Bug#961903: prusa-slicer: Unwanted background connections to http://files.prusa3d.com/

2020-08-08 Thread Antoni Villalonga
Please consider the attached patch.

Raw file: 
https://salsa.debian.org/friki/slic3r-prusa/-/raw/1d54f79dc7108515aeb62d2dab4918aea1ffd0e7/debian/patches/Secured-self-updates-and-disable-by-default.patch
Merge Request: 
https://salsa.debian.org/3dprinting-team/slic3r-prusa/-/merge_requests/1

-- 
Antoni Villalonga
https://friki.cat/
From: Antoni Villalonga 
Date: Sun, 09 Aug 2020 00:15:17 +0200
Subject: Secure self-updates and disable by default
Bug-Debian: http://bugs.debian.org/961903
Forwarded: not-needed

--- a/src/slic3r/GUI/AppConfig.cpp
+++ b/src/slic3r/GUI/AppConfig.cpp
@@ -57,9 +57,9 @@
 set("show_incompatible_presets", "0");
 
 if (get("version_check").empty())
-set("version_check", "1");
+set("version_check", "0");
 if (get("preset_update").empty())
-set("preset_update", "1");
+set("preset_update", "0");
 
 if (get("export_sources_full_pathnames").empty())
 set("export_sources_full_pathnames", "0");
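Review bot: The new "0" defaults for version_check and preset_update sit inside the existing .empty() guards, so they only reach configurations that have never stored a value. A user upgrading with "1" already saved keeps the background connections this bug is about. Either state in the patch description that only fresh configurations are affected, or add a NEWS entry telling existing users to switch both settings off.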
--- a/resources/profiles/BIBO.ini
+++ b/resources/profiles/BIBO.ini
@@ -7,7 +7,7 @@
 # This means, the server may force the PrusaSlicer configuration to be downgraded.
 config_version = 0.0.1
 # Where to get the updates from?
-config_update_url = http://files.prusa3d.com/wp-content/uploads/repository/PrusaSlicer-settings-master/live/BIBO/
+config_update_url = https://files.prusa3d.com/wp-content/uploads/repository/PrusaSlicer-settings-master/live/BIBO/
 
 # The printer models will be shown by the Configuration Wizard in this order,
 # also the first model installed & the first nozzle installed will be activated after install.
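Review bot: The http to https change to config_update_url here, repeated in the other vendor .ini hunks, is not Debian-specific, yet the patch header says "Forwarded: not-needed". Consider splitting the patch in two: the default-off change in AppConfig.cpp as the distribution choice, and the URL scheme changes as a separate patch that can be forwarded upstream, so the bundled profiles do not have to be re-patched on every new upstream release.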
--- a/resources/profiles/Creality.ini
+++ b/resources/profiles/Creality.ini
@@ -7,8 +7,8 @@
 # This means, the server may force the PrusaSlicer configuration to be downgraded.
 config_version = 0.0.2
 # Where to get the updates from?
-config_update_url = http://files.prusa3d.com/wp-content/uploads/repository/PrusaSlicer-settings-master/live/Creality/
-# changelog_url = http://files.prusa3d.com/?latest=slicer-profiles=%1%
+config_update_url = https://files.prusa3d.com/wp-content/uploads/repository/PrusaSlicer-settings-master/live/Creality/
+# changelog_url = https://files.prusa3d.com/?latest=slicer-profiles=%1%
 
 # The printer models will be shown by the Configuration Wizard in this order,
 # also the first model installed & the first nozzle installed will be activated after install.
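Review bot: The second changed line in this hunk, "# changelog_url = ...", is a commented-out setting, so editing it has no functional effect and only widens the diff against upstream. Keeping it for consistency is fine, but dropping that line from the hunk would make the patch easier to refresh.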
--- a/resources/profiles/LulzBot.ini
+++ b/resources/profiles/LulzBot.ini
@@ -4,7 +4,7 @@
 # Vendor name will be shown by the Config Wizard.
 name = LulzBot
 config_version = 0.0.1
-config_update_url = http://files.prusa3d.com/wp-content/uploads/repository/PrusaSlicer-settings-master/live/LulzBot/
+config_update_url = https://files.prusa3d.com/wp-content/uploads/repository/PrusaSlicer-settings-master/live/LulzBot/
 
 [printer_model:MINI_AERO]
 name = Mini Aero
--- a/resources/profiles/PrusaResearch.ini
+++ b/resources/profiles/PrusaResearch.ini
@@ -7,8 +7,8 @@
 # This means, the server may force the PrusaSlicer configuration to be downgraded.
 config_version = 1.1.2
 # Where to get the updates from?
-config_update_url = http://files.prusa3d.com/wp-content/uploads/repository/PrusaSlicer-settings-master/live/PrusaResearch/
-changelog_url = http://files.prusa3d.com/?latest=slicer-profiles=%1%
+config_update_url = https://files.prusa3d.com/wp-content/uploads/repository/PrusaSlicer-settings-master/live/PrusaResearch/
+changelog_url = https://files.prusa3d.com/?latest=slicer-profiles=%1%
 
 # The printer models will be shown by the Configuration Wizard in this order,
 # also the first model installed & the first nozzle installed will be activated after install.
--- a/src/slic3r/GUI/UpdateDialogs.cpp
+++ b/src/slic3r/GUI/UpdateDialogs.cpp
@@ -25,7 +25,7 @@
 namespace GUI {
 
 
-static const char* URL_CHANGELOG = "http://files.prusa3d.com/?latest=slicer-stable=%1%;;
+static const char* URL_CHANGELOG = "https://files.prusa3d.com/?latest=slicer-stable=%1%;;
 static const char* URL_DOWNLOAD = "https://www.prusa3d.com/downloads=%1%;;
 static const char* URL_DEV = "https://github.com/prusa3d/PrusaSlicer/releases/tag/version_%1%;;
 
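Review bot: As rendered here the added URL_CHANGELOG line ends in %1%;; with no closing quote, exactly like the removed line and the URL_DOWNLOAD and URL_DEV context lines, so this copy of the hunk would neither apply nor compile. Verify it against the raw patch file linked in the message before applying.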
--- a/src/slic3r/Utils/PresetUpdater.cpp
+++ b/src/slic3r/Utils/PresetUpdater.cpp
@@ -301,7 +301,7 @@
 		const std::string idx_path = (cache_path / (vendor.id + ".idx")).string();
 		const std::string idx_path_temp = idx_path + "-update";
 		//check if idx_url is leading to our site 
-		if (! boost::starts_with(idx_url, "http://files.prusa3d.com/wp-content/uploads/repository/;))
+		if (! boost::starts_with(idx_url, "https://files.prusa3d.com/wp-content/uploads/repository/;))
 		{
 			BOOST_LOG_TRIVIAL(warning) << "unsafe url path for vendor \"" << vendor.name << "\" rejected: " << idx_url;
 			continue;
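Review bot: With the prefix in the boost::starts_with check tightened to https://, any vendor whose idx_url still begins with http://files.prusa3d.com/ now falls into the "unsafe url path ... rejected" warning and the continue, so its update is skipped with only a log line. That is the right failure direction, but it means every source of idx_url has to be covered by the .ini changes in this patch. Please confirm that no other bundled or previously installed profile can still supply an http:// URL, or mention in the patch description that such vendors will stop updating until their profile is refreshed.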


Bug#961903: prusa-slicer: Unwanted background connections to http://files.prusa3d.com/

2020-05-31 Thread Antoni Villalonga
Package: prusa-slicer
Severity: normal

Dear Maintainer,

prusa-slicer connects to http://files.prusa3d.com/ to download firmware-related
information, without user confirmation.

It leaks information about software usage and affects the final generated
files.

Moreover, the insecure connection opens a vector of attack that may end up in
physical damage to printers.

Please disable that feature by default and switch to secure connections.

Regards,