diff --git a/SOURCES/wget-1.19.5-no_proxy-dot-prefix.patch b/SOURCES/wget-1.19.5-no_proxy-dot-prefix.patch new file mode 100644 index 0000000..c36d6fe --- /dev/null +++ b/SOURCES/wget-1.19.5-no_proxy-dot-prefix.patch @@ -0,0 +1,28 @@ +commit fd85ac9cc623847e9d94d9f9241ab34e2c146cbf +Author: Luiz Angelo Daros de Luca +Date: Thu Oct 25 17:39:52 2018 -0300 + + * src/host.c (sufmatch): Fix dot-prefixed domain matching + + Current sufmatch does not match when domain is dot-prefixed. + The example of no_proxy in man (.mit.edu) does use a dot-prefixed + domain. + + Signed-off-by: Luiz Angelo Daros de Luca + Copyright-paperwork-exempt: Yes + +diff --git a/src/host.c b/src/host.c +index b42cd6e8..2bf848f3 100644 +--- a/src/host.c ++++ b/src/host.c +@@ -1033,8 +1033,9 @@ sufmatch (const char **list, const char *what) + /* Domain or subdomain match + * k == -1: exact match + * k >= 0 && what[k] == '.': subdomain match ++ * k >= 0 && list[i][0] == '.': dot-prefixed subdomain match + */ +- if (j == -1 && (k == -1 || what[k] == '.')) ++ if (j == -1 && (k == -1 || what[k] == '.' || list[i][0] == '.')) + return true; + } + diff --git a/SOURCES/wget-1.19.5-no_proxy-tests.patch b/SOURCES/wget-1.19.5-no_proxy-tests.patch new file mode 100644 index 0000000..b38dcc1 --- /dev/null +++ b/SOURCES/wget-1.19.5-no_proxy-tests.patch @@ -0,0 +1,285 @@ +From dea0f6272889adcff846144fff5714c076067b16 Mon Sep 17 00:00:00 2001 +From: Tomas Hozza +Date: Thu, 7 Nov 2019 12:46:15 +0100 +Subject: [PATCH 1/3] testenv: HTTPTest.begin() should return exit value + +* testenv/test/http_test.py: Ensure that HTTPTest.begin() always retuns a value + +Previously the HTTPTest.begin() method always returned None. However this is not consistent with the begin() implementation of the parent class (BaseTest). This change ensures that HTTPTest.begin() returns a value. + +Signed-off-by: Tomas Hozza +--- + testenv/test/http_test.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/testenv/test/http_test.py b/testenv/test/http_test.py +index fef0c2ef..462ac6e7 100644 +--- a/testenv/test/http_test.py ++++ b/testenv/test/http_test.py +@@ -42,7 +42,7 @@ class HTTPTest(BaseTest): + print_green("Test Passed.") + else: + self.tests_passed = False +- super(HTTPTest, self).begin() ++ return super(HTTPTest, self).begin() + + def instantiate_server_by(self, protocol): + server = {HTTP: HTTPd, +-- +2.21.0 + + +From 7fba12cf25ff7cc352f0f5df7d91670df7035823 Mon Sep 17 00:00:00 2001 +From: Tomas Hozza +Date: Thu, 7 Nov 2019 13:01:44 +0100 +Subject: [PATCH 2/3] testenv: Allow definition of environment variables for + wget execuion + +* testenv/README: Added description for new EnvironmentVariable hook +* testenv/conf/environment_variable.py: Added implementation of EnvironmentVariable hook +* testenv/test/base_test.py: Modified exec_wget() to enable use of EnvironmentVariable hook + +Added new test hook called EnvironmentVariables, for defining environment variables when wget is executed in tests. This is handy for testing environment variables, which are accepted by wget. + +Signed-off-by: Tomas Hozza +--- + testenv/README | 3 +++ + testenv/conf/environment_variables.py | 14 ++++++++++++++ + testenv/test/base_test.py | 6 +++++- + 3 files changed, 22 insertions(+), 1 deletion(-) + create mode 100644 testenv/conf/environment_variables.py + +diff --git a/testenv/README b/testenv/README +index aca8cdda..d4fabddd 100644 +--- a/testenv/README ++++ b/testenv/README +@@ -224,6 +224,9 @@ executed. The currently supported options are: + file. While all Download URL's are passed to Urls, a notable exception is + when in-url authentication is used. In such a case, the URL is specified in + the WgetCommands string. ++ * EnvironmentVariables: A dictionary with key-value items, which will be ++ defined as environment variables during the execution of wget command in ++ test. + + Post-Test Hooks: + ================================================================================ +diff --git a/testenv/conf/environment_variables.py b/testenv/conf/environment_variables.py +new file mode 