wget: Server responses &c written to the tty verbatim (escape sequences, control characters, ...)

Automatically imported from Debian bug report #261755 http://bugs.debian.org/261755

Message-ID: <email address hidden>
Date: Wed, 28 Jul 2004 02:31:09 +0200
From: Jan Minar <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Cc: <email address hidden>
Subject: wget: Server responses &c written to the tty verbatim (escape sequences, control characters,
 ...)

--7ZAtKRhVyVSsbBD2
Content-Type: multipart/mixed; boundary="mYCpIKhGyMATD0i+"
Content-Disposition: inline

--mYCpIKhGyMATD0i+
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: wget
Version: 1.8.1-6.1
Severity: grave
Justification: user security hole
Tags: security patch

Hi.

Wget does absolutely no filtering of the server-supplied error messages,
and redirection URLs. And probably just anywhere else.

Both 1.8 & 1.9 branches exhibit this behaviour.

A simple not-very-functional demo is attached.

I found out there are just too many places where wget should filter, but
doesn't. The enclosed patch is covering just one of these places,
sadly. And even this tiny bit is covered badly, as, e.g., there's no
need to mark the message as server-generated, when in fact it's our
message about the lack of any message from the server, heh.

The comments in the patch should explain my reasoning in detail -- the
basic goals:

(1) Filter escape sequences & friends
 -- HTTP 1.1 RFC allows [^\r\n\x00-\x1f\127]
(2) Mark the beginning & the end, and purpose of the message (``Remote
  server said: >>> ... <<<'')
(3) Don't allow ending faking (remove extraneous whitespace, escape the end=
 mark)
 -- ``A recipient MAY replace any linear white space with a single SP
 before interpreting the field value'' -- RFC 2616, Section 2.2

Please CC me, when appropriate.

Cheers.
Jan.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686
Locale: LANG=3DC, LC_CTYPE=3Dcs_CZ.ISO-8859-2

Versions of packages wget depends on:
ii libc6 2.2.5-11.5 GNU C Library: Shared librarie=
s an

--=20
   "To me, clowns aren't funny. In fact, they're kind of scary. I've wonder=
ed
 where this started and I think it goes back to the time I went to the circ=
us,
     and a clown killed my dad."

--mYCpIKhGyMATD0i+
Content-Type: text/plain; charset=us-ascii
Content-Description: A simple, not very functional demo
Content-Disposition: attachment; filename=wgettrap
Content-Transfer-Encoding: quoted-printable

#!/usr/bin/perl -W
# Usage:
# nc -lp31337 -e ./wgettrap.redirect
# nc -lp31337 -e ./wgettrap.segfault
#
# Discussion:
#
# We exploit the fact the attacker can speak on behalf of wget, i.e. & *som=
e*
# user will likely trust what wget says, and will be interested enough to r=
un
# our code.
#
# We prepare a redirection to a specially crafted `core' file, and then
# instruct the user to run it:
#
# (1) Redirection to a specially crafted `core' file
# (2) Set Content-Length just a little bit too high
# (3) Send the `core' file
# (4) wget will try reconnecting because of (2)
# (5) Return the segfault error
# (6) Obfuscate the wget output all-around-the-place
#
# The wget.segfault functionality...

Silly bug

Message-ID: <email address hidden>
Date: Fri, 30 Jul 2004 20:25:37 +0200
From: Florian Weimer <email address hidden>
To: <email address hidden>
Subject: Patch review

+ /* We encode each byte using at most 4 bytes, + trailing '\0'. */
+ buf = xmalloc (4 * strlen (reason_phrase_ptr) + 1);

Where is this buffer freed? Or is this compatible with the existing
approach to memory management in wget?

- logprintf (LOG_NOTQUIET, _("%s ERROR %d: %s.\n"),
+ /*
+ * XXX Let's not allow the attacker pretend it's us speaking.
+ *
+ * It's important to:
+ * (1) Explain who created the message
+ * (2) Mark very visibly the beginning & end of the message
+ * (3) Make clear we have no connection whatsoever with this message
+ */
+ /* logprintf (LOG_NOTQUIET, _("%s ERROR %d: %s.\n"), */
+ logprintf (LOG_NOTQUIET,
+ _("%s ERROR: Remote server said: >>> %d %s <<<.\n"),

I suppose that it would be better to use C-style quoting (with "")
instead of yet another ad-hoc string literal syntax. To increase
backwards compatibility, it's probably best to add the quotes only if
potentially harmful characters are actually contained in the server
response.

Note that you'd also have to change escape_reason_phrase().

