packages/wget
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Package init

Browse Source
This commit is contained in:
overweight 2019-09-30 11:19:50 -04:00
commit 2c12a5b0b7
23 changed files with 1278 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
CVE-2018-20483-Don-t-save-user-pw-with-xattr.patch Normal file
View File

@ -0,0 +1,124 @@
From 3cdfb594cf75f11cdbb9702ac5e856c332ccacfa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Wed, 26 Dec 2018 14:38:18 +0100
Subject: [PATCH 2/2] Don't save user/pw with --xattr
Also the Referer info is reduced to scheme+host+port.
* src/ftp.c (getftp): Change params of set_file_metadata()
* src/http.c (gethttp): Change params of set_file_metadata()
* src/xattr.c (set_file_metadata): Remove user/password from origin URL,
reduce Referer value to scheme/host/port.
* src/xattr.h: Change prototype of set_file_metadata()
---
src/ftp.c | 2 +-
src/http.c | 4 ++--
src/xattr.c | 24 ++++++++++++++++++++----
src/xattr.h | 3 ++-
4 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/src/ftp.c b/src/ftp.c
index 3f4ab53f..6b8bdf8f 100644
--- a/src/ftp.c
+++ b/src/ftp.c
@@ -1580,7 +1580,7 @@ Error in server response, closing control connection.\n"));
#ifdef ENABLE_XATTR
if (opt.enable_xattr)
- set_file_metadata (u->url, NULL, fp);
+ set_file_metadata (u, NULL, fp);
#endif
fd_close (local_sock);
diff --git a/src/http.c b/src/http.c
index d77762f8..a01fc573 100644
--- a/src/http.c
+++ b/src/http.c
@@ -4113,9 +4113,9 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
if (opt.enable_xattr)
{
if (original_url != u)
- set_file_metadata (u->url, original_url->url, fp);
+ set_file_metadata (u, original_url, fp);
else
- set_file_metadata (u->url, NULL, fp);
+ set_file_metadata (u, NULL, fp);
}
#endif
diff --git a/src/xattr.c b/src/xattr.c
index 66524226..0f20fadf 100644
--- a/src/xattr.c
+++ b/src/xattr.c
@@ -21,6 +21,7 @@
#include <string.h>
#include "log.h"
+#include "utils.h"
#include "xattr.h"
#ifdef USE_XATTR
@@ -57,7 +58,7 @@ write_xattr_metadata (const char *name, const char *value, FILE *fp)
#endif /* USE_XATTR */
int
-set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
+set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp)
{
/* Save metadata about where the file came from (requested, final URLs) to
* user POSIX Extended Attributes of retrieved file.
@@ -67,13 +68,28 @@ set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
* [http://0pointer.de/lennart/projects/mod_mime_xattr/].
*/
int retval = -1;
+ char *value;
if (!origin_url || !fp)
return retval;
- retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (origin_url), fp);
- if ((!retval) && referrer_url)
- retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (referrer_url), fp);
+ value = url_string (origin_url, URL_AUTH_HIDE);
+ retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (value), fp);
+ xfree (value);
+
+ if (!retval && referrer_url)
+ {
+ struct url u;
+
+ memset(&u, 0, sizeof(u));
+ u.scheme = referrer_url->scheme;
+ u.host = referrer_url->host;
+ u.port = referrer_url->port;
+
+ value = url_string (&u, 0);
+ retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (value), fp);
+ xfree (value);
+ }
return retval;
}
diff --git a/src/xattr.h b/src/xattr.h
index 10f3ed11..40c7a8d3 100644
--- a/src/xattr.h
+++ b/src/xattr.h
@@ -16,12 +16,13 @@
along with this program; if not, see <http://www.gnu.org/licenses/>. */
#include <stdio.h>
+#include <url.h>
#ifndef _XATTR_H
#define _XATTR_H
/* Store metadata name/value attributes against fp. */
-int set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp);
+int set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp);
#if defined(__linux)
/* libc on Linux has fsetxattr (5 arguments). */
--
2.19.1

70
CVE-2018-20483-Don-t-use-extended-attributes-xattr-by-default.patch Normal file
View File

@ -0,0 +1,70 @@
From c125d24762962d91050d925fbbd9e6f30b2302f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Wed, 26 Dec 2018 13:51:48 +0100
Subject: [PATCH 1/2] Don't use extended attributes (--xattr) by default
* src/init.c (defaults): Set enable_xattr to false by default
* src/main.c (print_help): Reverse option logic of --xattr
* doc/wget.texi: Add description for --xattr
Users may not be aware that the origin URL and Referer are saved
including credentials, and possibly access tokens within
the urls.
---
doc/wget.texi | 8 ++++++++
src/init.c | 4 ----
src/main.c | 2 +-
3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/doc/wget.texi b/doc/wget.texi
index 7ae19d8e..a6cb15ea 100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -540,6 +540,14 @@ right NUMBER.
Set preferred location for Metalink resources. This has effect if multiple
resources with same priority are available.
+@cindex xattr
+@item --xattr
+Enable use of file system's extended attributes to save the
+original URL and the Referer HTTP header value if used.
+
+Be aware that the URL might contain private information like
+access tokens or credentials.
+
@cindex force html
@item -F
diff --git a/src/init.c b/src/init.c
index b829a2c0..51b63614 100644
--- a/src/init.c
+++ b/src/init.c
@@ -507,11 +507,7 @@ defaults (void)
opt.hsts = true;
#endif
-#ifdef ENABLE_XATTR
- opt.enable_xattr = true;
-#else
opt.enable_xattr = false;
-#endif
}
/* Return the user's home directory (strdup-ed), or NULL if none is
diff --git a/src/main.c b/src/main.c
index ff41c8d9..4408ffbb 100644
--- a/src/main.c
+++ b/src/main.c
@@ -755,7 +755,7 @@ Download:\n"),
#endif
#ifdef ENABLE_XATTR
N_("\
- --no-xattr turn off storage of metadata in extended file attributes\n"),
+ --xattr turn on storage of metadata in extended file attributes\n"),
#endif
"\n",
--
2.19.1

16
CVE-2019-5953.patch Normal file
View File

@ -0,0 +1,16 @@
--- a/src/iri.c 2018-05-05 16:46:22.000000000 -0400
+++ b/src/iri_1.c 2019-06-18 22:40:45.284000000 -0400
@@ -189,9 +189,10 @@ do_conversion (const char *tocode, const
{
tooshort++;
done = len;
- len = outlen = done + inlen * 2;
- s = xrealloc (s, outlen + 1);
- *out = s + done;
+ len = done + inlen * 2;
+ s = xrealloc (s, len + 1);
+ *out = s + done - outlen;
+ outlen += inlen * 2;
}
else /* Weird, we got an unspecified error */
{

