_get_changelog_or_news does not handle Basic auth properly

Bug #1343888 reported by Dominik George
Affects: update-manager (Ubuntu)
Status: Triaged
Importance: Medium
Assigned to: Unassigned

Bug Description

_get_changelog_or_news, when fetching changelogs from third-party URLs that contain username:password, does not handle that information correctly.

urllib2 expects to get the authorization information in an Opener object instead of in the URL. Passing it in the URL leads to it being passed wrongly, which also is a bug in urllib2.

Here is how to do it the right way (but untested as I do not have Ubuntu):

Tags: patch
Revision history for this message
Dominik George (natureshadow) wrote :

Thanks, Launchpad broke my pasted diff.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "update-manager_basic-auth.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
description: updated
Brian Murray (brian-murray) wrote :

In MyCache.py we can see the following which may no longer be true.

    # https uris are not supported when they contain a username/password
    # because the urllib2 https implementation will not check certificates
    # and so its possible to do a man-in-the-middle attack to steal the
    # credentials
    res = urlsplit(uri)
    if res.scheme == "https" and res.username:
        raise HttpsChangelogsUnsupportedError(
            "https locations with username/password are not "
            "supported to fetch changelogs")

Changed in update-manager (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
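The following is an added example, not code from update-manager or from the reporter's broken diff. It demonstrates the point made in the bug description (credentials belong in an opener, not in the URL) together with the policy check quoted from MyCache.py above. It uses Python 3's urllib.request, the successor of the urllib2 module the report discusses; the function names and the host changelogs.example are constructed for illustration.

```python
"""Move URL-embedded Basic-auth credentials into a urllib opener.

Added illustration, not update-manager code.  Uses Python 3 urllib.request
in place of urllib2; names and sample URLs are constructed.
"""
import urllib.request
from collections import namedtuple
from urllib.parse import unquote, urlsplit, urlunsplit


class HttpsChangelogsUnsupportedError(Exception):
    """Same name as the exception in the MyCache.py excerpt."""


# opener: configured urllib opener; uri: URI with credentials removed;
# credentials: the password manager the opener consults.
ChangelogRequest = namedtuple("ChangelogRequest", "opener uri credentials")


def split_credentials(uri):
    """Return (credential_free_uri, username, password).

    Username and password are None when the URI carries none.  Percent
    escapes in the userinfo part are decoded, so 'p%40ss' becomes 'p@ss'.
    """
    res = urlsplit(uri)
    host = res.hostname or ""
    if ":" in host:                      # bare IPv6 literal needs brackets back
        host = "[%s]" % host
    if res.port is not None:
        host = "%s:%d" % (host, res.port)
    clean = urlunsplit((res.scheme, host, res.path, res.query, res.fragment))
    user = unquote(res.username) if res.username is not None else None
    password = unquote(res.password) if res.password is not None else None
    return clean, user, password


def build_changelog_request(uri, allow_https_credentials=True):
    """Build an opener that supplies HTTP Basic credentials via an
    HTTPBasicAuthHandler instead of leaving them in the URL.

    With allow_https_credentials=False the https+credentials case is
    refused, mirroring the check in the MyCache.py excerpt.
    """
    clean, user, password = split_credentials(uri)
    scheme = urlsplit(uri).scheme
    if scheme == "https" and user and not allow_https_credentials:
        raise HttpsChangelogsUnsupportedError(
            "https locations with username/password are not "
            "supported to fetch changelogs")
    password_mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    if user is not None:
        # Scope the credentials to this URI (and paths below it) only.  The
        # handler sends them as an Authorization header after a 401
        # challenge; they never appear in the request line or Host header.
        password_mgr.add_password(None, clean, user, password or "")
    opener = urllib.request.build_opener(
        urllib.request.HTTPBasicAuthHandler(password_mgr))
    return ChangelogRequest(opener, clean, password_mgr)


def refuses_https_credentials(uri):
    """True if the MyCache-style policy refuses this URI."""
    try:
        build_changelog_request(uri, allow_https_credentials=False)
    except HttpsChangelogsUnsupportedError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample; no network access is made here.
    req = build_changelog_request(
        "http://alice:s3cret@changelogs.example/pool/main/foo.changelog")
    print("fetch URI:", req.uri)
    print("credentials for it:", req.credentials.find_user_password(None, req.uri))
    # req.opener.open(req.uri) would perform the actual download.
```

HTTPBasicAuthHandler only sends the credentials after the server answers 401 with a WWW-Authenticate challenge; for servers that expect the header on the first request, urllib.request.HTTPPasswordMgrWithPriorAuth (Python 3.5+) with add_password(..., is_authenticated=True) sends it preemptively.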