packages/wget
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-10524 and backport related patches

Browse Source
This commit is contained in:
xingwei 2024-12-03 08:42:44 +00:00
parent 7810917b25
commit 5d6792710d
5 changed files with 422 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

183
backport-CVE-2024-10524.patch Normal file
View File

@ -0,0 +1,183 @@
From c419542d956a2607bbce5df64b9d378a8588d778 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Sun, 27 Oct 2024 19:53:14 +0100
Subject: [PATCH] Fix CVE-2024-10524 (drop support for shorthand URLs)
* doc/wget.texi: Add documentation for removed support for shorthand URLs.
* src/html-url.c (src/html-url.c): Call maybe_prepend_scheme.
* src/main.c (main): Likewise.
* src/retr.c (getproxy): Likewise.
* src/url.c: Rename definition of rewrite_shorthand_url to maybe_prepend_scheme,
add new function is_valid_port.
* src/url.h: Rename declaration of rewrite_shorthand_url to maybe_prepend_scheme.
Reported-by: Goni Golan <gonig@jfrog.com>
diff --git a/doc/wget.texi b/doc/wget.texi
index 1d026d72..d46da375 100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -314,8 +314,8 @@ for text files. Here is an example:
ftp://host/directory/file;type=a
@end example
-Two alternative variants of @sc{url} specification are also supported,
-because of historical (hysterical?) reasons and their widespreaded use.
+The two alternative variants of @sc{url} specifications are no longer
+supported because of security considerations:
@sc{ftp}-only syntax (supported by @code{NcFTP}):
@example
@@ -327,12 +327,8 @@ host:/dir/file
host[:port]/dir/file
@end example
-These two alternative forms are deprecated, and may cease being
-supported in the future.
-
-If you do not understand the difference between these notations, or do
-not know which one to use, just use the plain ordinary format you use
-with your favorite browser, like @code{Lynx} or @code{Netscape}.
+These two alternative forms have been deprecated long time ago,
+and support is removed with version 1.22.0.
@c man begin OPTIONS
diff --git a/src/html-url.c b/src/html-url.c
index 8e960092..99914943 100644
--- a/src/html-url.c
+++ b/src/html-url.c
@@ -932,7 +932,7 @@ get_urls_file (const char *file, bool *read_again)
url_text = merged;
}
- new_url = rewrite_shorthand_url (url_text);
+ new_url = maybe_prepend_scheme (url_text);
if (new_url)
{
xfree (url_text);
diff --git a/src/main.c b/src/main.c
index 77b1a0b6..6858d2da 100644
--- a/src/main.c
+++ b/src/main.c
@@ -2126,7 +2126,7 @@ only if outputting to a regular file.\n"));
struct iri *iri = iri_new ();
struct url *url_parsed;
- t = rewrite_shorthand_url (argv[optind]);
+ t = maybe_prepend_scheme (argv[optind]);
if (!t)
t = argv[optind];
diff --git a/src/retr.c b/src/retr.c
index 5422963c..26eb9f17 100644
--- a/src/retr.c
+++ b/src/retr.c
@@ -1546,7 +1546,7 @@ getproxy (struct url *u)
/* Handle shorthands. `rewritten_storage' is a kludge to allow
getproxy() to return static storage. */
