diff options
| -rw-r--r-- | apt-pkg/cachefilter-patterns.cc | 56 | ||||
| -rw-r--r-- | apt-pkg/cachefilter-patterns.h | 130 | ||||
| -rw-r--r-- | apt-pkg/contrib/netrc.cc | 22 | ||||
| -rw-r--r-- | debian/NEWS | 10 | ||||
| -rw-r--r-- | doc/apt-patterns.7.xml | 46 | ||||
| -rw-r--r-- | doc/apt_auth.conf.5.xml | 14 | ||||
| -rwxr-xr-x | test/integration/test-apt-patterns | 56 | ||||
| -rwxr-xr-x | test/integration/test-authentication-basic | 42 |
8 files changed, 356 insertions, 20 deletions
diff --git a/apt-pkg/cachefilter-patterns.cc b/apt-pkg/cachefilter-patterns.cc index bf6166ee4..a9f76ff1d 100644 --- a/apt-pkg/cachefilter-patterns.cc +++ b/apt-pkg/cachefilter-patterns.cc @@ -6,8 +6,12 @@ * SPDX-License-Identifier: GPL-2.0+ */ +#include <config.h> + #include <apt-pkg/cachefilter-patterns.h> +#include <apti18n.h> + namespace APT { namespace Internal @@ -210,6 +214,12 @@ std::unique_ptr<APT::CacheFilter::Matcher> PatternParser::aPattern(std::unique_p if (node->matches("?architecture", 1, 1)) return std::make_unique<APT::CacheFilter::PackageArchitectureMatchesSpecification>(aWord(node->arguments[0])); + if (node->matches("?archive", 1, 1)) + return std::make_unique<Patterns::VersionIsArchive>(aWord(node->arguments[0])); + if (node->matches("?all-versions", 1, 1)) + return std::make_unique<Patterns::VersionIsAllVersions>(aPattern(node->arguments[0])); + if (node->matches("?any-version", 1, 1)) + return std::make_unique<Patterns::VersionIsAnyVersion>(aPattern(node->arguments[0])); if (node->matches("?automatic", 0, 0)) return std::make_unique<Patterns::PackageIsAutomatic>(file); if (node->matches("?broken", 0, 0)) @@ -232,21 +242,33 @@ std::unique_ptr<APT::CacheFilter::Matcher> PatternParser::aPattern(std::unique_p return std::make_unique<APT::CacheFilter::NOTMatcher>(aPattern(node->arguments[0]).release()); if (node->matches("?obsolete", 0, 0)) return std::make_unique<Patterns::PackageIsObsolete>(); + if (node->matches("?origin", 1, 1)) + return std::make_unique<Patterns::VersionIsOrigin>(aWord(node->arguments[0])); + if (node->matches("?section", 1, 1)) + return std::make_unique<Patterns::VersionIsSection>(aWord(node->arguments[0])); + if (node->matches("?source-package", 1, 1)) + return std::make_unique<Patterns::VersionIsSourcePackage>(aWord(node->arguments[0])); + if (node->matches("?source-version", 1, 1)) + return std::make_unique<Patterns::VersionIsSourceVersion>(aWord(node->arguments[0])); if (node->matches("?true", 0, 0)) return std::make_unique<APT::CacheFilter::TrueMatcher>(); if (node->matches("?upgradable", 0, 0)) return std::make_unique<Patterns::PackageIsUpgradable>(file); + if (node->matches("?version", 1, 1)) + return std::make_unique<Patterns::VersionIsVersion>(aWord(node->arguments[0])); if (node->matches("?virtual", 0, 0)) return std::make_unique<Patterns::PackageIsVirtual>(); if (node->matches("?x-name-fnmatch", 1, 1)) return std::make_unique<APT::CacheFilter::PackageNameMatchesFnmatch>(aWord(node->arguments[0])); // Variable argument patterns - if (node->matches("?and", 0, -1)) + if (node->matches("?and", 0, -1) || node->matches("?narrow", 0, -1)) { auto pattern = std::make_unique<APT::CacheFilter::ANDMatcher>(); for (auto &arg : node->arguments) pattern->AND(aPattern(arg).release()); + if (node->term == "?narrow") + return std::make_unique<Patterns::VersionIsAnyVersion>(std::move(pattern)); return pattern; } if (node->matches("?or", 0, -1)) @@ -272,6 +294,38 @@ std::string PatternParser::aWord(std::unique_ptr<PatternTreeParser::Node> &nodeP return node->word.to_string(); } +namespace Patterns +{ + +BaseRegexMatcher::BaseRegexMatcher(std::string const &Pattern) +{ + pattern = new regex_t; + int const Res = regcomp(pattern, Pattern.c_str(), REG_EXTENDED | REG_ICASE | REG_NOSUB); + if (Res == 