bug-wget

Re: [Bug-wget] [PATCH 10/25] New document: Metalink/XML and Metalink/HTT


From: Giuseppe Scrivano
Subject: Re: [Bug-wget] [PATCH 10/25] New document: Metalink/XML and Metalink/HTTP standard reference
Date: Sun, 11 Sep 2016 22:45:09 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Matthew White <address@hidden> writes:

> [Coverity Scan is ok, make syntax-check is ok, make check-valgrind is ok, 
> contrib/check-hard is ok]
>
> This introduces the new document doc/metalink-standard.txt.
>
> The purpose of the document is to serve as a Metalink/XML and Metalink/HTTP 
> standard reference of the Metalink functionalities currently implemented in 
> Wget.
>
> Regards,
> Matthew
>
> -- 
> Matthew White <address@hidden>
>
> From 40442c885ab06dbef19caeef6bc4ba22a26dbb31 Mon Sep 17 00:00:00 2001
> From: Matthew White <address@hidden>
> Date: Fri, 19 Aug 2016 13:17:34 +0200
> Subject: [PATCH 10/25] New document: Metalink/XML and Metalink/HTTP standard
>  reference
>
> * doc/metalink-standard.txt: New doc. Implemented and recommended
>   Metalink/XML and Metalink/HTTP standard features
> ---
>  doc/metalink-standard.txt | 156 
> ++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 156 insertions(+)
>  create mode 100644 doc/metalink-standard.txt
>
> diff --git a/doc/metalink-standard.txt b/doc/metalink-standard.txt
> new file mode 100644
> index 0000000..d00c384
> --- /dev/null
> +++ b/doc/metalink-standard.txt
> @@ -0,0 +1,156 @@
> +GNU Wget Metalink recommended behaviour
> +
> +  Metalink/XML and Metalink/HTTP standard reference
> +
> +
> +1. Security features
> +********************
> +
> +Only metalink:file elements with safe "name" fields shall be accepted
> +[1 #section-4.1.2.1]. If unsafe metalink:file elements are saved, any
> +related test shall fail (see '2. Tests').
> +
> +By design, libmetalink rejects unsafe metalink:file elements [3]:
> +* lib/metalink_helper.c (metalink_check_safe_path): Verify path
> +
> +1.1 Exceptions
> +==============
> +
> +The option --directory-prefix could allow to use an absolute, relative
> +or home path.
> +
> +2. Tests
> +********
> +
> +Saving a file to an unexpected path poses a security problem. We must
> +ensure that Wget's automated tests never modify the root and the home
> +paths or descend/escalate to a relative path unexpectedly.
> +
> +2.1 Metalink/XML implemented tests
> +==================================
> +
> +* testenv/Test-metalink-xml.py: Accept safe paths
> +* testenv/Test-metalink-xml-abspath.py: Reject absolute paths
> +* testenv/Test-metalink-xml-relpath.py: Reject relative paths
> +* testenv/Test-metalink-xml-homepath.py: Reject home paths
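
Review bot: section 1.1 "Exceptions" does not say whether the safe "name" requirement from section 1 still applies to metalink:file elements when --directory-prefix is given. As worded ("could allow to use an absolute, relative or home path"), it can be read as lifting that requirement. Suggest stating that the exception covers only the prefix value supplied on the command line, and that the "name" field from the Metalink document is still checked before it is combined with the prefix. In 2.1, "Reject relative paths" would also be clearer if it named the relative forms the test rejects, since section 2 only speaks of descending or escalating "to a relative path unexpectedly".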

ACK with these tests merged together.

Regards,
Giuseppe


