Hello community, here is the log from the commit of package yast2-registration for openSUSE:Factory checked in at 2018-11-22 13:24:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-registration (Old) and /work/SRC/openSUSE:Factory/.yast2-registration.new.19453 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-registration" Thu Nov 22 13:24:34 2018 rev:26 rq:650753 version:4.1.8 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-registration/yast2-registration.changes 2018-11-20 22:31:51.254617576 +0100 +++ /work/SRC/openSUSE:Factory/.yast2-registration.new.19453/yast2-registration.changes 2018-11-22 13:24:40.550053139 +0100 @@ -1,0 +2,7 @@ +Wed Nov 21 16:39:02 CET 2018 - sch...@suse.de + +- Do not allow redirection while checking via HTTP request if + (old) NCC API is present at the server (bsc#1111404). +- 4.1.8 + +------------------------------------------------------------------- Old: ---- yast2-registration-4.1.7.tar.bz2 New: ---- yast2-registration-4.1.8.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-registration.spec ++++++ --- /var/tmp/diff_new_pack.3bLVBl/_old 2018-11-22 13:24:40.910052764 +0100 +++ /var/tmp/diff_new_pack.3bLVBl/_new 2018-11-22 13:24:40.914052759 +0100 @@ -17,7 +17,7 @@ Name: yast2-registration -Version: 4.1.7 +Version: 4.1.8 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build ++++++ yast2-registration-4.1.7.tar.bz2 -> yast2-registration-4.1.8.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-registration-4.1.7/package/yast2-registration.changes new/yast2-registration-4.1.8/package/yast2-registration.changes --- old/yast2-registration-4.1.7/package/yast2-registration.changes 2018-11-19 17:04:25.000000000 +0100 +++ new/yast2-registration-4.1.8/package/yast2-registration.changes 2018-11-21 17:44:29.000000000 +0100 
@@ -1,4 +1,11 @@ ------------------------------------------------------------------- +Wed Nov 21 16:39:02 CET 2018 - sch...@suse.de + +- Do not allow redirection while checking via HTTP request if + (old) NCC API is present at the server (bsc#1111404). +- 4.1.8 + +------------------------------------------------------------------- Mon Nov 19 16:11:29 CET 2018 - sch...@suse.de - Improved error messages (bsc#1060151). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-registration-4.1.7/package/yast2-registration.spec new/yast2-registration-4.1.8/package/yast2-registration.spec --- old/yast2-registration-4.1.7/package/yast2-registration.spec 2018-11-19 17:04:25.000000000 +0100 +++ new/yast2-registration-4.1.8/package/yast2-registration.spec 2018-11-21 17:44:29.000000000 +0100 @@ -17,7 +17,7 @@ Name: yast2-registration -Version: 4.1.7 +Version: 4.1.8 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-registration-4.1.7/src/lib/registration/downloader.rb new/yast2-registration-4.1.8/src/lib/registration/downloader.rb --- old/yast2-registration-4.1.7/src/lib/registration/downloader.rb 2018-11-19 17:04:25.000000000 +0100 +++ new/yast2-registration-4.1.8/src/lib/registration/downloader.rb 2018-11-21 17:44:29.000000000 +0100 
@@ -39,19 +39,27 @@ # is reached the download fails with RuntimeError exception # @param file_url [String, URI] URL of the file to download # @param insecure [Boolean] if true the SSL verification errors are ignored + # @param allow_redirect [Boolean] true: redirection will be followed # @return [String] the contents of the downloaded file - def self.download(file_url, insecure: false) - download_file(file_url, insecure: insecure) + def self.download(file_url, insecure: false, allow_redirect: true) + if allow_redirect + # Taking default value for redirection_count + download_file(file_url, insecure: insecure) + else + # Do not allow redirection + download_file(file_url, insecure: insecure, redirection_count: 0) + end end # internal method which handles HTTP redirects # @param file_url [String, URI] URL of the file to download # @param insecure [Boolean] if true the SSL verification errors are ignored # @param redirection_count [Numeric] current redirection count, when zero - # the download fails with RuntimeError exception + # the download fails with DownloadError exception # @return [String] the contents of the downloaded file def self.download_file(file_url, insecure: false, redirection_count: 10) - raise "Redirection limit reached, download aborted" if redirection_count <= 0 + raise DownloadError, + "Redirection not allowed or limit has been reached" if redirection_count < 0 file_url = URI(file_url) unless file_url.is_a?(URI) http = Net::HTTP.new(file_url.host, file_url.port) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-registration-4.1.7/src/lib/registration/smt_status.rb new/yast2-registration-4.1.8/src/lib/registration/smt_status.rb --- old/yast2-registration-4.1.7/src/lib/registration/smt_status.rb 2018-11-19 17:04:25.000000000 +0100 +++ new/yast2-registration-4.1.8/src/lib/registration/smt_status.rb 2018-11-21 17:44:29.000000000 +0100 
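Review bot: The doc comments no longer match the guard in `download_file`: the `redirection_count` description still says the download fails "when zero", but the new check is `redirection_count < 0`, so zero now sends the request and only a redirect answer fails. I would reword it to `# @param redirection_count [Numeric] redirections still allowed; 0 sends the request but follows no redirect, a negative value raises DownloadError`. The context line above `download` also still names RuntimeError although the raise is now `DownloadError`. If the recursive call outside this hunk decrements the count by one per hop, the default of 10 now follows one more redirect than before, which should either be noted or compensated with a default of 9. The body of `download_file` continues outside the hunk.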
@@ -22,7 +22,7 @@ log.info "Checking NCC API presence: #{download_url}" begin - Downloader.download(download_url, insecure: insecure) + Downloader.download(download_url, insecure: insecure, allow_redirect: false) log.info "NCC API found" return true rescue DownloadError diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-registration-4.1.7/test/downloader_spec.rb new/yast2-registration-4.1.8/test/downloader_spec.rb --- old/yast2-registration-4.1.7/test/downloader_spec.rb 2018-11-19 17:04:25.000000000 +0100 +++ new/yast2-registration-4.1.8/test/downloader_spec.rb 2018-11-21 17:44:29.000000000 +0100 @@ -63,6 +63,19 @@ expect(Registration::Downloader.download(url)).to eq("response") end + it "can block HTTP redirection" do + index = Net::HTTPRedirection.new("1.1", 302, "Found") + index["location"] = "http://redirected.example.com" + + http = double + expect(Net::HTTP).to receive(:new).and_return(http) + expect(http).to receive(:request).and_return(index) + expect(http).to receive(:proxy?).and_return(false) + expect { Registration::Downloader.download(url, allow_redirect: false) }.to raise_error( + Registration::DownloadError, "Redirection not allowed or limit has been reached" + ) + end + it "reads proxy credentials when proxy is used" do user = "proxy_user" password = "proxy_password" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-registration-4.1.7/test/smt_status_spec.rb new/yast2-registration-4.1.8/test/smt_status_spec.rb --- old/yast2-registration-4.1.7/test/smt_status_spec.rb 2018-11-19 17:04:25.000000000 +0100 +++ new/yast2-registration-4.1.8/test/smt_status_spec.rb 2018-11-21 17:44:29.000000000 +0100 
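Review bot: The call `Downloader.download(download_url, insecure: insecure, allow_redirect: false)` has no comment saying why redirects are refused, and the reason is security-relevant: the return value is discarded, so any answer that does not raise is logged as "NCC API found". I would add `# a redirect answer must not count as NCC API presence (bsc#1111404)` directly above the call. The check still appears to accept any non-redirect success without looking at the body, and with `insecure` set the answer is not authenticated by TLS, so the result is a hint about the server rather than proof. That last part is inferred, because the method starts and ends outside the hunk.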
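Review bot: The new example "can block HTTP redirection" pins only the `allow_redirect: false` case, while the same commit moved the limit check from `<= 0` to `< 0` and changed the exception class on the exhausted-limit path. A companion example that answers every request with the 302 and expects `Registration::DownloadError` with the default arguments would pin that boundary; I cannot see whether one already exists outside this hunk. `expect(Net::HTTP).to receive(:new)` already implies a single call, but writing `expect(Net::HTTP).to receive(:new).once.and_return(http)` would make it readable that the redirect target is never contacted.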
@@ -11,7 +11,7 @@ it "returns true when /center/regsvc?command=listproducts returns OK" do expect(Registration::Downloader).to receive(:download) - .with(expected_url, insecure: false) + .with(expected_url, insecure: false, allow_redirect: false) .and_return(true) expect(subject.ncc_api_present?).to eq(true) @@ -19,7 +19,7 @@ it "returns false otherwise" do expect(Registration::Downloader).to receive(:download) - .with(expected_url, insecure: false) + .with(expected_url, insecure: false, allow_redirect: false) .and_raise(Registration::DownloadError) expect(subject.ncc_api_present?).to eq(false)