0) + return; + + delete pattern; + pattern = NULL; + char Error[300]; + regerror(Res, pattern, Error, sizeof(Error)); + _error->Error(_("Regex compilation error - %s"), Error); +} +bool BaseRegexMatcher::operator()(const char *string) +{ + if (unlikely(pattern == NULL)) + return false; + else + return regexec(pattern, string, 0, 0, 0) == 0; +} +BaseRegexMatcher::~BaseRegexMatcher() +{ + if (pattern == NULL) + return; + regfree(pattern); + delete pattern; +} +} // namespace Patterns + } // namespace Internal // The bridge into the public world diff --git a/apt-pkg/cachefilter-patterns.h b/apt-pkg/cachefilter-patterns.h index d37da815f..bd8ce7e7e 100644 --- a/apt-pkg/cachefilter-patterns.h +++ b/apt-pkg/cachefilter-patterns.h @@ -117,6 +117,21 @@ namespace Patterns { using namespace APT::CacheFilter; +/** \brief Basic helper class for matching regex */ +class BaseRegexMatcher +{ + regex_t *pattern; + + public: + BaseRegexMatcher(std::string const &string); + ~BaseRegexMatcher(); + bool operator()(const char *cstring); + bool operator()(std::string const &string) + { + return (*this)(string.c_str()); + } +}; + struct PackageIsAutomatic : public PackageMatcher { pkgCacheFile *Cache; @@ -229,6 +244,121 @@ struct PackageIsVirtual : public PackageMatcher return Pkg->VersionList == 0; } }; + +struct VersionAnyMatcher : public Matcher +{ + bool operator()(pkgCache::GrpIterator const &Grp) override { return false; } + bool operator()(pkgCache::VerIterator const &Ver) override = 0; + bool operator()(pkgCache::PkgIterator const &Pkg) override + { + for (auto Ver = Pkg.VersionList(); not Ver.end(); Ver++) + { + if ((*this)(Ver)) + return true; + } + return false; + } +}; + +struct VersionIsAllVersions : public Matcher +{ + std::unique_ptr<APT::CacheFilter::Matcher> base; + VersionIsAllVersions(std::unique_ptr<APT::CacheFilter::Matcher> base) : base(std::move(base)) {} + bool operator()(pkgCache::GrpIterator const &) override { return false; } + bool operator()(pkgCache::VerIterator const &Ver) override + { + return (*base)(Ver); + } + bool operator()(pkgCache::PkgIterator const &Pkg) override + { + for (auto Ver = Pkg.VersionList(); not Ver.end(); Ver++) + { + if (not(*this)(Ver)) + return false; + } + return true; + } +}; + +struct VersionIsAnyVersion : public VersionAnyMatcher +{ + std::unique_ptr<APT::CacheFilter::Matcher> base; + VersionIsAnyVersion(std::unique_ptr<APT::CacheFilter::Matcher> base) : base(std::move(base)) {} + bool operator()(pkgCache::VerIterator const &Ver) override + { + return (*base)(Ver); + } +}; + +struct VersionIsArchive : public VersionAnyMatcher +{ + BaseRegexMatcher matcher; + VersionIsArchive(std::string const &pattern) : matcher(pattern) {} + bool operator()(pkgCache::VerIterator const &Ver) override + { + for (auto VF = Ver.FileList(); not VF.end(); VF++) + { + if (VF.File().Archive() && matcher(VF.File().Archive())) + return true; + } + return false; + } +}; + +struct VersionIsOrigin : public VersionAnyMatcher +{ + BaseRegexMatcher matcher; + VersionIsOrigin(std::string const &pattern) : matcher(pattern) {} + bool operator()(pkgCache::VerIterator const &Ver) override + { + for (auto VF = Ver.FileList(); not VF.end(); VF++) + { + if (VF.File().Origin() && matcher(VF.File().Origin())) + return true; + } + return false; + } +}; + +struct VersionIsSection : public VersionAnyMatcher +{ + BaseRegexMatcher matcher; + VersionIsSection(std::string const &pattern) : matcher(pattern) {} + bool operator()(pkgCache::VerIterator const &Ver) override + { + return matcher(Ver.Section()); + } +}; + +struct VersionIsSourcePackage : public VersionAnyMatcher +{ + BaseRegexMatcher matcher; + VersionIsSourcePackage(std::string const &pattern) : matcher(pattern) {} + bool operator()(pkgCache::VerIterator const &Ver) override + { + return matcher(Ver.SourcePkgName()); + } +}; + +struct VersionIsSourceVersion : public VersionAnyMatcher +{ + BaseRegexMatcher matcher; + VersionIsSourceVersion(std::string const &pattern) : matcher(pattern) {} + bool operator()(pkgCache::VerIterator const &Ver) override + { + return matcher(Ver.SourceVerStr()); + } +}; + +struct VersionIsVersion : public VersionAnyMatcher +{ + BaseRegexMatcher matcher; + VersionIsVersion(std::string const &pattern) : matcher(pattern) {} + bool operator()(pkgCache::VerIterator const &Ver) override + { + return matcher(Ver.VerStr()); + } +}; } // namespace Patterns } // namespace Internal } // namespace APT diff --git a/apt-pkg/contrib/netrc.cc b/apt-pkg/contrib/netrc.cc index ee1996f8d..2069a0394 100644 --- a/apt-pkg/contrib/netrc.cc +++ b/apt-pkg/contrib/netrc.cc @@ -72,6 +72,26 @@ bool MaybeAddAuth(FileFd &NetRCFile, URI &Uri) active_token = MACHINE; break; case MACHINE: + // If token contains a protocol: Check it first, and strip it away if + // it matches. If it does not match, ignore this stanza. + // If there is no protocol, only allow https protocols. + if (token.find("://") != std::string::npos) + { + if (not APT::String::Startswith(token, Uri.Access + "://")) + { + active_token = NO; + break; + } + token.erase(0, Uri.Access.length() + 3); + } + else if (Uri.Access != "https" && Uri.Access != "tor+https") + { + if (Debug) + std::clog << "MaybeAddAuth: Rejecting matching host adding '" << Uri.User << "' and '" << Uri.Password << "' for " + << (std::string)Uri << " from " << NetRCFile.Name() << "as the protocol is not https" << std::endl; + active_token = NO; + break; + } if (token.find('/') == std::string::npos) { if (Uri.Port != 0 && Uri.Host == token) @@ -168,7 +188,7 @@ bool IsAuthorized(pkgCache::PkgFileIterator const I, std::vector<std::unique_ptr } // FIXME: Use the full base url - URI uri(std::string("http://") + I.Site() + "/"); + URI uri(std::string("https://") + I.Site() + "/"); for (auto &authconf : authconfs) { if (not authconf->IsOpen()) diff --git a/debian/NEWS b/debian/NEWS index e8cb4e279..555791602 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,13 @@ +apt (1.9.5) UNRELEASED; urgency=medium + + Credentials in apt_auth.conf(5) now only apply to https and tor+https + sources to avoid them being leaked over plaintext (Closes: #945911). To + opt-in to http, add http:// before the hostname. Note that this will transmit + credentials in plain text, which you do not want on devices that could be + operating in an untrusted network. + + -- Julian Andres Klode <juliank@ubuntu.com> Mon, 02 Dec 2019 11:45:52 +0100 + apt (1.8.0~alpha3) unstable; urgency=medium The PATH for running dpkg is now configured by the option DPkg::Path, diff --git a/doc/apt-patterns.7.xml b/doc/apt-patterns.7.xml index efd4293dc..219d2c209 100644 --- a/doc/apt-patterns.7.xml +++ b/doc/apt-patterns.7.xml @@ -61,6 +61,23 @@ </variablelist> </refsect1> <refsect1> + <title>Narrowing patterns</title> + <para> + </para> + <variablelist> + <varlistentry><term><code>?all-versions(PATTERN)</code></term> + <listitem><para>Selects packages where all versions match PATTERN. When matching versions instead, same as PATTERN.</para></listitem> + </varlistentry> + <varlistentry><term><code>?any-version(PATTERN)</code></term> + <listitem><para>Selects any version where the pattern matches on the version.</para> + <para>For example, while <code>?and(?version(1),?version(2))</code> matches a package which has one version containing 1 and one version containing 2, <code>?any-version(?and(?version(1),?version(2)))</code> restricts the <code>?and</code> to act on the same version.</para></listitem> + </varlistentry> + <varlistentry><term><code>?narrow(PATTERN...)