summaryrefslogtreecommitdiff
path: root/test
Commit message (Collapse)AuthorAgeFilesLines
* Adjust code for missing includes/using std::stringJulian Andres Klode2019-06-121-0/+1
|
* http: Fix Host header in proxied https connectionsSimon Körner2019-06-111-0/+22
| | | | | | | | | | | | | | Currently CONNECT requests use the name of the proxy as Host value, instead of the origin server's name. According to RFC 2616 "The Host field value MUST represent the naming authority of the origin server or gateway given by the original URL." The current implementation causes problems with some proxy vendors. This commit fixes this. [jak: Adding a test case] See merge request apt-team/apt!66
* Introduce apt satisfy and apt-get satisfyJulian Andres Klode2019-06-111-0/+72
| | | | | | | | | | | | | | | | | | Allow to satisfy dependency strings supplied on the command line, optionally prefixed with "Conflicts:" to satisfy them like Conflicts. Build profiles and architecture restriction lists, as used in build dependencies, are supported as well. Compared to build-dep, build-essential is not installed automatically, and installing of recommended packages follows the global default, which defaults to yes. Closes: #275379 See merge request apt-team/apt!63
* Make APT::StringView publicJulian Andres Klode2019-06-111-3/+0
|
* CMake: Enforce "override" use on overriden methodsJulian Andres Klode2019-05-061-0/+2
| | | | | This ensures that we do not accidentally stop overriding a method because it's signature changed in an API break.
* Use debDebFile to get control file instead of dpkg-debJulian Andres Klode2019-05-061-3/+3
|
* Merge libapt-inst into libapt-pkgJulian Andres Klode2019-05-062-3/+3
|
* Add test case for local-only packages pinned to neverJulian Andres Klode2019-04-151-1/+14
| | | | Test from the fix for the regression in trusty for LP #1821308.
* Add explicit message for unsupported binary signatureDavid Kalnischkies2019-03-031-0/+22
| | | | | | | | | | | | | | | | | | | | | | | Verifying the content of Release.gpg made us fail on binary signatures which were never officially supported (apt-secure manpage only documents only the generation of ASCII armored), but silently accepted by gpgv as we passed it on unchecked before. The binary format is complex and is itself split into old and new formats so adding support for this would not only add lots of code but also a good opportunity for bugs and dubious benefit. Reporting this issue explicitly should help repository creators figure out the problem faster than the default NODATA message hinting at captive portals. Given that the binary format has no file magic or any other clear and simple indication that this is a detached signature we guess based on the first two bits only – and by that only supporting the "old" binary format which seems to be the only one generated by gnupg in this case. References: e2965b0b6bdd68ffcad0e06d11755412a7e16e50 Closes: #921685
* Fix various typos in the documentationJakub Wilk2019-02-102-2/+2
|
* Merge branch 'pu/dead-pin' into 'master'Julian Andres Klode2019-02-042-3/+123
|\ | | | | | | | | A pin of -32768 overrides any other, disables repo See merge request apt-team/apt!40
| * Add a Packages-Require-Authorization Release file fieldJulian Andres Klode2019-02-011-0/+61
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new field allows a repository to declare that access to packages requires authorization. The current implementation will set the pin to -32768 if no authorization has been provided in the auth.conf(.d) files. This implementation is suboptimal in two aspects: (1) A repository should behave more like NotSource repositories (2) We only have the host name for the repository, we cannot use paths yet. - We can fix those after an ABI break. The code also adds a check to acquire-item.cc to not use the specified repository as a download source, mimicking NotSource.
| * Introduce experimental 'never' pinning for sourcesJulian Andres Klode2019-02-011-3/+62
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This allows disabling a repository by pinning it to 'never', which is internally translated to a value of -32768 (or whatever the minimum of short is). This overrides any other pin for that repository. It can be used to make sure certain sources are never used; for example, in unattended-upgrades. To prevent semantic changes to existing files, we substitute min + 1 for every pin-priority: <min>. This is a temporary solution, as we are waiting for an ABI break. To add pins with that value, the special Pin-Priority "never" may be used for now. It's unclear if that will persist, or if the interface will change eventually.
