net-misc/wget: fix from upstream for pasv ftp behavior #560418

2 files changed, 266 insertions, 0 deletions

diff --git a/net-misc/wget/files/wget-1.16.3-ftp-pasv-ip.patch b/net-misc/wget/files/wget-1.16.3-ftp-pasv-ip.patch
new file mode 100644
index 000000000000..566350283e5c
--- /dev/null
+++ b/net-misc/wget/files/wget-1.16.3-ftp-pasv-ip.patch
@@ -0,0 +1,175 @@
+https://bugs.gentoo.org/560418
+
+fix from upstream
+
+From 075d7556964f5a871a73c22ac4b69f5361295099 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Tue, 11 Aug 2015 16:48:08 +0200
+Subject: [PATCH] Fix IP address exposure in FTP code
+
+* src/ftp.c (getftp): Do not use PORT when PASV fails.
+* tests/FTPServer.px: Add pasv_not_supported server flag.
+* tests/Makefile.am: Add Test-ftp-pasv-not-supported.px
+* tests/Test-ftp-pasv-not-supported.px: New test
+
+Fix IP address exposure when automatically falling back from
+passive mode to active mode (using the PORT command). A behavior that
+may be used to expose a client's privacy even when using a proxy.
+---
+ NEWS                                 |  2 ++
+ src/ftp.c                            | 19 +++++++-----
+ tests/FTPServer.pm                   |  8 +++++
+ tests/Makefile.am                    |  3 +-
+ tests/Test-ftp-pasv-not-supported.px | 60 ++++++++++++++++++++++++++++++++++++
+ 5 files changed, 84 insertions(+), 8 deletions(-)
+ create mode 100755 tests/Test-ftp-pasv-not-supported.px
+
+diff --git a/src/ftp.c b/src/ftp.c
+index 68f1a33..9dab99c 100644
+--- a/src/ftp.c
++++ b/src/ftp.c
+@@ -252,7 +252,6 @@ getftp (struct url *u, wgint passed_expected_bytes, wgint *qtyread,
+   char *respline, *tms;
+   const char *user, *passwd, *tmrate;
+   int cmd = con->cmd;
+-  bool pasv_mode_open = false;
+   wgint expected_bytes = 0;
+   bool got_expected_bytes = false;
+   bool rest_failed = false;
+@@ -883,13 +882,19 @@ Error in server response, closing control connection.\n"));
+                           ? CONERROR : CONIMPOSSIBLE);
+                 }
+ 
+-              pasv_mode_open = true;  /* Flag to avoid accept port */
+               if (!opt.server_response)
+                 logputs (LOG_VERBOSE, _("done.    "));
+-            } /* err==FTP_OK */
+-        }
++            }
++          else
++            return err;
+ 
+-      if (!pasv_mode_open)   /* Try to use a port command if PASV failed */
++          /*
++           * We do not want to fall back from PASSIVE mode to ACTIVE mode !
++           * The reason is the PORT command exposes the client's real IP address
++           * to the server. Bad for someone who relies on privacy via a ftp proxy.
++           */
++        }
++      else
+         {
+           err = ftp_do_port (csock, &local_sock);
+           /* FTPRERR, WRITEFAILED, bindport (FTPSYSERR), HOSTERR,
+@@ -1148,8 +1153,8 @@ Error in server response, closing control connection.\n"));
+     }
+ 
+   /* If no transmission was required, then everything is OK.  */
+-  if (!pasv_mode_open)  /* we are not using pasive mode so we need
+-                              to accept */
++  if (!opt.ftp_pasv)  /* we are not using passive mode so we need
++                         to accept */
+     {
+       /* Wait for the server to connect to the address we're waiting
+          at.  */
+diff --git a/tests/FTPServer.pm b/tests/FTPServer.pm
+index c0a6e47..a5185d6 100644
+--- a/tests/FTPServer.pm
++++ b/tests/FTPServer.pm
+@@ -740,6 +740,14 @@ sub run
+                     last;
+                 }
+ 
++                if (defined($self->{_server_behavior}{pasv_not_supported})
++                    && $cmd eq 'PASV')
++                {
++                    print {$conn->{socket}}
++                      "500 PASV not supported.\r\n";
++                    next;
++                }
++
+                 # Run the command.
+                 &{$command_table->{$cmd}}($conn, $cmd, $rest);
+             }
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 5d387aa..daf162f 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -127,7 +127,8 @@ PX_TESTS = \
+              Test--start-pos.px \
+              Test--start-pos--continue.px \
+              Test--httpsonly-r.px \
+-             Test-204.px
++             Test-204.px \
++             Test-ftp-pasv-not-supported.px
+ 
+ EXTRA_DIST = FTPServer.pm FTPTest.pm HTTPServer.pm HTTPTest.pm \
+              WgetTests.pm WgetFeature.pm WgetFeature.cfg $(PX_TESTS) \
+diff --git a/tests/Test-ftp-pasv-not-supported.px b/tests/Test-ftp-pasv-not-supported.px
+new file mode 100755
+index 0000000..97d0610
+--- /dev/null
++++ b/tests/Test-ftp-pasv-not-supported.px
+@@ -0,0 +1,60 @@
++#!/usr/bin/env perl
++
++use strict;
++use warnings;
++
++use FTPTest;
++
++# This test checks whether Wget *does not* fall back from passive mode to
++# active mode using a PORT command. Wget <= 1.16.3 made a fallback exposing
++# the client's real IP address to the remote FTP server.
