author | Ladislav Hagara | 2011-02-20 02:21:50 +0100 |
---|---|---|
committer | George Sherwood | 2011-02-27 09:27:40 -0600 |
commit | 225d3d0aa8ca0fa3d03fcc5edc5e17371b17d786 (patch) | |
tree | 0e8b6628f05d69f63674b82ec7514a0a5b55d55f | |
parent | 6d237ec8cf1c539a5aca29df7ab46413af38f4f3 (diff) |
wget: wget-1.12-CVE-2010-2252.patch, SECURITY_PATCH=1
(cherry picked from commit e797ab052de2ad1efcff7f7b0aeb73235cf8fb1c)
-rwxr-xr-x | ftp/wget/DETAILS | 1 | ||||
-rw-r--r-- | ftp/wget/HISTORY | 4 | ||||
-rwxr-xr-x | ftp/wget/PRE_BUILD | 3 | ||||
-rw-r--r-- | ftp/wget/wget-1.12-CVE-2010-2252.patch | 155 |
4 files changed, 163 insertions, 0 deletions
diff --git a/ftp/wget/DETAILS b/ftp/wget/DETAILS
index 5b288b6d9c..c07596285a 100755
--- a/ftp/wget/DETAILS
+++ b/ftp/wget/DETAILS
@@ -1,5 +1,6 @@
 SPELL=wget
 VERSION=1.12
+ SECURITY_PATCH=1
 PATCHLEVEL=0
 SOURCE=$SPELL-$VERSION.tar.gz
 SOURCE_URL[0]=$GNU_URL/$SPELL/$SOURCE
diff --git a/ftp/wget/HISTORY b/ftp/wget/HISTORY
index 4212ceccfa..84b0ab3adc 100644
--- a/ftp/wget/HISTORY
+++ b/ftp/wget/HISTORY
@@ -1,3 +1,7 @@
+2011-02-20 Ladislav Hagara <hgr@vabo.cz>
+ * DETAILS: SECURITY_PATCH=1
+ * PRE_BUILD, wget-1.12-CVE-2010-2252.patch: added patch from Arch Linux
+
 2010-09-09 Ladislav Hagara <hgr@vabo.cz>
 * CONFIGURE, BUILD: added option to disable IPv6 support
diff --git a/ftp/wget/PRE_BUILD b/ftp/wget/PRE_BUILD
new file mode 100755
index 0000000000..b337b862f3
--- /dev/null
+++ b/ftp/wget/PRE_BUILD
@@ -0,0 +1,3 @@
+default_pre_build &&
+cd $SOURCE_DIRECTORY &&
+patch -p1 < $SPELL_DIRECTORY/wget-1.12-CVE-2010-2252.patch
diff --git a/ftp/wget/wget-1.12-CVE-2010-2252.patch b/ftp/wget/wget-1.12-CVE-2010-2252.patch
new file mode 100644
index 0000000000..d1d797a2c9
--- /dev/null
+++ b/ftp/wget/wget-1.12-CVE-2010-2252.patch
@@ -0,0 +1,155 @@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/doc/wget.texi wget/doc/wget.texi
+--- wget~/doc/wget.texi 2010-09-05 15:32:44.000000000 +0200
++++ wget/doc/wget.texi 2010-09-05 15:32:44.000000000 +0200
+@@ -1487,6 +1487,13 @@
+ @code{Content-Disposition} headers to describe what the name of a
+ downloaded file should be.
+
++@cindex Trust server names
++@item --trust-server-names
++
++If this is set to on, on a redirect the last component of the
++redirection URL will be used as the local file name. By default it is
++used the last component in the original URL.
++
+ @cindex authentication
+ @item --auth-no-challenge
+
+@@ -2797,6 +2804,10 @@
+ Turn on recognition of the (non-standard) @samp{Content-Disposition}
+ HTTP header---if set to @samp{on}, the same as @samp{--content-disposition}.
+
++@item trust_server_names = on/off
++If set to on, use the last component of a redirection URL for the local
++file name.
++
+ @item continue = on/off
+ If set to on, force continuation of preexistent partially retrieved
+ files. See @samp{-c} before setting it.
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/http.c wget/src/http.c
+--- wget~/src/http.c 2010-09-05 15:30:22.000000000 +0200
++++ wget/src/http.c 2010-09-05 15:32:44.000000000 +0200
+@@ -2410,8 +2410,9 @@
+ /* The genuine HTTP loop! This is the part where the retrieval is
+ retried, and retried, and... */
+ uerr_t
+-http_loop (struct url *u, char **newloc, char **local_file, const char *referer,
+- int *dt, struct url *proxy, struct iri *iri)
++http_loop (struct url *u, struct url *original_url, char **newloc,
++ char **local_file, const char *referer, int *dt, struct url *proxy,
++ struct iri *iri)
+ {
+ int count;
+ bool got_head = false; /* used for time-stamping and filename detection */
+@@ -2457,7 +2458,8 @@
+ }
+ else if (!opt.content_disposition)
+ {
+- hstat.local_file = url_file_name (u);
++ hstat.local_file =
++ url_file_name (opt.trustservernames ? u : original_url);
+ got_name = true;
+ }
+
+@@ -2497,7 +2499,7 @@
+
+ /* Send preliminary HEAD request if -N is given and we have an existing
+ * destination file. */
+- file_name = url_file_name (u);
++ file_name = url_file_name (opt.trustservernames ? u : original_url);
+ if (opt.timestamping
+ && !opt.content_disposition
+ && file_exists_p (file_name))
+@@ -2852,9 +2854,9 @@
+
+ /* Remember that we downloaded the file for later ".orig" code. */
+ if (*dt & ADDED_HTML_EXTENSION)
+- downloaded_file(FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
++ downloaded_file (FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
+ else
+- downloaded_file(FILE_DOWNLOADED_NORMALLY, hstat.local_file);
++ downloaded_file (FILE_DOWNLOADED_NORMALLY, hstat.local_file);
+
+ ret = RETROK;
+ goto exit;
+@@ -2885,9 +2887,9 @@
+
+ /* Remember that we downloaded the file for later ".orig" code. */
+ if (*dt & ADDED_HTML_EXTENSION)
+- downloaded_file(FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
++ downloaded_file (FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
+ else
+- downloaded_file(FILE_DOWNLOADED_NORMALLY, hstat.local_file);
++ downloaded_file (FILE_DOWNLOADED_NORMALLY, hstat.local_file);
+
+ ret = RETROK;
+ goto exit;
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/http.h wget/src/http.h
+--- wget~/src/http.h 2010-09-05 15:30:22.000000000 +0200
++++ wget/src/http.h 2010-09-05 15:32:44.000000000 +0200
+@@ -33,8 +33,8 @@
+
+ struct url;
+
+-uerr_t http_loop (struct url *, char **, char **, const char *, int *,
+- struct url *, struct iri *);
++uerr_t http_loop (struct url *, struct url *, char **, char **, const char *,
++ int *, struct url *, struct iri *);
+ void save_cookies (void);
+ void http_cleanup (void);
+ time_t http_atotm (const char *);
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/init.c wget/src/init.c
+--- wget~/src/init.c 2010-09-05 15:30:22.000000000 +0200
++++ wget/src/init.c 2010-09-05 15:32:44.000000000 +0200
+@@ -243,6 +243,7 @@
+ { "timeout", NULL, cmd_spec_timeout },
+ { "timestamping", &opt.timestamping, cmd_boolean },
+ { "tries", &opt.ntry, cmd_number_inf },
++ { "trustservernames", &opt.trustservernames, cmd_boolean },
+ { "useproxy", &opt.use_proxy, cmd_boolean },
+ { "user", &opt.user, cmd_string },
+ { "useragent", NULL, cmd_spec_useragent },
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/main.c wget/src/main.c
+--- wget~/src/main.c 2010-09-05 15:30:22.000000000 +0200
++++ wget/src/main.c 2010-09-05 15:32:44.000000000 +0200
+@@ -266,6 +266,7 @@
+ { "timeout", 'T', OPT_VALUE, "timeout", -1 },
+ { "timestamping", 'N', OPT_BOOLEAN, "timestamping", -1 },
+ { "tries", 't', OPT_VALUE, "tries", -1 },
++ { "trust-server-names", 0, OPT_BOOLEAN, "trustservernames", -1 },
+ { "user", 0, OPT_VALUE, "user", -1 },
+ { "user-agent", 'U', OPT_VALUE, "useragent", -1 },
+ { "verbose", 'v', OPT_BOOLEAN, "verbose", -1 },
+@@ -675,6 +676,8 @@
+ N_("\
+ -I, --include-directories=LIST list of allowed directories.\n"),
+ N_("\
++ --trust-server-names use the name specified by the redirection url last component.\n"),
++ N_("\
+ -X, --exclude-directories=LIST list of excluded directories.\n"),
+ N_("\
+ -np, --no-parent don't ascend to the parent directory.\n"),
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/options.h wget/src/options.h
+--- wget~/src/options.h 2010-09-05 15:30:22.000000000 +0200
++++ wget/src/options.h 2010-09-05 15:32:44.000000000 +0200
+@@ -242,6 +242,7 @@
+ char *encoding_remote;
+ char *locale;
+
++ bool trustservernames;
+ #ifdef __VMS
+ int ftp_stmlf; /* Force Stream_LF format for binary FTP. */
+ #endif /* def __VMS */
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/retr.c wget/src/retr.c
+--- wget~/src/retr.c 2010-09-05 15:30:22.000000000 +0200
++++ wget/src/retr.c 2010-09-05 15:32:44.000000000 +0200
+@@ -689,7 +689,8 @@
+ #endif
+ || (proxy_url && proxy_url->scheme == SCHEME_HTTP))
+ {
+- result = http_loop (u, &mynewloc, &local_file, refurl, dt, proxy_url, iri);
++ result = http_loop (u, orig_parsed, &mynewloc, &local_file, refurl, dt,
++ proxy_url, iri);
+ }
+ else if (u->scheme == SCHEME_FTP)
+ {
+ |
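Review bot: The new `original_url` argument is handed to url_file_name() without a NULL check at both call sites the patch adds in http_loop (the `!opt.content_disposition` branch and the `-N` pre-check). With trust-server-names off, which the wget.texi hunk documents as the default, a caller passing NULL would make url_file_name() work on a null pointer. A guard such as `url_file_name (opt.trustservernames || !original_url ? u : original_url)` at both sites would cover that; the only caller shown passes `orig_parsed`, and whether it can be NULL there is not visible. Separately, the retr.c hunk changes only the http_loop call and leaves the `else if (u->scheme == SCHEME_FTP)` branch below it untouched, so it is worth confirming that a redirect to an ftp:// URL cannot still choose the local file name. http_loop's body and the retr.c caller both continue outside the hunks shown.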