</code></term> + <listitem><para>Selects any version matching all PATTERNs, short for<code>?any-version(?and(PATTERN...))</code>.</para></listitem> + </varlistentry> + </variablelist> + </refsect1> + <refsect1> <title>Package patterns</title> <para> These patterns select specific packages. @@ -106,6 +123,32 @@ </varlistentry> </variablelist> </refsect1> + <refsect1> + <title>Version patterns</title> + <para> + These patterns select specific versions of a package. + </para> + <variablelist> + <varlistentry><term><code>?archive(REGEX)</code></term> + <listitem><para>Selects versions that come from the archive that matches the specified regular expression. Archive, here, means the values after <code>a=</code> in <command>apt-cache policy</command>.</para></listitem> + </varlistentry> + <varlistentry><term><code>?origin(REGEX)</code></term> + <listitem><para>Selects versions that come from the origin that matches the specified regular expression. Origin, here, means the values after <code>o=</code> in <command>apt-cache policy</command>.</para></listitem> + </varlistentry> + <varlistentry><term><code>?section(REGEX)</code></term> + <listitem><para>Selects versions where the section matches the specified regular expression.</para></listitem> + </varlistentry> + <varlistentry><term><code>?source-package(REGEX)</code></term> + <listitem><para>Selects versions where the source package name matches the specified regular expression.</para></listitem> + </varlistentry> + <varlistentry><term><code>?source-version(REGEX)</code></term> + <listitem><para>Selects versions where the source package version matches the specified regular expression.</para></listitem> + </varlistentry> + <varlistentry><term><code>?version(REGEX)</code></term> + <listitem><para>Selects versions where the version string matching the specified regular expression.</para></listitem> + </varlistentry> + </variablelist> + </refsect1> <refsect1><title>Examples</title> @@ -147,6 +190,9 @@ <listitem> <para>A trailing comma is allowed in argument lists</para> </listitem> + <listitem> + <para>?narrow accepts infinite arguments</para> + </listitem> </itemizedlist> </refsect1> diff --git a/doc/apt_auth.conf.5.xml b/doc/apt_auth.conf.5.xml index e7961ef81..99394be00 100644 --- a/doc/apt_auth.conf.5.xml +++ b/doc/apt_auth.conf.5.xml @@ -50,7 +50,7 @@ Unknown tokens will be ignored. Tokens may be separated by spaces, tabs or newli <variablelist> <varlistentry> -<term><literal>machine</literal> <replaceable>hostname</replaceable>[:<replaceable>port</replaceable>][/<replaceable>path</replaceable>]</term> +<term><literal>machine</literal> <replaceable>[protocol://]</replaceable><replaceable>hostname</replaceable>[:<replaceable>port</replaceable>][/<replaceable>path</replaceable>]</term> <listitem><para>Entries are looked up by searching for the <emphasis><literal>machine</literal></emphasis> token matching the hostname of the URI apt needs login information for. Extending the netrc-format @@ -60,7 +60,8 @@ different login information reside on the same server. A machine token with a pa matches if the path in the URI starts with the path given in the token. Once a match is made, the subsequent tokens are processed, stopping when the end of file is reached or another <emphasis><literal>machine</literal></emphasis> -token is encountered.</para></listitem> +token is encountered.</para> +<para>If protocol is not specified, the entry only matches https and tor+https.</para></listitem> </varlistentry> <varlistentry> @@ -80,9 +81,9 @@ token is encountered.