- logprintf (LOG_NOTQUIET, "%d %s\n\n", hstat.statcode, hstat.error);
+ logprintf (LOG_NOTQUIET, _(">>> %d %s <<<\n\n"),
+ hstat.statcode, hstat.error);

Same here.

What's the status of this bug with respect to upstream? Has it been
sent in for review?

Message-Id: <1091216836.8798.3.camel@localhost>
Date: Fri, 30 Jul 2004 21:47:16 +0200
From: =?ISO-8859-1?Q?No=E8l_K=F6the?= <email address hidden>
To: Florian Weimer <email address hidden>, <email address hidden>
Subject: Re: Bug#261755: Patch review

--=-Q4nsZ32s1w2QK+Qiyezu
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Am Fr, den 30.07.2004 schrieb Florian Weimer um 20:25:

> What's the status of this bug with respect to upstream? Has it been
> sent in for review?

bug/patch submitter CC: the report to the upstream mailinglist (archive:
http://www.mail-archive.com/wget%40sunsite.dk/) but there is no answer
to the mail until now.

--=20
No=C3=A8l K=C3=B6the <noel debian.org>
Debian GNU/Linux, www.debian.org

--=-Q4nsZ32s1w2QK+Qiyezu
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: Dies ist ein digital signierter Nachrichtenteil

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQBBCqXD9/DnDzB9Vu0RAni4AJ9uP6rHKhI3XW02M1QFm1xhIyMu4ACdG8l4
+n/U7eSkGS19SSSrB7OX6Y4=
=rZ1v
-----END PGP SIGNATURE-----

--=-Q4nsZ32s1w2QK+Qiyezu--

Message-Id: <email address hidden>
Date: Wed, 11 Aug 2004 13:08:24 +0200
From: =?ISO-8859-1?Q?No=E8l_K=F6the?= <email address hidden>
To: Florian Weimer <email address hidden>, <email address hidden>
Cc: Jan Minar <email address hidden>
Subject: Re: Bug#261755: Patch review

--=-D6TaGedH6xQiuzqeBQx9
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Am Fr, den 30.07.2004 schrieb Florian Weimer um 20:25:

Hello,

fullquote because Jan asked for CC: and the previous mail wasn't CC: to
him.

> + /* We encode each byte using at most 4 bytes, + trailing '\0'. */
> + buf =3D xmalloc (4 * strlen (reason_phrase_ptr) + 1);
>=20
> Where is this buffer freed? Or is this compatible with the existing
> approach to memory management in wget?
>=20
> - logprintf (LOG_NOTQUIET, _("%s ERROR %d: %s.\n"),
> + /*
> + * XXX Let's not allow the attacker pretend it's us speaking.
> + *
> + * It's important to:
> + * (1) Explain who created the message
> + * (2) Mark very visibly the beginning & end of the message
> + * (3) Make clear we have no connection whatsoever with this message
> + */
> + /* logprintf (LOG_NOTQUIET, _("%s ERROR %d: %s.\n"), */
> + logprintf (LOG_NOTQUIET,
> + _("%s ERROR: Remote server said: >>> %d %s <<<.\n"),
>=20
> I suppose that it would be better to use C-style quoting (with "")
> instead of yet another ad-hoc string literal syntax. To increase
> backwards compatibility, it's probably best to add the quotes only if
> potentially harmful characters are actually contained in the server
> response.
>=20
> Note that you'd also have to change escape_reason_phrase().
>=20
> - logprintf (LOG_NOTQUIET, "%d %s\n\n", hstat.statcode, hstat.error);
> + logprintf (LOG_NOTQUIET, _(">>> %d %s <<<\n\n"),
> + hstat.statcode, hstat.error);
>=20
> Same here.
>=20
> What's the status of this bug with respect to upstream? Has it been
> sent in for review?

Still no answer from upstream to Jans patch/bug.

--=20
No=C3=A8l K=C3=B6the <noel debian.org>
Debian GNU/Linux, www.debian.org

--=-D6TaGedH6xQiuzqeBQx9
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: Dies ist ein digital signierter Nachrichtenteil

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD4DBQBBGf4o9/DnDzB9Vu0RAiPUAJYi3mSESbZmiO1l6+s7as704717AJ49I/KS
3t8IMBdeb1mM6WSZiX2jLg==
=YHW+
-----END PGP SIGNATURE-----

--=-D6TaGedH6xQiuzqeBQx9--

Message-ID: <email address hidden>
Date: Fri, 13 Aug 2004 03:22:40 +0200
From: Jan Minar <email address hidden>
To: Noel =?iso-8859-2?Q?K=F6the?= <email address hidden>
Cc: Florian Weimer <email address hidden>, <email address hidden>
Subject: Re: Bug#261755: Patch review

--FCuugMFkClbJLl1L
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Aug 11, 2004 at 01:08:24PM +0200, Noel K=F6the wrote:
> Am Fr, den 30.07.2004 schrieb Florian Weimer um 20:25:

> fullquote because Jan asked for CC: and the previous mail wasn't CC: to
> him.

