Diffstat (limited to 'meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch')
-rw-r--r-- | meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch | 73 |
1 files changed, 73 insertions, 0 deletions
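--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
@@ -0,0 +1,73 @@
+From 6c5471e4834aebd7359d88b760b087136473bac8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 13:51:48 +0100
+Subject: [PATCH 1/2] Don't use extended attributes (--xattr) by default
+
+* src/init.c (defaults): Set enable_xattr to false by default
+* src/main.c (print_help): Reverse option logic of --xattr
+* doc/wget.texi: Add description for --xattr
+
+Users may not be aware that the origin URL and Referer are saved
+including credentials, and possibly access tokens within
+the urls.
+
+CVE: CVE-2018-20483 patch 1
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+doc/wget.texi | 8 ++++++++
+src/init.c | 4 ----
+src/main.c | 2 +-
+3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/doc/wget.texi b/doc/wget.texi
+index eaf6b380..3f9d7c1c 100644
+--- a/doc/wget.texi
++++ b/doc/wget.texi
+@@ -540,6 +540,14 @@ right NUMBER.
+Set preferred location for Metalink resources. This has effect if multiple
+resources with same priority are available.
+
++@cindex xattr
++@item --xattr
++Enable use of file system's extended attributes to save the
++original URL and the Referer HTTP header value if used.
++
++Be aware that the URL might contain private information like
++access tokens or credentials.
++
+
+@cindex force html
+@item -F
+diff --git a/src/init.c b/src/init.c
+index eb81ab47..800970c5 100644
+--- a/src/init.c
++++ b/src/init.c
+@@ -509,11 +509,7 @@ defaults (void)
+opt.hsts = true;
+#endif
+
+-#ifdef ENABLE_XATTR
+- opt.enable_xattr = true;
+-#else
+opt.enable_xattr = false;
+-#endif
+}
+
+/* Return the user's home directory (strdup-ed), or NULL if none is
+diff --git a/src/main.c b/src/main.c
+index 81db9319..6ac1621b 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -754,7 +754,7 @@ Download:\n"),
+#endif
+#ifdef ENABLE_XATTR
+N_("\
+- --no-xattr turn off storage of metadata in extended file attributes\n"),
++ --xattr turn on storage of metadata in extended file attributes\n"),
+#endif
+"\n",
+
+--
+2.19.1
+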
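Review bot: The `src/init.c` hunk only flips the default in `defaults()` to `opt.enable_xattr = false;`, so anyone who passes `--xattr` still gets the origin URL and Referer written to extended attributes, and per the commit message those can include credentials and access tokens. The subject marks this as `[PATCH 1/2]`, so the fix for CVE-2018-20483 is presumably complete only with the second patch. The diffstat here is limited to this one file, so it is worth confirming that the recipe's `SRC_URI` lists both patches, in order. Separately, the provenance link is plain HTTP; I would write it as `Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8]` and compare the backport against that commit, since the `From` hash in the header differs from the upstream id.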