28
Fix-corner-case-in-processing-server-response.patch Normal file
View File

@ -0,0 +1,28 @@
From 5d87635c66aaa01bdf95f6b093b66c3d2768b696 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Mon, 25 Mar 2019 16:05:47 +0100
Subject: [PATCH 82/83] Fix corner case in processing server response
* src/http.c (response_head_terminator): Don't access uninitialized data
* fuzz/wget_read_hunk_fuzzer.c: Sync response_head_terminator()
---
fuzz/wget_read_hunk_fuzzer.c | 2 +-
src/http.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/http.c b/src/http.c
index 304a2f86..289d1101 100644
--- a/src/http.c
+++ b/src/http.c
@@ -553,7 +553,7 @@ response_head_terminator (const char *start, const char *peeked, int peeklen)
return p + 2;
}
/* p==end-2: check for \n\n directly preceding END. */
- if (p[0] == '\n' && p[1] == '\n')
+ if (peeklen >= 2 && p[0] == '\n' && p[1] == '\n')
return p + 2;
return NULL;
--
2.19.1

38
Revert-Bail-out-on-unexpected-416-server-errors.patch Normal file
View File

@ -0,0 +1,38 @@
From 11fad3fa72c5622efbbc57b5a12c355de695726a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Fri, 9 Nov 2018 16:16:43 +0100
Subject: [PATCH 41/83] Revert "Bail out on unexpected 416 server errors"
This reverts commit 6f3b9959935ad7640bcf48a0a93848ed25ff8963.
The code is obviously wrong, see https://savannah.gnu.org/bugs/?54963
Also, the example from the original post doesn't work any more.
With other words, the broken server behavior has been fixed meanwhile.
---
src/http.c | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/src/http.c b/src/http.c
index e3f5639a..d77762f8 100644
--- a/src/http.c
+++ b/src/http.c
@@ -3965,16 +3965,6 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
}
}
- if (statcode == HTTP_STATUS_RANGE_NOT_SATISFIABLE
- && hs->restval < (contlen + contrange))
- {
- /* The file was not completely downloaded,
- yet the server claims the range is invalid.
- Bail out. */
- CLOSE_INVALIDATE (sock);
- retval = RANGEERR;
- goto cleanup;
- }
if (statcode == HTTP_STATUS_RANGE_NOT_SATISFIABLE
|| (!opt.timestamping && hs->restval > 0 && statcode == HTTP_STATUS_OK
&& contrange == 0 && contlen >= 0 && hs->restval >= contlen))
--
2.19.1

142
Save-original-data-to-WARC-file.patch Normal file
View File

@ -0,0 +1,142 @@
From ad261f41ceeb59242a096b31854038c3eff65c8f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Tue, 29 May 2018 10:49:24 +0200
Subject: [PATCH 11/83] Save original data to WARC file
* src/retr.c (write_data): Cleanup,
(fd_read_body): Write to WARC before uncompressing
Fixes: #53968
---
src/retr.c | 68 +++++++++++++++++++++++++++++++++---------------------
1 file changed, 42 insertions(+), 26 deletions(-)
diff --git a/src/retr.c b/src/retr.c
index 17ed228b..ae86730c 100644
--- a/src/retr.c
+++ b/src/retr.c
@@ -159,8 +159,8 @@ limit_bandwidth (wgint bytes, struct ptimer *timer)
/* Write data in BUF to OUT. However, if *SKIP is non-zero, skip that
amount of data and decrease SKIP. Increment *TOTAL by the amount
of data written. If OUT2 is not NULL, also write BUF to OUT2.
- In case of error writing to OUT, -1 is returned. In case of error
- writing to OUT2, -2 is returned. Return 1 if the whole BUF was
+ In case of error writing to OUT, -2 is returned. In case of error
+ writing to OUT2, -3 is returned. Return 1 if the whole BUF was
skipped. */
static int
@@ -169,25 +169,31 @@ write_data (FILE *out, FILE *out2, const char *buf, int bufsize,
{
if (out == NULL && out2 == NULL)
return 1;
- if (*skip > bufsize)
- {
- *skip -= bufsize;
- return 1;
- }
- if (*skip)
+
+ if (skip)
{
- buf += *skip;
- bufsize -= *skip;
- *skip = 0;
- if (bufsize == 0)
- return 1;
+ if (*skip > bufsize)
+ {
+ *skip -= bufsize;
+ return 1;
+ }
+ if (*skip)
+ {
+ buf += *skip;
+ bufsize -= *skip;
+ *skip = 0;
+ if (bufsize == 0)
+ return 1;
+ }
}
- if (out != NULL)
+ if (out)
fwrite (buf, 1, bufsize, out);
- if (out2 != NULL)
+ if (out2)
fwrite (buf, 1, bufsize, out2);
- *written += bufsize;
+
+ if (written)
+ *written += bufsize;
/* Immediately flush the downloaded data. This should not hinder
performance: fast downloads will arrive in large 16K chunks
@@ -203,17 +209,18 @@ write_data (FILE *out, FILE *out2, const char *buf, int bufsize,
actual justification. (Also, why 16K? Anyone test other values?)
*/
#ifndef __VMS
- if (out != NULL)
+ if (out)
fflush (out);
- if (out2 != NULL)
+ if (out2)
fflush (out2);
#endif /* ndef __VMS */
- if (out != NULL && ferror (out))
- return -1;
- else if (out2 != NULL && ferror (out2))
+
+ if (out && ferror (out))
return -2;
- else
- return 0;
+ else if (out2 && ferror (out2))
+ return -3;
+
+ return 0;
}
/* Read the contents of file descriptor FD until it the connection
@@ -452,6 +459,15 @@ fd_read_body (const char *downloaded_filename, int fd, FILE *out, wgint toread,
{
int err;
int towrite;
+
+ /* Write original data to WARC file */
+ write_res = write_data (NULL, out2, dlbuf, ret, NULL, NULL);
+ if (write_res < 0)
+ {
+ ret = write_res;
+ goto out;
+ }
+
gzstream.avail_in = ret;
gzstream.next_in = (unsigned char *) dlbuf;
@@ -482,11 +498,11 @@ fd_read_body (const char *downloaded_filename, int fd, FILE *out, wgint toread,
}
towrite = gzbufsize - gzstream.avail_out;
- write_res = write_data (out, out2, gzbuf, towrite, &skip,
+ write_res = write_data (out, NULL, gzbuf, towrite, &skip,
&sum_written);
if (write_res < 0)
{
- ret = (write_res == -3) ? -3 : -2;
+ ret = write_res;
goto out;
}
}
@@ -499,7 +515,7 @@ fd_read_body (const char *downloaded_filename, int fd, FILE *out, wgint toread,
&sum_written);
if (write_res < 0)
{
- ret = (write_res == -3) ? -3 : -2;
+ ret = write_res;
goto out;
}
}
--
2.19.1