Thanks. Note that when you send a mail to <number>@bugs.debian.org, the
original submitter is *not* sent a copy; you have to CC: the submitter
explicitly.

> > + /* We encode each byte using at most 4 bytes, + trailing '\0'. */
> > + buf =3D xmalloc (4 * strlen (reason_phrase_ptr) + 1);
> >=20
> > Where is this buffer freed? Or is this compatible with the existing
> > approach to memory management in wget?

It isn't. Did I mention I can't code in C?...

> > - logprintf (LOG_NOTQUIET, _("%s ERROR %d: %s.\n"),
> > + /*
> > + * XXX Let's not allow the attacker pretend it's us speaking.
> > + *
> > + * It's important to:
> > + * (1) Explain who created the message
> > + * (2) Mark very visibly the beginning & end of the message
> > + * (3) Make clear we have no connection whatsoever with this message
> > + */
> > + /* logprintf (LOG_NOTQUIET, _("%s ERROR %d: %s.\n"), */
> > + logprintf (LOG_NOTQUIET,
> > + _("%s ERROR: Remote server said: >>> %d %s <<<.\n"),
> >=20
> > I suppose that it would be better to use C-style quoting (with "")
> > instead of yet another ad-hoc string literal syntax.

Let's split this effort in four consequential steps:

(I) Filtering the control characters (including escape-sequences).

This is easy, if it weren't for so many places in the code that have to
be changed, and the massive difference between the woody & sarge
version. Just set the correct locale, do isprint(), and escape
appropriately. This can and should be adopted without a delay.

The following steps deal primarily with the freeform server-response:

(II) Making it possible to determine what the server-response is

You have to ensure the beginning & ending delimiters are not spoofable.
With Unicode, where similar glyphs are not so uncommon, and '\n' being
supplied by the terminal by the virtue of wrapping, this soon gets
tricky.

The begin-delimiter is ``Remote server said: BEGIN_QUOT'', the
end-delimiter is ``END_QUOT\n''. The begin-delimiter will work good,
regardless of the BEGIN_QUOT value. The only problem is we can't really
tell whether it was the *remote server*, or some third party (attacker),
who originated the message. If someone could come up with a more
appropriate phrase, I'd be pleased. The end-delimiter and any similar
glyphs (locale-dependent) will be escaped in the server-response, so
that it can't be spoofed. As we will never know which characters look
similar in a given font/locale combination, therefore we can never be
100% confident we are secure against spoofing. This, too, ...

Message-Id: <email address hidden>
Date: Sun, 22 Aug 2004 11:39:07 +0200
From: Thomas Hood <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: Florian Weimer <email address hidden>
Subject: Can this be fixed in time for sarge?

The changes contemplated look very invasive. How quickly can this
bug be fixed?
--
Thomas Hood

Message-ID: <email address hidden>
Date: Sun, 22 Aug 2004 13:12:43 +0200
From: Jan Minar <email address hidden>
To: Thomas Hood <email address hidden>, <email address hidden>
Subject: Re: Bug#261755: Can this be fixed in time for sarge?

--17pEHd4RhPHOinZp
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Aug 22, 2004 at 11:39:07AM +0200, Thomas Hood wrote:
> The changes contemplated look very invasive. How quickly can this
> bug be fixed?

It looks like we'd have to go thru the whole code, sanitizing all calls
to logprintf() where a tainted variable is involved. This is tedious.

I'm leaning towards solving the control-chars injection by a wrapper
that would filter these. I can't think of no such workaround for the
spoofing vulnerability.

J.

--=20
   "To me, clowns aren't funny. In fact, they're kind of scary. I've wonder=
ed
 where this started and I think it goes back to the time I went to the circ=
us,
     and a clown killed my dad."

--17pEHd4RhPHOinZp
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBKH+r+uczK20Fa5cRAqvAAKCqJGpkyGlt1Z+TTYc+d/7JQ7VEmgCfRkqB
4I0yoQEQAXZkiWII2PidtOE=
=/xC+
-----END PGP SIGNATURE-----

--17pEHd4RhPHOinZp--

Message-ID: <email address hidden>
Date: Sun, 22 Aug 2004 13:32:12 +0200
From: Jan Minar <email address hidden>
To: Thomas Hood <email address hidden>, <email address hidden>
Subject: Re: Bug#261755: Can this be fixed in time for sarge?

