Re: [Chicken-hackers] [PATCH] setup-download: fix +url-regex+ and decons
From: Peter Bex
Subject: Re: [Chicken-hackers] [PATCH] setup-download: fix +url-regex+ and deconstruct-url to match urls with path=/ or no path when port number is provided
Date: Sun, 3 Mar 2013 12:04:44 +0100
User-agent: Mutt/1.4.2.3i

On Sat, Mar 02, 2013 at 01:19:36PM -0500, Mario Domenech Goulart wrote:
> Hi,
>
> Attached is a patch to fix +url-regex+ and deconstruct-url in
> setup-download.
>
> If the fix is correct and if it doesn't end up causing problems for
> other corner cases, please consider pushing it to stability as well.
>
> It's possible that I'm being too paranoid, but since chicken-install may
> access a port which was not requested in certain cases, maybe this issue
> can be considered a security vulnerability (see the attached patch
> comments). I don't think it's serious, but I'm using this list anyway
> for your consideration.

I think this should not be classified a security issue for two reasons:
The first is that the end user controls the locations for chicken-install,
which is in a defaults file or passed on the command line.
The second is that it will always revert to port 80, which is likely
unavailable on a host when we're asking for a different port. The
worst that can happen is that we get back bogus data for an egg, which
would cause the installation to fail. So it's just a bug :)

Thanks for being careful, though!

> Feel free to forward it to chicken-hackers.

I've signed off and pushed the patch. It's also in stability now.

Cheers,
Peter
--
http://www.more-magic.net
0001-setup-download-fix-url-regex-and-deconstruct-url-to-.patch
Description: Text document