* | Merge branch 'pu/refuseunsignedlines' into 'master'Julian Andres Klode2019-02-015-44/+225
|\ \ | | | | | | | | | | | | Fail if InRelease or Release.gpg contain unsigned lines See merge request apt-team/apt!45
| * | Refuse files with lines unexpectedly starting with a dashDavid Kalnischkies2019-01-281-1/+124
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We support dash-encoding even if we don't really work with files who would need it as implementations are free to encode every line, but otherwise a line starting with a dash must either be a header we parse explicitly or the file is refused. This is against the RFC which says clients should warn on such files, but given that we aren't expecting any files with dash-started lines to begin with this looks a lot like a we should not continue to touch the file as it smells like an attempt to confuse different parsers by "hiding" headers in-between others. The other slightly more reasonable explanation would be an armor header key starting with a dash, but no existing key does that and it seems unlikely that this could ever happen. Also, it is recommended that clients warn about unknown keys, so new appearance is limited.
| * | Merge and reuse tmp file handling across the boardDavid Kalnischkies2019-01-241-0/+7
| | | | | | | | | | | | | | | | | | Having many rather similar implementations especially if one is exported while others aren't (and the rest of it not factored out at all) seems suboptimal.
| * | Fail on non-signature lines in Release.gpgDavid Kalnischkies2019-01-232-16/+75
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The exploit for CVE-2019-3462 uses the fact that a Release.gpg file can contain additional content beside the expected detached signature(s). We were passing the file unchecked to gpgv which ignores these extras without complains, so we reuse the same line-reading implementation we use for InRelease splitting to detect if a Release.gpg file contains unexpected data and fail in this case given that we in the previous commit we established that we fail in the similar InRelease case now.
| * | Fail instead of warn for unsigned lines in InReleaseDavid Kalnischkies2019-01-232-27/+19
| |/ | | | | | | | | | | | | | | | | | | | | | | The warnings were introduced 2 years ago without any reports from the wild about them actually appearing for anyone, so now seems to be an as good time as any to switch them to errors. This allows rewritting the code by failing earlier instead of trying to keep going which makes the diff a bit hard to follow but should help simplifying reasoning about it. References: 6376dfb8dfb99b9d182c2fb13aa34b2ac89805e3
* / Step over empty sections in TagFiles with commentsDavid Kalnischkies2019-02-012-0/+70
|/ | | | | | | | Implementing a parser with recursion isn't the best idea, but in practice we should get away with it for the time being to avoid needless codechurn. Closes: #920317 #921037
* Merge branch 'pu/gpgvsignedby' into 'master'Julian Andres Klode2019-01-221-21/+43
|\ | | | | | | | | Report keys used to sign file from gpgv method to acquire system See merge request apt-team/apt!44
| * Communicate back which key(s) were used for signingDavid Kalnischkies2019-01-221-20/+42
| | | | | | | | | | | | | | Telling the acquire system which keys caused the gpgv method to succeed allows us for now just a casual check if the gpgv method really executed catching bugs like CVE-2018-0501, but we will make use of the information for better features in the following commits.
| * Refactor internal Signers information storage in gpgvDavid Kalnischkies2019-01-221-19/+19
| | | | | | | | | | | | | | | | | | Having a method take a bunch of string vectors is bad style, so we change this to a wrapping struct and adapt the rest of the code brushing it up slightly in the process, which results even in a slightly "better" debug output, no practical change otherwise. Gbp-Dch: Ignore
* | SECURITY UPDATE: content injection in http method (CVE-2019-3462)Julian Andres Klode2019-01-221-0/+66
|/ | | | | | | | | | | | | | | | | This fixes a security issue that can be exploited to inject arbritrary debs or other files into a signed repository as followed: (1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is \n encoded) (2) apt method decodes the redirect (because the method encodes the URLs before sending them out), writting something like somewhere\n <headers> into its output (3) apt then uses the headers injected for validation purposes. Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec LP: #1812353
* Merge branch 'pu/dpkg-path' into 'master'Julian Andres Klode2018-12-102-0/+38
|\ | | | | | | | | Set PATH=/usr/sbin:/usr/bin:/sbin:/bin when running dpkg See merge request apt-team/apt!38
| * Set PATH=/usr/sbin:/usr/bin:/sbin:/bin when running dpkgJulian Andres Klode2018-12-102-0/+38
| | | | | | | | | | | | | | | | | | This avoids a lot of problems from local installations of scripting languages and other stuff in /usr/local for which maintainer scripts are not prepared. [v3: Inherit PATH during tests, check overrides work] [v2: Add testing]
* | Add support for /etc/apt/auth.conf.d/*.conf (netrcparts)Julian Andres Klode2018-12-041-1/+12
|/ | | | | | | | | This allows us to install matching auth files for sources.list.d files, for example; very useful. This converts aptmethod's authfd from one FileFd to a vector of pointers to FileFd, as FileFd cannot be copied, and move operators are hard.
* Merge branch 'bugfix/spaceinconfig' into 'master'Julian Andres Klode2018-12-041-0/+14
|\ | | | | | | | | Use quoted tagnames in config dumps See merge request apt-team/apt!32
| * Use quoted tagnames in config dumpsDavid Kalnischkies2018-11-291-0/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Tagnames in configuration can include spaces (and other nasties) e.g. in repository-specific configuration options due to Origin/Label potentially containing a space. The configuration file format supports parsing quoted as well as encoded spaces, but the output generated by apt-config and other places which might be feedback into apt via parsing (e.g. before calling apt-key in our gpgv method) do not quote and hence produce invalid configuration files. Changing the default to be an encoded tagname ensures that the output of dump can be used as a config file, but other users might not expect this so that is technically a backward-breaking change.
