conan
[bug] Modify checksums defaults to `None`
The `get` function (and `download`) uses this signature: `def get(conanfile, url, md5='', sha1='', sha256='',...)`. IMHO it would be better to use `None` as the default and always check explicitly using `if sha256 is not None` instead of `if sha256`.
Changing the approach would prevent some malicious code like in the following conandata.yml:
```yaml
sources:
  "0.0.18":
    url: "https://blend2d.com/download/blend2d-beta18.zip"
    sha256: ""
  "0.0.17":
    url: "https://blend2d.com/download/blend2d-beta17.zip"
    sha256: "06ee8fb0bea281d09291e498900093139426501a1a7f09dba0ec801dd340635e"
```
Here, the CCI validation (hooks) is successful because the `sha256` entry exists and it is a string. Of course, there is something to improve there, but I think the client would also benefit from this change.
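The difference between the two checks described in this issue, as an added example that is not Conan's own code. The names `verify_truthy`, `verify_explicit`, `hook_accepts` and the sample data are hypothetical; only the `''` versus `None` defaults and the `if sha256` versus `if sha256 is not None` tests come from the issue text.

```python
import hashlib
import re


class ChecksumError(Exception):
    pass


def _check(data, expected):
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected.lower():
        raise ChecksumError(f"sha256 mismatch: expected {expected!r}, got {actual}")


def verify_truthy(data, sha256=''):
    # Pattern from the issue: '' is falsy, so an empty checksum skips the check.
    if sha256:
        _check(data, sha256)
    return data


def verify_explicit(data, sha256=None):
    # Proposed pattern: '' is not None, so it is compared and fails.
    if sha256 is not None:
        _check(data, sha256)
    return data


SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def hook_accepts(entry):
    # Assumed stricter hook-side rule: the value must be 64 hex characters,
    # not merely a string that exists.
    value = entry.get("sha256")
    return isinstance(value, str) and SHA256_RE.fullmatch(value) is not None


def silently_accepted(verify, data, sha256):
    try:
        verify(data, sha256=sha256)
        return True
    except ChecksumError:
        return False


# Constructed sample data (not real archives or URLs).
ARCHIVE = b"constructed archive bytes"
ENTRY_EMPTY = {"url": "https://example.invalid/pkg.zip", "sha256": ""}
ENTRY_GOOD = {"url": "https://example.invalid/pkg.zip",
              "sha256": hashlib.sha256(ARCHIVE).hexdigest()}
```
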