hp-plugin downloads plugins via insecure HTTP

Bug #1898456 reported by Malte S. Stretz
Affects          Status  Importance  Assigned to  Milestone
HPLIP            New     Undecided   Unassigned
hplip (Ubuntu)   New     Undecided   Unassigned

Bug Description

While looking at what hp-plugin was doing when it was seemingly hung I noticed that it calls wget to download an executable via plain HTTP even though www.openprinting.org supports HTTPS:

Relevant part from ps axf:

 10353 pts/4 Ss 0:00 | \_ /bin/bash
 10492 pts/4 Sl+ 0:07 | | \_ /usr/bin/python3 /usr/bin/hp-plugin
 10507 pts/5 Ss+ 0:00 | | \_ /usr/bin/wget --cache=off -P $HOME/.hplip http://www.openprinting.org/download/printdriver/auxfiles/HP/plugins/hplip-3.20.3-plugin.run

Looks like there are two issues here:

1. Unless a local file exists, a plugin descriptor is downloaded from http://hplip.sf.net/plugin.conf
2. That one then contains the actual download URLs at www.openprinting.org which are plain HTTP as well

The first one has checksums so theoretically it might be ok to download the latter via HTTP (though there is no reason to do so) but the checksums are downloaded via plain HTTP as well.
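The following is an added illustration of the two checks described in the report, written here for this page; it is not code from the bug report or from HPLIP. It assumes an INI-style descriptor with `url` and `checksum` keys (the real plugin.conf layout is not shown on the page) and assumes SHA-256 checksums; the descriptor text and plugin bytes are constructed samples. The point it makes concrete is that a checksum fetched over the same unauthenticated channel as the file it covers adds nothing, so the descriptor's own origin has to be checked before the hash comparison means anything.

```python
import configparser
import hashlib
import hmac
from urllib.parse import urlparse, urlunparse

# Constructed sample descriptor. Section name, key names and the use of
# SHA-256 are assumptions for this example, not HPLIP's actual plugin.conf.
SAMPLE_DESCRIPTOR = """\
[hplip-3.20.3]
url = http://www.openprinting.org/download/printdriver/auxfiles/HP/plugins/hplip-3.20.3-plugin.run
checksum = 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""

# Constructed stand-in for the downloaded plugin; the checksum above is sha256(b"test").
SAMPLE_PLUGIN_BYTES = b"test"

# Descriptor location named in the bug report (plain HTTP).
DESCRIPTOR_URL = "http://hplip.sf.net/plugin.conf"


def parse_descriptor(text):
    """Return {section: {"url": ..., "checksum": ...}} from INI-style descriptor text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: {"url": cp[s]["url"], "checksum": cp[s]["checksum"].lower()}
            for s in cp.sections()}


def force_https(url):
    """Rewrite an http:// URL to https://; any other scheme is returned unchanged."""
    p = urlparse(url)
    return urlunparse(p._replace(scheme="https")) if p.scheme == "http" else url


def checksum_matches(data, expected_hex):
    """Compare sha256(data) with the descriptor's checksum in constant time."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())


def check_plugin(descriptor_url, descriptor_text, section, plugin_bytes):
    """Return a list of findings for one plugin download; an empty list means
    the descriptor came over HTTPS, the plugin URL is HTTPS and the hash matches."""
    findings = []
    # A checksum only authenticates the download if the descriptor that carries
    # it was itself fetched over an authenticated channel.
    desc_scheme = urlparse(descriptor_url).scheme
    if desc_scheme != "https":
        findings.append(f"descriptor fetched over {desc_scheme}: its checksums cannot be trusted")
    entry = parse_descriptor(descriptor_text)[section]
    if urlparse(entry["url"]).scheme != "https":
        findings.append(f"{section}: plugin URL is not HTTPS; should be {force_https(entry['url'])}")
    if not checksum_matches(plugin_bytes, entry["checksum"]):
        findings.append(f"{section}: sha256 mismatch, refusing to run the plugin")
    return findings


if __name__ == "__main__":
    for line in check_plugin(DESCRIPTOR_URL, SAMPLE_DESCRIPTOR, "hplip-3.20.3", SAMPLE_PLUGIN_BYTES):
        print(line)
```

Run as-is, the sample reproduces the situation in the report: the hash matches, yet two findings remain because both the descriptor and the plugin were fetched over plain HTTP, so the matching hash proves nothing about who served the file.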

Malte S. Stretz (mss)
summary: - hp-plugin downloads from openprinting.org via insecure HTTP from
+ hp-plugin downloads plugins via insecure HTTP