Compare commits
No commits in common. "c8-stream-5.3" and "c9s" have entirely different histories.
c8-stream-
...
c9s
1
.fmf/version
Normal file
1
.fmf/version
Normal file
@ -0,0 +1 @@
|
||||
1
|
30
.gitignore
vendored
30
.gitignore
vendored
@ -1 +1,29 @@
|
||||
SOURCES/HTTP-Tiny-0.076.tar.gz
|
||||
/HTTP-Tiny-0.028.tar.gz
|
||||
/HTTP-Tiny-0.029.tar.gz
|
||||
/HTTP-Tiny-0.030.tar.gz
|
||||
/HTTP-Tiny-0.031.tar.gz
|
||||
/HTTP-Tiny-0.032.tar.gz
|
||||
/HTTP-Tiny-0.033.tar.gz
|
||||
/HTTP-Tiny-0.034.tar.gz
|
||||
/HTTP-Tiny-0.035.tar.gz
|
||||
/HTTP-Tiny-0.036.tar.gz
|
||||
/HTTP-Tiny-0.037.tar.gz
|
||||
/HTTP-Tiny-0.038.tar.gz
|
||||
/HTTP-Tiny-0.039.tar.gz
|
||||
/HTTP-Tiny-0.042.tar.gz
|
||||
/HTTP-Tiny-0.043.tar.gz
|
||||
/HTTP-Tiny-0.046.tar.gz
|
||||
/HTTP-Tiny-0.047.tar.gz
|
||||
/HTTP-Tiny-0.048.tar.gz
|
||||
/HTTP-Tiny-0.049.tar.gz
|
||||
/HTTP-Tiny-0.050.tar.gz
|
||||
/HTTP-Tiny-0.051.tar.gz
|
||||
/HTTP-Tiny-0.053.tar.gz
|
||||
/HTTP-Tiny-0.054.tar.gz
|
||||
/HTTP-Tiny-0.056.tar.gz
|
||||
/HTTP-Tiny-0.058.tar.gz
|
||||
/HTTP-Tiny-0.064.tar.gz
|
||||
/HTTP-Tiny-0.068.tar.gz
|
||||
/HTTP-Tiny-0.070.tar.gz
|
||||
/HTTP-Tiny-0.074.tar.gz
|
||||
/HTTP-Tiny-0.076.tar.gz
|
||||
|
@ -1 +0,0 @@
|
||||
2e27950c8cc5643649fac3607ba0082711139dd7 SOURCES/HTTP-Tiny-0.076.tar.gz
|
@ -0,0 +1,569 @@
|
||||
From 77f557ef84698efeb6eed04e4a9704eaf85b741d Mon Sep 17 00:00:00 2001
|
||||
From: Stig Palmquist <git@stig.io>
|
||||
Date: Mon, 5 Jun 2023 16:46:22 +0200
|
||||
Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable
|
||||
insecure default
|
||||
|
||||
- Changes the `verify_SSL` default parameter from `0` to `1`
|
||||
|
||||
Based on patch by Dominic Hargreaves:
|
||||
https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92
|
||||
|
||||
Fixes CVE-2023-31486
|
||||
|
||||
- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that
|
||||
enables the previous insecure default behaviour if set to `1`.
|
||||
|
||||
This provides a workaround for users who encounter problems with the
|
||||
new `verify_SSL` default.
|
||||
|
||||
Example to disable certificate checks:
|
||||
```
|
||||
$ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl
|
||||
```
|
||||
|
||||
- Updates to documentation:
|
||||
- Describe changing the verify_SSL value
|
||||
- Describe the escape-hatch environment variable
|
||||
- Remove rationale for not enabling verify_SSL
|
||||
- Add missing certificate search paths
|
||||
- Replace "SSL" with "TLS/SSL" where appropriate
|
||||
- Use "machine-in-the-middle" instead of "man-in-the-middle"
|
||||
|
||||
- Update `210_live_ssl.t`
|
||||
- Use github.com, cpan.org and badssl.com hosts for checking
|
||||
certificates.
|
||||
- Add self signed snake-oil certificate for checking failures rather
|
||||
than bypassing the `SSL_verify_callback`
|
||||
- Test `verify_SSL` parameter in addition to low level SSL_options
|
||||
- Test that `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1` behaves as
|
||||
expected against badssl.com
|
||||
|
||||
- Added `180_verify_SSL.t`
|
||||
- Test that `verify_SSL` default is `1`
|
||||
- Test that `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT` behaves as expected
|
||||
- Test that using different values for `verify_SSL` and legacy `verify_ssl`
|
||||
doesn't disable cert checks
|
||||
|
||||
Backported from HTTP::Tiny 0.083
|
||||
|
||||
---
|
||||
lib/HTTP/Tiny.pm | 72 ++++++++++++++----------
|
||||
t/180_verify_SSL.t | 109 ++++++++++++++++++++++++++++++++++++
|
||||
t/210_live_ssl.t | 136 ++++++++++++++++++++++++++++++---------------
|
||||
t/snake-oil.crt | 33 +++++++++++
|
||||
4 files changed, 277 insertions(+), 73 deletions(-)
|
||||
create mode 100644 t/180_verify_SSL.t
|
||||
create mode 100644 t/snake-oil.crt
|
||||
|
||||
diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
|
||||
index 2ece5ca..58be640 100644
|
||||
--- a/lib/HTTP/Tiny.pm
|
||||
+++ b/lib/HTTP/Tiny.pm
|
||||
@@ -39,10 +39,14 @@ sub _croak { require Carp; Carp::croak(@
|
||||
#pod C<$ENV{no_proxy}> —)
|
||||
#pod * C<timeout> — Request timeout in seconds (default is 60) If a socket open,
|
||||
#pod read or write takes longer than the timeout, an exception is thrown.