26
src-convert.c-convert_links-Fix-code-to-avoid-false-.patch Normal file
View File

@ -0,0 +1,26 @@
From 88a49c1e414294ffdee0b25ba31d453ffea64d09 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Thu, 20 Sep 2018 14:58:27 +0200
Subject: [PATCH 27/83] * src/convert.c (convert_links): Fix code to avoid
false positive by clang
---
src/convert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/convert.c b/src/convert.c
index e6ca8fbb..b7f3d95c 100644
--- a/src/convert.c
+++ b/src/convert.c
@@ -303,7 +303,7 @@ convert_links (const char *file, struct urlpos *links)
{
case CO_CONVERT_TO_RELATIVE:
/* Convert absolute URL to relative. */
- {
+ if (link->local_name) {
char *newname = construct_relative (file, link->local_name);
char *quoted_newname = local_quote_string (newname,
link->link_css_p);
--
2.19.1

26
src-convert.c-convert_links-Fix-fallthrough.patch Normal file
View File

@ -0,0 +1,26 @@
From 21daa24e7214ed4e6505c7068412545b5ac47ff3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Fri, 26 Oct 2018 22:52:41 +0200
Subject: [PATCH 35/83] * src/convert.c (convert_links): Fix fallthrough
---
src/convert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/convert.c b/src/convert.c
index b7f3d95c..8cacbfbc 100644
--- a/src/convert.c
+++ b/src/convert.c
@@ -322,8 +322,8 @@ convert_links (const char *file, struct urlpos *links)
xfree (newname);
xfree (quoted_newname);
++to_file_count;
- break;
}
+ break;
case CO_CONVERT_BASENAME_ONLY:
{
char *newname = convert_basename (p, link);
--
2.19.1

52
src-ftp.c-getftp-Fix-RESOURCE-LEAK-found-by-Coverity.patch Normal file
View File

@ -0,0 +1,52 @@
From b24351183ec574f81c729cbb3286aceaee3f03c8 Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Mon, 30 Jul 2018 12:20:27 +0200
Subject: [PATCH 17/83] * src/ftp.c (getftp): Fix RESOURCE LEAK found by
Coverity
Error: RESOURCE_LEAK (CWE-772):
wget-1.19.5/src/ftp.c:1493: alloc_fn: Storage is returned from allocation function "fopen".
wget-1.19.5/src/ftp.c:1493: var_assign: Assigning: "fp" = storage returned from "fopen(con->target, "wb")".
wget-1.19.5/src/ftp.c:1811: leaked_storage: Variable "fp" going out of scope leaks the storage it points to.
\# 1809| if (fp && !output_stream)
\# 1810| fclose (fp);
\# 1811|-> return err;
\# 1812| }
\# 1813|
It can happen, that "if (!output_stream || con->cmd & DO_LIST)" on line #1398 can be true, even though "output_stream != NULL". In this case a new file is opened to "fp". Later it may happen in the FTPS branch, that some error will occure and code will jump to label "exit_error". In "exit_error", the "fp" is closed only if "output_stream == NULL". However this may not be true as described earlier and "fp" leaks.
On line #1588, there is the following conditional free of "fp":
/* Close the local file. */
if (!output_stream || con->cmd & DO_LIST)
fclose (fp);
Therefore the conditional at the end of the function after "exit_error" label should be modified to:
if (fp && (!output_stream || con->cmd & DO_LIST))
fclose (fp);
This will ensure that "fp" does not leak in any case it sould be opened.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
src/ftp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ftp.c b/src/ftp.c
index 69148936..daaae939 100644
--- a/src/ftp.c
+++ b/src/ftp.c
@@ -1806,7 +1806,7 @@ Error in server response, closing control connection.\n"));
exit_error:
/* If fp is a regular file, close and try to remove it */
- if (fp && !output_stream)
+ if (fp && (!output_stream || con->cmd & DO_LIST))
fclose (fp);
return err;
}
--
2.19.1

26
src-gnutls.c-ssl_connect_wget-Fix-call-to-gnutls_set.patch Normal file
View File

@ -0,0 +1,26 @@
From 5811c2222bd7d778ecbe4d2c8b2ae8448e0e074c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Thu, 27 Dec 2018 20:46:55 +0100
Subject: [PATCH 58/83] * src/gnutls.c (ssl_connect_wget): Fix call to
gnutls_set_default_priority()
---
src/gnutls.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/gnutls.c b/src/gnutls.c
index a2c9d1c1..b23714ca 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -784,7 +784,7 @@ ssl_connect_wget (int fd, const char *hostname, int *continue_session)
err = gnutls_priority_set_direct (session, opt.tls_ciphers_string, NULL);
#else
logprintf (LOG_NOTQUIET, _("GnuTLS: Cannot set prio string directly. Falling back to default priority.\n"));
- err = gnutls_set_default_priority ();
+ err = gnutls_set_default_priority (session);
#endif
}
--
2.19.1

34
src-host.c-sufmatch-Fix-dot-prefixed-domain-matching.patch Normal file
View File

@ -0,0 +1,34 @@
From fd85ac9cc623847e9d94d9f9241ab34e2c146cbf Mon Sep 17 00:00:00 2001
From: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Date: Thu, 25 Oct 2018 17:39:52 -0300
Subject: [PATCH 36/83] * src/host.c (sufmatch): Fix dot-prefixed domain
matching
Current sufmatch does not match when domain is dot-prefixed.
The example of no_proxy in man (.mit.edu) does use a dot-prefixed
domain.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Copyright-paperwork-exempt: Yes
---
src/host.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/host.c b/src/host.c
index b42cd6e8..2bf848f3 100644
--- a/src/host.c
+++ b/src/host.c
@@ -1033,8 +1033,9 @@ sufmatch (const char **list, const char *what)
/* Domain or subdomain match
* k == -1: exact match
* k >= 0 && what[k] == '.': subdomain match
+ * k >= 0 && list[i][0] == '.': dot-prefixed subdomain match
*/
- if (j == -1 && (k == -1 || what[k] == '.'))
+ if (j == -1 && (k == -1 || what[k] == '.' || list[i][0] == '.'))
return true;
}
--
2.19.1

