[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 2 commits: Keep proxy settings on client if wpad is unreachable (Closes: #941001)
Dominik George
gitlab at salsa.debian.org
Thu Dec 19 12:57:31 GMT 2019
Dominik George pushed to branch master at Debian Edu / debian-edu-config
Commits:
9fdbc552 by Dominik George at 2019-12-19T12:54:58Z
Keep proxy settings on client if wpad is unreachable (Closes: #941001)
Remove use of eval `...` while at it to minimise security risks.
It seems that pactester would have caught anything injected from a
spoofed wpad file or something, but better be safe than sorry.
- - - - -
4f1baee6 by Dominik George at 2019-12-19T12:56:55Z
Merge branch 'master' of salsa.debian.org:debian-edu/debian-edu-config
- - - - -
4 changed files:
- debian/changelog
- share/debian-edu-config/tools/update-proxy-from-wpad
- share/debian-edu-config/tools/wpad-extract
- testsuite/webcache
Changes:
=====================================
debian/changelog
=====================================
@@ -5,6 +5,8 @@ debian-edu-config (2.11.11) UNRELEASED; urgency=medium
* debian/control: Reference Debian Edu in binary package description
* Follow-up for CVE-2019-3467:
- Add NEWS to warn administrators with possible local changes.
+ * Keep proxy settings on client if wpad is unreachable (Closes: #941001)
+ - Remove use of eval `...` while at it to minimise security risks
[ Holger Levsen ]
* Close #936375 in 2.11.7 changelog entry.
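Review bot: The added changelog sub-item records only the removal of eval, while the same commit changes how wpad-extract is used: both callers now source it with `.` and its shebang moves to /bin/sh. A further sub-item saying that wpad-extract is now meant to be sourced would warn administrators whose local scripts still call it through eval.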
=====================================
share/debian-edu-config/tools/update-proxy-from-wpad
=====================================
@@ -83,7 +83,7 @@ fi
# proxy.
http_proxy=
-eval `/usr/share/debian-edu-config/tools/wpad-extract`
+. /usr/share/debian-edu-config/tools/wpad-extract >/dev/null || exit 1
ftp_proxy=$http_proxy
https_proxy=$http_proxy
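Review bot: On the `. /usr/share/debian-edu-config/tools/wpad-extract >/dev/null || exit 1` line, the script exits silently with status 1 whenever wpad-extract returns non-zero, and wpad-extract does that for any empty `proxy_url`, not only when the wpad host is unreachable. A short message to stderr or syslog before `exit 1` would let administrators see why the existing proxy settings were kept. Sourcing also runs wpad-extract inside this shell, so its `proxy_url` variable ends up in this script's namespace; a comment stating that the file is sourced on purpose would help later maintainers.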
=====================================
share/debian-edu-config/tools/wpad-extract
=====================================
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
#
# Detect proxy URL via WPAD
#
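Review bot: The shebang on the first line only matters when the file is executed directly, but both callers touched by this commit now source it with `.`, so the interpreter is whichever shell the caller runs under. The header comment should say that the file is meant to be sourced, and the rest of the file should be checked for bash-only constructs now that it claims /bin/sh.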
@@ -11,5 +11,10 @@
# DNS if the skolelinux machines are not connected to the Internet.
proxy_url=$(curl -s http://wpad/wpad.dat | pactester -p - \
-u http://130.89.148.14 | awk '{print $2}' | cut -d';' -f1)
-echo http_proxy=http://$proxy_url
+if [ "$proxy_url" ]; then
+ http_proxy=http://$proxy_url
+ echo http_proxy=$http_proxy
+else
+ return 1
+fi
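Review bot: `return 1` in the else branch sits at the top level of the file, which is only well defined when the file is sourced; the script keeps a shebang, and POSIX leaves `return` outside a function or dot script unspecified if someone runs it directly. `return 1 2>/dev/null || exit 1` covers both cases. Separately, `echo http_proxy=$http_proxy` expands an unquoted value derived from the fetched wpad.dat; writing `echo "http_proxy=$http_proxy"` avoids word splitting and globbing, and checking that `$proxy_url` has the expected host:port shape before the assignment would be stricter still.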
=====================================
testsuite/webcache
=====================================
@@ -69,7 +69,7 @@ if HEAD $HEADOPTS $url > /dev/null 2>&1 ; then
# Subshell to avoid leaking http_proxy and ftp_proxy variables to
# the rest of this script
(
- eval `/usr/share/debian-edu-config/tools/wpad-extract`
+ . /usr/share/debian-edu-config/tools/wpad-extract >/dev/null
if [ "$http_proxy" ] ; then
echo "success: $0: WPAD file '$url' includes HTTP proxy info."
else
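Review bot: The subshell does not clear `http_proxy` before the `.` line, and wpad-extract now leaves the variable untouched when `proxy_url` is empty, so an `http_proxy` inherited from the environment makes `if [ "$http_proxy" ]` print the success message even though WPAD yielded nothing. Set `http_proxy=` before sourcing, as update-proxy-from-wpad does, or branch on the return status of the `.` command instead.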
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/compare/9564ff171302068f394a5546e2fd26fb28980f2b...4f1baee6808d124f27f5918c67d5680798a0fe2e