SECURITY: fix a security issue in the update-checking mechanism (upstream).

x11/nagstamon/Makefile

@@ -1,11 +1,11 @@
-# $OpenBSD: Makefile,v 1.12 2013/05/13 20:56:55 sthen Exp $
+# $OpenBSD: Makefile,v 1.13 2013/07/08 09:10:37 ajacoutot Exp $
 
 COMMENT=	nagios status monitor for the Desktop
 
 MODPY_EGG_VERSION= 0.9.9
 DISTNAME=	nagstamon_${MODPY_EGG_VERSION}
 PKGNAME=	${DISTNAME:S/_/-/}
-REVISION=	1
+REVISION=	2
 
 CATEGORIES=	x11 net
 

x11/nagstamon/distinfo

@@ -1,5 +1,2 @@
-MD5 (nagstamon_0.9.9.tar.gz) = +zv73pd9IUmI8f2o1OrOpQ==
-RMD160 (nagstamon_0.9.9.tar.gz) = y3iOAAVY5XZVZO5dhRM3o1qpSf8=
-SHA1 (nagstamon_0.9.9.tar.gz) = 3AWzXEC8piGnYx8PD1tYd6Nm1PU=
-SHA256 (nagstamon_0.9.9.tar.gz) = JTHaXlXzubp9iazbmviNtl/FAx4Rz2AQb//YUmktadA=
-SIZE (nagstamon_0.9.9.tar.gz) = 387260
+SHA256 (nagstamon_0.9.9.tar.gz) = l78tVpS5hEMSEjY4Z5ql7DUoosLKnPlWegUN2yOeKEM=
+SIZE (nagstamon_0.9.9.tar.gz) = 387268

x11/nagstamon/patches/patch-Nagstamon_Actions_py

@@ -0,0 +1,18 @@
+$OpenBSD: patch-Nagstamon_Actions_py,v 1.1 2013/07/08 09:10:38 ajacoutot Exp $
+
+Fix a security issue in the update-checking mechanism (upstream).
+
+--- Nagstamon/Actions.py.orig	Tue Mar 27 15:05:22 2012
++++ Nagstamon/Actions.py	Mon Jul  8 11:06:26 2013
+@@ -402,8 +402,10 @@ class CheckForNewVersion(threading.Thread):
+             if s.CheckingForNewVersion == False:
+                 # set the flag to lock that connection
+                 s.CheckingForNewVersion = True
++                # use IFW server to speed up request and secure via https
++                result = s.FetchURL("https://nagstamon.ifw-dresden.de/files-nagstamon/latest_version_" +\
++                                     self.output.version, giveback="raw", no_auth=True)
+                 # remove newline
+-                result = s.FetchURL("http://nagstamon.sourceforge.net/latest_version_" + self.output.version, giveback="raw")
+                 version, error = result.result.split("\n")[0], result.error
+                 
+                 # debug

x11/nagstamon/patches/patch-Nagstamon_Server_Generic_py

@@ -0,0 +1,39 @@
+$OpenBSD: patch-Nagstamon_Server_Generic_py,v 1.1 2013/07/08 09:10:38 ajacoutot Exp $
+
+Fix a security issue in the update-checking mechanism (upstream).
+
+--- Nagstamon/Server/Generic.py.orig	Tue Feb 14 11:21:14 2012
++++ Nagstamon/Server/Generic.py	Mon Jul  8 11:06:29 2013
+@@ -946,7 +946,7 @@ class GenericServer(object):
+         return Result()
+     
+     
+-    def FetchURL(self, url, giveback="obj", cgi_data=None):   
++    def FetchURL(self, url, giveback="obj", cgi_data=None, no_auth=False):
+         """
+         get content of given url, cgi_data only used if present
+         "obj" FetchURL gives back a dict full of miserable hosts/services,
+@@ -957,14 +957,21 @@ class GenericServer(object):
+         """        
+         
+         # run this method which checks itself if there is some action to take for initializing connection
+-        self.init_HTTP()
++        # if no_auth is true do not use Auth headers, used by Actions.CheckForNewVersion()
++        if no_auth == False:
++            self.init_HTTP()
++            # to avoid race condition and credentials leak use local HTTPheaders
++            HTTPheaders = self.HTTPheaders
++        else:
++            HTTPheaders = dict()
++            HTTPheaders["raw"] = HTTPheaders["obj"] = HTTPheaders["obj"] =  dict()
+ 
+         try:
+             try:
+                 # debug
+                 if str(self.conf.debug_mode) == "True":
+                     self.Debug(server=self.get_name(), debug="FetchURL: " + url + " CGI Data: " + str(cgi_data))
+-                request = urllib2.Request(url, cgi_data, self.HTTPheaders[giveback])
++                request = urllib2.Request(url, cgi_data, HTTPheaders[giveback])
+                 # use opener - if cgi_data is not empty urllib uses a POST request
+                 urlcontent = self.urlopener.open(request)
+                 del url, cgi_data, request