[Coverity Scan is ok, make syntax-check is ok, make check-valgrind is ok, 
contrib/check-hard is ok]

This updates some Metalink tests and adds one test:
* testenv/Test-metalink-xml-relpath.py: Reject relative paths
* testenv/Test-metalink-xml-homepath.py: New file. Reject home paths

The following description is verbatim from the patch:
-----
When --input-metalink=<file> is used, each metalink:file name is
verified by libmetalink's metalink_check_safe_path(). By design,
absolute, relative and home paths are rejected.

At the moment of writing, when --metalink-over-http is used, absolute,
relative, and home paths aren't a concern. The destination file name
is a combination of URL's file name and cli's "Directory Options"
handled by src/url.c (url_file_name).
-----

Regards,
Matthew

-- 
Matthew White <[email protected]>
>From 9812e43397d3bdb3b1488a635558f89078e4a945 Mon Sep 17 00:00:00 2001
From: Matthew White <[email protected]>
Date: Tue, 16 Aug 2016 19:55:13 +0200
Subject: [PATCH 05/25] Update Metalink/XML tests and add a new test for home
 paths

* testenv/Test-metalink-xml-relpath.py: Update test
* testenv/Test-metalink-xml-homepath.py: New file. Reject home paths
* testenv/Makefile.am: Add new file

When --input-metalink=<file> is used, each metalink:file name is
verified by libmetalink's metalink_check_safe_path(). By design,
absolute, relative and home paths are rejected.

At the moment of writing, when --metalink-over-http is used, absolute,
relative, and home paths aren't a concern. The destination file name
is a combination of URL's file name and cli's "Directory Options"
handled by src/url.c (url_file_name).
---
 testenv/Makefile.am                   |  9 ++--
 testenv/Test-metalink-xml-homepath.py | 87 +++++++++++++++++++++++++++++++++++
 testenv/Test-metalink-xml-relpath.py  | 42 ++++++++++++++++-
 3 files changed, 133 insertions(+), 5 deletions(-)
 create mode 100755 testenv/Test-metalink-xml-homepath.py

diff --git a/testenv/Makefile.am b/testenv/Makefile.am
index 41bf902..569d762 100644
--- a/testenv/Makefile.am
+++ b/testenv/Makefile.am
@@ -27,10 +27,11 @@
 
 
 if METALINK_IS_ENABLED
-  METALINK_TESTS = Test-metalink-xml.py \
-    Test-metalink-http.py               \
-    Test-metalink-xml-relpath.py        \
-    Test-metalink-xml-abspath.py
+  METALINK_TESTS = Test-metalink-http.py            \
+    Test-metalink-xml.py                            \
+    Test-metalink-xml-relpath.py                    \
+    Test-metalink-xml-abspath.py                    \
+    Test-metalink-xml-homepath.py
 else
   METALINK_TESTS =
 endif
diff --git a/testenv/Test-metalink-xml-homepath.py b/testenv/Test-metalink-xml-homepath.py
new file mode 100755
index 0000000..85c6df9
--- /dev/null
+++ b/testenv/Test-metalink-xml-homepath.py
@@ -0,0 +1,87 @@
+#!/usr/bin/env python3
+from sys import exit
+from test.http_test import HTTPTest
+from misc.wget_file import WgetFile
+import re
+import hashlib
+
+"""
+    This is to test if Metalink XML file escapes current directory.
+"""
+############# File Definitions ###############################################
+File1 = "Would you like some Tea?"
+File1_lowPref = "Do not take this"
+File1_sha256 = hashlib.sha256 (File1.encode ('UTF-8')).hexdigest ()
+MetaXml = \
+"""<?xml version="1.0" encoding="utf-8"?>
+<metalink version="3.0" xmlns="http://www.metalinker.org/";>
+  <publisher>
+    <name>GNU Wget</name>
+  </publisher>
+  <license>
+    <name>GNU GPL</name>
+    <url>http://www.gnu.org/licenses/gpl.html</url>
+  </license>
+  <identity>Wget Test File 1</identity>
+  <version>1.2.3</version>
+  <description>Wget Test File 1 description</description>
+  <files>
+    <file name="~/File1">
+      <verification>
+        <hash type="sha256">{{FILE1_HASH}}</hash>
+      </verification>
+      <resources>
+        <url type="http" preference="40">http://broken.example/File1</url>
+        <url type="http" preference="25">http://{{SRV_HOST}}:{{SRV_PORT}}/File1_lowPref</url>
+        <url type="http" preference="30">http://{{SRV_HOST}}:{{SRV_PORT}}/File1</url>
+      </resources>
+    </file>
+  </files>
+</metalink>
+"""
+
+A_File = WgetFile ("File1", File1)
+B_File = WgetFile ("File1_lowPref", File1_lowPref)
+MetaFile = WgetFile ("test.meta4", MetaXml)
+
+WGET_OPTIONS = "--input-metalink test.meta4"
+WGET_URLS = [[]]
+
+Files = [[A_File, B_File]]
+Existing_Files = [MetaFile]
+
+ExpectedReturnCode = 0
+ExpectedDownloadedFiles = [MetaFile]
+
+################ Pre and Post Test Hooks #####################################
+pre_test = {
+    "ServerFiles"       : Files,
+    "LocalFiles"        : Existing_Files
+}
+test_options = {
+    "WgetCommands"      : WGET_OPTIONS,
+    "Urls"              : WGET_URLS
+}
+post_test = {
+    "ExpectedFiles"     : ExpectedDownloadedFiles,
+    "ExpectedRetcode"   : ExpectedReturnCode
+}
+
+http_test = HTTPTest (
+                pre_hook=pre_test,
+                test_params=test_options,
+                post_hook=post_test,
+)
+
+http_test.server_setup()
+### Get and use dynamic server sockname
+srv_host, srv_port = http_test.servers[0].server_inst.socket.getsockname ()
+
+MetaXml = re.sub (r'{{FILE1_HASH}}', File1_sha256, MetaXml)
+MetaXml = re.sub (r'{{SRV_HOST}}', srv_host, MetaXml)
+MetaXml = re.sub (r'{{SRV_PORT}}', str (srv_port), MetaXml)
+MetaFile.content = MetaXml
+
+err = http_test.begin ()
+
+exit (err)
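Review bot: The only assertions in this new test are `ExpectedReturnCode = 0` and `ExpectedDownloadedFiles = [MetaFile]`, so it passes whenever nothing is downloaded, including the case where the metalink file is never processed at all; it does not show that `~/File1` specifically was rejected. The relpath test in this same patch keeps one safe entry (`dir/subdir/File1`) next to the unsafe ones; doing the same here, with a second `<file name="File1">` entry and `ExpectedDownloadedFiles = [A_File, MetaFile]`, should prove the file was parsed and only the home path was skipped. The expected-files comparison presumably inspects only the test's working directory, so a write under the real home directory would go unnoticed; a comment stating that limit would help. The string literal after the imports, `This is to test if Metalink XML file escapes current directory.`, is wording carried over from the other path tests and should name home paths (`~/...`) as the case under test.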
diff --git a/testenv/Test-metalink-xml-relpath.py b/testenv/Test-metalink-xml-relpath.py
index 041d772..e146b97 100755
--- a/testenv/Test-metalink-xml-relpath.py
+++ b/testenv/Test-metalink-xml-relpath.py
@@ -26,11 +26,51 @@ MetaXml = \
   <version>1.2.3</version>
   <description>Wget Test File 1 description</description>
   <files>
+    <file name="File1/">
+      <verification>
+        <hash type="sha256">{{FILE1_HASH}}</hash>
+      </verification>
+      <resources>
+        <url type="http" preference="30">http://{{SRV_HOST}}:{{SRV_PORT}}/File1</url>
+      </resources>
+    </file>
+    <file name="./File1">
+      <verification>
+        <hash type="sha256">{{FILE1_HASH}}</hash>
+      </verification>
+      <resources>
+        <url type="http" preference="30">http://{{SRV_HOST}}:{{SRV_PORT}}/File1</url>
+      </resources>
+    </file>
     <file name="../File1">
       <verification>
         <hash type="sha256">{{FILE1_HASH}}</hash>
       </verification>
       <resources>
+        <url type="http" preference="30">http://{{SRV_HOST}}:{{SRV_PORT}}/File1</url>
+      </resources>
+    </file>
+    <file name="dir/./File1">
+      <verification>
+        <hash type="sha256">{{FILE1_HASH}}</hash>
+      </verification>
+      <resources>
+        <url type="http" preference="30">http://{{SRV_HOST}}:{{SRV_PORT}}/File1</url>
+      </resources>
+    </file>
+    <file name="dir/../File1">
+      <verification>
+        <hash type="sha256">{{FILE1_HASH}}</hash>
+      </verification>
+      <resources>
+        <url type="http" preference="30">http://{{SRV_HOST}}:{{SRV_PORT}}/File1</url>
+      </resources>
+    </file>
+    <file name="dir/subdir/File1">
+      <verification>
+        <hash type="sha256">{{FILE1_HASH}}</hash>
+      </verification>
+      <resources>
         <url type="http" preference="40">http://broken.example/File1</url>
         <url type="http" preference="25">http://{{SRV_HOST}}:{{SRV_PORT}}/File1_lowPref</url>
         <url type="http" preference="30">http://{{SRV_HOST}}:{{SRV_PORT}}/File1</url>
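Review bot: Nothing in the entries of this hunk says which names are expected to be rejected and which one is the control, so the reader has to infer it from `ExpectedDownloadedFiles` in the next hunk. A comment above the `MetaXml` literal, for example `# File1/, ./File1, ../File1, dir/./File1 and dir/../File1 must be rejected; dir/subdir/File1 is the safe control`, would make the intent explicit. Of these names, `../File1` is the one whose acceptance would write outside the test directory, which the expected-files comparison presumably cannot see, so it may deserve an explicit check that the parent directory is unchanged. The `MetaXml` literal starts before this hunk and ends after it.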
@@ -51,7 +91,7 @@ Files = [[A_File, B_File]]
 Existing_Files = [MetaFile]
 
 ExpectedReturnCode = 0
-ExpectedDownloadedFiles = [MetaFile]
+ExpectedDownloadedFiles = [WgetFile ("dir/subdir/File1", File1), MetaFile]
 
 ################ Pre and Post Test Hooks #####################################
 pre_test = {
-- 
2.7.3

Attachment: pgp79ZUHHhhtS.pgp
Description: PGP signature
