.11/methods/connect.cc 2020-10-21 12:53:18.000000000 +0300
+++ apt-2.1.11.mod/methods/connect.cc 2020-11-05 16:42:47.459060807 +0200
diff -uNr apt-2.1.18/methods/connect.cc apt-2.1.18.mod/methods/connect.cc
--- apt-2.1.18/methods/connect.cc 2021-01-13 18:37:30.000000000 +0200
+++ apt-2.1.18.mod/methods/connect.cc 2021-02-03 21:41:48.220687372 +0200
@@ -49,7 +49,9 @@
static struct addrinfo *LastHostAddr = 0;
static struct addrinfo *LastUsed = 0;
@ -72,17 +72,18 @@ diff -uNr apt-2.1.11/methods/connect.cc apt-2.1.11.mod/methods/connect.cc
// Set of IP/hostnames that we timed out before or couldn't resolve
static std::set<std::string> bad_addr;
@@ -486,6 +488,9 @@
if (ConnectionAllowed(Service, Host) == false)
return ResultState::FATAL_ERROR;
@@ -486,6 +488,10 @@
// Used by getaddrinfo(); prefer port if given, else fallback to service
std::string ServiceNameOrPort = Port != 0 ? std::to_string(Port) : Service;
+size_t stackSize = 0;
+ size_t stackSize = 0;
+
+#ifndef __ANDROID__
if(LastHost != Host || LastPort != Port)
+
if(LastHost != Host || LastService != ServiceNameOrPort)
{
SrvRecords.clear();
@@ -503,7 +508,6 @@
@@ -503,7 +509,6 @@
}
}
@ -90,7 +91,7 @@ diff -uNr apt-2.1.11/methods/connect.cc apt-2.1.11.mod/methods/connect.cc
// try to connect in the priority order of the srv records
std::string initialHost{std::move(Host)};
auto const initialPort = Port;
@@ -525,6 +529,7 @@
@@ -525,6 +530,7 @@
}
Host = std::move(initialHost);
Port = initialPort;


@ -1,22 +1,57 @@
diff -uNr apt-2.1.14/methods/http.cc apt-2.1.14.mod/methods/http.cc
--- apt-2.1.14/methods/http.cc 2020-12-15 15:07:36.000000000 +0200
+++ apt-2.1.14.mod/methods/http.cc 2020-12-24 16:23:15.722168489 +0200
@@ -341,7 +341,7 @@
diff -uNr apt-2.1.18/methods/http.cc apt-2.1.18.mod/methods/http.cc
--- apt-2.1.18/methods/http.cc 2021-01-13 18:37:30.000000000 +0200
+++ apt-2.1.18.mod/methods/http.cc 2021-02-03 22:06:04.242782879 +0200
@@ -341,7 +341,26 @@
Req << "Proxy-Authorization: Basic "
<< Base64Encode(Proxy.User + ":" + Proxy.Password) << "\r\n";
- Req << "User-Agent: " << Owner->ConfigFind("User-Agent", "Debian APT-HTTP/1.3 (" PACKAGE_VERSION ")") << "\r\n";
+ Req << "User-Agent: Debian APT-HTTP/1.3 (" PACKAGE_VERSION ") Termux (@TERMUX_APP_PACKAGE@; install-prefix:@TERMUX_PREFIX@)" << "\r\n";
+ // Determine the actual installation prefix to send as part of user-agent string.
+ // Mirrors can use this information to distinguish legit Termux installations from
+ // third parties using Termux repositories.
+ char binPath[PATH_MAX] = {0};
+ ssize_t binPathLen = readlink("/proc/self/exe", binPath, sizeof(binPath)-1);
+ if (binPathLen != -1) {
+ binPath[binPathLen] = '\0';
+
+ char *aptMethodsSub = strstr(binPath, "/lib/apt/methods");
+ if (aptMethodsSub) {
+ // Cut /lib/apt/methods.. from prefix, if possible.
+ aptMethodsSub[0] = '\0';
+ }
+ } else {
+ // Use hardcoded as fallback.
+ // Mostly useless as will help to detect only binary-patched apt.
+ strncpy(binPath, "@TERMUX_PREFIX@", PATH_MAX - 1);
+ }
+
+ Req << "User-Agent: Debian APT-HTTP/1.3 (" PACKAGE_VERSION ") Termux (@TERMUX_APP_PACKAGE@; install-prefix:" << binPath <<")" << "\r\n";
Req << "\r\n";
@@ -955,8 +955,7 @@
@@ -954,8 +973,23 @@
Req << "Authorization: Basic "
<< Base64Encode(Uri.User + ":" + Uri.Password) << "\r\n";
- Req << "User-Agent: " << ConfigFind("User-Agent",
- "Debian APT-HTTP/1.3 (" PACKAGE_VERSION ")");
+ Req << "User-Agent: Debian APT-HTTP/1.3 (" PACKAGE_VERSION ") Termux (@TERMUX_APP_PACKAGE@; install-prefix:@TERMUX_PREFIX@)";
+ char binPath[PATH_MAX] = {0};
+ ssize_t binPathLen = readlink("/proc/self/exe", binPath, sizeof(binPath)-1);
+ if (binPathLen != -1) {
+ binPath[binPathLen] = '\0';
+
+ char *aptMethodsSub = strstr(binPath, "/lib/apt/methods");
+ if (aptMethodsSub) {
+ // Cut /lib/apt/methods.. from prefix, if possible.
+ aptMethodsSub[0] = '\0';
+ }
+ } else {
+ // Use hardcoded as fallback.
+ // Mostly useless as will help to detect only binary-patched apt.
+ strncpy(binPath, "@TERMUX_PREFIX@", PATH_MAX - 1);
+ }
+
+ Req << "User-Agent: Debian APT-HTTP/1.3 (" PACKAGE_VERSION ") Termux (@TERMUX_APP_PACKAGE@; install-prefix:" << binPath << ")";
#ifdef HAVE_SYSTEMD
if (ConfigFindB("User-Agent-Non-Interactive", false))
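Review bot: In both added blocks of the http.cc patch (the request carrying `Proxy-Authorization` at `@@ -341` and the one carrying `Authorization` at `@@ -954`), the string read from `/proc/self/exe` is written into the `User-Agent` header unchecked, so a path containing CR/LF or other control bytes would corrupt the request, and when `/lib/apt/methods` is not found the full executable path is sent. The same block is duplicated and only the first copy carries the explanatory comment; a single helper that validates the value and falls back to `@TERMUX_PREFIX@` would keep the two sites consistent. Because the header is entirely client-supplied, the mirror-side rule described in the commit message can only act as a heuristic filter rather than an access control, and the comment should say so. Both enclosing functions start and end outside the hunks.

```cpp
// Install prefix reported in the User-Agent header. Derived from /proc/self/exe;
// falls back to the build-time prefix when the link cannot be read or the path
// contains bytes that must not appear in an HTTP header. The value is
// client-supplied, so mirrors may use it for filtering, not for access control.
static std::string TermuxInstallPrefix()
{
   char binPath[PATH_MAX] = {0};
   ssize_t const binPathLen = readlink("/proc/self/exe", binPath, sizeof(binPath) - 1);
   if (binPathLen <= 0)
      return "@TERMUX_PREFIX@";

   std::string prefix(binPath, binPathLen);
   auto const methodsDir = prefix.find("/lib/apt/methods");
   if (methodsDir != std::string::npos)
      prefix.erase(methodsDir);

   // Never let control bytes (CR/LF in particular) reach the request header.
   for (unsigned char const c : prefix)
      if (c < 0x20 || c == 0x7f)
         return "@TERMUX_PREFIX@";
   return prefix;
}

// ... unchanged: Proxy-Authorization lines ...
   Req << "User-Agent: Debian APT-HTTP/1.3 (" PACKAGE_VERSION ") Termux (@TERMUX_APP_PACKAGE@; install-prefix:" << TermuxInstallPrefix() << ")" << "\r\n";

// ... unchanged: Authorization lines ...
   Req << "User-Agent: Debian APT-HTTP/1.3 (" PACKAGE_VERSION ") Termux (@TERMUX_APP_PACKAGE@; install-prefix:" << TermuxInstallPrefix() << ")";
```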