- rewritten_url = rewrite_shorthand_url (proxy);
+ rewritten_url = maybe_prepend_scheme (proxy);
if (rewritten_url)
return rewritten_url;
diff --git a/src/url.c b/src/url.c
index 07c3bc87..2f27c48a 100644
--- a/src/url.c
+++ b/src/url.c
@@ -594,60 +594,39 @@ parse_credentials (const char *beg, const char *end, char **user, char **passwd)
return true;
}
-/* Used by main.c: detect URLs written using the "shorthand" URL forms
- originally popularized by Netscape and NcFTP. HTTP shorthands look
- like this:
-
- www.foo.com[:port]/dir/file -> http://www.foo.com[:port]/dir/file
- www.foo.com[:port] -> http://www.foo.com[:port]
-
- FTP shorthands look like this:
-
- foo.bar.com:dir/file -> ftp://foo.bar.com/dir/file
- foo.bar.com:/absdir/file -> ftp://foo.bar.com//absdir/file
+static bool is_valid_port(const char *p)
+{
+ unsigned port = (unsigned) atoi (p);
+ if (port == 0 || port > 65535)
+ return false;
- If the URL needs not or cannot be rewritten, return NULL. */
+ int digits = strspn (p, "0123456789");
+ return digits && (p[digits] == '/' || p[digits] == '\0');
+}
+/* Prepend "http://" to url if scheme is missing, otherwise return NULL. */
char *
-rewrite_shorthand_url (const char *url)
+maybe_prepend_scheme (const char *url)
{
- const char *p;
- char *ret;
-
if (url_scheme (url) != SCHEME_INVALID)
return NULL;
- /* Look for a ':' or '/'. The former signifies NcFTP syntax, the
- latter Netscape. */
- p = strpbrk (url, ":/");
+ const char *p = strchr (url, ':');
if (p == url)
return NULL;
/* If we're looking at "://", it means the URL uses a scheme we
don't support, which may include "https" when compiled without
- SSL support. Don't bogusly rewrite such URLs. */
+ SSL support. Don't bogusly prepend "http://" to such URLs. */
if (p && p[0] == ':' && p[1] == '/' && p[2] == '/')
return NULL;
- if (p && *p == ':')
- {
- /* Colon indicates ftp, as in foo.bar.com:path. Check for
- special case of http port number ("localhost:10000"). */
- int digits = strspn (p + 1, "0123456789");
- if (digits && (p[1 + digits] == '/' || p[1 + digits] == '\0'))
- goto http;
-
- /* Turn "foo.bar.com:path" to "ftp://foo.bar.com/path". */
- if ((ret = aprintf ("ftp://%s", url)) != NULL)
- ret[6 + (p - url)] = '/';
- }
- else
- {
- http:
- /* Just prepend "http://" to URL. */
- ret = aprintf ("http://%s", url);
- }
- return ret;
+ if (p && p[0] == ':' && !is_valid_port (p + 1))
+ return NULL;
+
+
+ fprintf(stderr, "Prepended http:// to '%s'\n", url);
+ return aprintf ("http://%s", url);
}
static void split_path (const char *, char **, char **);
diff --git a/src/url.h b/src/url.h
index 2dfbf30b..7796a21c 100644
--- a/src/url.h
+++ b/src/url.h
@@ -128,7 +128,7 @@ char *uri_merge (const char *, const char *);
int mkalldirs (const char *);
-char *rewrite_shorthand_url (const char *);
+char *maybe_prepend_scheme (const char *);
bool schemes_are_similar_p (enum url_scheme a, enum url_scheme b);
bool are_urls_equal (const char *u1, const char *u2);
--
2.33.0

