hashdeep icon indicating copy to clipboard operation
hashdeep copied to clipboard

Published 20 hours ago verified publisher icon jessek

FILEFORMAT incorrectly states one entry per line

Open paulhargreaves opened this issue 6 years ago • 5 comments

If any filenames have a newline then the output is multiple line, but the FILEFORMAT states 'Each line should contain a series of comma separated values corresponding to the columns listed in the file header.'

To reproduce: (Linux)

$ f="$(echo -e "foo\nbar")"; echo "HELLO" >> "$f"
$ hashdeep foo*
%%%% HASHDEEP-1.0
%%%% size,md5,sha256,filename
## Invoked from: /tmp/hashexam
## $ hashdeep foo
bar
## 
6,0084467710d2fc9d8a306e14efbe6d0f,3b09aeb6f5f5336beb205d7f720371bc927cd46c21922e334d47ba264acb5ba4,/tmp/hashexam/foo
bar
$

paulhargreaves avatar May 08 '18 06:05 paulhargreaves

I just encountered this when my scripts caught a failing audit.

For a test case, I ran: hashdeep -r SectionInfoCaches > 2018may11a12.csums Here is the resulting file: https://gist.github.com/ethus3h/3291029ce0533c6af042a88d1f7be2f2

Then, I ran: hashdeep -rvvk 2018may11a12.csums -a SectionInfoCaches with the result:

/nvme0n1p5/SectionInfoCaches/FRCCache{
    NoteCollectionPrimaryIdentifier = "BB1037FC-049E-40C7-9D15-2731C90F95B2";
    NoteCollectionSecondaryIdentifier = "imap:/[email protected]/Notes";
    NoteCollectionType = Store;
}/sectionInfo: Moved from /nvme0n1p5/SectionInfoCaches/FRCCache{
: Known file not used
: Known file not used
: Known file not used
: Known file not used
hashdeep: Audit failed
   Input files examined: 0
  Known files expecting: 0
          Files matched: 1
Files partially matched: 0
            Files moved: 1
        New files found: 0
  Known files not found: 4

Here is a tar file of the folder I tested on: https://github.com/ethus3h/personal/raw/825ffffa9f252a1067c3cff92e968965adaa2d11/2018may11a12n3.tar

ethus3h avatar May 12 '18 05:05 ethus3h

Aha, it turns out there is an undocumented -0 option to use null for the separator. This prevents this issue. I think all that is needed is adding it to the manpage.

ethus3h avatar Sep 19 '18 03:09 ethus3h

Well, as it turns out, auditing hashdeep files created using -0 isn't implemented. I guess that's why it's not documented...

ethus3h avatar Sep 22 '18 07:09 ethus3h

I think it would need to be implemented around https://github.com/jessek/hashdeep/blob/877613493ff44807888ce1928129574be393cbb0/src/files.cpp#L558.

ethus3h avatar Sep 22 '18 07:09 ethus3h

Related to the undocumented option:

Escape hashes and filenames with '\n' and '\\', support -z / --zero #389

HaleTom avatar Sep 17 '19 07:09 HaleTom