34
src-hsts.c-open_hsts_test_store-Fix-unlink-NULL.patch Normal file
View File

@ -0,0 +1,34 @@
From 35f5f79ce13e10850b6ae2e4e732e7cf64ed5438 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Wed, 9 May 2018 12:29:39 +0200
Subject: [PATCH 07/83] * src/hsts.c (open_hsts_test_store): Fix unlink(NULL)
---
src/hsts.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/hsts.c b/src/hsts.c
index 61ca413d..64149e4d 100644
--- a/src/hsts.c
+++ b/src/hsts.c
@@ -654,11 +654,13 @@ open_hsts_test_store (void)
static void
close_hsts_test_store (hsts_store_t store)
{
- char *filename = NULL;
+ char *filename;
- filename = get_hsts_store_filename ();
- unlink (filename);
- xfree (filename);
+ if ((filename = get_hsts_store_filename ()))
+ {
+ unlink (filename);
+ xfree (filename);
+ }
xfree (store);
}
--
2.19.1

73
src-http.c-check_auth-Fix-RESOURCE-LEAK-found-by-Cov.patch Normal file
View File

@ -0,0 +1,73 @@
From b8be904ac7c25387672b0aa39f7cba699bffc48e Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Mon, 30 Jul 2018 15:38:45 +0200
Subject: [PATCH 18/83] * src/http.c (check_auth): Fix RESOURCE LEAK found by
Coverity
Error: RESOURCE_LEAK (CWE-772):
wget-1.19.5/src/http.c:2434: alloc_fn: Storage is returned from allocation function "xmalloc".
wget-1.19.5/lib/xmalloc.c:41:11: alloc_fn: Storage is returned from allocation function "malloc".
wget-1.19.5/lib/xmalloc.c:41:11: var_assign: Assigning: "p" = "malloc(n)".
wget-1.19.5/lib/xmalloc.c:44:3: return_alloc: Returning allocated memory "p".
wget-1.19.5/src/http.c:2434: var_assign: Assigning: "auth_stat" = storage returned from "xmalloc(4UL)".
wget-1.19.5/src/http.c:2446: noescape: Resource "auth_stat" is not freed or pointed-to in "create_authorization_line".
wget-1.19.5/src/http.c:5203:70: noescape: "create_authorization_line(char const *, char const *, char const *, char const *, char const *, _Bool *, uerr_t *)" does not free or save its parameter "auth_err".
wget-1.19.5/src/http.c:2476: leaked_storage: Variable "auth_stat" going out of scope leaks the storage it points to.
\# 2474| /* Creating the Authorization header went wrong */
\# 2475| }
\# 2476|-> }
\# 2477| else
\# 2478| {
Error: RESOURCE_LEAK (CWE-772):
wget-1.19.5/src/http.c:2431: alloc_fn: Storage is returned from allocation function "url_full_path".
wget-1.19.5/src/url.c:1105:19: alloc_fn: Storage is returned from allocation function "xmalloc".
wget-1.19.5/lib/xmalloc.c:41:11: alloc_fn: Storage is returned from allocation function "malloc".
wget-1.19.5/lib/xmalloc.c:41:11: var_assign: Assigning: "p" = "malloc(n)".
wget-1.19.5/lib/xmalloc.c:44:3: return_alloc: Returning allocated memory "p".
wget-1.19.5/src/url.c:1105:19: var_assign: Assigning: "full_path" = "xmalloc(length + 1)".
wget-1.19.5/src/url.c:1107:3: noescape: Resource "full_path" is not freed or pointed-to in function "full_path_write".
wget-1.19.5/src/url.c:1078:47: noescape: "full_path_write(struct url const *, char *)" does not free or save its parameter "where".
wget-1.19.5/src/url.c:1110:3: return_alloc: Returning allocated memory "full_path".
wget-1.19.5/src/http.c:2431: var_assign: Assigning: "pth" = storage returned from "url_full_path(u)".
wget-1.19.5/src/http.c:2446: noescape: Resource "pth" is not freed or pointed-to in "create_authorization_line".
wget-1.19.5/src/http.c:5203:40: noescape: "create_authorization_line(char const *, char const *, char const *, char const *, char const *, _Bool *, uerr_t *)" does not free or save its parameter "path".
wget-1.19.5/src/http.c:2476: leaked_storage: Variable "pth" going out of scope leaks the storage it points to.
\# 2474| /* Creating the Authorization header went wrong */
\# 2475| }
\# 2476|-> }
\# 2477| else
\# 2478| {
Both "pth" and "auth_stat" are allocated in "check_auth()" function. These are used for creating the HTTP Authorization Request header via "create_authorization_line()" function. In case the creation went OK (auth_err == RETROK), then the memory previously allocated to "pth" and "auth_stat" is freed. However if the creation failed, then the memory is never freed and it leaks.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
src/http.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/http.c b/src/http.c
index 093be167..4e0d467a 100644
--- a/src/http.c
+++ b/src/http.c
@@ -2451,6 +2451,8 @@ check_auth (const struct url *u, char *user, char *passwd, struct response *resp
auth_stat);
auth_err = *auth_stat;
+ xfree (auth_stat);
+ xfree (pth);
if (auth_err == RETROK)
{
request_set_header (req, "Authorization", value, rel_value);
@@ -2464,8 +2466,6 @@ check_auth (const struct url *u, char *user, char *passwd, struct response *resp
register_basic_auth_host (u->host);
}
- xfree (pth);
- xfree (auth_stat);
*retry = true;
goto cleanup;
}
--
2.19.1

66
src-http.c-http_loop-Fix-RESOURCE-LEAK-found-by-Cove.patch Normal file
View File