165
backport-src-main.c-main-Code-clean-reduce-allocations.patch Normal file
View File

@ -0,0 +1,165 @@
From 8610b0b355b56c87b9326a71beb21934b15dd17d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Fri, 14 Feb 2020 11:14:02 +0100
Subject: [PATCH] * src/main.c (main): Code clean, reduce allocations
diff --git a/src/main.c b/src/main.c
index 16df0671..6158c8de 100644
--- a/src/main.c
+++ b/src/main.c
@@ -1348,9 +1348,9 @@ int cleaned_up;
int
main (int argc, char **argv)
{
- char **url, **t, *p;
+ char *p;
int i, ret, longindex;
- int nurl;
+ int nurls;
int retconf;
int argstring_length;
bool use_userconfig = false;
@@ -1567,7 +1567,7 @@ main (int argc, char **argv)
longindex = -1;
}
- nurl = argc - optind;
+ nurls = argc - optind;
/* Initialize logging ASAP. */
log_init (opt.lfilename, append_to_log);
@@ -1651,7 +1651,7 @@ Can't timestamp and not clobber old files at the same time.\n"));
if (opt.output_document)
{
if ((opt.convert_links || opt.convert_file_only)
- && (nurl > 1 || opt.page_requisites || opt.recursive))
+ && (nurls > 1 || opt.page_requisites || opt.recursive))
{
fputs (_("\
Cannot specify both -k or --convert-file-only and -O if multiple URLs are given, or in combination\n\
@@ -1761,7 +1761,7 @@ for details.\n\n"));
opt.always_rest = false;
}
- if (!nurl && !opt.input_filename
+ if (!nurls && !opt.input_filename
#ifdef HAVE_METALINK
&& !opt.input_metalink
#endif
@@ -1931,23 +1931,6 @@ for details.\n\n"));
if (opt.show_progress)
set_progress_implementation (opt.progress_type);
- /* Fill in the arguments. */
- url = xmalloc (sizeof (char *) * (nurl + 1));
- if (url == NULL)
- {
- fprintf (stderr, _("Memory allocation problem\n"));
- exit (WGET_EXIT_PARSE_ERROR);
- }
- for (i = 0; i < nurl; i++, optind++)
- {
- char *rewritten = rewrite_shorthand_url (argv[optind]);
- if (rewritten)
- url[i] = rewritten;
- else
- url[i] = argv[optind];
- }
- url[i] = NULL;
-
/* Open WARC file. */
if (opt.warc_filename != 0)
warc_init ();
@@ -2110,8 +2093,9 @@ only if outputting to a regular file.\n"));
#endif
/* Retrieve the URLs from argument list. */
- for (t = url; *t; t++)
+ for (i = 0; i < nurls; i++, optind++)
{
+ char *t;
char *filename = NULL, *redirected_URL = NULL;
int dt, url_err;
/* Need to do a new struct iri every time, because
@@ -2120,13 +2104,17 @@ only if outputting to a regular file.\n"));
struct iri *iri = iri_new ();
struct url *url_parsed;
+ t = rewrite_shorthand_url (argv[optind]);
+ if (!t)
+ t = argv[optind];
+
set_uri_encoding (iri, opt.locale, true);
- url_parsed = url_parse (*t, &url_err, iri, true);
+ url_parsed = url_parse (t, &url_err, iri, true);
if (!url_parsed)
{
- char *error = url_error (*t, url_err);
- logprintf (LOG_NOTQUIET, "%s: %s.\n",*t, error);
+ char *error = url_error (t, url_err);
+ logprintf (LOG_NOTQUIET, "%s: %s.\n",t, error);
xfree (error);
inform_exit_status (URLERROR);
}
@@ -2137,9 +2125,9 @@ only if outputting to a regular file.\n"));
use_askpass (url_parsed);
if ((opt.recursive || opt.page_requisites)
- && ((url_scheme (*t) != SCHEME_FTP
+ && ((url_scheme (t) != SCHEME_FTP
#ifdef HAVE_SSL
- && url_scheme (*t) != SCHEME_FTPS
+ && url_scheme (t) != SCHEME_FTPS
#endif
)
|| url_uses_proxy (url_parsed)))
@@ -2147,9 +2135,9 @@ only if outputting to a regular file.\n"));
int old_follow_ftp = opt.follow_ftp;
/* Turn opt.follow_ftp on in case of recursive FTP retrieval */
- if (url_scheme (*t) == SCHEME_FTP
+ if (url_scheme (t) == SCHEME_FTP
#ifdef HAVE_SSL
- || url_scheme (*t) == SCHEME_FTPS
+ || url_scheme (t) == SCHEME_FTPS
#endif
)
opt.follow_ftp = 1;
@@ -2160,7 +2148,7 @@ only if outputting to a regular file.\n"));
}
else
{
- retrieve_url (url_parsed, *t, &filename, &redirected_URL, NULL,
+ retrieve_url (url_parsed, t, &filename, &redirected_URL, NULL,
&dt, opt.recursive, iri, true);
}
@@ -2175,10 +2163,12 @@ only if outputting to a regular file.\n"));
xfree (filename);
url_free (url_parsed);
}
+
iri_free (iri);
- }
- xfree(url);
+ if (t != argv[optind])
+ xfree (t);
+ }
/* And then from the input file, if any. */
if (opt.input_filename)
@@ -2249,7 +2239,7 @@ only if outputting to a regular file.\n"));
/* Print the downloaded sum. */
if ((opt.recursive || opt.page_requisites
- || nurl > 1
+ || nurls > 1
|| (opt.input_filename && total_downloaded_bytes != 0))
&&
total_downloaded_bytes != 0)
--
2.33.0