|
||||
-#pod * C<verify_SSL> — A boolean that indicates whether to validate the SSL
|
||||
-#pod certificate of an C<https> — connection (default is false)
|
||||
+#pod * C<verify_SSL> — A boolean that indicates whether to validate the TLS/SSL
|
||||
+#pod certificate of an C<https> ? connection (default is true). Changed from false
|
||||
+#pod to true for RHBZ#2228412.
|
||||
#pod * C<SSL_options> — A hashref of C<SSL_*> — options to pass through to
|
||||
#pod L<IO::Socket::SSL>
|
||||
+#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default
|
||||
+#pod certificate verification behavior to not check server identity if set to 1.
|
||||
+#pod Only effective if C<verify_SSL> is not set. Added for RHBZ#2228412.
|
||||
#pod
|
||||
#pod Passing an explicit C<undef> for C<proxy>, C<http_proxy> or C<https_proxy> will
|
||||
#pod prevent getting the corresponding proxies from the environment.
|
||||
@@ -108,11 +112,17 @@ sub timeout {
|
||||
sub new {
|
||||
my($class, %args) = @_;
|
||||
|
||||
+ # Support lower case verify_ssl argument, but only if verify_SSL is not
|
||||
+ # true.
|
||||
+ if ( exists $args{verify_ssl} ) {
|
||||
+ $args{verify_SSL} ||= $args{verify_ssl};
|
||||
+ }
|
||||
+
|
||||
my $self = {
|
||||
max_redirect => 5,
|
||||
timeout => defined $args{timeout} ? $args{timeout} : 60,
|
||||
keep_alive => 1,
|
||||
- verify_SSL => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default
|
||||
+ verify_SSL => defined $args{verify_SSL} ? $args{verify_SSL} : _verify_SSL_default(),
|
||||
no_proxy => $ENV{no_proxy},
|
||||
};
|
||||
|
||||
@@ -131,6 +141,13 @@ sub new {
|
||||
return $self;
|
||||
}
|
||||
|
||||
+sub _verify_SSL_default {
|
||||
+ my ($self) = @_;
|
||||
+ # Check if insecure default certificate verification behaviour has been
|
||||
+ # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1
|
||||
+ return (($ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
|
||||
+}
|
||||
+
|
||||
sub _set_proxies {
|
||||
my ($self) = @_;
|
||||
|
||||
@@ -1041,7 +1058,7 @@ sub new {
|
||||
timeout => 60,
|
||||
max_line_size => 16384,
|
||||
max_header_lines => 64,
|
||||
- verify_SSL => 0,
|
||||
+ verify_SSL => HTTP::Tiny::_verify_SSL_default(),
|
||||
SSL_options => {},
|
||||
%args
|
||||
}, $class;
|
||||
@@ -2012,11 +2029,11 @@ proxy
|
||||
timeout
|
||||
verify_SSL
|
||||
|
||||
-=head1 SSL SUPPORT
|
||||
+=head1 TLS/SSL SUPPORT
|
||||
|
||||
Direct C<https> connections are supported only if L<IO::Socket::SSL> 1.56 or
|
||||
greater and L<Net::SSLeay> 1.49 or greater are installed. An exception will be
|
||||
-thrown if new enough versions of these modules are not installed or if the SSL
|
||||
+thrown if new enough versions of these modules are not installed or if the TLS
|
||||
encryption fails. You can also use C<HTTP::Tiny::can_ssl()> utility function
|
||||
that returns boolean to see if the required modules are installed.
|
||||
|
||||
@@ -2024,7 +2041,7 @@ An C<https> connection may be made via a
|
||||
command (i.e. RFC 2817). You may not proxy C<https> via a proxy that itself
|
||||
requires C<https> to communicate.
|
||||
|
||||
-SSL provides two distinct capabilities:
|
||||
+TLS/SSL provides two distinct capabilities:
|
||||
|
||||
=over 4
|
||||
|
||||
@@ -2038,24 +2055,17 @@ Verification of server identity
|
||||
|
||||
=back
|
||||
|
||||
-B<By default, HTTP::Tiny does not verify server identity>.
|
||||
+B<By default, HTTP::Tiny verifies server identity>.
|
||||
|
||||
-Server identity verification is controversial and potentially tricky because it
|
||||
-depends on a (usually paid) third-party Certificate Authority (CA) trust model
|
||||
-to validate a certificate as legitimate. This discriminates against servers
|
||||
-with self-signed certificates or certificates signed by free, community-driven
|
||||
-CA's such as L<CAcert.org|http://cacert.org>.
|
||||
-
|
||||
-By default, HTTP::Tiny does not make any assumptions about your trust model,
|
||||
-threat level or risk tolerance. It just aims to give you an encrypted channel
|
||||
-when you need one.
|
||||
-
|
||||
-Setting the C<verify_SSL> attribute to a true value will make HTTP::Tiny verify
|
||||
-that an SSL connection has a valid SSL certificate corresponding to the host
|
||||
-name of the connection and that the SSL certificate has been verified by a CA.
|
||||
-Assuming you trust the CA, this will protect against a L<man-in-the-middle
|
||||
-attack|http://en.wikipedia.org/wiki/Man-in-the-middle_attack>. If you are
|
||||
-concerned about security, you should enable this option.
|
||||
+This was changed for RHBZ#2228412 due to security concerns. The previous default
|
||||
+behavior can be enabled by setting C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}>
|
||||
+to 1.
