8 changed files with 26 additions and 503 deletions
--- a/backport-CVE-2024-10524.patch
+++ b/backport-CVE-2024-10524.patch
@ -1,191 +0,0 @@
 From c419542d956a2607bbce5df64b9d378a8588d778 Mon Sep 17 00:00:00 2001
 From: Tim Rühsen <tim.ruehsen@gmx.de>
 Date: Sun, 27 Oct 2024 19:53:14 +0100
 Subject: Fix CVE-2024-10524 (drop support for shorthand URLs)
 * doc/wget.texi: Add documentation for removed support for shorthand URLs.
 * src/html-url.c (src/html-url.c): Call maybe_prepend_scheme.
 * src/main.c (main): Likewise.
 * src/retr.c (getproxy): Likewise.
 * src/url.c: Rename definition of rewrite_shorthand_url to maybe_prepend_scheme,
  add new function is_valid_port.
 * src/url.h: Rename declaration of rewrite_shorthand_url to maybe_prepend_scheme.
 Reported-by: Goni Golan <gonig@jfrog.com>
 ---
 doc/wget.texi  | 12 ++++--------
 src/html-url.c |  2 +-
 src/main.c     |  2 +-
 src/retr.c     |  2 +-
 src/url.c      | 57 ++++++++++++++++++---------------------------------------
 src/url.h      |  2 +-
 6 files changed, 26 insertions(+), 51 deletions(-)
 diff --git a/doc/wget.texi b/doc/wget.texi
 index 1d026d72..d46da375 100644
 --- a/doc/wget.texi
 +++ b/doc/wget.texi
@@ -314,8 +314,8 @@ for text files.  Here is an example:
 ftp://host/directory/file;type=a
 @end example
 -Two alternative variants of @sc{url} specification are also supported,
 -because of historical (hysterical?) reasons and their widespreaded use.
 +The two alternative variants of @sc{url} specifications are no longer
 +supported because of security considerations:
 @sc{ftp}-only syntax (supported by @code{NcFTP}):
 @example
@@ -327,12 +327,8 @@ host:/dir/file
 host[:port]/dir/file
 @end example
 -These two alternative forms are deprecated, and may cease being
 -supported in the future.
 -
 -If you do not understand the difference between these notations, or do
 -not know which one to use, just use the plain ordinary format you use
 -with your favorite browser, like @code{Lynx} or @code{Netscape}.
 +These two alternative forms have been deprecated long time ago,
 +and support is removed with version 1.22.0.
 @c man begin OPTIONS
 diff --git a/src/html-url.c b/src/html-url.c
 index 8e960092..99914943 100644
 --- a/src/html-url.c
 +++ b/src/html-url.c
@@ -932,7 +932,7 @@ get_urls_file (const char *file, bool *read_again)
           url_text = merged;
         }
 -      new_url = rewrite_shorthand_url (url_text);
 +      new_url = maybe_prepend_scheme (url_text);
       if (new_url)
         {
           xfree (url_text);
 diff --git a/src/main.c b/src/main.c
 index 77b1a0b6..6858d2da 100644
 --- a/src/main.c
 +++ b/src/main.c
@@ -2126,7 +2126,7 @@ only if outputting to a regular file.\n"));
       struct iri *iri = iri_new ();
       struct url *url_parsed;
 -      t = rewrite_shorthand_url (argv[optind]);
 +      t = maybe_prepend_scheme (argv[optind]);
       if (!t)
         t = argv[optind];
 diff --git a/src/retr.c b/src/retr.c
 index 5422963c..26eb9f17 100644
 --- a/src/retr.c
 +++ b/src/retr.c
@@ -1546,7 +1546,7 @@ getproxy (struct url *u)
   /* Handle shorthands.  `rewritten_storage' is a kludge to allow
      getproxy() to return static storage. */
 -  rewritten_url = rewrite_shorthand_url (proxy);
 +  rewritten_url = maybe_prepend_scheme (proxy);
   if (rewritten_url)
     return rewritten_url;
 diff --git a/src/url.c b/src/url.c
 index 07c3bc87..2f27c48a 100644
 --- a/src/url.c
 +++ b/src/url.c