* | Provide a "autopurge" shortcutJulian Andres Klode2018-12-031-0/+15
| | | | | | | | | | | | | | This adds a new "autopurge" command that will is a shortcut for "autoremove --purge" Thanks: Michael Vogt for the initial work
* | test-pdiff-usage: make transaction failure test case more robustJulian Andres Klode2018-12-031-1/+7
|/ | | | Try 10 times in a row
* Fix typo reported by codespell in code commentsDavid Kalnischkies2018-11-251-1/+1
| | | | | | | | No user visible change expect for some years old changelog entries, so we don't really need to add a new one for this… Reported-By: codespell Gbp-Dch: Ignore
* Allow to override the directory of a request in aptwebserverDavid Kalnischkies2018-11-251-2/+9
| | | | | | | | | The filename can be overridden, but sometimes it is useful to do it only for the directory-part of the filename – e.g. if you want to let a flat archive directory (like /var/cache/apt/archives) serve a pool-based request like /pool/a/apt_version.deb. Gbp-Dch: Ignore
* aptwebserver: Prevent XSS in debug and file listingDavid Kalnischkies2018-11-251-24/+36
| | | | | | | | | | | We sometimes autogenerate HTML pages e.g. for listing files in a directory or for various error codes. If this would be a serious webserver this would be a security problem (althrough a bit hard to exploit), but as it is not shipped and intended to be used by our testcases only the world hasn't ended &amp; we can ignore it for changelog and fix it for brownie points. Gbp-Dch: Ignore
* aptwebserver: Guess Content-Type from filename extensionDavid Kalnischkies2018-11-251-1/+85
| | | | | | | | | | Browsing pages served via aptwebserver is working better if we tell the browser the Content-Type which for this simple usecase we can just do by guessing based on the file extension – and because hardcoding a list would be boring we just reuse the mime.types data from mime-support if available and allow it to be overridden by files and config. Gbp-Dch: Ignore
* Print useful error on "apt changelog" without argumentsJulian Andres Klode2018-11-211-0/+5
| | | | Fixes Debian/apt#77
* Merge branch 'feature/subkeys' into 'master'Julian Andres Klode2018-10-148-10/+147
|\ | | | | | | | | Support subkeys and multiple keyrings in Signed-By options See merge request apt-team/apt!27
| * Support multiple keyrings in sources.list Signed-ByDavid Kalnischkies2018-09-113-8/+55
| | | | | | | | | | | | | | A user can specify multiple fingerprints for a while now, so its seems counter-intuitive to support only one keyring, especially if this isn't really checked or enforced and while unlikely mixtures of both should work properly, too, instead of a kinda random behaviour.
| * Support subkeys properly in Signed-By optionsDavid Kalnischkies2018-09-117-2/+92
| | | | | | | | | | | | | | | | If we limit a file to be signed by a certain key it should usually accept also being signed by any of this keys subkeys instead of requiring each subkey to be listed explicitly. If the later is really wanted we support now also the same syntax as gpg does with appending an exclamation mark at the end of the fingerprint to force no mapping.
* | Default to https: scheme for fetching Debian changelogsBen Hutchings2018-10-132-3/+3
| | | | | | | | Closes: #910941
* | Set DPKG_FRONTEND_LOCKED when running {pre,post}-invoke scriptsJulian Andres Klode2018-10-051-0/+80
| | | | | | | | | | | | | | | | | | Some post-invoke scripts install packages, which fails because the environment variable is not set. This sets the variable for all three kinds of scripts {pre,post-}invoke and pre-install-pkgs, but we will only allow post-invoke at a later time. Gbp-Dch: full
* | Deal with descriptions embedded in displayed record correctlyDavid Kalnischkies2018-09-201-2/+68
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The implementation of "apt-cache show" (not "apt show") incorrectly resets the currently used parser if the record itself and the description to show come from the same file (as it is the case if no Translation-* files are available e.g. after debootstrap). The code is more complex than you would hope to support some rather unusual setups involving Descriptions and their translations as tested for by ./test-bug-712435-missing-descriptions as otherwise this could be a one-line change. Regression-Of: bf53f39c9a0221b670ffff74053ed36fc502d5a0 Closes: #909155
* | Merge branch 'bugfix/statusfd' into 'master'Julian Andres Klode2018-09-184-57/+78
|\ \ | | | | | | | | | | | | Process all of --status-fd and don't expect duplicate status msg See merge request apt-team/apt!26
| * | Reorder progress report messagesDavid Kalnischkies2018-09-112-22/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We are seeing 'processing' messages from dpkg first, so it makes sense to translate them to "Preparing" messages instead of using "Installing" and co to override these shortly after with the "Preparing" messages. The difference isn't all to visible as later messages tend to linger far longer in the display than the ealier ones, but at least in a listing it seems more logical.