@ -0,0 +1,66 @@
From dfef92bac3997b9848e86d84a843d5d7dde4fd99 Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Tue, 31 Jul 2018 16:58:12 +0200
Subject: [PATCH 19/83] * src/http.c (http_loop): Fix RESOURCE LEAK found by
Coverity
Error: RESOURCE_LEAK (CWE-772):
wget-1.19.5/src/http.c:4486: alloc_fn: Storage is returned from allocation function "url_string".
wget-1.19.5/src/url.c:2248:3: alloc_fn: Storage is returned from allocation function "xmalloc".
wget-1.19.5/lib/xmalloc.c:41:11: alloc_fn: Storage is returned from allocation function "malloc".
wget-1.19.5/lib/xmalloc.c:41:11: var_assign: Assigning: "p" = "malloc(n)".
wget-1.19.5/lib/xmalloc.c:44:3: return_alloc: Returning allocated memory "p".
wget-1.19.5/src/url.c:2248:3: var_assign: Assigning: "result" = "xmalloc(size)".
wget-1.19.5/src/url.c:2248:3: var_assign: Assigning: "p" = "result".
wget-1.19.5/src/url.c:2250:3: noescape: Resource "p" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
wget-1.19.5/src/url.c:2253:7: noescape: Resource "p" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
wget-1.19.5/src/url.c:2257:11: noescape: Resource "p" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
wget-1.19.5/src/url.c:2264:3: noescape: Resource "p" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
wget-1.19.5/src/url.c:2270:7: identity_transfer: Passing "p" as argument 1 to function "number_to_string", which returns an offset off that argument.
wget-1.19.5/src/utils.c:1776:11: var_assign_parm: Assigning: "p" = "buffer".
wget-1.19.5/src/utils.c:1847:3: return_var: Returning "p", which is a copy of a parameter.
wget-1.19.5/src/url.c:2270:7: noescape: Resource "p" is not freed or pointed-to in function "number_to_string".
wget-1.19.5/src/utils.c:1774:25: noescape: "number_to_string(char *, wgint)" does not free or save its parameter "buffer".
wget-1.19.5/src/url.c:2270:7: var_assign: Assigning: "p" = "number_to_string(p, url->port)".
wget-1.19.5/src/url.c:2273:3: noescape: Resource "p" is not freed or pointed-to in function "full_path_write".
wget-1.19.5/src/url.c:1078:47: noescape: "full_path_write(struct url const *, char *)" does not free or save its parameter "where".
wget-1.19.5/src/url.c:2287:3: return_alloc: Returning allocated memory "result".
wget-1.19.5/src/http.c:4486: var_assign: Assigning: "hurl" = storage returned from "url_string(u, URL_AUTH_HIDE_PASSWD)".
wget-1.19.5/src/http.c:4487: noescape: Resource "hurl" is not freed or pointed-to in "logprintf".
wget-1.19.5/src/http.c:4513: leaked_storage: Variable "hurl" going out of scope leaks the storage it points to.
\# 4511| {
\# 4512| printwhat (count, opt.ntry);
\# 4513|-> continue;
\# 4514| }
\# 4515| else
There are two conditional branches, which call continue, without freeing memory potentially allocated and pointed to by"hurl" pointer. In fase "!opt.verbose" is True and some of the appropriate conditions in the following if/else if construction, in which "continue" is called, are also true, then the memory allocated to "hurl" will leak.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
src/http.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/http.c b/src/http.c
index 4e0d467a..46fde6f2 100644
--- a/src/http.c
+++ b/src/http.c
@@ -4505,6 +4505,7 @@ http_loop (const struct url *u, struct url *original_url, char **newloc,
&& (hstat.statcode == 500 || hstat.statcode == 501))
{
got_head = true;
+ xfree (hurl);
continue;
}
/* Maybe we should always keep track of broken links, not just in
@@ -4523,6 +4524,7 @@ Remote file does not exist -- broken link!!!\n"));
else if (check_retry_on_http_error (hstat.statcode))
{
printwhat (count, opt.ntry);
+ xfree (hurl);
continue;
}
else
--
2.19.1

35
src-http.c-resp_new-Fix-code-to-avoid-false-positive.patch Normal file
View File

@ -0,0 +1,35 @@
From 0727b8f3a9ef34b7e92128d4ef1cab6665f25fb9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Thu, 20 Sep 2018 14:59:06 +0200
Subject: [PATCH 28/83] * src/http.c (resp_new): Fix code to avoid false
positive by clang
---
src/http.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/http.c b/src/http.c
index 46fde6f2..e3f5639a 100644
--- a/src/http.c
+++ b/src/http.c
@@ -648,10 +648,13 @@ resp_new (char *head)
{
char *end = strchr (hdr, '\n');
- if (end)
- hdr = end + 1;
- else
- hdr += strlen (hdr);
+ if (!end)
+ {
+ hdr += strlen (hdr);
+ break;
+ }
+
+ hdr = end + 1;
if (*hdr != ' ' && *hdr != '\t')
break;
--
2.19.1

41
src-utils.c-open_stat-Fix-RESOURCE-LEAK-found-by-Cov.patch Normal file
View File

@ -0,0 +1,41 @@
From c045cdded4e3850724d8bb3a655852948e62c0df Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Thu, 2 Aug 2018 13:49:52 +0200
Subject: [PATCH 20/83] * src/utils.c (open_stat): Fix RESOURCE LEAK found by
Coverity
Error: RESOURCE_LEAK (CWE-772):
wget-1.19.5/src/utils.c:914: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
wget-1.19.5/src/utils.c:914: var_assign: Assigning: "fd" = handle returned from "open(fname, flags, mode)".
wget-1.19.5/src/utils.c:921: noescape: Resource "fd" is not freed or pointed-to in "fstat". [Note: The source code implementation of the function has been overridden by a builtin model.]
wget-1.19.5/src/utils.c:924: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
\# 922| {
\# 923| logprintf (LOG_NOTQUIET, _("Failed to stat file %s, error: %s\n"), fname, strerror(errno));
\# 924|-> return -1;
\# 925| }
\# 926| #if !(defined(WINDOWS) || defined(__VMS))
This seems to be a real issue, since the opened file descriptor in "fd"
would leak. There is also additional check below the "fstat" call, which
closes the opened "fd".
Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
src/utils.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/utils.c b/src/utils.c
index 0cb905ad..c6258083 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -924,6 +924,7 @@ open_stat(const char *fname, int flags, mode_t mode, file_stats_t *fstats)
if (fstat (fd, &fdstats) == -1)
{
logprintf (LOG_NOTQUIET, _("Failed to stat file %s, error: %s\n"), fname, strerror(errno));
+ close (fd);
return -1;
}
#if !(defined(WINDOWS) || defined(__VMS))
--
2.19.1