@@ -594,60 +594,39 @@ parse_credentials (const char *beg, const char *end, char **user, char **passwd)
   return true;
 }
 -/* Used by main.c: detect URLs written using the "shorthand" URL forms
 -   originally popularized by Netscape and NcFTP.  HTTP shorthands look
 -   like this:
 -
 -   www.foo.com[:port]/dir/file   -> http://www.foo.com[:port]/dir/file
 -   www.foo.com[:port]            -> http://www.foo.com[:port]
 -
 -   FTP shorthands look like this:
 -
 -   foo.bar.com:dir/file          -> ftp://foo.bar.com/dir/file
 -   foo.bar.com:/absdir/file      -> ftp://foo.bar.com//absdir/file
 +static bool is_valid_port(const char *p)
 +{
 +  unsigned port = (unsigned) atoi (p);
 +  if (port == 0 || port > 65535)
 +    return false;
 -   If the URL needs not or cannot be rewritten, return NULL.  */
 +  int digits = strspn (p, "0123456789");
 +  return digits && (p[digits] == '/' || p[digits] == '\0');
 +}
 +/* Prepend "http://" to url if scheme is missing, otherwise return NULL. */
 char *
 -rewrite_shorthand_url (const char *url)
 +maybe_prepend_scheme (const char *url)
 {
 -  const char *p;
 -  char *ret;
 -
   if (url_scheme (url) != SCHEME_INVALID)
     return NULL;
 -  /* Look for a ':' or '/'.  The former signifies NcFTP syntax, the
 -     latter Netscape.  */
 -  p = strpbrk (url, ":/");
 +  const char *p = strchr (url, ':');
   if (p == url)
     return NULL;
   /* If we're looking at "://", it means the URL uses a scheme we
      don't support, which may include "https" when compiled without
 -     SSL support.  Don't bogusly rewrite such URLs.  */
 +     SSL support.  Don't bogusly prepend "http://" to such URLs.  */
   if (p && p[0] == ':' && p[1] == '/' && p[2] == '/')
     return NULL;
 -  if (p && *p == ':')
 -    {
 -      /* Colon indicates ftp, as in foo.bar.com:path.  Check for
 -         special case of http port number ("localhost:10000").  */
 -      int digits = strspn (p + 1, "0123456789");
 -      if (digits && (p[1 + digits] == '/' || p[1 + digits] == '\0'))
 -        goto http;
 -
 -      /* Turn "foo.bar.com:path" to "ftp://foo.bar.com/path". */
 -      if ((ret = aprintf ("ftp://%s", url)) != NULL)
 -        ret[6 + (p - url)] = '/';
 -    }
 -  else
 -    {
 -    http:
 -      /* Just prepend "http://" to URL. */
 -      ret = aprintf ("http://%s", url);
 -    }
 -  return ret;
 +  if (p && p[0] == ':' && !is_valid_port (p + 1))
 +    return NULL;
 +
 +
 +  fprintf(stderr, "Prepended http:// to '%s'\n", url);
 +  return aprintf ("http://%s", url);
 }
 static void split_path (const char *, char **, char **);
 diff --git a/src/url.h b/src/url.h
 index 2dfbf30b..7796a21c 100644
 --- a/src/url.h
 +++ b/src/url.h
@@ -128,7 +128,7 @@ char *uri_merge (const char *, const char *);
 int mkalldirs (const char *);
 -char *rewrite_shorthand_url (const char *);
 +char *maybe_prepend_scheme (const char *);
 bool schemes_are_similar_p (enum url_scheme a, enum url_scheme b);
 bool are_urls_equal (const char *u1, const char *u2);
 -- 
 cgit v1.2.3-70-g09d2
--- a/backport-CVE-2024-38428.patch
+++ b/backport-CVE-2024-38428.patch
@ -1,76 +0,0 @@
 From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
 Date: Sun, 2 Jun 2024 12:40:16 +0200
 Subject: Properly re-implement userinfo parsing (rfc2396)
 * src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
 The reason why the implementation is based on RFC 2396, an outdated standard,
 is that the whole file is based on that RFC, and mixing standard here might be
 dangerous.
