Re: 1.10 alpha 3 build fails

2005-05-06 Thread Alain Guibert
 On Saturday, April 30, 2005 at 8:31:14 PM +0200, Hrvoje Niksic wrote:

 Alain Guibert [EMAIL PROTECTED] writes:
 On Friday, April 29, 2005 at 2:15:55 PM +0200, Hrvoje Niksic wrote:
 The problem was that the check for sockaddr_in6 set ipv6 to yes if
 successful, overriding other tests that set it to no. This patch
 should fix the problem.
 I can't confirm, stuck in auto-requirement I don't know how to solve
 without breaking other things.

Autoconf 2.59 installation was difficult for me, with required Perl
upgrade from 5.003.07 to 5.8.6 failing some tests and filling my $HOME,
but with your helpful explanations I succeeded. Thank you very much!

I can now confirm: Alpha3+configure.in patch builds cleanly on Debian Bo
even without --disable-ipv6:

| checking for getaddrinfo... no
| configure: Disabling IPv6 support: your system does not support getaddrinfo(3)

Thank you again, Hrvoje!


Alain.


Re: 1.10 alpha 3 build fails

2005-05-06 Thread Hrvoje Niksic
Alain Guibert [EMAIL PROTECTED] writes:

 I can now confirm: Alpha3+configure.in patch builds cleanly on Debian Bo
 even without --disable-ipv6:

Excellent.  Thanks for testing this.


Is this a bug in wget ? I need an urgent help!

2005-05-06 Thread Will Kuhn
I try to do something like
wget http://website.com/ ...
login=usernamedomain=hotmail%2ecom_lang=EN

But when wget sends the URL out, the hotmail%2ecom
becomes hotmail.com !!! Is this the supposed
behaviour ? I saw this on the sniffer. I suppose the
translation of %2 to . is done by wget. Because of
this, wget cannot retrieve the document.

How can I force wget to send out URL as it is without
making any translation ??!






Re: Is this a bug in wget ? I need an urgent help!

2005-05-06 Thread Hrvoje Niksic
Will Kuhn [EMAIL PROTECTED] writes:

 I try to do something like
 wget http://website.com/ ...
 login=usernamedomain=hotmail%2ecom_lang=EN

 But when wget sends the URL out, the hotmail%2ecom
 becomes hotmail.com !!! Is this the supposed
 behaviour ?

Yes.

 I saw this on the sniffer. I suppose the
 translation of %2 to . is done by wget.

Actually, %2e is translated to ".".  Since 2e is the ASCII hex code
corresponding to the "." character, the two are entirely equivalent.

Are you sure that the download doesn't fail for some other unrelated
reason?

 How can I force wget to send out URL as it is without making any
 translation ??!

Some translation must be done, for example spaces must be converted to
%20, and so on.  During that course Wget translates regular characters
represented by hex codes into regular characters.  If you don't like
it, you can hack url.c:decide_copy_method to always return
CM_PASSTHROUGH upon encountering a %XX sequence.


Re: Is this a bug in wget ? I need an urgent help!

2005-05-06 Thread Hrvoje Niksic
Hrvoje Niksic [EMAIL PROTECTED] writes:

 Can I have it not do the translation ??!

 Unfortunately, only by changing the source code as described in the
 previous mail.

BTW I've just changed the CVS code to not decode the % sequences.
Wget 1.10 will contain the fix.
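
The two behaviours discussed in this thread (decoding %XX escapes that stand for ordinary characters, versus leaving every %XX as written) are shown side by side in the following added example. It is not Wget's url.c and not code from the list; `rewrite_url` and the `pct_policy` values are hypothetical names. Under either policy, escapes for control characters such as %0A are never turned into raw bytes.

```c
/* Added illustration, not Wget's url.c; all names here are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum pct_policy { PCT_DECODE_UNRESERVED, PCT_KEEP };

static int hexval(int c)
{
    return isdigit(c) ? c - '0' : isxdigit(c) ? tolower(c) - 'a' + 10 : -1;
}

/* Rewrite IN into OUT; returns 0, or -1 if OUT (OUTSZ bytes) is too small. */
int rewrite_url(const char *in, char *out, size_t outsz, enum pct_policy policy)
{
    static const char hex[] = "0123456789ABCDEF";
    const unsigned char *p = (const unsigned char *)in;
    size_t o = 0;
    int hi, lo;
    for (; *p; p++) {
        if (o + 4 > outsz) return -1;            /* room for "%XX" plus NUL */
        if (*p == '%' && (hi = hexval(p[1])) >= 0 && (lo = hexval(p[2])) >= 0) {
            int c = hi * 16 + lo;
            /* Only letters, digits and -._~ are decoded: %0A, %0D, %20 stay. */
            int plain = isalnum(c) || (c && strchr("-._~", c));
            if (policy == PCT_DECODE_UNRESERVED && plain) {
                out[o++] = (char)c;              /* %2e becomes . */
            } else {
                memcpy(out + o, p, 3);           /* keep the escape verbatim */
                o += 3;
            }
            p += 2;
        } else if (*p <= ' ' || *p >= 0x7f || strchr("%\"<>\\^`{|}", *p)) {
            /* Unsafe byte, or a stray % not followed by two hex digits. */
            out[o++] = '%'; out[o++] = hex[*p >> 4]; out[o++] = hex[*p & 15];
        } else {
            out[o++] = (char)*p;                 /* already safe as-is */
        }
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    char buf[128];
    const char *u = "http://website.com/x?domain=hotmail%2ecom"; /* constructed */
    if (rewrite_url(u, buf, sizeof buf, PCT_DECODE_UNRESERVED) == 0) puts(buf);
    if (rewrite_url(u, buf, sizeof buf, PCT_KEEP) == 0) puts(buf);
    return 0;
}
```

The two outputs differ only in `hotmail.com` versus `hotmail%2ecom`, which matters when a server compares the raw request string instead of its decoded form.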


Don't allow newlines in URLs to end up in FTP commands

2005-05-06 Thread Hrvoje Niksic
A newline in an FTP URL can cause Wget to effectively send the
URL-specified command to the server.  Since the URL may come from the
network, this can be construed as a vulnerability.

A separate fix that applies to 1.9.1 follows in a separate mail.
Distributors of Wget will probably want to make sure to include the
appropriate patch.


2005-05-07  Hrvoje Niksic  [EMAIL PROTECTED]

* ftp-basic.c (ftp_request): Prevent newlines in VALUE causing
inadvertent sending of multiple FTP commands.

Index: src/ftp-basic.c
===
RCS file: /pack/anoncvs/wget/src/ftp-basic.c,v
retrieving revision 1.44
diff -u -r1.44 ftp-basic.c
--- src/ftp-basic.c 2005/05/05 10:10:51 1.44
+++ src/ftp-basic.c 2005/05/07 01:04:11
@@ -103,7 +103,27 @@
 {
   char *res;
   if (value)
-res = concat_strings (command,  , value, \r\n, (char *) 0);
+{
+  /* Check for newlines in VALUE (possibly injected by the %0A URL
+escape) making the callers inadvertently send multiple FTP
+commands at once.  Without this check an attacker could
+intentionally redirect to ftp://server/fakedir%0Acommand.../
+and execute arbitrary FTP command on a remote FTP server.  */
+  if (strpbrk (value, \r\n))
+   {
+ /* Copy VALUE to the stack and modify CR/LF to space. */
+ char *defanged, *p;
+ STRDUP_ALLOCA (defanged, value);
+ for (p = defanged; *p; p++)
+   if (*p == '\r' || *p == '\n')
+ *p = ' ';
+ DEBUGP ((\nDetected newlines in %s \%s\; changing to %s \%s\\n,
+  command, escnonprint (value), command, escnonprint 
(defanged)));
+ /* Make VALUE point to the defanged copy of the string. */
+ value = defanged;
+   }
+  res = concat_strings (command,  , value, \r\n, (char *) 0);
+}
   else
 res = concat_strings (command, \r\n, (char *) 0);
   if (opt.server_response)
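
Review bot: in the new strpbrk branch the only record that VALUE was altered is the DEBUGP call, so in a normal run a URL carrying CR or LF is rewritten to spaces and the modified command is still sent with no visible notice. Since the comment describes this input as attacker-supplied, consider failing the request, or at least logging at a level the user sees, instead of sending a command for a path the user never asked for. Also, STRDUP_ALLOCA (defanged, value) copies a URL-derived string of unbounded length onto the stack; a heap copy freed after concat_strings would avoid that.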


Re: Don't allow newlines in URLs to end up in FTP commands

2005-05-06 Thread Hrvoje Niksic
Hrvoje Niksic [EMAIL PROTECTED] writes:

 A fix that applies to 1.9.1 follows in a separate mail.
 Distributors of Wget will probably want to make sure to include the
 appropriate patch.

Here is that fix.

2005-05-07  Hrvoje Niksic  [EMAIL PROTECTED]

* ftp-basic.c (ftp_request): Prevent newlines in VALUE causing
inadvertent sending of multiple FTP commands.

--- wget-1.9.1.pristine/src/ftp-basic.c 2003-11-08 20:17:55.0 +0100
+++ wget-1.9.1/src/ftp-basic.c  2005-05-07 03:08:02.306330903 +0200
@@ -116,9 +116,30 @@
 static char *
 ftp_request (const char *command, const char *value)
 {
-  char *res = (char *)xmalloc (strlen (command)
-   + (value ? (1 + strlen (value)) : 0)
-   + 2 + 1);
+  char *res;
+
+  /* Check for newlines in VALUE (possibly injected by the %0A URL
+ escape) making the callers inadvertently send multiple FTP
+ commands at once.  Without this check an attacker could
+ intentionally redirect to ftp://server/fakedir%0Acommand.../ and
+ execute arbitrary FTP command on a remote FTP server.  */
+  if (value  strpbrk (value, \r\n))
+{
+  /* Copy VALUE to the stack and modify CR/LF to space. */
+  char *defanged, *p;
+  STRDUP_ALLOCA (defanged, value);
+  for (p = defanged; *p; p++)
+   if (*p == '\r' || *p == '\n')
+ *p = ' ';
+  DEBUGP ((\nDetected newlines in %s \%s\; changing to %s \%s\\n,
+  command, value, command, defanged));
+  /* Make VALUE point to the defanged copy of the string. */
+  value = defanged;
+}
+
+  res = (char *)xmalloc (strlen (command)
++ (value ? (1 + strlen (value)) : 0)
++ 2 + 1);
   sprintf (res, %s%s%s\r\n, command, value ?   : , value ? value : );
   if (opt.server_response)
 {
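
Review bot: the DEBUGP call in the new block passes value straight to %s although value is known at that point to contain CR or LF, and it may carry other nonprintable bytes from the URL, so the raw string reaches the debug output unescaped. The trunk patch posted earlier in this thread wraps both arguments in escnonprint; if 1.9.1 has no equivalent, omitting the raw value from the message avoids that. The STRDUP_ALLOCA copy of an unbounded URL-derived string onto the stack is worth bounding or moving to the heap here as well.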