From 34ac88cb873ad81f1510e2207c34b6abaa1ae16a Mon Sep 17 00:00:00 2001
From: =?utf8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
Date: Wed, 4 Sep 2019 11:06:52 +0200
Subject: [PATCH] system: reject sysupgrade of invalid firmware images by
 default
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

This validation step can be bypassed by passing the "force" argument. This
is very similar to the behavior of /sbin/sysupgrade and its --force option.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
---
 system.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/system.c b/system.c
index 7d7073d..94bef1b 100644
--- a/system.c
+++ b/system.c
@@ -490,6 +490,7 @@ static int validate_firmware_image(struct ubus_context *ctx,
 
 enum {
 	SYSUPGRADE_PATH,
+	SYSUPGRADE_FORCE,
 	SYSUPGRADE_PREFIX,
 	SYSUPGRADE_COMMAND,
 	SYSUPGRADE_OPTIONS,
@@ -498,6 +499,7 @@ enum {
 
 static const struct blobmsg_policy sysupgrade_policy[__SYSUPGRADE_MAX] = {
 	[SYSUPGRADE_PATH] = { .name = "path", .type = BLOBMSG_TYPE_STRING },
+	[SYSUPGRADE_FORCE] = { .name = "force", .type = BLOBMSG_TYPE_BOOL },
 	[SYSUPGRADE_PREFIX] = { .name = "prefix", .type = BLOBMSG_TYPE_STRING },
 	[SYSUPGRADE_COMMAND] = { .name = "command", .type = BLOBMSG_TYPE_STRING },
 	[SYSUPGRADE_OPTIONS] = { .name = "options", .type = BLOBMSG_TYPE_TABLE },
@@ -539,6 +541,9 @@ static int sysupgrade(struct ubus_context *ctx, struct ubus_object *obj,
 		if (!forceable) {
 			fprintf(stderr, "Firmware image is broken and cannot be installed\n");
 			return UBUS_STATUS_NOT_SUPPORTED;
+		} else if (!tb[SYSUPGRADE_FORCE] || !blobmsg_get_bool(tb[SYSUPGRADE_FORCE])) {
+			fprintf(stderr, "Firmware image is invalid\n");
+			return UBUS_STATUS_NOT_SUPPORTED;
 		}
 	}
 
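Review bot: When `force` is true and the image is invalid but forceable, the new `else if` falls through and the upgrade proceeds with no record that validation was overridden. Because `force` is supplied by the ubus caller, that path should leave an audit trail: add a final branch `} else {` with `fprintf(stderr, "Forcing sysupgrade of invalid firmware image\n");` before the closing brace. Both rejection branches also return `UBUS_STATUS_NOT_SUPPORTED`, so a client cannot tell a broken image from one that would be accepted with `force`; only the stderr text differs. The enclosing validity check and the rest of `sysupgrade` lie outside the hunk, so who may call the method with `force` (the ubus ACL) cannot be judged from here and is worth confirming.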
-- 
2.25.1