 ---
 src/url.c | 40 ++++++++++++++++++++++++++++++++++------
 1 file changed, 34 insertions(+), 6 deletions(-)
 diff --git a/src/url.c b/src/url.c
 index 2ff0b55..0acd3f3 100644
 --- a/src/url.c
 +++ b/src/url.c
@@ -41,6 +41,7 @@ as that of the covered work.  */
 #include "url.h"
 #include "host.h"  /* for is_valid_ipv6_address */
 #include "c-strcase.h"
 +#include "c-ctype.h"
 #ifdef HAVE_ICONV
 # include <iconv.h>
@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
 static const char *
 url_skip_credentials (const char *url)
 {
 -  /* Look for '@' that comes before terminators, such as '/', '?',
 -     '#', or ';'.  */
 -  const char *p = (const char *)strpbrk (url, "@/?#;");
 -  if (!p || *p != '@')
 -    return url;
 -  return p + 1;
 +  /*
 +   * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
 +   * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
 +   *
 +   * The RFC says
 +   * server        = [ [ userinfo "@" ] hostport ]
 +   * userinfo      = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
 +   * unreserved    = alphanum | mark
 +   * mark          = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
 +   */
 +  static const char *allowed = "-_.!~*'();:&=+$,";
 +
 +  for (const char *p = url; *p; p++)
 +    {
 +      if (c_isalnum(*p))
 +        continue;
 +
 +      if (strchr(allowed, *p))
 +        continue;
 +
 +      if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
 +        {
 +          p += 2;
 +          continue;
 +        }
 +
 +      if (*p == '@')
 +        return p + 1;
 +
 +      break;
 +    }
 +
 +  return url;
 }
 /* Parse credentials contained in [BEG, END).  The region is expected
 -- 
 2.33.0
--- a/backport-src-url.c-maybe_prepend_scheme-Print-message-only-in.patch
+++ b/backport-src-url.c-maybe_prepend_scheme-Print-message-only-in.patch
@ -1,26 +0,0 @@
 From d98df662121977f3d3ba69d0cfbd4d3322714f2d Mon Sep 17 00:00:00 2001
 From: Darshit Shah <darnir@gnu.org>
 Date: Fri, 15 Nov 2024 22:28:41 +0100
 Subject: [PATCH] * src/url.c (maybe_prepend_scheme): Print message only in
 verbose mode
 ---
 src/url.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/url.c b/src/url.c
 index 2f27c48a..913db4f1 100644
 --- a/src/url.c
 +++ b/src/url.c
@@ -625,7 +625,7 @@ maybe_prepend_scheme (const char *url)
     return NULL;
 -  fprintf(stderr, "Prepended http:// to '%s'\n", url);
 +  logprintf (LOG_VERBOSE, _ ("Prepended http:// to '%s'\n"), url);
   return aprintf ("http://%s", url);
 }
 -- 
 2.23.0
--- a/backport-wget-1.17-path.patch
+++ b/backport-wget-1.17-path.patch
@ -1,172 +0,0 @@
 diff --git a/NEWS b/NEWS
 index d23ae95..aa3247f 100644
 --- a/NEWS
 +++ b/NEWS
@@ -935,7 +935,7 @@ distributed with Wget.
 ** Compiles on pre-ANSI compilers.
 -** Global wgetrc now goes to /usr/local/etc (i.e. $sysconfdir).
 +** Global wgetrc now goes to /etc (i.e. $sysconfdir).
 ** Lots of bugfixes.
@@ -998,7 +998,7 @@ Emacs, standalone info, or converted to HTML, dvi or postscript.
 ** Fixed a long-standing bug, so that Wget now works over SLIP
 connections.
 -** You can have a system-wide wgetrc (/usr/local/lib/wgetrc by
 +** You can have a system-wide wgetrc (/etc/wgetrc by
 default). Settings in $HOME/.wgetrc override the global ones, of
 course :-)
 diff --git a/README b/README
 index 692e1c6..38231c9 100644
 --- a/README
 +++ b/README
@@ -33,7 +33,7 @@ for socks.
 Most of the features are configurable, either through command-line
 options, or via initialization file .wgetrc.  Wget allows you to
 -install a global startup file (/usr/local/etc/wgetrc by default) for
 +install a global startup file (/etc/wgetrc by default) for
 site settings.
 Wget works under almost all Unix variants in use today and, unlike
 diff --git a/doc/sample.wgetrc b/doc/sample.wgetrc
 index c0d0779..9a73ada 100644
 --- a/doc/sample.wgetrc
 +++ b/doc/sample.wgetrc
@@ -10,7 +10,7 @@
 ## Or online here:
 ##   https://www.gnu.org/software/wget/manual/wget.html#Startup-File
 ##
 -## Wget initialization file can reside in /usr/local/etc/wgetrc
 +## Wget initialization file can reside in /etc/wgetrc
 ## (global, for all users) or $HOME/.wgetrc (for a single user).
 ##
 ## To use the settings in this file, you will have to uncomment them,
@@ -22,7 +22,7 @@
 ##
 -## Global settings (useful for setting up in /usr/local/etc/wgetrc).
 +## Global settings (useful for setting up in /etc/wgetrc).