--oyUTqETQ0mS9luUI
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Aug 22, 2004 at 01:12:43PM +0200, Jan Minar wrote:
> I'm leaning towards solving the control-chars injection by a wrapper
> that would filter these. I can't think of no such workaround for the
> spoofing vulnerability.

Here's the script:

--- /dev/null Wed Dec 10 03:42:57 2003
+++ /home/jan/bin/wget Sun Aug 22 13:18:19 2004
@@ -0,0 +1,6 @@
+#!/bin/sh
+# ~jan/bin/wget -- wget wrapper that'll get rid of the escape sequences
+
+WGET=3D/usr/bin/wget
+
+"$WGET" -o /dev/fd/1 "$@" | filter-controls

Here's the filter-controls source:

--- /dev/null Wed Dec 10 03:42:57 2003
+++ /home/jan/code/filter-controls/filter-controls.c Tue Aug 17 01:50:28 20=
04
@@ -0,0 +1,43 @@
+#include <stdio.h>
+#include <ctype.h>
+#include <stdlib.h>
+
+void my_putchar(char);
+
+/* my_putchar(char) error-checking putchar() wrapper */
+/* DNW: Somehow echo hello | ./filter-controls > /dev/full returns 0. */
+inline void
+my_putchar (char c) {
+ if (putchar (c) =3D=3D EOF) {
+ perror ("Error writing to stdout");
+ exit (1);
+ }
+}
+
+int
+main (void)
+{
+ int c;
+ int last_was_space =3D 0;
+
+ setbuf (stdout, NULL);
+
+ while ((c =3D getchar()) !=3D EOF) {
+ if (isgraph(c) || c =3D=3D '\n') {
+ my_putchar (c);
+ last_was_space =3D 0;
+ } else if (isspace (c)) {
+ if (last_was_space =3D=3D 0)
+ my_putchar (' ');
+ last_was_space =3D 1;
+ } else {
+ my_putchar ('\\');
+ my_putchar ('0' + ((c & 0xff) >> 6));
+ my_putchar ('0' + ((c & 0x3f) >> 3));
+ my_putchar ('0' + (c & 7));
+
+ last_was_space =3D 0;
+ }
+ }
+ return 0;
+}

Of course the script is not necessary; I only didn't want to learn
setting up pipes in C.

The problem here is, we lose the nice progress bar, getting the tedious
dot-progress interface instead. Nobody will like this. So maybe
hooking/rewriting the logprintf() function will be an option, although
I don't like it.

Jan.

--=20
   "To me, clowns aren't funny. In fact, they're kind of scary. I've wonder=
ed
 where this started and I think it goes back to the time I went to the circ=
us,
     and a clown killed my dad."

--oyUTqETQ0mS9luUI
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBKIQ8+uczK20Fa5cRAguxAJ0YE4U7bqySuhbNlM82/lyWuz84SwCfVqZs
KVcGlriJE/utGtMgsFap+T4=
=P22L
-----END PGP SIGNATURE-----

--oyUTqETQ0mS9luUI--

Message-ID: <email address hidden>
Date: Sun, 22 Aug 2004 20:02:54 +0200
From: Jan Minar <email address hidden>
To: Thomas Hood <email address hidden>, <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#261755: Control sequences injection patch

--32u276st3Jlj2kUU
Content-Type: multipart/mixed; boundary="f2QGlHpHGjS2mn6Y"
Content-Disposition: inline

--f2QGlHpHGjS2mn6Y
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

tags 261755 +patch
thanks

On Sun, Aug 22, 2004 at 11:39:07AM +0200, Thomas Hood wrote:
> The changes contemplated look very invasive. How quickly can this
> bug be fixed?

Here we go: Hacky, non-portable, but pretty slick & non-invasive,
whatever that means. Now I'm going to check whether it is going to
catch all the cases where malicious characters could be possibly
injected.

This patch (hopefully) solves the problem of remote attacker (server or
otherwise) injects malicious control sequences in the HTTP headers. It
by no mean solves the spoofing bug, which is by nature tricky to address
well.

Cheers,
Jan.

--=20
   "To me, clowns aren't funny. In fact, they're kind of scary. I've wonder=
ed
 where this started and I think it goes back to the time I went to the circ=
us,
     and a clown killed my dad."

