Sync from SUSE:SLFO:Main wget revision 37ec7b90613c7626dd79e392a58571e8
parent
af0348558a
commit
0ceb7df7de
@ -1,74 +0,0 @@
|
||||
From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
|
||||
Date: Sun, 2 Jun 2024 12:40:16 +0200
|
||||
Subject: Properly re-implement userinfo parsing (rfc2396)
|
||||
|
||||
* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
|
||||
|
||||
The reason why the implementation is based on RFC 2396, an outdated standard,
|
||||
is that the whole file is based on that RFC, and mixing standard here might be
|
||||
dangerous.
|
||||
---
|
||||
src/url.c | 40 ++++++++++++++++++++++++++++++++++------
|
||||
1 file changed, 34 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/url.c b/src/url.c
|
||||
index 69e948b..07c3bc8 100644
|
||||
--- a/src/url.c
|
||||
+++ b/src/url.c
|
||||
@@ -41,6 +41,7 @@ as that of the covered work. */
|
||||
#include "url.h"
|
||||
#include "host.h" /* for is_valid_ipv6_address */
|
||||
#include "c-strcase.h"
|
||||
+#include "c-ctype.h"
|
||||
|
||||
#ifdef HAVE_ICONV
|
||||
# include <iconv.h>
|
||||
@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
|
||||
static const char *
|
||||
url_skip_credentials (const char *url)
|
||||
{
|
||||
- /* Look for '@' that comes before terminators, such as '/', '?',
|
||||
- '#', or ';'. */
|
||||
- const char *p = (const char *)strpbrk (url, "@/?#;");
|
||||
- if (!p || *p != '@')
|
||||
- return url;
|
||||
- return p + 1;
|
||||
+ /*
|
||||
+ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
|
||||
+ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
|
||||
+ *
|
||||
+ * The RFC says
|
||||
+ * server = [ [ userinfo "@" ] hostport ]
|
||||
+ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
|
||||
+ * unreserved = alphanum | mark
|
||||
+ * mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
|
||||
+ */
|
||||
+ static const char *allowed = "-_.!~*'();:&=+$,";
|
||||
+
|
||||
+ for (const char *p = url; *p; p++)
|
||||
+ {
|
||||
+ if (c_isalnum(*p))
|
||||
+ continue;
|
||||
+
|
||||
+ if (strchr(allowed, *p))
|
||||
+ continue;
|
||||
+
|
||||
+ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
|
||||
+ {
|
||||
+ p += 2;
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ if (*p == '@')
|
||||
+ return p + 1;
|
||||
+
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ return url;
|
||||
}
|
||||
|
||||
/* Parse credentials contained in [BEG, END). The region is expected
|
||||
--
|
||||
cgit v1.1
|
BIN
wget-1.24.5.tar.gz
(Stored with Git LFS)
BIN
wget-1.24.5.tar.gz
(Stored with Git LFS)
Binary file not shown.
@ -1,17 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQJDBAABCAAtFiEEa5j2N9h5xSNuJ3xcZP+QqujHCvkFAmXtv7QPHGdwZ0BkYXJu
|
||||
aXIubmV0AAoJEGT/kKroxwr59lwQAKCzs/wa9PmMW4MgcUKXMwixoysi/kl4zwTO
|
||||
V7W3JN80YRyf2kG/wPu6//JmYgeUXwY0x9XbbfwmCsopmCXsXWJlD6BswOrZi+34
|
||||
BFmQOQImfUYurKjA9N/ZiZbCl8i+/WiEW/kRHJ3TCiZ578JAy+H16pM2EJbv/jkE
|
||||
/FBW2gAyNcsu7pGCcv9DjdwJEGySvKklKmv6l/uA9l6wBX8/DqdmjjnMN3YaXot+
|
||||
2HpWZeEDnMhT3++MAYbpPVF76OWTFoyE9WBbPbs2uci75vsghwyF9PLmyqxBRNoE
|
||||
SGpY18DXrx01eXUiXYd5DUNkkFQReWRaMxkURijTgXVvebiXJ4b3Updr5Ds5j6vb
|
||||
adCgyf4zj8hbd41T+an/e3u51D+6+M+jjBGmL0gY/edixZMVb9lS8FiUBD9rjvpe
|
||||
VlNZWOS3C7Wr7iwq39t0R6sZc9GjnxokmcS+xCM3FBLpSg/jOJ0P+WIgVxyScuHa
|
||||
sLcQk0laXWcDwfOzPSjFSEMtDvt4NANhCMxHOi0dh5L+n+KFvFIS9R1mlyKmdLCo
|
||||
O72NS+Ks9zgSLebapGPFutvZlp6mB98f4YWhOyJR3VkfdHrtlWfq9EvofMM+KpB9
|
||||
0bKt+eDvIpkbMhUisAtjE0OwpTSZa1pBogwF3Zwjvb+baGD51EPbh4Al8XlQ8ONE
