import UBI perl-HTTP-Tiny-0.076-462.el9

This commit is contained in:
eabdullin 2024-04-30 15:23:31 +00:00
parent 7b27bb57b2
commit dcf6cd34a4
3 changed files with 46 additions and 19 deletions


@ -104,7 +104,7 @@ index 2ece5ca..58be640 100644
+ my ($self) = @_;
+ # Check if insecure default certificate verification behaviour has been
+ # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1
+ return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
+ return (($ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
+}
+
sub _set_proxies {
@ -248,7 +248,7 @@ index 0000000..d6bc412
+
+use HTTP::Tiny;
+
+delete $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT};
+delete $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT};
+
+{
+ my $ht = HTTP::Tiny->new();
@ -294,54 +294,54 @@ index 0000000..d6bc412
+}
+
+{
+ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1";
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
+ my $ht = HTTP::Tiny->new();
+ is($ht->verify_SSL, 0, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1 changes verify_SSL default to 0");
+ is($ht->verify_SSL, 0, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 changes verify_SSL default to 0");
+}
+
+{
+ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "0";
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "0";
+ my $ht = HTTP::Tiny->new();
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=0 keeps verify_SSL default at 1");
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=0 keeps verify_SSL default at 1");
+}
+
+{
+ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "False";
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "False";
+ my $ht = HTTP::Tiny->new();
+ is($ht->verify_SSL, 1, "Unsupported PERL_HTTP_TINY_INSECURE_BY_DEFAULT=False keeps verify_SSL default at 1");
+ is($ht->verify_SSL, 1, "Unsupported PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=False keeps verify_SSL default at 1");
+}
+
+{
+ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1";
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
+ my $ht = HTTP::Tiny->new(verify_SSL=>1);
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1 does not override verify_SSL attribute set to 1");
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 does not override verify_SSL attribute set to 1");
+}
+
+{
+ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1";
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
+ my $ht = HTTP::Tiny->new(
+ verify_SSL => 1,
+ verify_ssl => 1
+ );
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1, verify_SSL=>1 and verify_ssl=>1 sets 1");
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1, verify_SSL=>1 and verify_ssl=>1 sets 1");
+}
+
+{
+ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1";
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
+ my $ht = HTTP::Tiny->new(
+ verify_SSL => 1,
+ verify_ssl => 0
+ );
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1, verify_SSL=>1 and verify_ssl=>0 sets 1");
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1, verify_SSL=>1 and verify_ssl=>0 sets 1");
+}
+
+{
+ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1";
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
+ my $ht = HTTP::Tiny->new(
+ verify_SSL => 0,
+ verify_ssl => 0
+ );
+ is($ht->verify_SSL, 0, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1, verify_SSL=>0 and verify_ssl=>0 sets 0");
+ is($ht->verify_SSL, 0, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1, verify_SSL=>0 and verify_ssl=>0 sets 0");
+}
+
+
@ -356,7 +356,7 @@ index 6f80e51..7b84f93 100644
}
use HTTP::Tiny;
+delete $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT};
+delete $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT};
+
plan skip_all => 'Only run for $ENV{AUTOMATED_TESTING}'
unless $ENV{AUTOMATED_TESTING};
@ -428,7 +428,7 @@ index 6f80e51..7b84f93 100644
+});
+
+{
+ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = 1;
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = 1;
+ test_ssl('https://wrong.host.badssl.com/' => {
+ host => 'wrong.host.badssl.com',
+ pass => { verify_SSL => 0 },
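Review bot: The rename at lines 15–16 drops the old PERL_HTTP_TINY_INSECURE_BY_DEFAULT name with no fallback and no warning, so a host that set the -461 name to opt out of verification silently gets verification re-enabled; that is fail-closed and the right direction for CVE-2023-31486, but the -462 %changelog entry only says "Update man page" and does not record the rename. I would extend the comment above the return with `# Only the exact string '1' opts out; the earlier downstream name PERL_HTTP_TINY_INSECURE_BY_DEFAULT (release 461) is no longer honored.` and name the rename in the changelog so operators migrating between releases can find it. The new name appears to match the variable upstream HTTP::Tiny documents, which is presumably why it was chosen. The test blocks in the later hunks already pin the exact-match behaviour ("0" and "False" keep verify_SSL at 1), so no code change is needed. The enclosing sub's signature line sits outside the first hunk.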


@ -0,0 +1,21 @@
diff -up HTTP-Tiny-0.074/lib/HTTP/Tiny.pm.orig HTTP-Tiny-0.074/lib/HTTP/Tiny.pm
--- HTTP-Tiny-0.074/lib/HTTP/Tiny.pm.orig 2024-01-16 12:26:34.204388229 +0100
+++ HTTP-Tiny-0.074/lib/HTTP/Tiny.pm 2024-01-16 12:29:19.282808545 +0100
@@ -1778,12 +1778,16 @@ C<timeout> — Request timeout in second
=item *
-C<verify_SSL> — A boolean that indicates whether to validate the SSL certificate of an C<https> — connection (default is false)
+C<verify_SSL> — A boolean that indicates whether to validate the SSL certificate of an C<https> — connection (default is true). Changed from false to true for CVE-2023-31486.
=item *
C<SSL_options> — A hashref of C<SSL_*> — options to pass through to L<IO::Socket::SSL>
+=item *
+
+C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> — Changes the default certificate verification behavior to not check server identity if set to 1. Only effective if C<verify_SSL> is not set. Added for CVE-2023-31486.
+
=back
Passing an explicit C<undef> for C<proxy>, C<http_proxy> or C<https_proxy> will


@ -3,7 +3,7 @@
Name: perl-HTTP-Tiny
Version: 0.076
Release: 461%{?dist}
Release: 462%{?dist}
Summary: Small, simple, correct HTTP/1.1 client
License: GPL+ or Artistic
URL: https://metacpan.org/release/HTTP-Tiny
@ -14,6 +14,8 @@ Patch0: HTTP-Tiny-0.070-Croak-on-failed-write-into-a-file.patch
# Change verify_SSL default to 1, add ENV var to enable insecure default
# Fix rhbz#2228412 - CVE-2023-31486
Patch1: HTTP-Tiny-0.076-Change-verify_SSL-default-to-1-add-ENV-var-to-enable.patch
# Fix man page for CVE-2023-31486
Patch2: HTTP-Tiny-0.076-Fix-man-page-for-CVE-2023-31486.patch
BuildArch: noarch
BuildRequires: coreutils
BuildRequires: make
@ -103,6 +105,7 @@ with "%{_libexecdir}/%{name}/test".
%setup -q -n HTTP-Tiny-%{version}
%patch -P0 -p1
%patch -P1 -p1
%patch -P2 -p1
# Help generators to recognize Perl scripts
for F in t/*.t; do
@ -141,6 +144,9 @@ make test
%{_libexecdir}/%{name}
%changelog
* Tue Jan 16 2024 Jitka Plesnikova <jplesnik@redhat.com> - 0.076-462
- Update man page for CVE-2023-31486
* Fri Aug 04 2023 Jitka Plesnikova <jplesnik@redhat.com> - 0.076-461
- Changes the verify_SSL default parameter from 0 to 1 - CVE-2023-31486
- Resolves: rhbz#2228412