26
src-utils.ci-file_exists_p-Fix-stat-NULL.patch Normal file
View File

@ -0,0 +1,26 @@
From 4bdb09d3a705c550a594f837124a8c20b89d98b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Wed, 9 May 2018 12:37:03 +0200
Subject: [PATCH 08/83] * src/utils.ci (file_exists_p): Fix stat(NULL,...)
---
src/utils.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/utils.c b/src/utils.c
index ec55f2e0..0cb905ad 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -563,6 +563,9 @@ file_exists_p (const char *filename, file_stats_t *fstats)
{
struct stat buf;
+ if (!filename)
+ return false;
+
#if defined(WINDOWS) || defined(__VMS)
int ret = stat (filename, &buf);
if (ret >= 0)
--
2.19.1

71
src-warc.c-warc_write_cdx_record-Fix-RESOURCE-LEAK-f.patch Normal file
View File

@ -0,0 +1,71 @@
From 2f451dbf4e83c751f6bbba7ed26d90bf275fcbf7 Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Fri, 24 Aug 2018 16:57:37 +0200
Subject: [PATCH 22/83] * src/warc.c (warc_write_cdx_record): Fix RESOURCE LEAK
found by Coverity
Error: RESOURCE_LEAK (CWE-772): - REAL ERROR
wget-1.19.5/src/warc.c:1376: alloc_fn: Storage is returned from allocation function "url_escape".
wget-1.19.5/src/url.c:284:3: alloc_fn: Storage is returned from allocation function "url_escape_1".
wget-1.19.5/src/url.c:255:3: alloc_fn: Storage is returned from allocation function "xmalloc".
wget-1.19.5/lib/xmalloc.c:41:11: alloc_fn: Storage is returned from allocation function "malloc".
wget-1.19.5/lib/xmalloc.c:41:11: var_assign: Assigning: "p" = "malloc(n)".
wget-1.19.5/lib/xmalloc.c:44:3: return_alloc: Returning allocated memory "p".
wget-1.19.5/src/url.c:255:3: var_assign: Assigning: "newstr" = "xmalloc(newlen + 1)".
wget-1.19.5/src/url.c:258:3: var_assign: Assigning: "p2" = "newstr".
wget-1.19.5/src/url.c:275:3: return_alloc: Returning allocated memory "newstr".
wget-1.19.5/src/url.c:284:3: return_alloc_fn: Directly returning storage allocated by "url_escape_1".
wget-1.19.5/src/warc.c:1376: var_assign: Assigning: "redirect_location" = storage returned from "url_escape(redirect_location)".
wget-1.19.5/src/warc.c:1381: noescape: Resource "redirect_location" is not freed or pointed-to in "fprintf".
wget-1.19.5/src/warc.c:1387: leaked_storage: Returning without freeing "redirect_location" leaks the storage that it points to.
\# 1385| fflush (warc_current_cdx_file);
\# 1386|
\# 1387|-> return true;
\# 1388| }
\# 1389|
url_escape() really returns a newly allocated memory and it leaks when the warc_write_cdx_record() returns. The memory returned from url_escape() is usually stored in a temporary variable in other parts of the project and then freed. I took the same approach.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
src/warc.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/warc.c b/src/warc.c
index 5ebd04d7..2eb74966 100644
--- a/src/warc.c
+++ b/src/warc.c
@@ -1364,6 +1364,7 @@ warc_write_cdx_record (const char *url, const char *timestamp_str,
char timestamp_str_cdx[15];
char offset_string[MAX_INT_TO_STRING_LEN(off_t)];
const char *checksum;
+ char *tmp_location = NULL;
memcpy (timestamp_str_cdx , timestamp_str , 4); /* "YYYY" "-" */
memcpy (timestamp_str_cdx + 4, timestamp_str + 5, 2); /* "mm" "-" */
@@ -1382,18 +1383,19 @@ warc_write_cdx_record (const char *url, const char *timestamp_str,
if (mime_type == NULL || strlen(mime_type) == 0)
mime_type = "-";
if (redirect_location == NULL || strlen(redirect_location) == 0)
- redirect_location = "-";
+ tmp_location = strdup ("-");
else
- redirect_location = url_escape(redirect_location);
+ tmp_location = url_escape(redirect_location);
number_to_string (offset_string, offset);
/* Print the CDX line. */
fprintf (warc_current_cdx_file, "%s %s %s %s %d %s %s - %s %s %s\n", url,
timestamp_str_cdx, url, mime_type, response_code, checksum,
- redirect_location, offset_string, warc_current_filename,
+ tmp_location, offset_string, warc_current_filename,
response_uuid);
fflush (warc_current_cdx_file);
+ free (tmp_location);
return true;
}
--
2.19.1

69
src-warc.c-warc_write_start_record-Fix-potential-RES.patch Normal file
View File

@ -0,0 +1,69 @@
From 8b451f9f21cc1b00d1a08116b542fb7bd7589405 Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Fri, 3 Aug 2018 16:19:20 +0200
Subject: [PATCH 21/83] * src/warc.c (warc_write_start_record): Fix potential
RESOURCE LEAK
In warc_write_start_record() function, the reutrn value of dup() is
directly used in gzdopen() call and not stored anywhere. However the
zlib documentation says that "The duplicated descriptor should be saved
to avoid a leak, since gzdopen does not close fd if it fails." [1].
This change stores the FD in a variable and closes it in case gzopen()
fails.
[1] https://www.zlib.net/manual.html
Error: RESOURCE_LEAK (CWE-772):
wget-1.19.5/src/warc.c:217: open_fn: Returning handle opened by "dup".
wget-1.19.5/src/warc.c:217: leaked_handle: Failing to save or close handle opened by "dup(fileno(warc_current_file))" leaks it.
\# 215|
\# 216| /* Start a new GZIP stream. */
\# 217|-> warc_current_gzfile = gzdopen (dup (fileno (warc_current_file)), "wb9");
\# 218| warc_current_gzfile_uncompressed_size = 0;
\# 219|
Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
src/warc.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/warc.c b/src/warc.c
index 3482cf3b..5ebd04d7 100644
--- a/src/warc.c
+++ b/src/warc.c
@@ -203,6 +203,7 @@ warc_write_start_record (void)
/* Start a GZIP stream, if required. */
if (opt.warc_compression_enabled)
{
+ int dup_fd;
/* Record the starting offset of the new record. */
warc_current_gzfile_offset = ftello (warc_current_file);
@@ -214,13 +215,23 @@ warc_write_start_record (void)
fflush (warc_current_file);
/* Start a new GZIP stream. */
- warc_current_gzfile = gzdopen (dup (fileno (warc_current_file)), "wb9");
+ dup_fd = dup (fileno (warc_current_file));
+ if (dup_fd < 0)
+ {
+ logprintf (LOG_NOTQUIET,
+_("Error duplicating WARC file file descriptor.\n"));
+ warc_write_ok = false;
+ return false;
+ }
+
+ warc_current_gzfile = gzdopen (dup_fd, "wb9");
warc_current_gzfile_uncompressed_size = 0;
if (warc_current_gzfile == NULL)
{
logprintf (LOG_NOTQUIET,
_("Error opening GZIP stream to WARC file.\n"));
+ close (dup_fd);
warc_write_ok = false;
return false;
}
--
2.19.1