|
||||
9obMVikI
|
||||
=qpKJ
|
||||
-----END PGP SIGNATURE-----
|
BIN
wget-1.25.0.tar.gz
(Stored with Git LFS)
Normal file
BIN
wget-1.25.0.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
17
wget-1.25.0.tar.gz.sig
Normal file
17
wget-1.25.0.tar.gz.sig
Normal file
@ -0,0 +1,17 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQJDBAABCAAtFiEEa5j2N9h5xSNuJ3xcZP+QqujHCvkFAmcxJnYPHGRhcm5pckBn
|
||||
bnUub3JnAAoJEGT/kKroxwr528sP/2zIABlSq1MwfnKm72+ViZUF+Htd1ctJJBdv
|
||||
7YDO3kUSv9cL+vJHl5/bksRT5btzVBBV8uN87AjUrB/eAwskBhbteNhTMNe0O990
|
||||
st+qpHcH2b/KT0tdMXYT57W5iIv3SIMpDhEHWP6uzTr4YC2T3j22LHO3Ytm30XeM
|
||||
XFAaHLxLCioAyVf+Im/oDrSW+tl882ubL7D23nBkT8Lh2R7XtBTvWof17YPBpkdY
|
||||
KADgG2qSKFi08nCCMJ/k8nC0jsTrANkOC+34Zvp6ri5N9MzPKLOCLumSfwCdyeO/
|
||||
vTGDJDE+Gvo130KUxnXTm7/goaUMaRiwIuPnTHc4+20NWWejZUaVfOYqiSqiNr9l
|
||||
IncvZskH3SqTuygtUTlXKEZePUQ27Cf9AiylEkEzMNb6qMHBiMX6Ql9JQzEocQP9
|
||||
mhP4VaauBKidqADhyDNLLSmyaHuw1nC4oXydQDR5EJ1mNpXPjzd/0p5MjQjwYAOW
|
||||
+NKMF9+iraTl6wELNGB1BkU3Ya1hFVqFe7KvDy5Hk1JO6Fualq4E26S/iEuIZZ/R
|
||||
KEpyqDj4w26OjuMWY5n3M26QGaKiyKpyB0vEtsrMpwwcn+Ue/QVSVXNLTYHNnN9H
|
||||
NrkxPgDFixRyz4aCFOw4cu+pjz6zxeBOJ9sJZ+zajx6JUz6bC7v0CQ/TDmqAct3Y
|
||||
ujdCG5mL
|
||||
=FQTL
|
||||
-----END PGP SIGNATURE-----
|
18
wget.changes
18
wget.changes
@ -1,3 +1,21 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 12 09:22:09 UTC 2024 - Valentin Lefebvre <valentin.lefebvre@suse.com>
|
||||
|
||||
- GNU wget 1.25.0:
|
||||
* New testcase for pathconf truncation
|
||||
* Fix libproxy build with --disable-debug
|
||||
* [BREAKING CHANGE] Support continious reading from stdin pipes
|
||||
* Properly re-implement userinfo parsing (rfc2396)
|
||||
* init: fix -Warray-bounds in setval_internal_tilde
|
||||
* Fix build error on MingW with `G_GETFL` and `F_SETFL` flags
|
||||
* Fix returning uninitialized variable
|
||||
* Fix a static analysis false positive
|
||||
* [BREAKING CHANGE] Fix CVE-2024-10524 (drop support for shorthand URLs)
|
||||
(bsc#1233256)
|
||||
- Remove committed patches
|
||||
* properly-re-implement-userinfo-parsing.patch
|
||||
- Renumber patches
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 11 17:22:46 UTC 2024 - Valentin Lefebvre <valentin.lefebvre@suse.com>
|
||||
|
||||
|
13
wget.spec
13
wget.spec
@ -19,7 +19,7 @@
|
||||
|
||||
%bcond_with regression_tests
|
||||
Name: wget
|
||||
Version: 1.24.5
|
||||
Version: 1.25.0
|
||||
Release: 0
|
||||
Summary: A Tool for Mirroring FTP and HTTP Servers
|
||||
License: GPL-3.0-or-later
|
||||
@ -30,13 +30,12 @@ Source1: https://ftp.gnu.org/gnu/wget/%{name}-%{version}.tar.gz.sig
|
||||
# From https://savannah.gnu.org/project/release-gpgkeys.php?group=wget&download=1
|
||||
Source2: %{name}.keyring
|
||||
Patch0: wgetrc.patch
|
||||
Patch6: wget-1.14-no-ssl-comp.patch
|
||||
Patch1: wget-1.14-no-ssl-comp.patch
|
||||
# PATCH-FIX-OPENSUSE fix pod syntax for perl 5.18 coolo@suse.de
|
||||
Patch7: wget-fix-pod-syntax.diff
|
||||
Patch8: wget-errno-clobber.patch
|
||||
Patch9: remove-env-from-shebang.patch
|
||||
Patch10: wget-do-not-propagate-credentials.patch
|
||||
Patch11: properly-re-implement-userinfo-parsing.patch
|
||||
Patch2: wget-fix-pod-syntax.diff
|
||||
Patch3: wget-errno-clobber.patch
|
||||
Patch4: remove-env-from-shebang.patch
|
||||
Patch5: wget-do-not-propagate-credentials.patch
|
||||
BuildRequires: gpgme-devel >= 0.4.2
|
||||
BuildRequires: libcares-devel
|
||||
BuildRequires: libidn2-devel
|
||||
|