Update to latest upstream version due to CVE-2017-13089 CVE-2017-13090

Signed-off-by: Tomas Hozza <thozza@redhat.com>
Tomas Hozza 2017-10-27 15:01:22 +02:00
parent 9100e0b29c
commit 1d92875e38
10 changed files with 72 additions and 628 deletions

1
.gitignore vendored

@ -11,3 +11,4 @@ wget-1.12.tar.bz2
/wget-1.18.tar.xz
/wget-1.19.tar.xz
/wget-1.19.1.tar.xz
/wget-1.19.2.tar.gz


@ -1 +1 @@
SHA512 (wget-1.19.1.tar.xz) = 00864d225439bcb7c5af01d7ef19efa615427812d3320ab3f4c8f62c38191e837b1392397843f935d7dc5860a4d0ce89ee31f2730c4a729402f1f2bf3e5f64e5
SHA512 (wget-1.19.2.tar.gz) = a0f8afcc0767a8fd1acd64b1b1b27d177bc938e70cc3709c1b3faa6c1426ec926642cd8e49d292cec0268ee507683539b5152072110106de5a728a03efd8cedd


@ -1,6 +1,42 @@
diff -up wget-1.17/doc/sample.wgetrc.munged_for_texi_inclusion.path wget-1.17/doc/sample.wgetrc.munged_for_texi_inclusion
--- wget-1.17/doc/sample.wgetrc.munged_for_texi_inclusion.path 2015-11-15 15:11:06.000000000 +0100
+++ wget-1.17/doc/sample.wgetrc.munged_for_texi_inclusion 2015-11-27 10:39:14.257380430 +0100
diff --git a/NEWS b/NEWS
index 5e01a3c..88c7073 100644
--- a/NEWS
+++ b/NEWS
@@ -893,7 +893,7 @@ distributed with Wget.
** Compiles on pre-ANSI compilers.
-** Global wgetrc now goes to /usr/local/etc (i.e. $sysconfdir).
+** Global wgetrc now goes to /etc (i.e. $sysconfdir).
** Lots of bugfixes.
@@ -956,7 +956,7 @@ Emacs, standalone info, or converted to HTML, dvi or postscript.
** Fixed a long-standing bug, so that Wget now works over SLIP
connections.
-** You can have a system-wide wgetrc (/usr/local/lib/wgetrc by
+** You can have a system-wide wgetrc (/etc/wgetrc by
default). Settings in $HOME/.wgetrc override the global ones, of
course :-)
diff --git a/README b/README
index 61cb2aa..6c9b2fa 100644
--- a/README
+++ b/README
@@ -33,7 +33,7 @@ for socks.
Most of the features are configurable, either through command-line
options, or via initialization file .wgetrc. Wget allows you to
-install a global startup file (/usr/local/etc/wgetrc by default) for
+install a global startup file (/etc/wgetrc by default) for
site settings.
Wget works under almost all Unix variants in use today and, unlike
diff --git a/doc/sample.wgetrc b/doc/sample.wgetrc
index c0d0779..9a73ada 100644
--- a/doc/sample.wgetrc
+++ b/doc/sample.wgetrc
@@ -10,7 +10,7 @@
## Or online here:
## https://www.gnu.org/software/wget/manual/wget.html#Startup-File
@ -19,9 +55,10 @@ diff -up wget-1.17/doc/sample.wgetrc.munged_for_texi_inclusion.path wget-1.17/do
## Think well before you change them, since they may reduce wget's
## functionality, and make it behave contrary to the documentation:
##
diff -up wget-1.17/doc/sample.wgetrc.path wget-1.17/doc/sample.wgetrc
--- wget-1.17/doc/sample.wgetrc.path 2015-11-09 16:24:06.000000000 +0100
+++ wget-1.17/doc/sample.wgetrc 2015-11-27 10:39:14.257380430 +0100
diff --git a/doc/sample.wgetrc.munged_for_texi_inclusion b/doc/sample.wgetrc.munged_for_texi_inclusion
index 3c7f2f4..521ef16 100644
--- a/doc/sample.wgetrc.munged_for_texi_inclusion
+++ b/doc/sample.wgetrc.munged_for_texi_inclusion
@@ -10,7 +10,7 @@
## Or online here:
## https://www.gnu.org/software/wget/manual/wget.html#Startup-File
@ -40,9 +77,10 @@ diff -up wget-1.17/doc/sample.wgetrc.path wget-1.17/doc/sample.wgetrc
## Think well before you change them, since they may reduce wget's
## functionality, and make it behave contrary to the documentation:
##
diff -up wget-1.17/doc/wget.info.path wget-1.17/doc/wget.info
--- wget-1.17/doc/wget.info.path 2015-11-15 15:11:08.000000000 +0100
+++ wget-1.17/doc/wget.info 2015-11-27 10:45:42.131452410 +0100
diff --git a/doc/wget.info b/doc/wget.info
index 985b614..3e9b771 100644
--- a/doc/wget.info
+++ b/doc/wget.info
@@ -113,7 +113,7 @@ retrieval through HTTP proxies.
• Most of the features are fully configurable, either through command
line options, or via the initialization file .wgetrc (*note
@ -50,9 +88,9 @@ diff -up wget-1.17/doc/wget.info.path wget-1.17/doc/wget.info
- (/usr/local/etc/wgetrc by default) for site settings. You can
+ (/etc/wgetrc by default) for site settings. You can
also specify the location of a startup file with the config
option.
@@ -2712,8 +2712,8 @@ File: wget.info, Node: Wgetrc Location,
option. To disable the reading of config files, use no-config.
If both config and no-config are given, no-config is ignored.
@@ -2814,8 +2814,8 @@ File: wget.info, Node: Wgetrc Location, Next: Wgetrc Syntax, Prev: Startup Fi
===================
When initializing, Wget will look for a “global” startup file,
@ -63,7 +101,7 @@ diff -up wget-1.17/doc/wget.info.path wget-1.17/doc/wget.info
there, if it exists.
Then it will look for the users file. If the environmental variable
@@ -2724,7 +2724,7 @@ further attempts will be made.
@@ -2826,7 +2826,7 @@ further attempts will be made.
The fact that users settings are loaded after the system-wide ones
means that in case of collision users wgetrc _overrides_ the
@ -72,7 +110,7 @@ diff -up wget-1.17/doc/wget.info.path wget-1.17/doc/wget.info
admins, away!

@@ -3261,7 +3261,7 @@ its line.
@@ -3369,7 +3369,7 @@ its line.
## Or online here:
## https://www.gnu.org/software/wget/manual/wget.html#Startup-File
##
@ -81,7 +119,7 @@ diff -up wget-1.17/doc/wget.info.path wget-1.17/doc/wget.info
## (global, for all users) or $HOME/.wgetrc (for a single user).
##
## To use the settings in this file, you will have to uncomment them,
@@ -3273,7 +3273,7 @@ its line.
@@ -3381,7 +3381,7 @@ its line.
##
@ -90,18 +128,20 @@ diff -up wget-1.17/doc/wget.info.path wget-1.17/doc/wget.info
## Think well before you change them, since they may reduce wget's
## functionality, and make it behave contrary to the documentation:
##
diff -up wget-1.17/doc/wget.texi.path wget-1.17/doc/wget.texi
--- wget-1.17/doc/wget.texi.path 2015-11-09 16:24:17.000000000 +0100
+++ wget-1.17/doc/wget.texi 2015-11-27 10:39:14.259380425 +0100
@@ -191,14 +191,14 @@ gauge can be customized to your preferen
diff --git a/doc/wget.texi b/doc/wget.texi
index 31aef52..cffdced 100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -191,7 +191,7 @@ gauge can be customized to your preferences.
Most of the features are fully configurable, either through command line
options, or via the initialization file @file{.wgetrc} (@pxref{Startup
File}). Wget allows you to define @dfn{global} startup files
-(@file{/usr/local/etc/wgetrc} by default) for site settings. You can also
+(@file{/etc/wgetrc} by default) for site settings. You can also
specify the location of a startup file with the --config option.
To disable the reading of config files, use --no-config.
If both --config and --no-config are given, --no-config is ignored.
@@ -200,7 +200,7 @@ If both --config and --no-config are given, --no-config is ignored.
@ignore
@c man begin FILES
@table @samp
@ -110,7 +150,7 @@ diff -up wget-1.17/doc/wget.texi.path wget-1.17/doc/wget.texi
Default location of the @dfn{global} startup file.
@item .wgetrc
@@ -3030,8 +3030,8 @@ commands.
@@ -3143,8 +3143,8 @@ commands.
@cindex location of wgetrc
When initializing, Wget will look for a @dfn{global} startup file,
@ -121,7 +161,7 @@ diff -up wget-1.17/doc/wget.texi.path wget-1.17/doc/wget.texi
from there, if it exists.
Then it will look for the user's file. If the environmental variable
@@ -3042,7 +3042,7 @@ If @code{WGETRC} is not set, Wget will t
@@ -3155,7 +3155,7 @@ If @code{WGETRC} is not set, Wget will try to load @file{$HOME/.wgetrc}.
The fact that user's settings are loaded after the system-wide ones
means that in case of collision user's wgetrc @emph{overrides} the
@ -130,36 +170,3 @@ diff -up wget-1.17/doc/wget.texi.path wget-1.17/doc/wget.texi
Fascist admins, away!
@node Wgetrc Syntax, Wgetrc Commands, Wgetrc Location, Startup File
diff -up wget-1.17/NEWS.path wget-1.17/NEWS
--- wget-1.17/NEWS.path 2015-11-15 15:14:50.000000000 +0100
+++ wget-1.17/NEWS 2015-11-27 10:39:14.259380425 +0100
@@ -782,7 +782,7 @@ distributed with Wget.
** Compiles on pre-ANSI compilers.
-** Global wgetrc now goes to /usr/local/etc (i.e. $sysconfdir).
+** Global wgetrc now goes to /etc (i.e. $sysconfdir).
** Lots of bugfixes.
@@ -845,7 +845,7 @@ Emacs, standalone info, or converted to
** Fixed a long-standing bug, so that Wget now works over SLIP
connections.
-** You can have a system-wide wgetrc (/usr/local/lib/wgetrc by
+** You can have a system-wide wgetrc (/etc/wgetrc by
default). Settings in $HOME/.wgetrc override the global ones, of
course :-)
diff -up wget-1.17/README.path wget-1.17/README
--- wget-1.17/README.path 2015-11-09 16:24:06.000000000 +0100
+++ wget-1.17/README 2015-11-27 10:39:14.259380425 +0100
@@ -33,7 +33,7 @@ for socks.
Most of the features are configurable, either through command-line
options, or via initialization file .wgetrc. Wget allows you to
-install a global startup file (/usr/local/etc/wgetrc by default) for
+install a global startup file (/etc/wgetrc by default) for
site settings.
Wget works under almost all Unix variants in use today and, unlike
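Review bot: The refreshed patch still edits doc/wget.info, which is built from doc/wget.texi, and those are the hunks whose offsets moved most in this rebase (for example @@ -2712,8 became @@ -2814,8). Since texinfo is already a BuildRequires, consider patching only the sources (NEWS, README, doc/sample.wgetrc, doc/wget.texi) and regenerating the info file during the build, so the /etc/wgetrc path cannot drift between the manual and the shipped sample. The file now starts with diff --git headers but the spec still refers to it as wget-1.17-path.patch; a name that matches the rebased version would make the history easier to follow.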


@ -1,139 +0,0 @@
From 876def8ebe56d483921cf645371d277b615373e5 Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Fri, 12 May 2017 19:17:32 +0200
Subject: [PATCH 3/4] Add command line option to disable use of .netrc
Although internally code uses option for (not) reading .netrc for
credentials, it was not possible to turn this behavior off on command
line. Note that it was possible to turn it off using wgetrc.
Idea for this change came from Bruce Jerrick (bmj001@gmail.com).
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1425097
Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
doc/wget.texi | 6 ++++
src/main.c | 3 ++
testenv/Makefile.am | 1 +
testenv/Test-auth-basic-no-netrc-fail.py | 59 ++++++++++++++++++++++++++++++++
4 files changed, 69 insertions(+)
create mode 100755 testenv/Test-auth-basic-no-netrc-fail.py
diff --git a/doc/wget.texi b/doc/wget.texi
index a2bf9dc..e4e0bf6 100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -703,6 +703,12 @@ Before (over)writing a file, back up an existing file by adding a
files are rotated to @samp{.2}, @samp{.3}, and so on, up to
@var{backups} (and lost beyond that).
+@cindex authentication credentials
+@item --no-netrc
+Do not try to obtain credentials from @file{.netrc} file. By default
+@file{.netrc} file is searched for credentials in case none have been
+passed on command line and authentication is required.
+
@cindex continue retrieval
@cindex incomplete downloads
@cindex resume download
diff --git a/src/main.c b/src/main.c
index 8e9d6e9..297499e 100644
--- a/src/main.c
+++ b/src/main.c
@@ -359,6 +359,7 @@ static struct cmdline_option option_data[] =
#endif
{ "method", 0, OPT_VALUE, "method", -1 },
{ "mirror", 'm', OPT_BOOLEAN, "mirror", -1 },
+ { "netrc", 0, OPT_BOOLEAN, "netrc", -1 },
{ "no", 'n', OPT__NO, NULL, required_argument },
{ "no-clobber", 0, OPT_BOOLEAN, "noclobber", -1 },
{ "no-config", 0, OPT_BOOLEAN, "noconfig", -1},
@@ -629,6 +630,8 @@ Download:\n"),
-nc, --no-clobber skip downloads that would download to\n\
existing files (overwriting them)\n"),
N_("\
+ --no-netrc don't try to obtain credentials from .netrc\n"),
+ N_("\
-c, --continue resume getting a partially-downloaded file\n"),
N_("\
--start-pos=OFFSET start downloading from zero-based position OFFSET\n"),
diff --git a/testenv/Makefile.am b/testenv/Makefile.am
index 7104314..ef4158a 100644
--- a/testenv/Makefile.am
+++ b/testenv/Makefile.am
@@ -78,6 +78,7 @@ if HAVE_PYTHON3
Test-auth-basic-netrc.py \
Test-auth-basic-netrc-user-given.py \
Test-auth-basic-netrc-pass-given.py \
+ Test-auth-basic-no-netrc-fail.py \
Test-auth-both.py \
Test-auth-digest.py \
Test-auth-no-challenge.py \
diff --git a/testenv/Test-auth-basic-no-netrc-fail.py b/testenv/Test-auth-basic-no-netrc-fail.py
new file mode 100755
index 0000000..fad15e9
--- /dev/null
+++ b/testenv/Test-auth-basic-no-netrc-fail.py
@@ -0,0 +1,59 @@
+#!/usr/bin/env python3
+from sys import exit
+from test.http_test import HTTPTest
+from misc.wget_file import WgetFile
+
+"""
+ This test ensures that Wget will not use credentials from .netrc
+ when --no-netrc option is specified and Basic authentication is required
+ and fails.
+"""
+############# File Definitions ###############################################
+File1 = "I am an invisble man."
+
+User = "Sauron"
+Password = "TheEye"
+
+File1_rules = {
+ "Authentication" : {
+ "Type" : "Basic",
+ "User" : User,
+ "Pass" : Password
+ }
+}
+
+Netrc = "machine 127.0.0.1\n\tlogin {0}\n\tpassword {1}".format(User, Password)
+
+A_File = WgetFile ("File1", File1, rules=File1_rules)
+Netrc_File = WgetFile (".netrc", Netrc)
+
+WGET_OPTIONS = "--no-netrc"
+WGET_URLS = [["File1"]]
+
+Files = [[A_File]]
+LocalFiles = [Netrc_File]
+
+ExpectedReturnCode = 6
+ExpectedDownloadedFiles = [Netrc_File]
+
+################ Pre and Post Test Hooks #####################################
+pre_test = {
+ "ServerFiles" : Files,
+ "LocalFiles" : LocalFiles
+}
+test_options = {
+ "WgetCommands" : WGET_OPTIONS,
+ "Urls" : WGET_URLS
+}
+post_test = {
+ "ExpectedFiles" : ExpectedDownloadedFiles,
+ "ExpectedRetcode" : ExpectedReturnCode
+}
+
+err = HTTPTest (
+ pre_hook=pre_test,
+ test_params=test_options,
+ post_hook=post_test
+).begin ()
+
+exit (err)
--
2.7.5


@ -1,275 +0,0 @@
From 17960b57d51ffb19b2b20df3e53da42c555f022c Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Fri, 12 May 2017 19:17:30 +0200
Subject: [PATCH 1/4] Added tests for HTTP authentication using credentials
from .netrc
Getting credentials from .netrc has been broken from time to time, thus
adding a test coverage to prevent regressions.
Also added setting of "HOME" environment variable when executing wget,
to make sure LocalFiles like .netrc, which are created just for the
test, are actually used.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
testenv/Makefile.am | 3 ++
testenv/Test-auth-basic-netrc-pass-given.py | 68 +++++++++++++++++++++++++++++
testenv/Test-auth-basic-netrc-user-given.py | 68 +++++++++++++++++++++++++++++
testenv/Test-auth-basic-netrc.py | 66 ++++++++++++++++++++++++++++
testenv/test/base_test.py | 2 +-
5 files changed, 206 insertions(+), 1 deletion(-)
create mode 100755 testenv/Test-auth-basic-netrc-pass-given.py
create mode 100755 testenv/Test-auth-basic-netrc-user-given.py
create mode 100755 testenv/Test-auth-basic-netrc.py
diff --git a/testenv/Makefile.am b/testenv/Makefile.am
index 3febec7..7104314 100644
--- a/testenv/Makefile.am
+++ b/testenv/Makefile.am
@@ -75,6 +75,9 @@ if HAVE_PYTHON3
TESTS = Test-504.py \
Test-auth-basic-fail.py \
Test-auth-basic.py \
+ Test-auth-basic-netrc.py \
+ Test-auth-basic-netrc-user-given.py \
+ Test-auth-basic-netrc-pass-given.py \
Test-auth-both.py \
Test-auth-digest.py \
Test-auth-no-challenge.py \
diff --git a/testenv/Test-auth-basic-netrc-pass-given.py b/testenv/Test-auth-basic-netrc-pass-given.py
new file mode 100755
index 0000000..43dfe34
--- /dev/null
+++ b/testenv/Test-auth-basic-netrc-pass-given.py
@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+from sys import exit
+from test.http_test import HTTPTest
+from misc.wget_file import WgetFile
+
+"""
+ This test ensures Wget uses credentials from .netrc for Basic Authorization Negotiation.
+ In this case we test that .netrc credentials are used in case only
+ password is given on the command line.
+ Also, we ensure that Wget saves the host after a successful auth and
+ doesn't wait for a challenge the second time.
+"""
+############# File Definitions ###############################################
+File1 = "I am an invisble man."
+File2 = "I too am an invisible man."
+
+User = "Sauron"
+Password = "TheEye"
+
+File1_rules = {
+ "Authentication" : {
+ "Type" : "Basic",
+ "User" : User,
+ "Pass" : Password
+ }
+}
+File2_rules = {
+ "ExpectHeader" : {
+ "Authorization" : "Basic U2F1cm9uOlRoZUV5ZQ=="
+ }
+}
+
+Netrc = "machine 127.0.0.1\n\tlogin {0}".format(User)
+
+A_File = WgetFile ("File1", File1, rules=File1_rules)
+B_File = WgetFile ("File2", File2, rules=File2_rules)
+Netrc_File = WgetFile (".netrc", Netrc)
+
+WGET_OPTIONS = "--password={0}".format(Password)
+WGET_URLS = [["File1", "File2"]]
+
+Files = [[A_File, B_File]]
+LocalFiles = [Netrc_File]
+
+ExpectedReturnCode = 0
+ExpectedDownloadedFiles = [A_File, B_File, Netrc_File]
+
+################ Pre and Post Test Hooks #####################################
+pre_test = {
+ "ServerFiles" : Files,
+ "LocalFiles" : LocalFiles
+}
+test_options = {
+ "WgetCommands" : WGET_OPTIONS,
+ "Urls" : WGET_URLS
+}
+post_test = {
+ "ExpectedFiles" : ExpectedDownloadedFiles,
+ "ExpectedRetcode" : ExpectedReturnCode
+}
+
+err = HTTPTest (
+ pre_hook=pre_test,
+ test_params=test_options,
+ post_hook=post_test
+).begin ()
+
+exit (err)
diff --git a/testenv/Test-auth-basic-netrc-user-given.py b/testenv/Test-auth-basic-netrc-user-given.py
new file mode 100755
index 0000000..57b6148
--- /dev/null
+++ b/testenv/Test-auth-basic-netrc-user-given.py
@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+from sys import exit
+from test.http_test import HTTPTest
+from misc.wget_file import WgetFile
+
+"""
+ This test ensures Wget uses credentials from .netrc for Basic Authorization Negotiation.
+ In this case we test that .netrc credentials are used in case only
+ user login is given on the command line.
+ Also, we ensure that Wget saves the host after a successful auth and
+ doesn't wait for a challenge the second time.
+"""
+############# File Definitions ###############################################
+File1 = "I am an invisble man."
+File2 = "I too am an invisible man."
+
+User = "Sauron"
+Password = "TheEye"
+
+File1_rules = {
+ "Authentication" : {
+ "Type" : "Basic",
+ "User" : User,
+ "Pass" : Password
+ }
+}
+File2_rules = {
+ "ExpectHeader" : {
+ "Authorization" : "Basic U2F1cm9uOlRoZUV5ZQ=="
+ }
+}
+
+Netrc = "machine 127.0.0.1\n\tlogin {0}\n\tpassword {1}".format(User, Password)
+
+A_File = WgetFile ("File1", File1, rules=File1_rules)
+B_File = WgetFile ("File2", File2, rules=File2_rules)
+Netrc_File = WgetFile (".netrc", Netrc)
+
+WGET_OPTIONS = "--user={0}".format(User)
+WGET_URLS = [["File1", "File2"]]
+
+Files = [[A_File, B_File]]
+LocalFiles = [Netrc_File]
+
+ExpectedReturnCode = 0
+ExpectedDownloadedFiles = [A_File, B_File, Netrc_File]
+
+################ Pre and Post Test Hooks #####################################
+pre_test = {
+ "ServerFiles" : Files,
+ "LocalFiles" : LocalFiles
+}
+test_options = {
+ "WgetCommands" : WGET_OPTIONS,
+ "Urls" : WGET_URLS
+}
+post_test = {
+ "ExpectedFiles" : ExpectedDownloadedFiles,
+ "ExpectedRetcode" : ExpectedReturnCode
+}
+
+err = HTTPTest (
+ pre_hook=pre_test,
+ test_params=test_options,
+ post_hook=post_test
+).begin ()
+
+exit (err)
diff --git a/testenv/Test-auth-basic-netrc.py b/testenv/Test-auth-basic-netrc.py
new file mode 100755
index 0000000..5710fe7
--- /dev/null
+++ b/testenv/Test-auth-basic-netrc.py
@@ -0,0 +1,66 @@
+#!/usr/bin/env python3
+from sys import exit
+from test.http_test import HTTPTest
+from misc.wget_file import WgetFile
+
+"""
+ This test ensures Wget uses credentials from .netrc for Basic Authorization Negotiation.
+ In this case we test that .netrc credentials are used in case no user
+ login and no password is given on the command line.
+ Also, we ensure that Wget saves the host after a successful auth and
+ doesn't wait for a challenge the second time.
+"""
+############# File Definitions ###############################################
+File1 = "I am an invisble man."
+File2 = "I too am an invisible man."
+
+User = "Sauron"
+Password = "TheEye"
+
+File1_rules = {
+ "Authentication" : {
+ "Type" : "Basic",
+ "User" : User,
+ "Pass" : Password
+ }
+}
+File2_rules = {
+ "ExpectHeader" : {
+ "Authorization" : "Basic U2F1cm9uOlRoZUV5ZQ=="
+ }
+}
+
+Netrc = "machine 127.0.0.1\n\tlogin {0}\n\tpassword {1}".format(User, Password)
+
+A_File = WgetFile ("File1", File1, rules=File1_rules)
+B_File = WgetFile ("File2", File2, rules=File2_rules)
+Netrc_File = WgetFile (".netrc", Netrc)
+
+WGET_URLS = [["File1", "File2"]]
+
+Files = [[A_File, B_File]]
+LocalFiles = [Netrc_File]
+
+ExpectedReturnCode = 0
+ExpectedDownloadedFiles = [A_File, B_File, Netrc_File]
+
+################ Pre and Post Test Hooks #####################################
+pre_test = {
+ "ServerFiles" : Files,
+ "LocalFiles" : LocalFiles
+}
+test_options = {
+ "Urls" : WGET_URLS
+}
+post_test = {
+ "ExpectedFiles" : ExpectedDownloadedFiles,
+ "ExpectedRetcode" : ExpectedReturnCode
+}
+
+err = HTTPTest (
+ pre_hook=pre_test,
+ test_params=test_options,
+ post_hook=post_test
+).begin ()
+
+exit (err)
diff --git a/testenv/test/base_test.py b/testenv/test/base_test.py
index b0087e9..bb706d8 100644
--- a/testenv/test/base_test.py
+++ b/testenv/test/base_test.py
@@ -102,7 +102,7 @@ class BaseTest:
time.sleep(float(os.getenv("SERVER_WAIT")))
try:
- ret_code = call(params)
+ ret_code = call(params, env={"HOME": os.getcwd()})
except FileNotFoundError:
raise TestFailed("The Wget Executable does not exist at the "
"expected path.")
--
2.7.5
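Review bot: In the testenv/test/base_test.py hunk of this patch, call(params, env={"HOME": os.getcwd()}) replaces the whole environment instead of extending it, so wget is started without PATH, locale or any other variable from the build environment. The spec records this as an upstream commit, so if the same line arrives with 1.19.2, check that nothing in %check depends on an inherited variable; the form that only overrides HOME is env=dict(os.environ, HOME=os.getcwd()).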


@ -1,37 +0,0 @@
From 4d729e322fae359a1aefaafec1144764a54e8ad4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Mon, 6 Mar 2017 10:04:22 +0100
Subject: [PATCH] Fix CRLF injection in Wget host part
* src/url.c (url_parse): Reject control characters in host part of URL
Reported-by: Orange Tsai
---
src/url.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/url.c b/src/url.c
index 8f8ff0b..7d36b27 100644
--- a/src/url.c
+++ b/src/url.c
@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)
url_unescape (u->host);
host_modified = true;
+ /* check for invalid control characters in host name */
+ for (p = u->host; *p; p++)
+ {
+ if (c_iscntrl(*p))
+ {
+ url_free(u);
+ error_code = PE_INVALID_HOST_NAME;
+ goto error;
+ }
+ }
+
/* Apply IDNA regardless of iri->utf8_encode status */
if (opt.enable_iri && iri)
{
--
2.7.4
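Review bot: Removing this file drops the downstream fix for CRLF injection through the URL host part, and nothing in the commit states that wget 1.19.2 already contains the c_iscntrl loop in url_parse; the spec only records the upstream commit id 4d729e322fae359a1aefaafec1144764a54e8ad4. Before merging, confirm that src/url.c in the new tarball still sets PE_INVALID_HOST_NAME when the unescaped host contains a control character.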


@ -1,30 +0,0 @@
From 5d4ada1b7b0b79f8053f3d6ffddda2e2c66d9dce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Tue, 16 May 2017 10:24:52 +0200
Subject: [PATCH 4/4] Fix two Metalink tests if $HOME is changed
* conf/expected_files.py (gen_local_fs_snapshot): Skip processing
of 'pubring.kbx'
---
testenv/conf/expected_files.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/testenv/conf/expected_files.py b/testenv/conf/expected_files.py
index 5362771..4e3ace9 100644
--- a/testenv/conf/expected_files.py
+++ b/testenv/conf/expected_files.py
@@ -24,6 +24,11 @@ class ExpectedFiles:
snapshot = {}
for parent, dirs, files in os.walk('.'):
for name in files:
+ # pubring.kbx will be created by libgpgme if $HOME doesn't contain the .gnupg directory.
+ # setting $HOME to CWD (in base_test.py) breaks two Metalink tests, so we skip this file here.
+ if name == 'pubring.kbx':
+ continue
+
f = {'content': ''}
file_path = os.path.join(parent, name)
with open(file_path) as fp:
--
2.7.5


@ -1,38 +0,0 @@
From f8c3df1f40f09dd61078436614d06e7ad818536e Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Fri, 12 May 2017 19:17:31 +0200
Subject: [PATCH 2/4] Fixed getting of credentials from .netrc
There seemed to be a copy&paste error in http.c code, which decides
whether to get credentials from .netrc. In ftp.c "user" and "pass"
variables are char*, while in http.c, these are char**. For this reason
they should be dereferenced when determining if password and user login
is set to some value.
Also since both variables are dereferenced on lines above the changed
code, it does not really make sense to check if they are NULL.
This patch is based on fix from Bruce Jerrick <bmj001@gmail.com>.
Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=1425097
Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
src/http.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/http.c b/src/http.c
index 8b77a10..323f559 100644
--- a/src/http.c
+++ b/src/http.c
@@ -1900,7 +1900,7 @@ initialize_request (const struct url *u, struct http_stat *hs, int *dt, struct u
*passwd = NULL;
/* Check for ~/.netrc if none of the above match */
- if (opt.netrc && (!user || (!passwd || !*passwd)))
+ if (opt.netrc && (!*user || !*passwd))
search_netrc (u->host, (const char **) user, (const char **) passwd, 0);
/* We only do "site-wide" authentication with "global" user/password
--
2.7.5


@ -1,21 +0,0 @@
diff --git a/testenv/Makefile.am b/testenv/Makefile.am
index ef4158a..a534e77 100644
--- a/testenv/Makefile.am
+++ b/testenv/Makefile.am
@@ -96,16 +96,12 @@ if HAVE_PYTHON3
Test-cookie.py \
Test-Head.py \
Test-hsts.py \
- Test--https.py \
Test--https-crl.py \
Test-missing-scheme-retval.py \
Test-O.py \
- Test-pinnedpubkey-der-https.py \
Test-pinnedpubkey-der-no-check-https.py \
- Test-pinnedpubkey-hash-https.py \
Test-pinnedpubkey-hash-no-check-fail-https.py \
Test-pinnedpubkey-pem-fail-https.py \
- Test-pinnedpubkey-pem-https.py \
Test-Post.py \
Test-recursive-basic.py \
Test-recursive-include.py \
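Review bot: With this patch gone, Test--https.py and the three Test-pinnedpubkey-*-https.py tests go back into TESTS, but the commit does not say that the failure referenced in the spec (bug-wget 2017-06/msg00009) is resolved in 1.19.2. Confirm with a build against the gnutls backend that these HTTPS and pinned-public-key tests pass, or keep the skip, so that the build does not fail again for the reason the patch was added.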


@ -1,27 +1,13 @@
Summary: A utility for retrieving files using the HTTP or FTP protocols
Name: wget
Version: 1.19.1
Release: 6%{?dist}
Version: 1.19.2
Release: 1%{?dist}
License: GPLv3+
Group: Applications/Internet
Url: http://www.gnu.org/software/wget/
Source: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.xz
Source: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz
Patch1: wget-1.17-path.patch
# http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
Patch2: wget-1.19.1-CVE-2017-6508.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1425097
# 4 upstream commits total
# http://git.savannah.gnu.org/cgit/wget.git/commit/?id=17960b57d51ffb19b2b20df3e53da42c555f022c
Patch3: wget-1.19.1-Added-tests-for-HTTP-authentication-using-credential.patch
# http://git.savannah.gnu.org/cgit/wget.git/commit/?id=f8c3df1f40f09dd61078436614d06e7ad818536e
Patch4: wget-1.19.1-Fixed-getting-of-credentials-from-.netrc.patch
# http://git.savannah.gnu.org/cgit/wget.git/commit/?id=876def8ebe56d483921cf645371d277b615373e5
patch5: wget-1.19.1-Add-command-line-option-to-disable-use-of-.netrc.patch
# http://git.savannah.gnu.org/cgit/wget.git/commit/?id=5d4ada1b7b0b79f8053f3d6ffddda2e2c66d9dce
Patch6: wget-1.19.1-Fix-two-Metalink-tests-if-HOME-is-changed.patch
# http://lists.gnu.org/archive/html/bug-wget/2017-06/msg00009.html
Patch7: wget-1.19.1-skip-failing-https-tests.patch
Provides: webclient
Provides: bundled(gnulib)
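Review bot: The Source line keeps the plain ftp://ftp.gnu.org URL while moving from the .tar.xz to the .tar.gz archive, so the only integrity check on the new tarball is the SHA512 line in the sources file, which was computed from whatever was downloaded. Consider adding the upstream detached signature as a second Source and verifying it in %prep, and state the reason for switching archive format.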
@ -29,10 +15,7 @@ Requires(post): /sbin/install-info
Requires(preun): /sbin/install-info
# needed for test suite
BuildRequires: perl-HTTP-Daemon, python3
BuildRequires: gnutls-devel, pkgconfig, texinfo, gettext, autoconf, libidn2-devel, libuuid-devel, perl-podlators, libpsl-devel, libmetalink-devel
# needed because of added test in Patch3. Need to remove this after rebase
BuildRequires: automake
BuildRequires: gpgme-devel
BuildRequires: gnutls-devel, pkgconfig, texinfo, gettext, autoconf, libidn2-devel, libuuid-devel, perl-podlators, libpsl-devel, libmetalink-devel, gpgme-devel
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%description
@ -52,18 +35,8 @@ sed -i "s|\(PACKAGE_STRING='wget .*\)'|\1 (Red Hat modified)'|" configure
grep "PACKAGE_STRING='wget .* (Red Hat modified)'" configure || exit 1
%patch1 -p1 -b .path
%patch2 -p1 -b .CVE-2017-6508
%patch3 -p1 -b .netrc_1
%patch4 -p1 -b .netrc_2
%patch5 -p1 -b .netrc_3
%patch6 -p1 -b .netrc_4
%patch7 -p1 -b .failing-tests
sed -i 's|/{{port|/{\\{port|' tests/*.{pm,px}
%build
aclocal
autoreconf
%configure \
--with-ssl=gnutls \
--with-libpsl \
@ -108,6 +81,9 @@ rm -rf $RPM_BUILD_ROOT
%{_infodir}/*
%changelog
* Fri Oct 27 2017 Tomas Hozza <thozza@redhat.com> - 1.19.2-1
- Update to latest upstream version due to CVE-2017-13089 CVE-2017-13090
* Mon Oct 09 2017 Troy Dawson <tdawson@redhat.com> - 1.19.1-6
- Fix FTBFS (#1499876)
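Review bot: The new %changelog entry names only CVE-2017-13089 and CVE-2017-13090, but this update also removes Patch2 through Patch7. Add a line recording that the CVE-2017-6508 fix, the .netrc fixes with the --no-netrc option, the Metalink test fix and the HTTPS test skip were dropped, and whether each is included in 1.19.2, so a later reader can tell they were not lost by accident.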