172
wget-1.17-path.patch Normal file
View File

@ -0,0 +1,172 @@
diff --git a/NEWS b/NEWS
index d23ae95..aa3247f 100644
--- a/NEWS
+++ b/NEWS
@@ -935,7 +935,7 @@ distributed with Wget.
** Compiles on pre-ANSI compilers.
-** Global wgetrc now goes to /usr/local/etc (i.e. $sysconfdir).
+** Global wgetrc now goes to /etc (i.e. $sysconfdir).
** Lots of bugfixes.
@@ -998,7 +998,7 @@ Emacs, standalone info, or converted to HTML, dvi or postscript.
** Fixed a long-standing bug, so that Wget now works over SLIP
connections.
-** You can have a system-wide wgetrc (/usr/local/lib/wgetrc by
+** You can have a system-wide wgetrc (/etc/wgetrc by
default). Settings in $HOME/.wgetrc override the global ones, of
course :-)
diff --git a/README b/README
index 692e1c6..38231c9 100644
--- a/README
+++ b/README
@@ -33,7 +33,7 @@ for socks.
Most of the features are configurable, either through command-line
options, or via initialization file .wgetrc. Wget allows you to
-install a global startup file (/usr/local/etc/wgetrc by default) for
+install a global startup file (/etc/wgetrc by default) for
site settings.
Wget works under almost all Unix variants in use today and, unlike
diff --git a/doc/sample.wgetrc b/doc/sample.wgetrc
index c0d0779..9a73ada 100644
--- a/doc/sample.wgetrc
+++ b/doc/sample.wgetrc
@@ -10,7 +10,7 @@
## Or online here:
## https://www.gnu.org/software/wget/manual/wget.html#Startup-File
##
-## Wget initialization file can reside in /usr/local/etc/wgetrc
+## Wget initialization file can reside in /etc/wgetrc
## (global, for all users) or $HOME/.wgetrc (for a single user).
##
## To use the settings in this file, you will have to uncomment them,
@@ -22,7 +22,7 @@
##
-## Global settings (useful for setting up in /usr/local/etc/wgetrc).
+## Global settings (useful for setting up in /etc/wgetrc).
## Think well before you change them, since they may reduce wget's
## functionality, and make it behave contrary to the documentation:
##
diff --git a/doc/sample.wgetrc.munged_for_texi_inclusion b/doc/sample.wgetrc.munged_for_texi_inclusion
index 3c7f2f4..521ef16 100644
--- a/doc/sample.wgetrc.munged_for_texi_inclusion
+++ b/doc/sample.wgetrc.munged_for_texi_inclusion
@@ -10,7 +10,7 @@
## Or online here:
## https://www.gnu.org/software/wget/manual/wget.html#Startup-File
##
-## Wget initialization file can reside in /usr/local/etc/wgetrc
+## Wget initialization file can reside in /etc/wgetrc
## (global, for all users) or $HOME/.wgetrc (for a single user).
##
## To use the settings in this file, you will have to uncomment them,
@@ -22,7 +22,7 @@
##
-## Global settings (useful for setting up in /usr/local/etc/wgetrc).
+## Global settings (useful for setting up in /etc/wgetrc).
## Think well before you change them, since they may reduce wget's
## functionality, and make it behave contrary to the documentation:
##
diff --git a/doc/wget.info b/doc/wget.info
index 40ce0d4..89c6652 100644
--- a/doc/wget.info
+++ b/doc/wget.info
@@ -109,7 +109,7 @@ retrieval through HTTP proxies.
• Most of the features are fully configurable, either through command
line options, or via the initialization file .wgetrc (*note
Startup File::). Wget allows you to define “global” startup files
- (/usr/local/etc/wgetrc by default) for site settings. You can
+ (/etc/wgetrc by default) for site settings. You can
also specify the location of a startup file with the config
option. To disable the reading of config files, use no-config.
If both config and no-config are given, no-config is ignored.
@@ -2825,8 +2825,8 @@ File: wget.info, Node: Wgetrc Location, Next: Wgetrc Syntax, Prev: Startup Fi
===================
When initializing, Wget will look for a “global” startup file,
-/usr/local/etc/wgetrc by default (or some prefix other than
-/usr/local, if Wget was not installed there) and read commands from
+/etc/wgetrc by default (or some prefix other than
+/etc, if Wget was not installed there) and read commands from
there, if it exists.
Then it will look for the users file. If the environmental variable
@@ -2837,7 +2837,7 @@ further attempts will be made.
The fact that users settings are loaded after the system-wide ones
means that in case of collision users wgetrc _overrides_ the
-system-wide wgetrc (in /usr/local/etc/wgetrc by default). Fascist
+system-wide wgetrc (in /etc/wgetrc by default). Fascist
admins, away!