++#
++# This behavior circumvents expected privacy when using a proxy / proxy network (e.g. Tor).
++#
++# Wget >= 1.16.4 does it right. This test checks it.
++
++###############################################################################
++
++# From bug report 10.08.2015 from tomtidaly@sigaint.org
++my $afile = <<EOF;
++FTP PORT command code in v1.16.3?
++
++In the past it could be possible for a site over http connection to
++redirect wget to FPT using FTP PORT command so the site gets the real IP
++of the computer even when wget proxy command is in use I believe:
++https://lists.torproject.org/pipermail/tor-talk/2012-April/024040.html
++
++Is that code still present in wget v1.16.3? It was present in v1.13.4.
++EOF
++
++$afile =~ s/\n/\r\n/g;
++
++
++# code, msg, headers, content
++my %urls = (
++    '/afile.txt' => {
++        content => $afile,
++    },
++);
++
++my $cmdline = $WgetTest::WGETPATH . " -S ftp://localhost:{{port}}/afile.txt";
++
++my $expected_error_code = 8;
++
++my %expected_downloaded_files = (
++    'afile.txt' => {
++        content => $afile,
++    },
++);
++
++###############################################################################
++
++my $the_test = FTPTest->new (
++                             server_behavior => {pasv_not_supported => 1},
++                             input => \%urls,
++                             cmdline => $cmdline,
++                             errcode => $expected_error_code,
++                             output => \%expected_downloaded_files);
++exit !$the_test->run();
++
++# vim: et ts=4 sw=4
+-- 
+2.5.1
+
diff --git a/net-misc/wget/wget-1.16.3-r1.ebuild b/net-misc/wget/wget-1.16.3-r1.ebuild
new file mode 100644
index 000000000000..d3ac2f850344
--- /dev/null
+++ b/net-misc/wget/wget-1.16.3-r1.ebuild
@@ -0,0 +1,91 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+PYTHON_COMPAT=( python{3_3,3_4} )
+
+inherit flag-o-matic python-any-r1 toolchain-funcs autotools
+
+DESCRIPTION="Network utility to retrieve files from the WWW"
+HOMEPAGE="https://www.gnu.org/software/wget/"
+SRC_URI="mirror://gnu/wget/${P}.tar.xz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="debug gnutls idn ipv6 nls ntlm pcre +ssl static test uuid zlib"
+
+LIB_DEPEND="idn? ( net-dns/libidn[static-libs(+)] )
+	pcre? ( dev-libs/libpcre[static-libs(+)] )
+	ssl? (
+		gnutls? ( net-libs/gnutls[static-libs(+)] )
+		!gnutls? ( dev-libs/openssl:0[static-libs(+)] )
+	)
+	uuid? ( sys-apps/util-linux[static-libs(+)] )
+	zlib? ( sys-libs/zlib[static-libs(+)] )"
+RDEPEND="!static? ( ${LIB_DEPEND//\[static-libs(+)]} )"
+DEPEND="${RDEPEND}
+	app-arch/xz-utils
+	virtual/pkgconfig
+	static? ( ${LIB_DEPEND} )
+	test? (
+		${PYTHON_DEPS}
+		dev-lang/perl
+		dev-perl/HTTP-Daemon
+		dev-perl/HTTP-Message
+		dev-perl/IO-Socket-SSL
+	)
+	nls? ( sys-devel/gettext )"
+
+REQUIRED_USE="ntlm? ( !gnutls ssl ) gnutls? ( ssl )"
+
+DOCS=( AUTHORS MAILING-LIST NEWS README doc/sample.wgetrc )
+
+pkg_setup() {
+	use test && python-any-r1_pkg_setup
+}
+
+src_prepare() {
+	epatch "${FILESDIR}"/${P}-ftp-pasv-ip.patch #560418
+}
+
+src_configure() {
+	# fix compilation on Solaris, we need filio.h for FIONBIO as used in
+	# the included gnutls -- force ioctl.h to include this header
+	[[ ${CHOST} == *-solaris* ]] && append-cppflags -DBSD_COMP=1
+
+	if use static ; then
+		append-ldflags -static
+		tc-export PKG_CONFIG
+		PKG_CONFIG+=" --static"
+	fi
+	econf \
+		--disable-assert \
+		--disable-rpath \
+		$(use_with ssl ssl $(usex gnutls gnutls openssl)) \
+		$(use_enable ssl opie) \
+		$(use_enable ssl digest) \
+		$(use_enable idn iri) \
+		$(use_enable ipv6) \
+		$(use_enable nls) \
+		$(use_enable ntlm) \
+		$(use_enable pcre) \
+		$(use_enable debug) \
+		$(use_with uuid libuuid) \
+		$(use_with zlib)
+}
+
+src_test() {
+	emake check
+}
+
+src_install() {
+	default
+
+	sed -i \
+		-e "s:/usr/local/etc:${EPREFIX}/etc:g" \
+		"${ED}"/etc/wgetrc \
+		"${ED}"/usr/share/man/man1/wget.1 \
+		"${ED}"/usr/share/info/wget.info
+}