|
||||
+
|
||||
+Verification is done by checking that that the TLS/SSL connection has a valid
|
||||
+certificate corresponding to the host name of the connection and that the
|
||||
+certificate has been verified by a CA. Assuming you trust the CA, this will
|
||||
+protect against L<machine-in-the-middle
|
||||
+attacks|http://en.wikipedia.org/wiki/Machine-in-the-middle_attack>.
|
||||
|
||||
Certificate verification requires a file containing trusted CA certificates.
|
||||
|
||||
@@ -2063,9 +2073,7 @@ If the environment variable C<SSL_CERT_F
|
||||
will try to find a CA certificate file in that location.
|
||||
|
||||
If the L<Mozilla::CA> module is installed, HTTP::Tiny will use the CA file
|
||||
-included with it as a source of trusted CA's. (This means you trust Mozilla,
|
||||
-the author of Mozilla::CA, the CPAN mirror where you got Mozilla::CA, the
|
||||
-toolchain used to install it, and your operating system security, right?)
|
||||
+included with it as a source of trusted CA's.
|
||||
|
||||
If that module is not available, then HTTP::Tiny will search several
|
||||
system-specific default locations for a CA certificate file:
|
||||
@@ -2084,13 +2092,33 @@ system-specific default locations for a
|
||||
|
||||
/etc/ssl/ca-bundle.pem
|
||||
|
||||
+=item *
|
||||
+
|
||||
+/etc/openssl/certs/ca-certificates.crt
|
||||
+
|
||||
+=item *
|
||||
+
|
||||
+/etc/ssl/cert.pem
|
||||
+
|
||||
+=item *
|
||||
+
|
||||
+/usr/local/share/certs/ca-root-nss.crt
|
||||
+
|
||||
+=item *
|
||||
+
|
||||
+/etc/pki/tls/cacert.pem
|
||||
+
|
||||
+=item *
|
||||
+
|
||||
+/etc/certs/ca-certificates.crt
|
||||
+
|
||||
=back
|
||||
|
||||
An exception will be raised if C<verify_SSL> is true and no CA certificate file
|
||||
is available.
|
||||
|
||||
-If you desire complete control over SSL connections, the C<SSL_options> attribute
|
||||
-lets you provide a hash reference that will be passed through to
|
||||
+If you desire complete control over TLS/SSL connections, the C<SSL_options>
|
||||
+attribute lets you provide a hash reference that will be passed through to
|
||||
C<IO::Socket::SSL::start_SSL()>, overriding any options set by HTTP::Tiny. For
|
||||
example, to provide your own trusted CA file:
|
||||
|
||||
@@ -2100,7 +2128,7 @@ example, to provide your own trusted CA
|
||||
|
||||
The C<SSL_options> attribute could also be used for such things as providing a
|
||||
client certificate for authentication to a server or controlling the choice of
|
||||
-cipher used for the SSL connection. See L<IO::Socket::SSL> documentation for
|
||||
+cipher used for the TLS/SSL connection. See L<IO::Socket::SSL> documentation for
|
||||
details.
|
||||
|
||||
=head1 PROXY SUPPORT
|
||||
diff --git a/t/180_verify_SSL.t b/t/180_verify_SSL.t
|
||||
new file mode 100644
|
||||
index 0000000..d6bc412
|
||||
--- /dev/null
|
||||
+++ b/t/180_verify_SSL.t
|
||||
@@ -0,0 +1,109 @@
|
||||
+#!perl
|
||||
+
|
||||
+use strict;
|
||||
+use warnings;
|
||||
+use Test::More 0.88;
|
||||
+use lib 't';
|
||||
+
|
||||
+use HTTP::Tiny;
|
||||
+
|
||||
+delete $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT};
|
||||
+
|
||||
+{
|
||||
+ my $ht = HTTP::Tiny->new();
|
||||
+ is($ht->verify_SSL, 1, "verify_SSL is 1 by default");
|
||||
+}
|
||||
+
|
||||
+{
|
||||
+ my $ht = HTTP::Tiny->new(
|
||||
+ verify_SSL => 0
|
||||
+ );
|
||||
+ is($ht->verify_SSL, 0, "verify_SSL=>0 sets 0");
|
||||
+}
|
||||
+
|
||||
+{
|
||||
+ my $ht = HTTP::Tiny->new(
|
||||
+ verify_ssl => 0
|
||||
+ );
|
||||
+ is($ht->verify_SSL, 0, "verify_ssl=>0 sets 0");
|
||||
+}
|
||||
+
|
||||
+{
|
||||
+ my $ht = HTTP::Tiny->new(
|
||||
+ verify_SSL => 1,
|
||||
+ verify_ssl => 0
|
||||
+ );
|
||||
+ is($ht->verify_SSL, 1, "verify_SSL=>1 and verify_ssl=>0 sets 1");
|
||||
+}
|
||||
+
|
||||
+{
|
||||
+ my $ht = HTTP::Tiny->new(
|
||||
+ verify_SSL => 0,
|
||||
+ verify_ssl => 1
|
||||
+ );
|
||||
+ is($ht->verify_SSL, 1, "verify_SSL=>0 and verify_ssl=>1 sets 1");
|
||||
+}
|
||||
+
|
||||
+{
|
||||
