author | Mike Frysinger <vapier@gentoo.org> | 2015-09-14 19:11:12 -0400 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2015-09-14 19:11:18 -0400 |
commit | ed1e5984dd18412d94ee20624acbdfa10c3f994a (patch) | |
tree | 985c15040e85cbbac80a57ef7957385af46f2e36 /net-misc/wget | |
parent | app-backup/obnam: remove old version (diff) | |
net-misc/wget: fix from upstream for pasv ftp behavior #560418
Diffstat (limited to 'net-misc/wget')
-rw-r--r-- | net-misc/wget/files/wget-1.16.3-ftp-pasv-ip.patch | 175 | ||||
-rw-r--r-- | net-misc/wget/wget-1.16.3-r1.ebuild | 91 |
2 files changed, 266 insertions, 0 deletions
diff --git a/net-misc/wget/files/wget-1.16.3-ftp-pasv-ip.patch b/net-misc/wget/files/wget-1.16.3-ftp-pasv-ip.patch
new file mode 100644
index 000000000000..566350283e5c
--- /dev/null
+++ b/net-misc/wget/files/wget-1.16.3-ftp-pasv-ip.patch
@@ -0,0 +1,175 @@ +https://bugs.gentoo.org/560418 + +fix from upstream + +From 075d7556964f5a871a73c22ac4b69f5361295099 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de> +Date: Tue, 11 Aug 2015 16:48:08 +0200 +Subject: [PATCH] Fix IP address exposure in FTP code + +* src/ftp.c (getftp): Do not use PORT when PASV fails. +* tests/FTPServer.px: Add pasv_not_supported server flag. +* tests/Makefile.am: Add Test-ftp-pasv-not-supported.px +* tests/Test-ftp-pasv-not-supported.px: New test + +Fix IP address exposure when automatically falling back from +passive mode to active mode (using the PORT command). A behavior that +may be used to expose a client's privacy even when using a proxy. +--- + NEWS | 2 ++ + src/ftp.c | 19 +++++++----- + tests/FTPServer.pm | 8 +++++ + tests/Makefile.am | 3 +- + tests/Test-ftp-pasv-not-supported.px | 60 ++++++++++++++++++++++++++++++++++++ + 5 files changed, 84 insertions(+), 8 deletions(-) + create mode 100755 tests/Test-ftp-pasv-not-supported.px + +diff --git a/src/ftp.c b/src/ftp.c +index 68f1a33..9dab99c 100644 +--- a/src/ftp.c ++++ b/src/ftp.c +@@ -252,7 +252,6 @@ getftp (struct url *u, wgint passed_expected_bytes, wgint *qtyread, + char *respline, *tms; + const char *user, *passwd, *tmrate; + int cmd = con->cmd; +- bool pasv_mode_open = false; + wgint expected_bytes = 0; + bool got_expected_bytes = false; + bool rest_failed = false; +@@ -883,13 +882,19 @@ Error in server response, closing control connection.\n")); + ? CONERROR : CONIMPOSSIBLE); + } + +- pasv_mode_open = true; /* Flag to avoid accept port */ + if (!opt.server_response) + logputs (LOG_VERBOSE, _("done. ")); +- } /* err==FTP_OK */ +- } ++ } ++ else ++ return err; + +- if (!pasv_mode_open) /* Try to use a port command if PASV failed */ ++ /* ++ * We do not want to fall back from PASSIVE mode to ACTIVE mode ! ++ * The reason is the PORT command exposes the client's real IP address ++ * to the server. 
Bad for someone who relies on privacy via a ftp proxy. ++ */ ++ } ++ else + { + err = ftp_do_port (csock, &local_sock); + /* FTPRERR, WRITEFAILED, bindport (FTPSYSERR), HOSTERR, +@@ -1148,8 +1153,8 @@ Error in server response, closing control connection.\n")); + } + + /* If no transmission was required, then everything is OK. */ +- if (!pasv_mode_open) /* we are not using pasive mode so we need +- to accept */ ++ if (!opt.ftp_pasv) /* we are not using passive mode so we need ++ to accept */ + { + /* Wait for the server to connect to the address we're waiting + at. */ +diff --git a/tests/FTPServer.pm b/tests/FTPServer.pm +index c0a6e47..a5185d6 100644 +--- a/tests/FTPServer.pm ++++ b/tests/FTPServer.pm +@@ -740,6 +740,14 @@ sub run + last; + } + ++ if (defined($self->{_server_behavior}{pasv_not_supported}) ++ && $cmd eq 'PASV') ++ { ++ print {$conn->{socket}} ++ "500 PASV not supported.\r\n"; ++ next; ++ } ++ + # Run the command. + &{$command_table->{$cmd}}($conn, $cmd, $rest); + } +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 5d387aa..daf162f 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -127,7 +127,8 @@ PX_TESTS = \ + Test--start-pos.px \ + Test--start-pos--continue.px \ + Test--httpsonly-r.px \ +- Test-204.px ++ Test-204.px \ ++ Test-ftp-pasv-not-supported.px + + EXTRA_DIST = FTPServer.pm FTPTest.pm HTTPServer.pm HTTPTest.pm \ + WgetTests.pm WgetFeature.pm WgetFeature.cfg $(PX_TESTS) \ +diff --git a/tests/Test-ftp-pasv-not-supported.px b/tests/Test-ftp-pasv-not-supported.px +new file mode 100755 +index 0000000..97d0610 +--- /dev/null ++++ b/tests/Test-ftp-pasv-not-supported.px +@@ -0,0 +1,60 @@ ++#!/usr/bin/env perl ++ ++use strict; ++use warnings; ++ ++use FTPTest; ++ ++# This test checks whether Wget *does not* fall back from passive mode to ++# active mode using a PORT command. Wget <= 1.16.3 made a fallback exposing ++# the client's real IP address to the remote FTP server. 
++#
++# This behavior circumvents expected privacy when using a proxy / proxy network (e.g. Tor).
++#
++# Wget >= 1.16.4 does it right. This test checks it.
++
++###############################################################################
++
++# From bug report 10.08.2015 from tomtidaly@sigaint.org
++my $afile = <<EOF;
++FTP PORT command code in v1.16.3?
++
++In the past it could be possible for a site over http connection to
++redirect wget to FPT using FTP PORT command so the site gets the real IP
++of the computer even when wget proxy command is in use I believe:
++https://lists.torproject.org/pipermail/tor-talk/2012-April/024040.html
++
++Is that code still present in wget v1.16.3? It was present in v1.13.4.
++EOF
++
++$afile =~ s/\n/\r\n/g;
++
++
++# code, msg, headers, content
++my %urls = (
++ '/afile.txt' => {
++ content => $afile,
++ },
++);
++
++my $cmdline = $WgetTest::WGETPATH . " -S ftp://localhost:{{port}}/afile.txt";
++
++my $expected_error_code = 8;
++
++my %expected_downloaded_files = (
++ 'afile.txt' => {
++ content => $afile,
++ },
++);
++
++###############################################################################
++
++my $the_test = FTPTest->new (
++ server_behavior => {pasv_not_supported => 1},
++ input => \%urls,
++ cmdline => $cmdline,
++ errcode => $expected_error_code,
++ output => \%expected_downloaded_files);
++exit !$the_test->run();
++
++# vim: et ts=4 sw=4
+--
+2.5.1
+
diff --git a/net-misc/wget/wget-1.16.3-r1.ebuild b/net-misc/wget/wget-1.16.3-r1.ebuild
new file mode 100644
index 000000000000..d3ac2f850344
--- /dev/null
+++ b/net-misc/wget/wget-1.16.3-r1.ebuild
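Review bot: The new `else return err;` in getftp's PASV branch leaves the function without closing the control connection: it is reached for every ftp_pasv result that the preceding switch (outside this hunk) treated as non-fatal, whereas the neighbouring connect-failure branch ending in `? CONERROR : CONIMPOSSIBLE);` presumably tears csock down first. Unless the caller is known to close con->csock on every error code it receives, I would put `fd_close (csock); con->csock = -1;` in front of that return so a refused PASV does not leave the control socket open. Separately, the new test pins `$expected_error_code = 8` and yet lists afile.txt in %expected_downloaded_files; if the FTP harness serves its input files out of the working directory that is correct, but a one-line comment such as `# afile.txt is the server's input copy, not a download` would stop the next reader from taking it as a contradiction. getftp's body starts and ends outside this hunk.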
@@ -0,0 +1,91 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+PYTHON_COMPAT=( python{3_3,3_4} )
+
+inherit flag-o-matic python-any-r1 toolchain-funcs autotools
+
+DESCRIPTION="Network utility to retrieve files from the WWW"
+HOMEPAGE="https://www.gnu.org/software/wget/"
+SRC_URI="mirror://gnu/wget/${P}.tar.xz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="debug gnutls idn ipv6 nls ntlm pcre +ssl static test uuid zlib"
+
+LIB_DEPEND="idn? ( net-dns/libidn[static-libs(+)] )
+ pcre? ( dev-libs/libpcre[static-libs(+)] )
+ ssl? (
+ gnutls? ( net-libs/gnutls[static-libs(+)] )
+ !gnutls? ( dev-libs/openssl:0[static-libs(+)] )
+ )
+ uuid? ( sys-apps/util-linux[static-libs(+)] )
+ zlib? ( sys-libs/zlib[static-libs(+)] )"
+RDEPEND="!static? ( ${LIB_DEPEND//\[static-libs(+)]} )"
+DEPEND="${RDEPEND}
+ app-arch/xz-utils
+ virtual/pkgconfig
+ static? ( ${LIB_DEPEND} )
+ test? (
+ ${PYTHON_DEPS}
+ dev-lang/perl
+ dev-perl/HTTP-Daemon
+ dev-perl/HTTP-Message
+ dev-perl/IO-Socket-SSL
+ )
+ nls? ( sys-devel/gettext )"
+
+REQUIRED_USE="ntlm? ( !gnutls ssl ) gnutls? ( ssl )"
+
+DOCS=( AUTHORS MAILING-LIST NEWS README doc/sample.wgetrc )
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+}
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-ftp-pasv-ip.patch #560418
+}
+
+src_configure() {
+ # fix compilation on Solaris, we need filio.h for FIONBIO as used in
+ # the included gnutls -- force ioctl.h to include this header
+ [[ ${CHOST} == *-solaris* ]] && append-cppflags -DBSD_COMP=1
+
+ if use static ; then
+ append-ldflags -static
+ tc-export PKG_CONFIG
+ PKG_CONFIG+=" --static"
+ fi
+ econf \
+ --disable-assert \
+ --disable-rpath \
+ $(use_with ssl ssl $(usex gnutls gnutls openssl)) \
+ $(use_enable ssl opie) \
+ $(use_enable ssl digest) \
+ $(use_enable idn iri) \
+ $(use_enable ipv6) \
+ $(use_enable nls) \
+ $(use_enable ntlm) \
+ $(use_enable pcre) \
+ $(use_enable debug) \
+ $(use_with uuid libuuid) \
+ $(use_with zlib)
+}
+
+src_test() {
+ emake check
+}
+
+src_install() {
+ default
+
+ sed -i \
+ -e "s:/usr/local/etc:${EPREFIX}/etc:g" \
+ "${ED}"/etc/wgetrc \
+ "${ED}"/usr/share/man/man1/wget.1 \
+ "${ED}"/usr/share/info/wget.info
+} |
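Review bot: src_prepare applies a patch that edits tests/Makefile.am (it appends Test-ftp-pasv-not-supported.px to PX_TESTS) but never runs eautoreconf, although the ebuild already inherits autotools; the shipped Makefile.in therefore still lacks the new test, so under USE=test `emake check` either skips the one test that exercises this fix or trips automake's rebuild rule at build time. I would add `eautoreconf` after the epatch line in src_prepare, or drop the Makefile.am and test hunks from the patch if the test is not meant to run here. The reason for the revision is currently only a bug number; a comment next to the epatch line such as `# never fall back from PASV to PORT: PORT exposes the client IP to the server even through a proxy (#560418)` would make the security motivation visible without opening the bug.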