On Sun, 11 Sep 2016 22:45:09 +0200 Giuseppe Scrivano <gscriv...@gnu.org> wrote:
> Matthew White <mehw.is...@inventati.org> writes: > > > [Coverity Scan is ok, make syntax-check is ok, make check-valgrind is ok, > > contrib/check-hard is ok] > > > > This introduces the new document doc/metalink-standard.txt. > > > > The purpose of the document is to serve as a Metalink/XML and Metalink/HTTP > > standard reference of the Metalink functionalities currently implemented in > > Wget. > > > > Regards, > > Matthew > > > > -- > > Matthew White <mehw.is...@inventati.org> > > > > From 40442c885ab06dbef19caeef6bc4ba22a26dbb31 Mon Sep 17 00:00:00 2001 > > From: Matthew White <mehw.is...@inventati.org> > > Date: Fri, 19 Aug 2016 13:17:34 +0200 > > Subject: [PATCH 10/25] New document: Metalink/XML and Metalink/HTTP standard > > reference > > > > * doc/metalink-standard.txt: New doc. Implemented and recommended > > Metalink/XML and Metalink/HTTP standard features > > --- > > doc/metalink-standard.txt | 156 > > ++++++++++++++++++++++++++++++++++++++++++++++ > > 1 file changed, 156 insertions(+) > > create mode 100644 doc/metalink-standard.txt > > > > diff --git a/doc/metalink-standard.txt b/doc/metalink-standard.txt > > new file mode 100644 > > index 0000000..d00c384 > > --- /dev/null > > +++ b/doc/metalink-standard.txt 
> > @@ -0,0 +1,156 @@ > > +GNU Wget Metalink recommended behaviour > > + > > + Metalink/XML and Metalink/HTTP standard reference > > + > > + > > +1. Security features > > +******************** > > + > > +Only metalink:file elements with safe "name" fields shall be accepted > > +[1 #section-4.1.2.1]. If unsafe metalink:file elements are saved, any > > +related test shall fail (see '2. Tests'). > > + > > +By design, libmetalink rejects unsafe metalink:file elements [3]: > > +* lib/metalink_helper.c (metalink_check_safe_path): Verify path > > + > > +1.1 Exceptions > > +============== > > + > > +The option --directory-prefix could allow to use an absolute, relative > > +or home path. > > + > > +2. Tests > > +******** > > + > > +Saving a file to an unexpected path poses a security problem. We must > > +ensure that Wget's automated tests never modify the root and the home > > +paths or descend/escalate to a relative path unexpectedly. > > + > > +2.1 Metalink/XML implemented tests > > +================================== > > + > > +* testenv/Test-metalink-xml.py: Accept safe paths > > +* testenv/Test-metalink-xml-abspath.py: Reject absolute paths > > +* testenv/Test-metalink-xml-relpath.py: Reject relative paths > > +* testenv/Test-metalink-xml-homepath.py: Reject home paths > > ACK with these tests merged together. All the Metalink tests are specialized, hence each test has a different file name and content. I don't know if it's a good idea to merge the tests together. But this is just my opinion. WDYT? Please, see the comments on Patch 01/25: http://lists.gnu.org/archive/html/bug-wget/2016-09/msg00074.html > > Regards, > Giuseppe Regards, Matthew -- Matthew White <mehw.is...@inventati.org>
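Review bot: In section 1.1, the sentence "The option --directory-prefix could allow to use an absolute, relative or home path" does not say whether the exception applies only to the prefix directory given on the command line or whether it also relaxes the safe "name" check on metalink:file elements described in section 1. Suggest stating which of the two is meant. If the intent is that the user may choose any prefix while the "name" field is still verified and saved beneath that prefix, say so explicitly, so the exception cannot be read as allowing unsafe names. In section 2.1, "Reject relative paths" is also ambiguous, because a safe name is itself a relative path. Naming the rejected form the test actually covers (for example, names with parent-directory components, if that is what Test-metalink-xml-relpath.py checks) would line up with the "descend/escalate to a relative path unexpectedly" wording in section 2.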