</para></listitem> <refsect1><title>Example</title> <para>Supplying login information for a user named <literal>apt</literal> with the password <literal>debian</literal> for the &sources-list; entry -<literallayout>deb http://example.org/debian &debian-stable-codename; main</literallayout> +<literallayout>deb https://example.org/debian &debian-stable-codename; main</literallayout> could be done in the entry directly: -<literallayout>deb http://apt:debian@example.org/debian &debian-stable-codename; main</literallayout> +<literallayout>deb https://apt:debian@example.org/debian &debian-stable-codename; main</literallayout> Alternatively an entry like the following in the auth.conf file could be used: <literallayout>machine example.org login apt @@ -95,7 +96,7 @@ machine example.org/debian login apt password debian machine example.org/debian/ login apt password debian </literallayout> On the other hand neither of the following lines apply: -<literallayout>machine example.org:80 login apt password debian +<literallayout>machine example.org:443 login apt password debian machine example.org/deb/ login apt password debian machine example.org/ubuntu login apt password debian machine example.orga login apt password debian @@ -111,6 +112,9 @@ also the implementation slightly. For maximum backward compatibility you should avoid multiple <literal>machine</literal> tokens with the same hostname, but if you need multiple they should all have a path specified in the <literal>machine</literal> token.</para> +<para>Login information in auth.conf are more flexible than those in sources.list. For +example, login information can be specified for parts of a repository only, or if the +sources.list entry redirects elsewhere, login information for the redirect destination can be supplied.</para> </refsect1> <refsect1> diff --git a/test/integration/test-apt-patterns b/test/integration/test-apt-patterns index 92c76edd1..06c552479 100755 --- a/test/integration/test-apt-patterns +++ b/test/integration/test-apt-patterns @@ -5,15 +5,16 @@ TESTDIR="$(readlink -f "$(dirname "$0")")" setupenvironment configarchitecture 'i386' 'amd64' -insertpackage 'unstable' 'available' 'all' '1.0' +insertpackage 'unstable' 'available' 'all' '1.0' 'Section: asection' insertinstalledpackage 'manual1' 'i386' '1.0' 'Depends: automatic1' insertinstalledpackage 'manual2' 'i386' '1.0' -insertinstalledpackage 'automatic1' 'i386' '1.0' -insertinstalledpackage 'automatic2' 'i386' '1.0' +insertinstalledpackage 'automatic1' 'i386' '1.0' 'Source: automatic (0)' +insertinstalledpackage 'automatic2' 'i386' '1.0' 'Source: automatic (1)' -insertinstalledpackage 'essential' 'i386' '1.0' 'Essential: yes' +insertinstalledpackage 'essential' 'i386' '1.0' 'Essential: yes +Section: asection' insertinstalledpackage 'conf-only' 'i386' '1.0' '' '' 'deinstall ok config-files' insertinstalledpackage 'broken' 'i386' '1.0' 'Depends: does-not-exist' @@ -22,6 +23,7 @@ insertpackage 'unstable' 'not-obsolete' 'all' '2.0' insertpackage 'unstable' 'foreign' 'amd64' '2.0' +getoriginfromsuite() { echo -n 'meow'; } setupaptarchive testsuccess aptmark auto automatic1 automatic2 @@ -103,6 +105,27 @@ testsuccessequal "Listing... automatic1/now 1.0 i386 [installed,local]" apt list '?and(?name(^automatic),?name(1$))' +msgmsg "Narrow and friends" +testsuccessequal "Listing... +not-obsolete/unstable 2.0 i386 [upgradable from: 1.0] +N: There is 1 additional version. Please use the '-a' switch to see it" apt list '?and(?version(^1\.0$),?version(^2\.0$))' + +testsuccessequal "Listing..." apt list '?any-version(?and(?version(^1\.0$),?version(^2\.0$)))' +testsuccessequal "Listing..." apt list '?narrow(?version(^1\.0$),?version(^2\.0$))' + +# XXX FIXME: I guess we do want this to only show version 1.0? +testsuccessequal "Listing... +not-obsolete/unstable 2.0 i386 [upgradable from: 1.0] +N: There is 1 additional version. Please use the '-a' switch to see it" apt list '?any-version(?and(?version(^1\.0$),?name(not-obsolete)))' +testsuccessequal "Listing... +not-obsolete/unstable 