@@ -3380,7 +3380,7 @@ its line.
## Or online here:
## https://www.gnu.org/software/wget/manual/wget.html#Startup-File
##
- ## Wget initialization file can reside in /usr/local/etc/wgetrc
+ ## Wget initialization file can reside in /etc/wgetrc
## (global, for all users) or $HOME/.wgetrc (for a single user).
##
## To use the settings in this file, you will have to uncomment them,
@@ -3392,7 +3392,7 @@ its line.
##
- ## Global settings (useful for setting up in /usr/local/etc/wgetrc).
+ ## Global settings (useful for setting up in /etc/wgetrc).
## Think well before you change them, since they may reduce wget's
## functionality, and make it behave contrary to the documentation:
##
diff --git a/doc/wget.texi b/doc/wget.texi
index eaf6b38..608d008 100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -190,7 +190,7 @@ gauge can be customized to your preferences.
Most of the features are fully configurable, either through command line
options, or via the initialization file @file{.wgetrc} (@pxref{Startup
File}). Wget allows you to define @dfn{global} startup files
-(@file{/usr/local/etc/wgetrc} by default) for site settings. You can also
+(@file{/etc/wgetrc} by default) for site settings. You can also
specify the location of a startup file with the --config option.
To disable the reading of config files, use --no-config.
If both --config and --no-config are given, --no-config is ignored.
@@ -199,7 +199,7 @@ If both --config and --no-config are given, --no-config is ignored.
@ignore
@c man begin FILES
@table @samp
-@item /usr/local/etc/wgetrc
+@item /etc/wgetrc
Default location of the @dfn{global} startup file.
@item .wgetrc
@@ -3154,8 +3154,8 @@ commands.
@cindex location of wgetrc
When initializing, Wget will look for a @dfn{global} startup file,
-@file{/usr/local/etc/wgetrc} by default (or some prefix other than
-@file{/usr/local}, if Wget was not installed there) and read commands
+@file{/etc/wgetrc} by default (or some prefix other than
+@file{/etc}, if Wget was not installed there) and read commands
from there, if it exists.
Then it will look for the user's file. If the environmental variable
@@ -3166,7 +3166,7 @@ If @code{WGETRC} is not set, Wget will try to load @file{$HOME/.wgetrc}.
The fact that user's settings are loaded after the system-wide ones
means that in case of collision user's wgetrc @emph{overrides} the
-system-wide wgetrc (in @file{/usr/local/etc/wgetrc} by default).
+system-wide wgetrc (in @file{/etc/wgetrc} by default).
Fascist admins, away!
@node Wgetrc Syntax, Wgetrc Commands, Wgetrc Location, Startup File

27
wget-1.19.5-no-log-when-quiet.patch Normal file
View File

@ -0,0 +1,27 @@
From 7ddcebd61e170fb03d361f82bf8f5550ee62a1ae Mon Sep 17 00:00:00 2001
From: Tomas Korbar <tkorbar@redhat.com>
Date: Wed, 29 Aug 2018 12:33:43 +0200
Subject: [PATCH] Avoid creating empty wget-log when using -O and -q in
background
* src/log.c (check_redirect_output): Check for quiet mode
---
src/log.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/log.c b/src/log.c
index d879dffe..e8cca2f3 100644
--- a/src/log.c
+++ b/src/log.c
@@ -974,7 +974,7 @@ check_redirect_output (void)
{
pid_t foreground_pgrp = tcgetpgrp (STDIN_FILENO);
- if (foreground_pgrp != -1 && foreground_pgrp != getpgrp ())
+ if (foreground_pgrp != -1 && foreground_pgrp != getpgrp () && !opt.quiet)
{
/* Process backgrounded */
redirect_output (true,NULL);
--
2.17.1

BIN
wget-1.19.5.tar.gz Normal file
View File

Binary file not shown.

82
wget.spec Normal file
View File

@ -0,0 +1,82 @@
Name: wget
Version: 1.19.5
Release: 6
Summary: A package for retrieving files using HTTP, HTTPS, FTP and FTPS the most widely-used Internet protocols.
License: GPLv3+
Url: http://www.gnu.org/software/wget/
Source: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz
#patches from fedora/redhat
Patch0001: wget-1.17-path.patch
Patch0002: wget-1.19.5-no-log-when-quiet.patch
#patches backport from upstream community
Patch6000: src-hsts.c-open_hsts_test_store-Fix-unlink-NULL.patch
Patch6001: src-utils.ci-file_exists_p-Fix-stat-NULL.patch
Patch6002: Save-original-data-to-WARC-file.patch
Patch6003: src-ftp.c-getftp-Fix-RESOURCE-LEAK-found-by-Coverity.patch
Patch6004: src-http.c-check_auth-Fix-RESOURCE-LEAK-found-by-Cov.patch
Patch6005: src-http.c-http_loop-Fix-RESOURCE-LEAK-found-by-Cove.patch
Patch6006: src-utils.c-open_stat-Fix-RESOURCE-LEAK-found-by-Cov.patch
Patch6007: src-warc.c-warc_write_start_record-Fix-potential-RES.patch
Patch6008: src-warc.c-warc_write_cdx_record-Fix-RESOURCE-LEAK-f.patch
Patch6009: src-convert.c-convert_links-Fix-code-to-avoid-false-.patch
Patch6010: src-http.c-resp_new-Fix-code-to-avoid-false-positive.patch
Patch6011: src-convert.c-convert_links-Fix-fallthrough.patch
Patch6012: src-host.c-sufmatch-Fix-dot-prefixed-domain-matching.patch
Patch6013: Revert-Bail-out-on-unexpected-416-server-errors.patch
Patch6014: src-gnutls.c-ssl_connect_wget-Fix-call-to-gnutls_set.patch
Patch6015: Fix-corner-case-in-processing-server-response.patch
Patch6016: CVE-2018-20483-Don-t-use-extended-attributes-xattr-by-default.patch
Patch6017: CVE-2018-20483-Don-t-save-user-pw-with-xattr.patch
Patch6018: CVE-2019-5953.patch
Provides: webclient bundled(gnulib)
BuildRequires: perl-HTTP-Daemon python3 libuuid-devel perl-podlators libpsl-devel libmetalink-devel
BuildRequires: gnutls-devel pkgconfig texinfo gettext autoconf libidn2-devel gpgme-devel zlib-devel
%description
GNU Wget is a free software package for retrieving files using HTTP, HTTPS,
FTP and FTPS the most widely-used Internet protocols. It is a non-interactive
commandline tool, so it may easily be called from scripts, cron jobs, terminals
without X-Windows support, etc.
%package help
Summary: help package for %{name}
%description help
This is the help package for %{name}. It includes some doc
files and man, info files.
%prep
%autosetup -p1
%build
%configure --with-ssl=gnutls --with-libpsl --enable-largefile --enable-opie --enable-digest --enable-ntlm --enable-nls --enable-ipv6 --disable-rpath --with-metalink
%make_build
%install
%make_install CFLAGS="$RPM_OPT_FLAGS"
%find_lang %{name}
rm -f %{buildroot}%{_infodir}/dir
%check
make check
%files -f %{name}.lang
%doc AUTHORS COPYING
%config(noreplace) %{_sysconfdir}/wgetrc
%{_bindir}/wget
%files help
%doc MAILING-LIST NEWS README doc/sample.wgetrc
%{_mandir}/man1/wget.*
%{_infodir}/*
%changelog
* Sat Sep 14 2019 huzhiyu<huzhiyu1@huawei.com> - 1.19.5-6
- Package init