 ## Think well before you change them, since they may reduce wget's
 ## functionality, and make it behave contrary to the documentation:
 ##
 diff --git a/doc/sample.wgetrc.munged_for_texi_inclusion b/doc/sample.wgetrc.munged_for_texi_inclusion
 index 3c7f2f4..521ef16 100644
 --- a/doc/sample.wgetrc.munged_for_texi_inclusion
 +++ b/doc/sample.wgetrc.munged_for_texi_inclusion
@@ -10,7 +10,7 @@
 ## Or online here:
 ##   https://www.gnu.org/software/wget/manual/wget.html#Startup-File
 ##
 -## Wget initialization file can reside in /usr/local/etc/wgetrc
 +## Wget initialization file can reside in /etc/wgetrc
 ## (global, for all users) or $HOME/.wgetrc (for a single user).
 ##
 ## To use the settings in this file, you will have to uncomment them,
@@ -22,7 +22,7 @@
 ##
 -## Global settings (useful for setting up in /usr/local/etc/wgetrc).
 +## Global settings (useful for setting up in /etc/wgetrc).
 ## Think well before you change them, since they may reduce wget's
 ## functionality, and make it behave contrary to the documentation:
 ##
 diff --git a/doc/wget.info b/doc/wget.info
 index 40ce0d4..89c6652 100644
 --- a/doc/wget.info
 +++ b/doc/wget.info
@@ -109,7 +109,7 @@ retrieval through HTTP proxies.
    • Most of the features are fully configurable, either through command
      line options, or via the initialization file ‘.wgetrc’ (*note
      Startup File::).  Wget allows you to define “global” startup files
 -     (‘/usr/local/etc/wgetrc’ by default) for site settings.  You can
 +     (‘/etc/wgetrc’ by default) for site settings.  You can
      also specify the location of a startup file with the –config
      option.  To disable the reading of config files, use –no-config.
      If both –config and –no-config are given, –no-config is ignored.
@@ -2825,8 +2825,8 @@ File: wget.info,  Node: Wgetrc Location,  Next: Wgetrc Syntax,  Prev: Startup Fi
 ===================
 When initializing, Wget will look for a “global” startup file,
 -‘/usr/local/etc/wgetrc’ by default (or some prefix other than
 -‘/usr/local’, if Wget was not installed there) and read commands from
 +‘/etc/wgetrc’ by default (or some prefix other than
 +‘/etc’, if Wget was not installed there) and read commands from
 there, if it exists.
    Then it will look for the user’s file.  If the environmental variable
@@ -2837,7 +2837,7 @@ further attempts will be made.
    The fact that user’s settings are loaded after the system-wide ones
 means that in case of collision user’s wgetrc _overrides_ the
 -system-wide wgetrc (in ‘/usr/local/etc/wgetrc’ by default).  Fascist
 +system-wide wgetrc (in ‘/etc/wgetrc’ by default).  Fascist
 admins, away!
@@ -3380,7 +3380,7 @@ its line.
      ## Or online here:
      ##   https://www.gnu.org/software/wget/manual/wget.html#Startup-File
      ##
 -     ## Wget initialization file can reside in /usr/local/etc/wgetrc
 +     ## Wget initialization file can reside in /etc/wgetrc
      ## (global, for all users) or $HOME/.wgetrc (for a single user).
      ##
      ## To use the settings in this file, you will have to uncomment them,
@@ -3392,7 +3392,7 @@ its line.
      ##
 -     ## Global settings (useful for setting up in /usr/local/etc/wgetrc).
 +     ## Global settings (useful for setting up in /etc/wgetrc).
      ## Think well before you change them, since they may reduce wget's
      ## functionality, and make it behave contrary to the documentation:
      ##
 diff --git a/doc/wget.texi b/doc/wget.texi
 index eaf6b38..608d008 100644
 --- a/doc/wget.texi
 +++ b/doc/wget.texi
@@ -190,7 +190,7 @@ gauge can be customized to your preferences.
 Most of the features are fully configurable, either through command line
 options, or via the initialization file @file{.wgetrc} (@pxref{Startup
 File}).  Wget allows you to define @dfn{global} startup files
 -(@file{/usr/local/etc/wgetrc} by default) for site settings. You can also
 +(@file{/etc/wgetrc} by default) for site settings. You can also
 specify the location of a startup file with the --config option.
 To disable the reading of config files, use --no-config.
 If both --config and --no-config are given, --no-config is ignored.
@@ -199,7 +199,7 @@ If both --config and --no-config are given, --no-config is ignored.
 @ignore
 @c man begin FILES
 @table @samp
 -@item /usr/local/etc/wgetrc
 +@item /etc/wgetrc
 Default location of the @dfn{global} startup file.
 @item .wgetrc
@@ -3154,8 +3154,8 @@ commands.
