
Re: [Bug-wget] [PATCH 10/25] New document: Metalink/XML and Metalink/HTT


From: Matthew White
Subject: Re: [Bug-wget] [PATCH 10/25] New document: Metalink/XML and Metalink/HTTP standard reference
Date: Tue, 13 Sep 2016 09:20:15 +0200

On Sun, 11 Sep 2016 22:45:09 +0200
Giuseppe Scrivano <address@hidden> wrote:

> Matthew White <address@hidden> writes:
> 
> > [Coverity Scan is ok, make syntax-check is ok, make check-valgrind is ok, 
> > contrib/check-hard is ok]
> >
> > This introduces the new document doc/metalink-standard.txt.
> >
> > The purpose of the document is to serve as a Metalink/XML and Metalink/HTTP 
> > standard reference of the Metalink functionalities currently implemented in 
> > Wget.
> >
> > Regards,
> > Matthew
> >
> > -- 
> > Matthew White <address@hidden>
> >
> > From 40442c885ab06dbef19caeef6bc4ba22a26dbb31 Mon Sep 17 00:00:00 2001
> > From: Matthew White <address@hidden>
> > Date: Fri, 19 Aug 2016 13:17:34 +0200
> > Subject: [PATCH 10/25] New document: Metalink/XML and Metalink/HTTP standard
> >  reference
> >
> > * doc/metalink-standard.txt: New doc. Implemented and recommended
> >   Metalink/XML and Metalink/HTTP standard features
> > ---
> >  doc/metalink-standard.txt | 156 
> > ++++++++++++++++++++++++++++++++++++++++++++++
> >  1 file changed, 156 insertions(+)
> >  create mode 100644 doc/metalink-standard.txt
> >
> > diff --git a/doc/metalink-standard.txt b/doc/metalink-standard.txt
> > new file mode 100644
> > index 0000000..d00c384
> > --- /dev/null
> > +++ b/doc/metalink-standard.txt
> > @@ -0,0 +1,156 @@
> > +GNU Wget Metalink recommended behaviour
> > +
> > +  Metalink/XML and Metalink/HTTP standard reference
> > +
> > +
> > +1. Security features
> > +********************
> > +
> > +Only metalink:file elements with safe "name" fields shall be accepted
> > +[1 #section-4.1.2.1]. If unsafe metalink:file elements are saved, any
> > +related test shall fail (see '2. Tests').
> > +
> > +By design, libmetalink rejects unsafe metalink:file elements [3]:
> > +* lib/metalink_helper.c (metalink_check_safe_path): Verify path
> > +
> > +1.1 Exceptions
> > +==============
> > +
> > +The option --directory-prefix could allow to use an absolute, relative
> > +or home path.
> > +
> > +2. Tests
> > +********
> > +
> > +Saving a file to an unexpected path poses a security problem. We must
> > +ensure that Wget's automated tests never modify the root and the home
> > +paths or descend/escalate to a relative path unexpectedly.
> > +
> > +2.1 Metalink/XML implemented tests
> > +==================================
> > +
> > +* testenv/Test-metalink-xml.py: Accept safe paths
> > +* testenv/Test-metalink-xml-abspath.py: Reject absolute paths
> > +* testenv/Test-metalink-xml-relpath.py: Reject relative paths
> > +* testenv/Test-metalink-xml-homepath.py: Reject home paths
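
Review bot: Section 1.1 leaves the scope of the exception open: "The option --directory-prefix could allow to use an absolute, relative or home path" does not say whether this applies only to the prefix the user passes on the command line, or also to the metalink:file "name" that section 1 says must be safe. Suggest stating which one is meant, and whether the "name" field is still verified when --directory-prefix is given, and replacing "could allow to use" with a definite statement of the behaviour. In 2.1, "Reject relative paths" should also say which relative forms are rejected, since a name that is not absolute is itself relative to the download directory.
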
> 
> ACK with these tests merged together.

All the Metalink tests are specialized, hence each test has a different file 
name and content.

I don't know if it's a good idea to merge the tests together. But this is just 
my opinion.

WDYT?

Please, see the comments on Patch 01/25:
http://lists.gnu.org/archive/html/bug-wget/2016-09/msg00074.html

> 
> Regards,
> Giuseppe

Regards,
Matthew

-- 
Matthew White <address@hidden>