--f2QGlHpHGjS2mn6Y
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: attachment; filename="wget-filter-controls.patch"
Content-Transfer-Encoding: quoted-printable

--- wget-1.9.1.WORK/debian/changelog 2004-08-22 19:34:16.000000000 +0200
+++ wget-1.9.1-jan/debian/changelog 2004-08-22 19:39:48.000000000 +0200
@@ -1,3 +1,12 @@
+wget (1.9.1-4.local-1) unstable; urgency=3Dmedium
+
+ * Local build
+ * Hopeless attempt to filter control chars in log output (see
+ Bug#267393)
+ * This probably SHOULD make it in Sarge revision 0
+
+ -- Jan Min=C3=A1=C5=99 <email address hidden> Sun, 22 Aug 2004 19:39:02 +=
0200
+
 wget (1.9.1-4) unstable; urgency=3Dlow
=20
   * made passive the default. sorry forgot again.:(
--- wget-1.9.1.WORK/src/log.c 2004-08-22 19:34:16.000000000 +0200
+++ wget-1.9.1-jan/src/log.c 2004-08-22 19:31:33.000000000 +0200
@@ -63,6 +63,12 @@
 #include "wget.h"
 #include "utils.h"
=20
+/* vasprintf() requires _GNU_SOURCE. Which is OK with Debian. */
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+#include <ctype.h>
+
 #ifndef errno
 extern int errno;
 #endif
@@ -345,7 +351,49 @@
   int expected_size;
   int allocated;
 };
+=0C
+/* XXX Where does the declaration belong?? */
+void escape_buffer (char **src);
=20
+/*
+ * escape_untrusted -- escape using '\NNN'. To be used wherever we want =
to
+ * print untrusted data.
+ *
+ * Syntax: escape_buffer (&buf-to-escape);
+ */
+void escape_buffer (char **src)
+{
+ char *dest;
+ int i, j;
+
+ /* We encode each byte using at most 4 bytes, + trailing '\0'. */
+ dest =3D xmalloc (4 * strlen (*src) + 1);
+
+ for (i =3D j =3D 0; (*src)[i] !=3D '\0'; ++i) {
+ /*
+ * We allow any non-control character, because LINE TABULATION
+ * & friends can't do more harm than SPACE. And someone
+ * somewhere might be using these, s...

Message-ID: <email address hidden>
Date: Tue, 24 Aug 2004 03:11:28 +0200
From: Jan Minar <email address hidden>
To: Thomas Hood <email address hidden>, <email address hidden>,
 <email address hidden>
Subject: Re: Bug#261755: Control sequences injection patch

--TYecfFk8j8mZq+dy
Content-Type: multipart/mixed; boundary="b5gNqxB1S1yM7hjW"
Content-Disposition: inline

--b5gNqxB1S1yM7hjW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Aug 22, 2004 at 08:02:54PM +0200, Jan Minar wrote:
> +/* vasprintf() requires _GNU_SOURCE. Which is OK with Debian. */
> +#ifndef _GNU_SOURCE
> +#define _GNU_SOURCE

This must be done before stdio.h is included.

> +#endif
> +#include <ctype.h>
> +
> #ifndef errno
> extern int errno;
> #endif
> @@ -345,7 +351,49 @@
> int expected_size;
> int allocated;
> };
> +=0C
> +/* XXX Where does the declaration belong?? */
> +void escape_buffer (char **src);
> =20
> +/*
> + * escape_untrusted -- escape using '\NNN'. To be used wherever we wan=
t to
> + * print untrusted data.
> + *
> + * Syntax: escape_buffer (&buf-to-escape);
> + */
> +void escape_buffer (char **src)
> +{
> + char *dest;
> + int i, j;
> +
> + /* We encode each byte using at most 4 bytes, + trailing '\0'. */
> + dest =3D xmalloc (4 * strlen (*src) + 1);
> +
> + for (i =3D j =3D 0; (*src)[i] !=3D '\0'; ++i) {
> + /*
> + * We allow any non-control character, because LINE TABULATION
> + * & friends can't do more harm than SPACE. And someone
> + * somewhere might be using these, so unless we actually can't
> + * protect against spoofing attacks, we don't pretend we can.
> + *
> + * Note that '\n' is included both in the isspace() *and*
> + * iscntrl() range.
> + */
> + if (isprint((*src)[i]) || isspace((*src)[i])) {

This lets '\r' thru, not good. BTW, (*src)[i] is quite a cypher.

> + dest[j++] =3D (*src)[i];
> + } else {
> + dest[j++] =3D '\\';
> + dest[j++] =3D '0' + (((*src)[i] & 0xff) >> 6);
> + dest[j++] =3D '0' + (((*src)[i] & 0x3f) >> 3);
> + dest[j++] =3D '0' + ((*src)[i] & 7);
> + }
> + }
> + dest[j] =3D '\0';
> +
> + xfree (*src);
> + *src =3D dest;
> +}

Attached is version 2, which solves these problems.