40
backport-src-main.c-main-Remove-use-of-alloca.patch Normal file
View File

@ -0,0 +1,40 @@
From f460e1d04963dce88b9711002c655497a8a22390 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Thu, 13 Feb 2020 15:17:27 +0100
Subject: [PATCH] * src/main.c (main): Remove use of alloca
diff --git a/src/main.c b/src/main.c
index 4d595ef0..3b6e49fc 100644
--- a/src/main.c
+++ b/src/main.c
@@ -1934,7 +1934,7 @@ for details.\n\n"));
set_progress_implementation (opt.progress_type);
/* Fill in the arguments. */
- url = alloca_array (char *, nurl + 1);
+ url = xmalloc (sizeof (char *) * (nurl + 1));
if (url == NULL)
{
fprintf (stderr, _("Memory allocation problem\n"));
@@ -1946,7 +1946,7 @@ for details.\n\n"));
if (rewritten)
url[i] = rewritten;
else
- url[i] = xstrdup (argv[optind]);
+ url[i] = argv[optind];
}
url[i] = NULL;
@@ -2180,6 +2180,8 @@ only if outputting to a regular file.\n"));
iri_free (iri);
}
+ xfree(url);
+
/* And then from the input file, if any. */
if (opt.input_filename)
{
--
2.33.0

23
backport-src-url.c-maybe_prepend_scheme-Print-message-only-in.patch Normal file
View File

@ -0,0 +1,23 @@
From d98df662121977f3d3ba69d0cfbd4d3322714f2d Mon Sep 17 00:00:00 2001
From: Darshit Shah <darnir@gnu.org>
Date: Fri, 15 Nov 2024 22:28:41 +0100
Subject: [PATCH] * src/url.c (maybe_prepend_scheme): Print message only in
verbose mode
diff --git a/src/url.c b/src/url.c
index 2f27c48a..913db4f1 100644
--- a/src/url.c
+++ b/src/url.c
@@ -625,7 +625,7 @@ maybe_prepend_scheme (const char *url)
return NULL;
- fprintf(stderr, "Prepended http:// to '%s'\n", url);
+ logprintf (LOG_VERBOSE, _ ("Prepended http:// to '%s'\n"), url);
return aprintf ("http://%s", url);
}
--
2.33.0

12
wget.spec
View File

@ -1,6 +1,6 @@
Name: wget
Version: 1.20.3
Release: 5
Release: 6
Summary: A package for retrieving files using HTTP, HTTPS, FTP and FTPS the most widely-used Internet protocols.
License: GPLv3+
Url: http://www.gnu.org/software/wget/
@ -16,6 +16,10 @@ Patch6006: calc_rate-fix-division-by-zero.patch
Patch6007: print-row-stats-fix-two-integer-overflows.patch
Patch6008: dot-draw-avoid-integer-overflows.patch
Patch6009: fix-and-cleanup-progress-bar-code.patch
Patch6010: backport-src-main.c-main-Remove-use-of-alloca.patch
Patch6011: backport-src-main.c-main-Code-clean-reduce-allocations.patch
Patch6012: backport-CVE-2024-10524.patch
Patch6013: backport-src-url.c-maybe_prepend_scheme-Print-message-only-in.patch
Patch9000: avoid-triggering-signed-integer-overflow.patch
@ -68,6 +72,12 @@ make check
%{_infodir}/*
%changelog
* Tue Dec 03 2024 xingwei <xingwei14@h-partners> -1.20.3-6
- Type:CVES
- ID:NA
- SUG:NA
- DESC:fix CVE-2024-10524 and backport related patches
* Sun Jun 16 2024 xuchenchen <xuchenchen@kylinos.cn> -1.20.3-5
- Type:CVES
- ID:NA