upgrade.py crashes if a captive portal is used

Bug #1091567 reported by Daniël van Eeden
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released
Amarnath Chitumalla
hplip (Ubuntu)

Bug Description

The "hp-upgrade --check" command downloads info from http://hplip.sourceforge.net/hplip_web.conf. This fails if a captive portal is used for WLAN authentication (Hotels, Airports, etc)

This could have a security impact as it downloads information without verifying the source. A specially crafted config file or limitless (/dev/null, /dev/random) file could have an impact.

1. Use TLS and verify certificates
2. Use GPG to sign the file and verify on the client.
3. Limit the maximum amount of bytes downloaded
4. Validate the config file.
5. Retry the upgrade check at a later time (after wlan authentication)
6. Use APT to check for updates if that's possible

PythonArgs: ['/usr/bin/hp-upgrade', '--check']
 Traceback (most recent call last):
   File "/usr/bin/hp-upgrade", line 210, in <module>
     hplip_version_conf = ConfigBase(HPLIP_Ver_file)
   File "/usr/share/hplip/base/g.py", line 81, in __init__
   File "/usr/share/hplip/base/g.py", line 121, in read
   File "/usr/lib/python2.7/ConfigParser.py", line 324, in readfp
     self._read(fp, filename)
   File "/usr/lib/python2.7/ConfigParser.py", line 512, in _read
     raise MissingSectionHeaderError(fpname, lineno, line)
 MissingSectionHeaderError: File contains no section headers.
 file: /tmp/tmpA55LLA, line: 1
 '<HTML><HEAD><TITLE> Web Authentication Redirect</TITLE><META http-equiv="Cache-control" content="no-cache"><META http-equiv="Pragma" content="no-cache"><META http-equiv="Expires" content="-1"><META http-equiv="refresh" content="1; URL=https://__REMOVED__/login.html?redirect=hplip.sourceforge.net/hplip_web.conf"></HEAD></HTML>\r\n'

Tags: patch
Revision history for this message
Daniël van Eeden (dveeden) wrote :

HPLIP version: 3.12.6-3ubuntu4
Ubuntu version: Ubuntu 12.10 (Quantal)

Changed in hplip:
status: New → In Progress
assignee: nobody → Amarnath Chitumalla (amarnath-chitumalla)
status: In Progress → Fix Committed
Revision history for this message
Amarnath Chitumalla (amarnath-chitumalla) wrote :


Thank you for reporting the issue. We have fixed this issue and fix will be available in next HPLIP release.

Meanwhile, you can apply this patch.

1) copy the attached g.py file under /usr/share/hplip/base folder
$ sudo cp -b g.py /usr/share/hplip/base/g.py
$ su -c "cp -b g.py /usr/share/hplip/base/g.py"

Thanks & Regards,

Revision history for this message
Daniël van Eeden (dveeden) wrote :

Changed to Confirmed as the issues is confirmed by Amarnath Chitumalla (HPLIP).

Changed in hplip (Ubuntu):
status: New → Confirmed
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "g.py" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Changed in hplip:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers


Remote bug watches

Bug watches keep track of this bug in other bug trackers.