SECURITY FIX for CVE-2010-2252

By default, on server redirects, use the original URL to get the local file name. ok naddy@ additional testing by kevlo@, thanks.
2010-09-13 16:48:11 +00:00 · 2010-09-13 16:48:11 +00:00 · b736114294
commit b736114294
parent 50568fc641
7 changed files with 119 additions and 2 deletions
--- a/net/wget/Makefile
+++ b/net/wget/Makefile
@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.50 2010/07/12 22:07:42 sthen Exp $
+# $OpenBSD: Makefile,v 1.51 2010/09/13 16:48:11 jasper Exp $

 COMMENT =	retrieve files from the web via HTTP, HTTPS and FTP

 DISTNAME =	wget-1.12
-REVISION =	0
+REVISION =	1
 CATEGORIES =	net

 HOMEPAGE =	http://www.gnu.org/software/wget/
--- a/net/wget/patches/patch-src_http_c
+++ b/net/wget/patches/patch-src_http_c
@ -0,0 +1,31 @@
+$OpenBSD: patch-src_http_c,v 1.1 2010/09/13 16:48:11 jasper Exp $
+
+By default, on server redirects, use the original URL to get the
+local file name. Fixes CVE-2010-2252.
+Diff from upstream.
+
+--- src/http.c.orig	Tue Sep 22 05:02:18 2009
+++ src/http.c	Mon Sep 13 10:13:32 2010
+@@ -2410,8 +2410,9 @@ File %s already there; not retrieving.\n\n"), quote (h
+ /* The genuine HTTP loop!  This is the part where the retrieval is
+    retried, and retried, and retried, and...  */
+ uerr_t
+-http_loop (struct url *u, char **newloc, char **local_file, const char *referer,
+-           int *dt, struct url *proxy, struct iri *iri)
+http_loop (struct url *u, struct url *original_url, char **newloc,
+           char **local_file, const char *referer, int *dt, struct url *proxy,
+           struct iri *iri)
+ {
+   int count;
+   bool got_head = false;         /* used for time-stamping and filename detection */
+@@ -2457,7 +2458,8 @@ http_loop (struct url *u, char **newloc, char **local_
+     }
+   else if (!opt.content_disposition)
+     {
+-      hstat.local_file = url_file_name (u);
+      hstat.local_file =
+        url_file_name (opt.trustservernames ? u : original_url);
+       got_name = true;
+     }
+ 
+ 
--- a/net/wget/patches/patch-src_http_h
+++ b/net/wget/patches/patch-src_http_h
@ -0,0 +1,19 @@
+$OpenBSD: patch-src_http_h,v 1.1 2010/09/13 16:48:11 jasper Exp $
+
+By default, on server redirects, use the original URL to get the
+local file name. Fixes CVE-2010-2252.
+Diff from upstream.
+
+--- src/http.h.orig	Sat Sep  5 00:31:54 2009
+++ src/http.h	Mon Sep 13 16:47:49 2010
+@@ -33,8 +33,8 @@ as that of the covered work.  */
+ 
+ struct url;
+ 
+-uerr_t http_loop (struct url *, char **, char **, const char *, int *,
+-		  struct url *, struct iri *);
+uerr_t http_loop (struct url *, struct url *, char **, char **, const char *,
+		  int *, struct url *, struct iri *);
+ void save_cookies (void);
+ void http_cleanup (void);
+ time_t http_atotm (const char *);
--- a/net/wget/patches/patch-src_init_c
+++ b/net/wget/patches/patch-src_init_c
@ -0,0 +1,16 @@
+$OpenBSD: patch-src_init_c,v 1.1 2010/09/13 16:48:11 jasper Exp $
+
+By default, on server redirects, use the original URL to get the
+local file name. Fixes CVE-2010-2252.
+Diff from upstream.
+
+--- src/init.c.orig	Tue Sep 22 05:02:41 2009
+++ src/init.c	Mon Sep 13 10:13:32 2010
+@@ -243,6 +243,7 @@ static const struct {
+   { "timeout",          NULL,                   cmd_spec_timeout },
+   { "timestamping",     &opt.timestamping,      cmd_boolean },
+   { "tries",            &opt.ntry,              cmd_number_inf },
+  { "trustservernames", &opt.trustservernames,  cmd_boolean },
+   { "useproxy",         &opt.use_proxy,         cmd_boolean },
+   { "user",             &opt.user,              cmd_string },
+   { "useragent",        NULL,                   cmd_spec_useragent },
--- a/net/wget/patches/patch-src_main_c
+++ b/net/wget/patches/patch-src_main_c
@ -0,0 +1,17 @@
+$OpenBSD: patch-src_main_c,v 1.1 2010/09/13 16:48:11 jasper Exp $
+
+By default, on server redirects, use the original URL to get the
+local file name. Fixes CVE-2010-2252.
+Diff from upstream.
+
+--- src/main.c.orig	Tue Sep 22 05:03:11 2009
+++ src/main.c	Mon Sep 13 10:13:32 2010
+@@ -675,6 +675,8 @@ Recursive accept/reject:\n"),
+     N_("\
+   -I,  --include-directories=LIST  list of allowed directories.\n"),
+     N_("\
+  --trust-server-names  use the name specified by the redirection url last component.\n"),
+    N_("\
+   -X,  --exclude-directories=LIST  list of excluded directories.\n"),
+     N_("\
+   -np, --no-parent                 don't ascend to the parent directory.\n"),
--- a/net/wget/patches/patch-src_options_h
+++ b/net/wget/patches/patch-src_options_h
@ -0,0 +1,16 @@
+$OpenBSD: patch-src_options_h,v 1.1 2010/09/13 16:48:11 jasper Exp $
+
+By default, on server redirects, use the original URL to get the
+local file name. Fixes CVE-2010-2252.
+Diff from upstream.
+
+--- src/options.h.orig	Tue Sep 22 05:03:47 2009
+++ src/options.h	Mon Sep 13 10:13:32 2010
+@@ -242,6 +242,7 @@ struct options
+   char *encoding_remote;
+   char *locale;
+ 
+  bool trustservernames;
+ #ifdef __VMS
+   int ftp_stmlf;                /* Force Stream_LF format for binary FTP. */
+ #endif /* def __VMS */
--- a/net/wget/patches/patch-src_retr_c
+++ b/net/wget/patches/patch-src_retr_c
@ -0,0 +1,18 @@
+$OpenBSD: patch-src_retr_c,v 1.1 2010/09/13 16:48:11 jasper Exp $
+
+By default, on server redirects, use the original URL to get the
+local file name. Fixes CVE-2010-2252.
+Diff from upstream.
+
+--- src/retr.c.orig	Fri Sep  4 18:31:54 2009
+++ src/retr.c	Mon Sep 13 10:13:32 2010
+@@ -689,7 +689,8 @@ retrieve_url (struct url * orig_parsed, const char *or
+ #endif
+       || (proxy_url && proxy_url->scheme == SCHEME_HTTP))
+     {
+-      result = http_loop (u, &mynewloc, &local_file, refurl, dt, proxy_url, iri);
+      result = http_loop (u, orig_parsed, &mynewloc, &local_file, refurl, dt,
+                          proxy_url, iri);
+     }
+   else if (u->scheme == SCHEME_FTP)
+     {