+ my $ht = HTTP::Tiny->new(
|
||||
+ verify_SSL => 0,
|
||||
+ verify_ssl => 0
|
||||
+ );
|
||||
+ is($ht->verify_SSL, 0, "verify_SSL=>0 and verify_ssl=>0 sets 0");
|
||||
+}
|
||||
+
|
||||
+{
|
||||
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
|
||||
+ my $ht = HTTP::Tiny->new();
|
||||
+ is($ht->verify_SSL, 0, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 changes verify_SSL default to 0");
|
||||
+}
|
||||
+
|
||||
+{
|
||||
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "0";
|
||||
+ my $ht = HTTP::Tiny->new();
|
||||
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=0 keeps verify_SSL default at 1");
|
||||
+}
|
||||
+
|
||||
+{
|
||||
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "False";
|
||||
+ my $ht = HTTP::Tiny->new();
|
||||
+ is($ht->verify_SSL, 1, "Unsupported PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=False keeps verify_SSL default at 1");
|
||||
+}
|
||||
+
|
||||
+{
|
||||
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
|
||||
+ my $ht = HTTP::Tiny->new(verify_SSL=>1);
|
||||
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 does not override verify_SSL attribute set to 1");
|
||||
+}
|
||||
+
|
||||
+{
|
||||
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
|
||||
+ my $ht = HTTP::Tiny->new(
|
||||
+ verify_SSL => 1,
|
||||
+ verify_ssl => 1
|
||||
+ );
|
||||
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1, verify_SSL=>1 and verify_ssl=>1 sets 1");
|
||||
+}
|
||||
+
|
||||
+{
|
||||
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
|
||||
+ my $ht = HTTP::Tiny->new(
|
||||
+ verify_SSL => 1,
|
||||
+ verify_ssl => 0
|
||||
+ );
|
||||
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1, verify_SSL=>1 and verify_ssl=>0 sets 1");
|
||||
+}
|
||||
+
|
||||
+{
|
||||
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
|
||||
+ my $ht = HTTP::Tiny->new(
|
||||
+ verify_SSL => 0,
|
||||
+ verify_ssl => 0
|
||||
+ );
|
||||
+ is($ht->verify_SSL, 0, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1, verify_SSL=>0 and verify_ssl=>0 sets 0");
|
||||
+}
|
||||
+
|
||||
+
|
||||
+
|
||||
+done_testing;
|
||||
+
|
||||
diff --git a/t/210_live_ssl.t b/t/210_live_ssl.t
|
||||
index 6f80e51..7b84f93 100644
|
||||
--- a/t/210_live_ssl.t
|
||||
+++ b/t/210_live_ssl.t
|
||||
@@ -18,6 +18,8 @@ BEGIN {
|
||||
}
|
||||
use HTTP::Tiny;
|
||||
|
||||
+delete $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT};
|
||||
+
|
||||
plan skip_all => 'Only run for $ENV{AUTOMATED_TESTING}'
|
||||
unless $ENV{AUTOMATED_TESTING};
|
||||
|
||||
@@ -27,33 +29,73 @@ if ( can_run('openssl') ) {
|
||||
diag "\nNote: running test with ", qx/openssl version/;
|
||||
}
|
||||
|
||||
-my $data = {
|
||||
- 'https://www.google.ca/' => {
|
||||
- host => 'www.google.ca',
|
||||
- pass => { SSL_verifycn_scheme => 'http', SSL_verifycn_name => 'www.google.ca', SSL_verify_mode => 0x01, SSL_ca_file => Mozilla::CA::SSL_ca_file() },
|
||||
- fail => { SSL_verify_callback => sub { 0 }, SSL_verify_mode => 0x01 },
|
||||
- default_should_yield => '1',
|
||||
- },
|
||||
- 'https://twitter.com/' => {
|
||||
- host => 'twitter.com',
|
||||
- pass => { SSL_verifycn_scheme => 'http', SSL_verifycn_name => 'twitter.com', SSL_verify_mode => 0x01, SSL_ca_file => Mozilla::CA::SSL_ca_file() },
|
||||
- fail => { SSL_verify_callback => sub { 0 }, SSL_verify_mode => 0x01 },
|
||||
- default_should_yield => '1',
|
||||
- },
|
||||
- 'https://github.com/' => {
|
||||
- host => 'github.com',
|
||||
- pass => { SSL_verifycn_scheme => 'http', SSL_verifycn_name => 'github.com', SSL_verify_mode => 0x01, SSL_ca_file => Mozilla::CA::SSL_ca_file() },
|
||||
- fail => { SSL_verify_callback => sub { 0 }, SSL_verify_mode => 0x01 },
|
||||
- default_should_yield => '1',
|
||||
- },
|
||||
- 'https://spinrite.com/' => {
|
||||
- host => 'spinrite.com',
|
||||
- pass => { SSL_verifycn_scheme => 'none', SSL_verifycn_name => 'spinrite.com', SSL_verify_mode => 0x00 },
|
||||