 @cindex location of wgetrc
 When initializing, Wget will look for a @dfn{global} startup file,
 -@file{/usr/local/etc/wgetrc} by default (or some prefix other than
 -@file{/usr/local}, if Wget was not installed there) and read commands
 +@file{/etc/wgetrc} by default (or some prefix other than
 +@file{/etc}, if Wget was not installed there) and read commands
 from there, if it exists.
 Then it will look for the user's file.  If the environmental variable
@@ -3166,7 +3166,7 @@ If @code{WGETRC} is not set, Wget will try to load @file{$HOME/.wgetrc}.
 The fact that user's settings are loaded after the system-wide ones
 means that in case of collision user's wgetrc @emph{overrides} the
 -system-wide wgetrc (in @file{/usr/local/etc/wgetrc} by default).
 +system-wide wgetrc (in @file{/etc/wgetrc} by default).
 Fascist admins, away!
 @node Wgetrc Syntax, Wgetrc Commands, Wgetrc Location, Startup File
--- a/backport-wget-1.21-ssl-init-output.patch
+++ b/backport-wget-1.21-ssl-init-output.patch
@ -0,0 +1,21 @@
 diff --git a/src/gnutls.c b/src/gnutls.c
 index 0ecf2c81..81fe9518 100644
 --- a/src/gnutls.c
 +++ b/src/gnutls.c
@@ -99,7 +99,6 @@ static gnutls_certificate_credentials_t credentials;
 bool
 ssl_init (void)
 {
 -  fprintf(stderr,"SSL_INIT\n");
   /* Becomes true if GnuTLS is initialized. */
   const char *ca_directory;
   DIR *dir;
@@ -237,8 +236,6 @@ cert to be of the same type.\n"));
 void
 ssl_cleanup (void)
 {
 -  fprintf(stderr,"SSL_CLEANUP\n");
 -
   if (!ssl_initialized)
     return;
--- a/wget-1.21.2.tar.gz
+++ b/wget-1.21.2.tar.gz
--- a/wget-1.21.4.tar.gz
+++ b/wget-1.21.4.tar.gz
--- a/wget.spec
+++ b/wget.spec
@ -1,18 +1,15 @@
 Name:          wget
-Version:       1.21.4
+Version:       1.21.2
-Release:       3
+Release:       1
 Summary:       A package for retrieving files using HTTP, HTTPS, FTP and FTPS the most widely-used Internet protocols.
-License:       GPL-3.0-or-later AND LGPL-2.1-or-later
+License:       GPLv3+
 Url:           http://www.gnu.org/software/wget/
 Source:        https://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz
-Patch0:        backport-wget-1.17-path.patch
+Patch6000:     backport-wget-1.21-ssl-init-output.patch
 Patch1:        backport-CVE-2024-38428.patch
 Patch2:        backport-CVE-2024-10524.patch
 Patch3:        backport-src-url.c-maybe_prepend_scheme-Print-message-only-in.patch 
 Provides:      webclient bundled(gnulib)
-BuildRequires: make perl-HTTP-Daemon python3 libuuid-devel perl-podlators libpsl-devel libmetalink-devel
+BuildRequires: perl-HTTP-Daemon python3 libuuid-devel perl-podlators libpsl-devel libmetalink-devel
 BuildRequires: gnutls-devel pkgconfig texinfo gettext autoconf libidn2-devel gpgme-devel zlib-devel
 BuildRequires: gcc
@ -57,36 +54,6 @@ make check
 %{_infodir}/*
 %changelog
 * Thu Nov 21 2024 Han Jinpeng <hanjinpeng@kylinos.cn> -1.21.4-3
 - Type:CVE
 - ID:CVE-2024-10524
 - SUG:NA
 - DESC: fix CVE-2024-10524 and also fix Print message issue
 * Sun Jun 16 2024 xuchenchen <xuchenchen@kylinos.cn> -1.21.4-2
 - Type:CVES
 - ID:NA
 - SUG:NA
 - DESC:backport CVE-2024-38428
 * Fri Jul 28 2023 xingwei <xingwei14@h-partners.com> - 1.21.4-1
 - Type:requirements
 - ID:NA
 - SUG:NA
 - DESC:update wget to 1.21.4
 * Fri Feb 03 2023 xingwei <xingwei14@h-partners.com> - 1.21.3-1
 - Type:requirements
 - ID:NA
 - SUG:NA
 - DESC:update wget to 1.21.3
 * Sat Oct 22 2022 gaihuiying <eaglegai@163.com> - 1.21.2-2
 - Type:bugfix
 - ID:NA
 - SUG:NA
 - DESC:fix find_cell(): wget killed by SIGSEGV
 * Tue Mar 22 2022 xihaochen <xihaochen@huawei.com> - 1.21.2-1
 - Type:requirements
 - ID:NA