2.0 i386 [upgradable from: 1.0] +N: There is 1 additional version. Please use the '-a' switch to see it" apt list '?narrow(?version(^1\.0$),?name(not-obsolete))' + + +testsuccessequal "Listing... +foreign/unstable 2.0 amd64 +not-obsolete/unstable 2.0 i386 [upgradable from: 1.0]" apt list '?not(?all-versions(?version(^1)))' + msgmsg "Package patterns" testsuccessequal "Listing... @@ -113,6 +136,11 @@ testsuccessequal "Listing..." apt list '?architecture(foreign)' testsuccessequal "Listing..." apt list '?architecture(native)' testsuccessequal "Listing... +available/unstable 1.0 all +foreign/unstable 2.0 amd64 +not-obsolete/unstable 2.0 i386 [upgradable from: 1.0]" apt list '?archive(^unstable$)' + +testsuccessequal "Listing... automatic1/now 1.0 i386 [installed,local] automatic2/now 1.0 i386 [installed,local]" apt list '?automatic' @@ -158,9 +186,29 @@ foreign/unstable 2.0 amd64 not-obsolete/unstable 2.0 i386 [upgradable from: 1.0]" apt list '?not(?obsolete)' testsuccessequal "Listing... +available/unstable 1.0 all +foreign/unstable 2.0 amd64 +not-obsolete/unstable 2.0 i386 [upgradable from: 1.0]" apt list '?origin(^meow$)' + +testsuccessequal "Listing... +available/unstable 1.0 all +essential/now 1.0 i386 [installed,local]" apt list '?section(asection)' + +testsuccessequal "Listing... +automatic1/now 1.0 i386 [installed,local] +automatic2/now 1.0 i386 [installed,local]" apt list '?source-package(^automatic$)' + +testsuccessequal "Listing... +automatic2/now 1.0 i386 [installed,local]" apt list '?source-version(^1$)' + +testsuccessequal "Listing... not-obsolete/unstable 2.0 i386 [upgradable from: 1.0] N: There is 1 additional version. Please use the '-a' switch to see it" apt list '?upgradable' +testsuccessequal "Listing... +foreign/unstable 2.0 amd64 +not-obsolete/unstable 2.0 i386 [upgradable from: 1.0]" apt list '?version(2.0)' + testsuccessequal "Package: does-not-exist State: not a real package (virtual) N: Can't select candidate version from package does-not-exist as it has no candidate diff --git a/test/integration/test-authentication-basic b/test/integration/test-authentication-basic index 211c73e35..5aafaade0 100755 --- a/test/integration/test-authentication-basic +++ b/test/integration/test-authentication-basic @@ -65,35 +65,59 @@ runtest() { authfile '' testauthfailure "$1" + protocol="${1%%://*}" + # good auth - authfile 'machine localhost + authfile "machine ${protocol}://localhost login star@irc -password hunter2' +password hunter2" testauthsuccess "$1" # bad auth - authfile 'machine localhost + authfile "machine ${protocol}://localhost login anonymous -password hunter2' +password hunter2" testauthfailure "$1" # 2 stanzas: unmatching + good auth - authfile 'machine debian.org + authfile "machine ${protocol}://debian.org login debian password jessie -machine localhost +machine ${protocol}://localhost login star@irc -password hunter2' +password hunter2" testauthsuccess "$1" + # no protocol specifier + authfile "machine localhost +login star@irc +password hunter2" + if [ "$protocol" = "https" ]; then + testauthsuccess "$1" + else + testauthfailure "$1" + fi + + # wrong protocol specifier + if [ "$protocol" = "https" ]; then + authfile "machine http://localhost +login star@irc +password hunter2" + else + authfile "machine https://localhost +login star@irc +password hunter2" + fi + testauthfailure "$1" + # delete file, make sure it fails; add auth.conf.d snippet, works again. rm rootdir/etc/apt/auth.conf testauthfailure "$1" - authfile 'machine localhost + authfile "machine ${protocol}://localhost login star@irc -password hunter2' rootdir/etc/apt/auth.conf.d/myauth.conf +password hunter2" rootdir/etc/apt/auth.conf.d/myauth.conf testauthsuccess "$1" rm rootdir/etc/apt/auth.conf.d/myauth.conf } |