- fail => { SSL_verifycn_scheme => 'http', SSL_verifycn_name => 'spinrite.com', SSL_verify_mode => 0x01, SSL_ca_file => Mozilla::CA::SSL_ca_file() },
|
||||
- default_should_yield => '',
|
||||
- }
|
||||
-};
|
||||
-plan tests => 1+ scalar keys %$data;
|
||||
+test_ssl('https://cpan.org/' => {
|
||||
+ host => 'cpan.org',
|
||||
+ pass => { verify_SSL => 1 },
|
||||
+ fail => { verify_SSL => 1, SSL_options => { SSL_ca_file => "t/snake-oil.crt" } },
|
||||
+ default_verify_should_return => !!1,
|
||||
+});
|
||||
+
|
||||
+test_ssl('https://github.com/' => {
|
||||
+ host => 'github.com',
|
||||
+ pass => { verify_SSL => 1 },
|
||||
+ fail => { verify_SSL => 1, SSL_options => { SSL_ca_file => "t/snake-oil.crt" } },
|
||||
+ default_verify_should_return => !!1,
|
||||
+});
|
||||
+
|
||||
+test_ssl('https://wrong.host.badssl.com/' => {
|
||||
+ host => 'wrong.host.badssl.com',
|
||||
+ pass => { SSL_options => { SSL_verifycn_scheme => 'none', SSL_verifycn_name => 'wrong.host.badssl.com', SSL_verify_mode => 0x00 } },
|
||||
+ fail => { SSL_options => { SSL_verifycn_scheme => 'http', SSL_verifycn_name => 'wrong.host.badssl.com', SSL_verify_mode => 0x01, SSL_ca_file => Mozilla::CA::SSL_ca_file() } },
|
||||
+ default_verify_should_return => !!0,
|
||||
+});
|
||||
+
|
||||
+test_ssl('https://untrusted-root.badssl.com/' => {
|
||||
+ host => 'untrusted-root.badssl.com',
|
||||
+ pass => { verify_SSL => 0 },
|
||||
+ fail => { verify_SSL => 1 },
|
||||
+ default_verify_should_return => !!0,
|
||||
+});
|
||||
+
|
||||
+test_ssl('https://mozilla-modern.badssl.com/' => {
|
||||
+ host => 'mozilla-modern.badssl.com',
|
||||
+ pass => { verify_SSL => 1 },
|
||||
+ fail => { verify_SSL => 1, SSL_options => { SSL_ca_file => "t/snake-oil.crt" } },
|
||||
+ default_verify_should_return => !!1,
|
||||
+});
|
||||
+
|
||||
+{
|
||||
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = 1;
|
||||
+ test_ssl('https://wrong.host.badssl.com/' => {
|
||||
+ host => 'wrong.host.badssl.com',
|
||||
+ pass => { verify_SSL => 0 },
|
||||
+ fail => { verify_SSL => 1 },
|
||||
+ default_verify_should_return => !!1,
|
||||
+ });
|
||||
+ test_ssl('https://expired.badssl.com/' => {
|
||||
+ host => 'expired.badssl.com',
|
||||
+ pass => { verify_SSL => 0 },
|
||||
+ fail => { verify_SSL => 1 },
|
||||
+ default_verify_should_return => !!1,
|
||||
+ });
|
||||
+
|
||||
+}
|
||||
+
|
||||
+test_ssl('https://wrong.host.badssl.com/' => {
|
||||
+ host => 'wrong.host.badssl.com',
|
||||
+ pass => { verify_SSL => 0 },
|
||||
+ fail => { verify_SSL => 1 },
|
||||
+ default_verify_should_return => !!0,
|
||||
+});
|
||||
+
|
||||
+test_ssl('https://expired.badssl.com/' => {
|
||||
+ host => 'expired.badssl.com',
|
||||
+ pass => { verify_SSL => 0 },
|
||||
+ fail => { verify_SSL => 1 },
|
||||
+ default_verify_should_return => !!0,
|
||||
+});
|
||||
+
|
||||
+
|
||||
|
||||
subtest "can_ssl" => sub {
|
||||
ok( HTTP::Tiny->can_ssl, "class method" );
|
||||
@@ -69,8 +111,10 @@ subtest "can_ssl" => sub {
|
||||
like( $why, qr/not found or not readable/, "failure reason" );
|
||||
};
|
||||
|
||||
+done_testing();
|
||||
|
||||
-while (my ($url, $data) = each %$data) {
|
||||
+sub test_ssl {
|
||||
+ my ($url, $data) = @_;
|
||||
subtest $url => sub {
|
||||
plan 'skip_all' => 'Internet connection timed out'
|
||||
unless IO::Socket::INET->new(
|
||||
@@ -81,8 +125,8 @@ while (my ($url, $data) = each %$data) {
|
||||
);
|
||||
|
||||
# the default verification
|
||||
- my $response = HTTP::Tiny->new(verify_ssl => 1)->get($url);
|
||||
- is $response->{success}, $data->{default_should_yield}, "Request to $url passed/failed using default as expected"
|
||||
+ my $response = HTTP::Tiny->new()->get($url);
|
||||
+ is $response->{success}, $data->{default_verify_should_return}, "Request to $url passed/failed using default as expected"
|
||||
or do {
|
||||
# $response->{content} = substr $response->{content}, 0, 50;
|
||||
$response->{content} =~ s{\n.*}{}s;
|
||||
@@ -90,21 +134,25 @@ while (my ($url, $data) = each %$data) {
|
||||
};
|
||||
|
||||