100644 +index 00000000..323c051c +--- /dev/null ++++ b/testenv/conf/environment_variables.py +@@ -0,0 +1,14 @@ ++from conf import hook ++ ++""" Test Option: EnvironmentVariables ++This hook is used to define environment variables used for execution of wget ++command in test.""" ++ ++ ++@hook(alias='EnvironmentVariables') ++class URLs: ++ def __init__(self, envs): ++ self.envs = envs ++ ++ def __call__(self, test_obj): ++ test_obj.envs.update(**self.envs) +diff --git a/testenv/test/base_test.py b/testenv/test/base_test.py +index dbf4678f..04a6f748 100644 +--- a/testenv/test/base_test.py ++++ b/testenv/test/base_test.py +@@ -51,6 +51,7 @@ class BaseTest: + + self.wget_options = '' + self.urls = [] ++ self.envs = dict() + + self.tests_passed = True + self.ready = False +@@ -97,12 +98,15 @@ class BaseTest: + cmd_line = self.gen_cmd_line() + params = shlex.split(cmd_line) + print(params) ++ envs = {"HOME": os.getcwd()} ++ envs.update(**self.envs) ++ print(envs) + + if os.getenv("SERVER_WAIT"): + time.sleep(float(os.getenv("SERVER_WAIT"))) + + try: +- ret_code = call(params, env={"HOME": os.getcwd()}) ++ ret_code = call(params, env=envs) + except FileNotFoundError: + raise TestFailed("The Wget Executable does not exist at the " + "expected path.") +-- +2.21.0 + + +From 0d50becc19ba07f34157b2842ca97675cc95fc1a Mon Sep 17 00:00:00 2001 +From: Tomas Hozza +Date: Thu, 7 Nov 2019 13:11:30 +0100 +Subject: [PATCH 3/3] testenv: Add test for handling of no_proxy environment + variable + +* testenv/Test-no_proxy-env.py: Added new test for no_proxy env + +Added new test with 5 cases, which are testing various combinations of no_proxy environment variable definition and requested URLs + +Signed-off-by: Tomas Hozza +--- + testenv/Test-no_proxy-env.py | 142 +++++++++++++++++++++++++++++++++++ + 1 file changed, 142 insertions(+) + create mode 100755 testenv/Test-no_proxy-env.py + +diff --git a/testenv/Test-no_proxy-env.py b/testenv/Test-no_proxy-env.py +new file mode 100755 +index 00000000..ea7f38c4 +--- /dev/null ++++ b/testenv/Test-no_proxy-env.py +@@ -0,0 +1,142 @@ ++#!/usr/bin/env python3 ++from sys import exit ++from test.http_test import HTTPTest ++from test.base_test import HTTP ++from misc.wget_file import WgetFile ++ ++""" ++ This test ensures, that domains with and without leftmost dot defined in ++ no_proxy environment variable are accepted by wget. The idea is to use ++ non-existing proxy server address and detect whether files are downloaded ++ when proxy settings are omitted based on no_proxy environment variable ++ value. ++ ++ current wget's behavior: ++ - "no_proxy=.mit.edu" ++ - will match the domain and subdomains e.g. "www.mit.edu" or "www.subdomain.mit.edu" (Case #4) ++ - will NOT match the host "mit.edu" (Case #3) ++ - "no_proxy=mit.edu" ++ - will match the domain and subdomains e.g. "www.mit.edu" or "www.subdomain.mit.edu" (Case #2) ++ - will match the host "mit.edu" (Case #1) ++ - downside: can not match only the host ++""" ++# File Definitions ++File1 = "Would you like some Tea?" ++File2 = "With lemon or cream?" ++ ++A_File = WgetFile ("File1", File1) ++B_File = WgetFile ("File2", File2) ++ ++WGET_URLS = [["File1", "File2"]] ++WGET_ENVS = { ++ "http_proxy": "nonexisting.localhost:8080", ++ "no_proxy": "working1.localhost,.working2.localhost" ++} ++ ++Servers = [HTTP] ++Files = [[A_File, B_File]] ++ ++ExpectedReturnCodeWorking = 0 ++ExpectedReturnCodeNotWorking = 4 # network error (non-existing proxy address) ++ ++ExpectedDownloadedFilesWorking = [A_File, B_File] ++ ++# Pre and Post Test Hooks ++test_options = { ++ "Urls" : WGET_URLS, ++ "EnvironmentVariables": WGET_ENVS ++} ++post_test_working = { ++ "ExpectedFiles" : ExpectedDownloadedFilesWorking, ++ "ExpectedRetcode" : ExpectedReturnCodeWorking ++} ++post_test_not_working = { ++ "ExpectedRetcode" : ExpectedReturnCodeNotWorking ++} ++ ++# Case #1: ++# - Requested domain matches exactly the domain definition in no_proxy. ++# - Domain definition in no_proxy is NOT dot-prefixed ++# Expected result: proxy settings don't apply and files are