| * | Don't expect duplicated dpkg status-fd messagesDavid Kalnischkies2018-09-114-50/+71
| |/ | | | | | | | | | | | | | | | | | | | | The progress reporting relies on parsing the status reports of dpkg which used to repeat being in the same state multiple times in the same run, but by fixing #365921 it will stop doing so. The problem is in theory just with 'config-files' in case we do purge as this (can) do remove + purge in one step, but we remove this also for the unpack + configure combination althrough we handle these currently in two independent dpkg calls.
* / Show all architectures in 'apt list' outputDavid Kalnischkies2018-09-151-4/+23
|/ | | | | | | | | The uniqueness in std::set containers is ensured by the ordering operator we provide, but it was not considering that different versions can have the same description like the different architectures for a version of a package. Closes: #908218
* Unset more environment variables in test frameworkDavid Kalnischkies2018-09-111-2/+5
| | | | | | | | | It is an uphill battle to "reset" the environment to a clean state without making it needlessly hard to use 'good' environment variables, so we just try a little harder here without really trying for completeness. Gbp-Dch: Ignore
* Don't use gpg directly in apt-key testDavid Kalnischkies2018-09-101-1/+1
| | | | | Reported-By: Guillem Jover <guillem@debian.org> Gbp-Dch: Ignore
* Fix typos reported by codespell & spellintianDavid Kalnischkies2018-08-291-1/+1
| | | | | | | | No user-visible change as it effects mostly code comments and not a single error message, manpage or similar. Reported-By: codespell & spellintian Gbp-Dch: Ignore
* Don't use invalid iterator in Fallback-Of handlingDavid Kalnischkies2018-08-292-2/+23
| | | | | | | | | | | | | cppcheck reports: (error) Iterator 't' used after element has been erased. The loop is actually fashioned to deal with this (not in the most efficient way, but in simplest and speed isn't really a concern here) IF this codepath had a "break" at the end… so I added one. Note that the tests aren't failing before (and hopefully after) the change as the undefined behavior we encounter is too stable. Thanks: David Binderman for reporting
* clear alternative URIs for mirror:// between steps (CVE-2018-0501)David Kalnischkies2018-08-202-0/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | APT in 1.6 saw me rewriting the mirror:// transport method, which works comparable to the decommissioned httpredir.d.o "just" that apt requests a mirror list and performs all the redirections internally with all the bells like parallel download and automatic fallback (more details in the apt-transport-mirror manpage included in the 1.6 release). The automatic fallback is the problem here: The intend is that if a file fails to be downloaded (e.g. because the mirror is offline, broken, out-of-sync, …) instead of erroring out the next mirror in the list is contacted for a retry of the download. Internally the acquire process of an InRelease file (works with the Release/Release.gpg pair, too) happens in steps: 1) download file and 2) verify file, both handled as URL requests passed around. Due to an oversight the fallbacks for the first step are still active for the second step, so that the successful download from another mirror stands in for the failed verification… *facepalm* Note that the attacker can not judge by the request arriving for the InRelease file if the user is using the mirror method or not. If entire traffic is observed Eve might be able to observe the request for a mirror list, but that might or might not be telling if following requests for InRelease files will be based on that list or for another sources.list entry not using mirror (Users have also the option to have the mirror list locally (via e.g. mirror+file://) instead of on a remote host). If the user isn't using mirror:// for this InRelease file apt will fail very visibly as intended. (The mirror list needs to include at least two mirrors and to work reliably the attacker needs to be able to MITM all mirrors in the list. For remotely accessed mirror lists this is no limitation as the attacker is in full control of the file in that case) Fixed by clearing the alternatives after a step completes (and moving a pimpl class further to the top to make that valid compilable code). mirror:// is at the moment the only method using this code infrastructure (for all others this set is already empty) and the only method-independent user so far is the download of deb files, but those are downloaded and verified in a single step; so there shouldn't be much opportunity for regression here even through a central code area is changed. Upgrade instructions: Given all apt-based frontends are affected, even additional restrictions like signed-by are bypassed and the attack in progress is hardly visible in the progress reporting of an update operation (the InRelease file is marked "Ign", but no fallback to "Release/Release.gpg" is happening) and leaves no trace (expect files downloaded from the attackers repository of course) the best course of action might be to change the sources.list to not use the mirror family of transports ({tor+,…}mirror{,+{http{,s},file,…}}) until a fixed version of the src:apt packages are installed. Regression-Of: 355e1aceac1dd05c4c7daf3420b09bd860fd169d, 57fa854e4cdb060e87ca265abd5a83364f9fa681 LP: #1787752