# force validation to succeed
|
||||
- my $pass = HTTP::Tiny->new( SSL_options => $data->{pass} )->get($url);
|
||||
- isnt $pass->{status}, '599', "Request to $url completed (forced pass)"
|
||||
- or do {
|
||||
- $pass->{content} =~ s{\n.*}{}s;
|
||||
- diag explain $pass
|
||||
- };
|
||||
- ok $pass->{content}, 'Got some content';
|
||||
+ if ($data->{pass}) {
|
||||
+ my $pass = HTTP::Tiny->new( %{$data->{pass}} )->get($url);
|
||||
+ isnt $pass->{status}, '599', "Request to $url completed (forced pass)"
|
||||
+ or do {
|
||||
+ $pass->{content} =~ s{\n.*}{}s;
|
||||
+ diag explain $pass
|
||||
+ };
|
||||
+ ok $pass->{content}, 'Got some content';
|
||||
+ }
|
||||
|
||||
# force validation to fail
|
||||
- my $fail = HTTP::Tiny->new( SSL_options => $data->{fail} )->get($url);
|
||||
- is $fail->{status}, '599', "Request to $url failed (forced fail)"
|
||||
- or do {
|
||||
- $fail->{content} =~ s{\n.*}{}s;
|
||||
- diag explain [IO::Socket::SSL::errstr(), $fail]
|
||||
- };
|
||||
- ok $fail->{content}, 'Got some content';
|
||||
+ if ($data->{fail}) {
|
||||
+ my $fail = HTTP::Tiny->new( %{$data->{fail}} )->get($url);
|
||||
+ is $fail->{status}, '599', "Request to $url failed (forced fail)"
|
||||
+ or do {
|
||||
+ $fail->{content} =~ s{\n.*}{}s;
|
||||
+ diag explain [IO::Socket::SSL::errstr(), $fail]
|
||||
+ };
|
||||
+ ok $fail->{content}, 'Got some content';
|
||||
+ }
|
||||
};
|
||||
}
|
||||
diff --git a/t/snake-oil.crt b/t/snake-oil.crt
|
||||
new file mode 100644
|
||||
index 0000000..c0a5bdc
|
||||
--- /dev/null
|
||||
+++ b/t/snake-oil.crt
|
||||
@@ -0,0 +1,33 @@
|
||||
+Generated with:
|
||||
+
|
||||
+ openssl req -new -newkey rsa:4096 -x509 -new -nodes -sha256 -days 7300 -keyout /dev/null -out snake-oil.crt -subj '/CN=snake.oil/'
|
||||
+
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIFCTCCAvGgAwIBAgIUUUWe96AgoaW3pyYxlJfMxUMA6bgwDQYJKoZIhvcNAQEL
|
||||
+BQAwFDESMBAGA1UEAwwJc25ha2Uub2lsMB4XDTIzMDUyMTE1NDkxMVoXDTQzMDUx
|
||||
+NjE1NDkxMVowFDESMBAGA1UEAwwJc25ha2Uub2lsMIICIjANBgkqhkiG9w0BAQEF
|
||||
+AAOCAg8AMIICCgKCAgEAnScXg4MGa6CmCFOYzr8ggzqsDAR0CoVdOaqQ6XtRoRcP
|
||||
+PzptoqHDFtr4NqWwmeWAGIcey6CKFZXsm9LvPly/VUDDjctYZig3UoLaoQpygwae
|
||||
+2BgslsfuhwomxXuinatF6bo1vz+EaRpASJyHOBOp3Yvh2cLSXmD+YuTU8rci1IG/
|
||||
+FFmjsrftPsxKFZiI9meAtsGayQGdUIBsEvawhs5y7TDcblPfbBM21sg3touTrfzZ
|
||||
+Yk9dXd7hX3uq5ZX4H9BWcqeGux3speYC2STClnGMl8DqGdAV4XssbFCVqIhvmzrW
|
||||
+L6Ce9vt0x/gxQQB4EYJlvECSqm7IiwO85I8XJ04EzmVU4e2+c1B7WS/swhGLr8JJ
|
||||
+4yk/gbCe98ErU3ccnXPzZznNQXTt2iAQLqa5zNDmxjzyZXhDA1nijg2cJb1RnQVu
|
||||
+m5YrUXOXt9b5664nLCVUf0s/yMqPbcIUA3puAPS6BgDEExnYL48rmTT1gazMO6S5
|
||||
+ZwpycEVkwYUFj364vIHJvQO0xB54dqNul9kMLUwPLmP9H6nBIsGgJhZCAp+WDEzp
|
||||
+Y4eqp0drTlJlpfjd/QOaOsKZgwrqiD0yh35bj43zcVHKaFYGLcS8M1+XlbYNYx90
|
||||
+w7+GpbY+MebCYF//dXAFXzORxdA1XZ30I7CAxAVK5l5cokrMIHJ01kkzYEGA1Y0C
|
||||
+AwEAAaNTMFEwHQYDVR0OBBYEFAyj5N91aOt4TxNEOJ18JUPEBsOyMB8GA1UdIwQY
|
||||
+MBaAFAyj5N91aOt4TxNEOJ18JUPEBsOyMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
|
||||
+hvcNAQELBQADggIBAHGiT2h0SU2tlFmUQ8CzgJ7JRTg91ltRwEvs/SQ/YN7DdDwt
|
||||
+dQy/0nMIeFstdDIkdQyjcAUO92msLzd8AniiwAjynxamiQqdA57+rdhp7oEbFgw+
|
||||
+nF56bG4tiBG1gAIxtY9f2sG/Sqf6UuimxOX43nybG8RdRu8hOh/TQXcj8raa2PMT
|
||||
+pTdphjMJUKSplHtFpbLFuf5FxklpeAYxYAReMzQhVgTzi7fcz3QhT/l6eqK6G05v
|
||||
+gi+QsgesMiGdHKiTtx8N70JFZ+8BzJ0CJDI8PR2XZTLbpKxNfk426hTjJBkRULT5
|
||||
+s7IWuuEO4Bb1p27K2WgHGh0mxFk4POPFmotxupVqzl8g2umcfWLDq0UR3BcRyR3B
|
||||
+GWZNCcDTVLaAsarbSJoY1L/6j4O0RQdgpOWiENLbEcelGprGLBVe4s/NDA6aUYA+
|
||||
+2Dll+0tHe6oKI+RCRoDhhiAH7UVIGQdORzcbY3Fxbf1OlFdpOyXLI751b1DjSYRu
|
||||
+9cVFXZIBRTTiEvGbUfoDEXDmKxpWHkGRel2864FBodcwGv7yW6mC3o6vpOqQFcW7
|
||||
+MjJsFhtVj8PdPmue+ye766PeH45ydDD01nr1I92w6E1C0pEEqRNEpoOGgORyNgit
|
||||
+EZag4DlWFs5MFdlj32haztRgi2dhVuJxlzx4lAmvOoqvGVQVIicN1JSlikBk
|
||||
+-----END CERTIFICATE-----
|
||||
--
|
||||
2.41.0
|
||||
|
21
HTTP-Tiny-0.076-Fix-man-page-for-CVE-2023-31486.patch
Normal file
21
HTTP-Tiny-0.076-Fix-man-page-for-CVE-2023-31486.patch
Normal file