Please keep me CC'd.

Jan.

--=20
   "To me, clowns aren't funny. In fact, they're kind of scary. I've wonder=
ed
 where this started and I think it goes back to the time I went to the circ=
us,
     and a clown killed my dad."

--b5gNqxB1S1yM7hjW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="wget-filter-controls.patch.v2"
Content-Transfer-Encoding: quoted-printable

--- wget-1.9.1.ORIG/src/log.c 2004-08-22 13:42:33.000000000 +0200
+++ wget-1.9.1-jan/src/log.c 2004-08-24 02:38:38.000000000 +0200
@@ -42,6 +42,12 @@
 # endif
 #endif /* not WGET_USE_STDARG */
=20
+/* vasprintf() requires _GNU_SOURCE. Which is OK with Debian. */
+/* This *must* be defined before stdio.h is included. */
+#ifndef _GNU_SOURCE
+# define _GNU_SOURCE
+#endif
+
 #include <stdio.h>
 #ifdef HAVE_STRING_H
 # include <string.h>
@@ -63,6 +69,8 @@
 #include "wget.h"
 #include "utils.h"
=20
+#include <...

Message-Id: <email address hidden>
Date: Mon, 13 Sep 2004 17:32:08 -0400
From: =?utf-8?b?Tm/DqGwgS8O2dGhl?= <email address hidden>
To: <email address hidden>
Subject: Bug#261755: fixed in wget 1.9.1-5

Source: wget
Source-Version: 1.9.1-5

We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive:

wget_1.9.1-5.diff.gz
  to pool/main/w/wget/wget_1.9.1-5.diff.gz
wget_1.9.1-5.dsc
  to pool/main/w/wget/wget_1.9.1-5.dsc
wget_1.9.1-5_i386.deb
  to pool/main/w/wget/wget_1.9.1-5_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noèl Köthe <email address hidden> (supplier of updated wget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 13 Sep 2004 22:55:58 +0200
Source: wget
Binary: wget
Architecture: source i386
Version: 1.9.1-5
Distribution: unstable
Urgency: high
Maintainer: Noèl Köthe <email address hidden>
Changed-By: Noèl Köthe <email address hidden>
Description:
 wget - retrieves files from the web
Closes: 197916 261755
Changes:
 wget (1.9.1-5) unstable; urgency=high
 .
   * added patch from Jan Minar <jjminar fastmail.fm> which corrects
     the parsing/filtering of answer from servers
     (Thanks alot for your help Jan!)
     (closes: Bug#261755)
   * documenting incompatibility of -k and -O
     (closes: Bug#197916)
Files:
 4543b701997bcb32529c78606b8e4081 596 web optional wget_1.9.1-5.dsc
 2d9081bcbe108e443be4ed8f9c465537 11752 web optional wget_1.9.1-5.diff.gz
 beb626e0a77a3eb9ed85bfdd89a1d800 424634 web optional wget_1.9.1-5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBRgnL9/DnDzB9Vu0RAgE9AJ4nVAzUfQiHJrur2Eo1K4F8AFu3TACeMkpk
hMpSnjKIKfMR7TrYcRVns6o=
=hWNT
-----END PGP SIGNATURE-----

Message-ID: <Pine.LNX.4.61.0409260022180.29291@localhost>
Date: Sun, 26 Sep 2004 00:26:48 +0200 (CEST)
From: Tomas Pospisek <email address hidden>
To: <email address hidden>
cc: <email address hidden>
Subject: wget sid->sarge

I'm going through the list of packages that are pending to transition from
sid->sarge in order to tag them for manual propagation [1]. I've seen that
wget in sid fixes a security issue [2] (no sanitizing of server
responses). Question:

* I don't really understand the bug's security implications. Should
   sid's fixed wget be propagated to sarge?
* Does fix all the issues present in the code?

