Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=2.1.2 2020-01-14T12:10:36Z 2020-01-14T12:10:36Z Julian Andres Klode julian.klode@canonical.com 2020-01-07T20:21:35Z urn:sha1:8c1a37e12790a23f3b132899485e011f9134b483 Remove it everywhere, except where it is still needed. 2019-06-17T16:28:52Z Julian Andres Klode julian.klode@canonical.com 2019-06-17T16:28:52Z urn:sha1:97553e635d2265ec4aad96b00b1fd72d98437f15 We are converting to std::string anyway by passing to istringstream, and this removes the need for .c_str() in callers. 2019-01-30T12:33:24Z Julian Andres Klode julian.klode@canonical.com 2019-01-23T12:57:45Z urn:sha1:711cda2302b0dfe5d4ab0588b245ae4a97863e5b As a follow-up for CVE-2019-3462, add checks similar to those for redirect to the central SendMessage() function. The checks are a bit more relaxed for values - they may include newlines and unicode characters (newlines get rewritten, so are safe). For keys and the message header, the checks are far more strict: They may only contain alphanumerical characters, the hyphen-minus, and the horizontal space. In case the method tries to send anything else, we construct a legal 400 URI Failed response, and send that. We specifically do not include the item URI, in case it has been compromised (that would cause infinite recursion). 2019-01-22T11:50:59Z Julian Andres Klode julian.klode@canonical.com 2019-01-18T08:13:52Z urn:sha1:5eb01ec13f3ede4bae5e60eb16bd8cffb7c03e1b This fixes a security issue that can be exploited to inject arbritrary debs or other files into a signed repository as followed: (1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is \n encoded) (2) apt method decodes the redirect (because the method encodes the URLs before sending them out), writting something like somewhere\n <headers> into its output (3) apt then uses the headers injected for validation purposes. Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec LP: #1812353 2018-05-07T11:41:31Z Guillem Jover guillem@debian.org 2018-05-06T20:32:41Z urn:sha1:164f1b78d1849a0f33df7352875f86e28f5de06a Prompted-by: Jakub Wilk <jwilk@debian.org> 2018-01-03T18:42:45Z David Kalnischkies david@kalnischkies.de 2017-10-27T22:01:27Z urn:sha1:04ab37fecaf286f724bef2e0969d2b67ab5ac1b1 Allowing a method to request work from other methods is a powerful capability which could be misused or exploited, so to slightly limited the surface let method opt-in into this capability on startup. 2018-01-03T17:55:41Z David Kalnischkies david@kalnischkies.de 2017-08-09T21:26:19Z urn:sha1:02567e3084d2faec92e8bf248e89fda6452e634b The format isn't too hard to get right, but it gets funny with multiline fields (which we don't really have yet) and its just easier to deal with it once and for all which can be reused for more messages later. 2017-10-22T16:52:16Z Julian Andres Klode jak@debian.org 2017-10-21T13:44:43Z urn:sha1:1a76517470ebc2dd3f96e39ebe6f3706d6dd78da This avoids running the Proxy-Auto-Detect script inside the untrusted (well, less trusted for now) sandbox. This will allow us to restrict the http method from fork()ing or exec()ing via seccomp. 2017-10-05T15:30:25Z David Kalnischkies david@kalnischkies.de 2017-08-09T21:05:34Z urn:sha1:19e525aac9a802f452100884fa142c5dc68b2db6 This isn't really used by the acquire system at all at the moment and the only method potentially sending this information is file://, but that used to be working correctly before broken in 2013, so better fix it now and worry about maybe using the data some day later. Regression-Of: b3501edb7091ca3aa6c2d6d96dc667b8161dd2b9 2017-07-12T11:57:51Z Julian Andres Klode jak@debian.org 2017-07-12T11:40:41Z urn:sha1:87274d0f22e1dfd99b2e5200e2fe75c1b804eac3 This makes it easier to see which headers includes what. The changes were done by running git grep -l '#\s*include' \ | grep -E '.(cc|h)$' \ | xargs sed -i -E 's/(^\s*)#(\s*)include/\1#\2 include/' To modify all include lines by adding a space, and then running ./git-clang-format.sh.