@ -0,0 +1,21 @@
|
||||
diff -up HTTP-Tiny-0.074/lib/HTTP/Tiny.pm.orig HTTP-Tiny-0.074/lib/HTTP/Tiny.pm
|
||||
--- HTTP-Tiny-0.074/lib/HTTP/Tiny.pm.orig 2024-01-16 12:26:34.204388229 +0100
|
||||
+++ HTTP-Tiny-0.074/lib/HTTP/Tiny.pm 2024-01-16 12:29:19.282808545 +0100
|
||||
@@ -1778,12 +1778,16 @@ C<timeout> — Request timeout in second
|
||||
|
||||
=item *
|
||||
|
||||
-C<verify_SSL> — A boolean that indicates whether to validate the SSL certificate of an C<https> — connection (default is false)
|
||||
+C<verify_SSL> — A boolean that indicates whether to validate the SSL certificate of an C<https> — connection (default is true). Changed from false to true for CVE-2023-31486.
|
||||
|
||||
=item *
|
||||
|
||||
C<SSL_options> — A hashref of C<SSL_*> — options to pass through to L<IO::Socket::SSL>
|
||||
|
||||
+=item *
|
||||
+
|
||||
+C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> — Changes the default certificate verification behavior to not check server identity if set to 1. Only effective if C<verify_SSL> is not set. Added for CVE-2023-31486.
|
||||
+
|
||||
=back
|
||||
|
||||
Passing an explicit C<undef> for C<proxy>, C<http_proxy> or C<https_proxy> will
|
7
gating.yaml
Normal file
7
gating.yaml
Normal file
@ -0,0 +1,7 @@
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-9
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
|
2
perl-HTTP-Tiny.rpmlintrc
Normal file
2
perl-HTTP-Tiny.rpmlintrc
Normal file
@ -0,0 +1,2 @@
|
||||
from Config import *
|
||||
addFilter("spelling-error .* UserAgent");
|
@ -1,6 +1,9 @@
|
||||
# Run optional test
|
||||
%bcond_without perl_HTTP_Tiny_enables_optional_deps
|
||||
|
||||
Name: perl-HTTP-Tiny
|
||||
Version: 0.076
|
||||
Release: 439%{?dist}
|
||||
Release: 462%{?dist}
|
||||
Summary: Small, simple, correct HTTP/1.1 client
|
||||
License: GPL+ or Artistic
|
||||
URL: https://metacpan.org/release/HTTP-Tiny
|
||||
@ -8,10 +11,17 @@ Source0: https://cpan.metacpan.org/authors/id/D/DA/DAGOLDEN/HTTP-Tiny-%{v
|
||||
# Check for write failure, bug #1031096, refused by upstream,
|
||||
# <https://github.com/chansen/p5-http-tiny/issues/32>
|
||||
Patch0: HTTP-Tiny-0.070-Croak-on-failed-write-into-a-file.patch
|
||||
# Change verify_SSL default to 1, add ENV var to enable insecure default
|
||||
# Fix rhbz#2228412 - CVE-2023-31486
|
||||
Patch1: HTTP-Tiny-0.076-Change-verify_SSL-default-to-1-add-ENV-var-to-enable.patch
|
||||
# Fix man page for CVE-2023-31486
|
||||
Patch2: HTTP-Tiny-0.076-Fix-man-page-for-CVE-2023-31486.patch
|
||||
BuildArch: noarch
|
||||
BuildRequires: coreutils
|
||||
BuildRequires: make
|
||||
BuildRequires: perl-generators
|
||||
BuildRequires: perl-interpreter
|
||||
BuildRequires: perl(Config)
|
||||
BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76
|
||||
BuildRequires: perl(strict)
|
||||
BuildRequires: perl(warnings)
|
||||
@ -49,11 +59,24 @@ Requires: perl(bytes)
|
||||
Requires: perl(Carp)
|
||||
Requires: perl(Fcntl)
|
||||
Recommends: perl(IO::Socket::IP) >= 0.32
|
||||
%if !%{defined perl_bootstrap}
|
||||
Requires: perl(IO::Socket::SSL) >= 1.56
|
||||
Requires: perl(Mozilla::CA)
|
||||
Requires: perl(Net::SSLeay) >= 1.49
|
||||
%else
|
||||
Recommends: perl(IO::Socket::SSL) >= 1.56
|
||||
Requires: perl(MIME::Base64)
|
||||
Recommends: perl(Mozilla::CA)
|
||||
Recommends: perl(Net::SSLeay) >= 1.49
|
||||
%endif
|
||||
Requires: perl(MIME::Base64)
|
||||
Requires: perl(Time::Local)
|
||||
|
||||
# Filter modules bundled for tests
|
||||
%global __provides_exclude_from %{?__provides_exclude_from:%__provides_exclude_from|}^%{_libexecdir}
|
||||
%global __requires_exclude %{?__requires_exclude:%__requires_exclude|}^perl\\(Util\\)
|
||||
%global __requires_exclude %{__requires_exclude}|^perl\\(BrokenCookieJar\\)
|
||||
%global __requires_exclude %{__requires_exclude}|^perl\\(SimpleCookieJar\\)
|
||||
|
||||
%description
|
||||
This is a very simple HTTP/1.1 client, designed for doing simple GET requests
|
||||
without the overhead of a large framework like LWP::UserAgent.