*t

[1] http://www.wolffelaar.nl/~sarge/
[2] http://bugs.debian.org/261755

--
--------------------------------------------------------
   Tomas Pospisek
   http://sourcepole.com - Linux & Open Source Solutions
--------------------------------------------------------

Message-Id: <email address hidden>
Date: Mon, 27 Sep 2004 16:29:02 +0200
From: =?ISO-8859-1?Q?No=E8l_K=F6the?= <email address hidden>
To: Tomas Pospisek <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#261755: wget sid->sarge

--=-PGR0BD7k8ULSU11Cecl9
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Am Sonntag, den 26.09.2004, 00:26 +0200 schrieb Tomas Pospisek:
> I'm going through the list of packages that are pending to transition fro=
m=20
> sid->sarge in order to tag them for manual propagation [1]. I've seen tha=
t=20
> wget in sid fixes a security issue [2] (no sanitizing of server=20
> responses). Question:
>=20
> * I don't really understand the bug's security implications. Should
> sid's fixed wget be propagated to sarge?
> * Does fix all the issues present in the code?

it opens this problem: #271931
Thats the reason why I didn't asked for moving it from sid to sarge.
sadly upstream is not available since some weeks to discuss this
problem.:(

--=20
No=C3=A8l K=C3=B6the <noel debian.org>
Debian GNU/Linux, www.debian.org

--=-PGR0BD7k8ULSU11Cecl9
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: Dies ist ein digital signierter Nachrichtenteil

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQBBWCOu9/DnDzB9Vu0RAoLQAJ459zeLHEEISKSUr5QWRJjaCE9hsQCePRhU
kmPeiGD11Bw4q8S0YGD15i8=
=wHBn
-----END PGP SIGNATURE-----

--=-PGR0BD7k8ULSU11Cecl9--

Message-ID: <Pine.LNX.4.61.0409271716150.19851@localhost>
Date: Mon, 27 Sep 2004 17:19:27 +0200 (CEST)
From: Tomas Pospisek <email address hidden>
To: <email address hidden>
cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#261755: wget sid->sarge

--8323328-1147761676-1096298367=:19851
Content-Type: TEXT/PLAIN; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: QUOTED-PRINTABLE

On Mon, 27 Sep 2004, No=E8l K=F6the wrote:

> Am Sonntag, den 26.09.2004, 00:26 +0200 schrieb Tomas Pospisek:
>> I'm going through the list of packages that are pending to transition fr=
om
>> sid->sarge in order to tag them for manual propagation [1]. I've seen th=
at
>> wget in sid fixes a security issue [2] (no sanitizing of server
>> responses). Question:
>>
>> * I don't really understand the bug's security implications. Should
>> sid's fixed wget be propagated to sarge?
>> * Does fix all the issues present in the code?
>
> it opens this problem: #271931
> Thats the reason why I didn't asked for moving it from sid to sarge.
> sadly upstream is not available since some weeks to discuss this
> problem.:(

OK, I've put that info into the release helping system [1]. Please update=
=20
it when the problem is fixed or let me know.
*t

[1] I don't know if the following link will work:
     http://www.wolffelaar.nl/~sarge/?PHPSESSID=3Df957b02aa24b1a4ab9237ae4e=
80df6a9&package=3Dwget&maint=3D&outofsync=3D&frozen=3D&status=3D
     Otherwise just visit http://www.wolffelaar.nl/~sarge/,
     enter wget in the first field and press return.

--
--------------------------------------------------------
   Tomas Pospisek
   http://sourcepole.com - Linux & Open Source Solutions
--------------------------------------------------------
--8323328-1147761676-1096298367=:19851--

Message-ID: <email address hidden>
Date: Tue, 28 Sep 2004 21:41:54 +0200
From: Jan Minar <email address hidden>
To: <email address hidden>
Cc: <email address hidden>,
 ismail donmez <email address hidden>
Subject: wget: Indiscriminate escaping in multibyte locales patch -- review required

--nVMJ2NtxeReIH9PS
Content-Type: multipart/mixed; boundary="SUOF0GtieIMvvwua"
Content-Disposition: inline

--SUOF0GtieIMvvwua
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi all!

Sorry for not making the patch right the first (or was it second?) time.
And thank Ambrose and Ismail for reporting the bug and commenting upon
it.

I rewrote the patch to be multibyte-aware, please test it and/or review
it. When I say please review it, I mean it, because the wchar API is
really not my cup of tea, and I probably made silly mistakes and
introduced new and interesting problems.

This new patch introduces no difference in what is printed when ``wget
localhost'' is run, at least under cs_CZ.UTF-8, zh_CN.gb18030,
zh_CN.gb2312, zh_CN.gbk, and ja_JP.eucjp locales.

BTW: Does anybody know why is upstream completely ignoring this issue?