downloaded. ++pre_case_1 = { ++ "ServerFiles" : Files, ++ "Domains" : ["working1.localhost"] ++} ++ ++err_case_1 = HTTPTest ( ++ pre_hook=pre_case_1, ++ test_params=test_options, ++ post_hook=post_test_working, ++ protocols=Servers ++).begin () ++ ++# Case #2: ++# - Requested domain is sub-domain of a domain definition in no_proxy. ++# - Domain definition in no_proxy is NOT dot-prefixed ++# Expected result: proxy settings don't apply and files are downloaded. ++pre_case_2 = { ++ "ServerFiles" : Files, ++ "Domains" : ["www.working1.localhost"] ++} ++ ++err_case_2 = HTTPTest ( ++ pre_hook=pre_case_2, ++ test_params=test_options, ++ post_hook=post_test_working, ++ protocols=Servers ++).begin () ++ ++# Case #3: ++# - Requested domain matches exactly the domain definition in no_proxy, ++# except for the leftmost dot (".") in no_proxy domain definition. ++# - Domain definition in no_proxy IS dot-prefixed ++# Expected result: proxy settings apply and files are downloaded. This is ++# due to the mismatch in leftmost dot. ++# NOTE: This is inconsistent with curl's behavior, but has less drawbacks. ++pre_case_3 = { ++ "ServerFiles" : Files, ++ "Domains" : ["working2.localhost"] ++} ++ ++err_case_3 = HTTPTest ( ++ pre_hook=pre_case_3, ++ test_params=test_options, ++ post_hook=post_test_not_working, ++ protocols=Servers ++).begin () ++ ++# Case #4: ++# - Requested domain is sub-domain of a domain definition in no_proxy. ++# - Domain definition in no_proxy IS dot-prefixed ++# Expected result: proxy settings don't apply and files are downloaded. ++pre_case_4 = { ++ "ServerFiles" : Files, ++ "Domains" : ["www.working2.localhost"] ++} ++ ++err_case_4 = HTTPTest ( ++ pre_hook=pre_case_4, ++ test_params=test_options, ++ post_hook=post_test_working, ++ protocols=Servers ++).begin () ++ ++# Case #5 ++# - Requested domain does not match a domain definition in no_proxy. ++# - Requested domain is NOT sub-domain of a domain definition in no_proxy. ++# Expected result: proxy settings apply and files are NOT downloaded due to ++# network error when using proxy with non-existing URL. ++pre_case_5 = { ++ "ServerFiles" : Files, ++ "Domains" : ["www.example.localhost"] ++} ++ ++err_case_5 = HTTPTest ( ++ pre_hook=pre_case_5, ++ test_params=test_options, ++ post_hook=post_test_not_working, ++ protocols=Servers ++).begin () ++ ++# Combine error codes from all test cases ++exit (max(err_case_1, err_case_2, err_case_3, err_case_4, err_case_5)) +-- +2.21.0 + diff --git a/SPECS/wget.spec b/SPECS/wget.spec index 1444747..10200c1 100644 --- a/SPECS/wget.spec +++ b/SPECS/wget.spec @@ -1,7 +1,7 @@ Summary: A utility for retrieving files using the HTTP or FTP protocols Name: wget Version: 1.19.5 -Release: 7%{?dist}.1 +Release: 8%{?dist}.1 License: GPLv3+ Group: Applications/Internet Url: http://www.gnu.org/software/wget/ @@ -17,6 +17,9 @@ Patch7: wget-1.19.5-Dont-save-userpw-with---xattr.patch # http://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c # http://git.savannah.gnu.org/cgit/wget.git/commit/?id=562eacb76a2b64d5dc80a443f0f739bc9ef76c17 Patch8: wget-1.19.5-CVE-2019-5953.patch +# http://git.savannah.gnu.org/cgit/wget.git/commit/?id=fd85ac9cc623847e9d94d9f9241ab34e2c146cbf +Patch9: wget-1.19.5-no_proxy-dot-prefix.patch +Patch10: wget-1.19.5-no_proxy-tests.patch Provides: webclient Provides: bundled(gnulib) @@ -50,6 +53,8 @@ grep "PACKAGE_STRING='wget .* (Red Hat modified)'" configure || exit 1 %patch6 -p1 -b .no_xattr_by_default %patch7 -p1 -b .no_userpw_in_xattr %patch8 -p1 -b .CVE-2019-5953 +%patch9 -p1 -b .no_proxy-dot-prefix +%patch10 -p1 -b .no_proxy-test %build %configure \ @@ -96,8 +101,11 @@ rm -rf $RPM_BUILD_ROOT %{_infodir}/* %changelog -* Sun Apr 07 2019 Tomas Hozza - 1.19.5-7.1 -- Fix CVE-2019-5953 (#1696735) +* Thu Nov 21 2019 Tomáš Hozza - 1.19.5-8.1 +- Fix issue with dot-prefixed domain names in no_proxy ENV (#1772821) + +* Sun Apr 07 2019 Tomas Hozza - 1.19.5-8 +- Fix CVE-2019-5953 (#1696736) * Thu Jan 10 2019 Tomas Hozza - 1.19.5-7 - Fix information exposure in set_file_metadata function in xattr.c (CVE-2018-20483)