|
||||
@ -62,9 +85,33 @@ It is more correct and more complete than HTTP::Lite. It supports proxies
|
||||
(currently only non-authenticating ones) and redirection. It also correctly
|
||||
resumes after EINTR.
|
||||
|
||||
%package tests
|
||||
Summary: Tests for %{name}
|
||||
Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release}
|
||||
Requires: perl-Test-Harness
|
||||
%if %{with perl_HTTP_Tiny_enables_optional_deps} && !%{defined perl_bootstrap}
|
||||
Requires: openssl
|
||||
Requires: perl(IO::Socket::IP) >= 0.32
|
||||
Requires: perl(IO::Socket::SSL) >= 1.56
|
||||
Requires: perl(Mozilla::CA)
|
||||
Requires: perl(Net::SSLeay) >= 1.49
|
||||
%endif
|
||||
|
||||
%description tests
|
||||
Tests from %{name}. Execute them
|
||||
with "%{_libexecdir}/%{name}/test".
|
||||
|
||||
%prep
|
||||
%setup -q -n HTTP-Tiny-%{version}
|
||||
%patch0 -p1
|
||||
%patch -P0 -p1
|
||||
%patch -P1 -p1
|
||||
%patch -P2 -p1
|
||||
|
||||
# Help generators to recognize Perl scripts
|
||||
for F in t/*.t; do
|
||||
perl -i -MConfig -ple 'print $Config{startperl} if $. == 1 && !s{\A#!.*perl\b}{$Config{startperl}}' "$F"
|
||||
chmod +x "$F"
|
||||
done
|
||||
|
||||
%build
|
||||
perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1
|
||||
@ -74,7 +121,17 @@ make %{?_smp_mflags}
|
||||
make pure_install DESTDIR='%{buildroot}'
|
||||
%{_fixperms} '%{buildroot}'/*
|
||||
|
||||
# Install tests
|
||||
mkdir -p %{buildroot}%{_libexecdir}/%{name}
|
||||
cp -a t corpus %{buildroot}%{_libexecdir}/%{name}
|
||||
cat > %{buildroot}%{_libexecdir}/%{name}/test << 'EOF'
|
||||
#!/bin/sh
|
||||
cd %{_libexecdir}/%{name} && AUTOMATED_TESTING=1 exec prove -I . -j "$(getconf _NPROCESSORS_ONLN)"
|
||||
EOF
|
||||
chmod +x %{buildroot}%{_libexecdir}/%{name}/test
|
||||
|
||||
%check
|
||||
export HARNESS_OPTIONS=j$(perl -e 'if ($ARGV[0] =~ /.*-j([0-9][0-9]*).*/) {print $1} else {print 1}' -- '%{?_smp_mflags}')
|
||||
make test
|
||||
|
||||
%files
|
||||
@ -83,7 +140,36 @@ make test
|
||||
%{perl_vendorlib}/*
|
||||
%{_mandir}/man3/*
|
||||
|
||||
%files tests
|
||||
%{_libexecdir}/%{name}
|
||||
|
||||
%changelog
|
||||
* Tue Jan 16 2024 Jitka Plesnikova <jplesnik@redhat.com> - 0.076-462
|
||||
- Update man page for CVE-2023-31486
|
||||
|
||||
* Fri Aug 04 2023 Jitka Plesnikova <jplesnik@redhat.com> - 0.076-461
|
||||
- Changes the verify_SSL default parameter from 0 to 1 - CVE-2023-31486
|
||||
- Resolves: rhbz#2228412
|
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.076-460
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.076-459
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.076-458
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.076-457
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Mon Jun 22 2020 Jitka Plesnikova <jplesnik@redhat.com> - 0.076-456
|
||||
- Increase release to favour standalone package
|
||||
|
||||
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.076-440
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.076-439
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
5
plans/sanity.fmf
Normal file
5
plans/sanity.fmf
Normal file
@ -0,0 +1,5 @@
|
||||
summary: Sanity tests
|
||||
discover:
|
||||
how: fmf
|
||||
execute:
|
||||
how: tmt
|
1
sources
Normal file
1
sources
Normal file
@ -0,0 +1 @@
|
||||
SHA512 (HTTP-Tiny-0.076.tar.gz) = c6703c1b46f5b02fdde1b51286d77ac1bb4f8e6bc5928fd237d68d284642e6afc1f8cbffec1af375b81e849f4c04e2fd6b40b5cf0663ea503c0e7308a5e35a0b
|
10
tests/upstream-tests.fmf
Normal file
10
tests/upstream-tests.fmf
Normal file
@ -0,0 +1,10 @@
|
||||
summary: Upstream tests
|
||||
component: perl-HTTP-Tiny
|
||||
require: perl-HTTP-Tiny-tests
|
||||
test: /usr/libexec/perl-HTTP-Tiny/test
|
||||
tag:
|
||||
- Tier1
|
||||
- rhel-buildroot
|
||||
tier: '1'
|
||||
extra-nitrate: TC#0615666
|
||||
id: 4101208f-2fe5-4c09-8059-536ee913b40d
|
Loading…
Reference in New Issue
Block a user