Cheers,
--=20
Jan

--SUOF0GtieIMvvwua
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="wget-filter-controls.patch.v3--multibyte-aware"
Content-Transfer-Encoding: quoted-printable

--- wget-1.9.1/src/log.c 2004-09-28 20:32:10.000000000 +0200
+++ ../wget-1.9.1-4.local-jan/src/log.c 2004-09-28 20:40:25.000000000 +0200
@@ -70,6 +70,8 @@
 #include "utils.h"
=20
 #include <ctype.h>
+#include <wchar.h>
+#include <wctype.h>
=20
 #ifndef errno
 extern int errno;
@@ -365,30 +367,41 @@
  */
 void escape_buffer (char **src)
 {
- char *dest, c;
+ char *dest;
  int i, j;
+ wchar_t c, buf[2];
+ size_t ret, len;
=20
- /* We encode each byte using at most 4 bytes, + trailing '\0'. */
- dest =3D xmalloc (4 * strlen (*src) + 1);
-
- for (i =3D j =3D 0; (c =3D (*src)[i]) !=3D '\0'; ++i) {
+ /*
+ * Note: We use mbrtowc()/wctomb() exclusively for converting from/to
+ * multibyte, so we don't have to care about the current shift state
+ * ourselves.
+ */
+
+ /* It's hard to tell the resulting length =3D> dynamic allocation */
+ len =3D 4 * strlen (*src); /* This initial len value is arbitrary */
+ dest =3D xmalloc (len);
+
+ for (i =3D j =3D 0; (ret =3D mbrtowc (&c, *src + i, len + 1, NULL)) !=3D =
0; i +=3D ret) {
+ if (ret =3D=3D (size_t)(-2)) {
+ perror ("Internal error in escape_buffer() -- bailing out");
+ exit (1);
+ } else if (ret =3D=3D (size_t)(-1)) {
+ c =3D (*src)[i];
+ ret =3D 1; /* So that i will be incremented by 1 */
+ goto escape;
+ }
   /*
- * We allow any non-control character, because '\t' & friends
- * can't do more harm than SPACE. And someone somewhere might
- * be using these, so unless we actually can protect against
- * spoofing attacks, we don't pretend it.
- *
- * Note that '\n' is included both in the isspace() *and*
- * iscntrl() range.
- *
- * We try not to allow '\r' & friends by using isblank()
- * instead of isspace(). Let's hope noone will complai...

Message-Id: <email address hidden>
Date: Wed, 29 Sep 2004 19:02:09 +0300
From: Ismail Donmez <email address hidden>
To: Jan Minar <email address hidden>
Cc: <email address hidden>,
 <email address hidden>
Subject: Re: wget: Indiscriminate escaping in multibyte locales patch -- review required

On Tuesday 28 September 2004 22:41, Jan Minar wrote:
> Hi all!
>
> Sorry for not making the patch right the first (or was it second?) time.
> And thank Ambrose and Ismail for reporting the bug and commenting upon
> it.
>
> I rewrote the patch to be multibyte-aware, please test it and/or review
> it. When I say please review it, I mean it, because the wchar API is
> really not my cup of tea, and I probably made silly mistakes and
> introduced new and interesting problems.
>
> This new patch introduces no difference in what is printed when ``wget
> localhost'' is run, at least under cs_CZ.UTF-8, zh_CN.gb18030,
> zh_CN.gb2312, zh_CN.gbk, and ja_JP.eucjp locales.
>
> BTW: Does anybody know why is upstream completely ignoring this issue?

Tested with LC_ALL=tr_TR.UTF-8 and works fine for me. Thanks for the fix!

Regards,
ismail

Message-ID: <email address hidden>
Date: Tue, 4 Jan 2005 22:03:27 +0100
From: Andreas Barth <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: wget - solving strategies

reopen 261755
tag 261755 +sarge
thanks

Hi,

just a few annotation from me on how to make wget reach sarge. IMHO,
the current patch to 261755 is _not_ acceptable for inclusion into a
stable release, because it is too clumpsy. It is of no use to filter the
printout to the console (after adding localized characters), but the
sanitation should take part of the input stream.

Therefore, IMHO the right fix to the other bug is a prerequisite to be
able to finally release with a good version of wget.

Some annotations to the listed bugs:

Can (1) really happen in a normal scenario? According to the man page
  When running Wget without -N, -nc, or -r, downloading the same file in
  the same directory will result in the original copy of file being
  preserved and the second copy being named file.1.
So, this case will happen only if -r is specified. (Or is wget buggy to
allow the remote side to overwrite that documented behaviour?)

(2) seems to happen _exactly_ when the hostnames are created in the
directory hierarchy. This needs tackling.

(3) see my comment above.

(4) needs probably be discussed a bit more.

Cheers,
Andi
--
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C

Message-Id: <email address hidden>
Date: Sun, 23 Jan 2005 16:37:26 +0100
From: Andreas Barth <email address hidden>
To: <email address hidden>
Subject: reopening 261755

reopen 261755