Thanks, I've addressed all feedback.
On Thu, Jan 15, 2015 at 1:12 PM, Andreas Hasenack <email address hidden> wrote:
> Review: Approve > > +1, just a minor comment about the test. > > > Diff comments: > > > === modified file 'hooks/hooks.py' > > --- hooks/hooks.py 2015-01-12 10:40:19 +0000 > > +++ hooks/hooks.py 2015-01-15 19:11:45 +0000 > > @@ -501,11 +501,13 @@ > > notify_website_relation() > > > > > > -def _download_file(url): > > +def _download_file(url, Curl=pycurl.Curl): > > """ Download from a url and save to the filename given """ > > + # Fix for CVE-2014-8150, urls cannot end with newline > > + url = url.rstrip() > > buf = cStringIO.StringIO() > > juju.juju_log("Fetching License: %s" % url) > > - curl = pycurl.Curl() > > + curl = Curl() > > curl.setopt(pycurl.URL, str(url)) > > curl.setopt(pycurl.WRITEFUNCTION, buf.write) > > curl.perform() > > > > === modified file 'hooks/test_hooks.py' > > --- hooks/test_hooks.py 2014-12-10 22:08:57 +0000 > > +++ hooks/test_hooks.py 2015-01-15 19:11:45 +0000 > > @@ -12,6 +12,23 @@ > > import yaml > > > > > > +class CurlStub(object): > > + > > + def __init__(self, result=None, infos=None, error=None): > > + pass > > + > > + def setopt(self, option, value): > > + if option == pycurl.URL: > > + if "\n" in value: > > The curl patch (http://curl.haxx.se/CVE-2014-8150.patch) blocks both \n > and \r, can we do the same in the test just to be consistent? > > > + raise AssertionError("URL cannot contain newline") > > + > > + def perform(self): > > + pass > > + > > + def close(self): > > + pass > > + > > + > > class TestJuju(object): > > """ > > Testing object to intercept juju calls and inject data, or make sure > > @@ -908,13 +925,19 @@ > > filename = self.makeFile() > > with open(filename, "w") as fp: > > fp.write("foobar") > > - output = hooks._download_file("file://%s" % filename) > > + output = hooks._download_file("file:///%s" % filename) > > self.assertIn("foobar", output) > > > > + def test__download_file_success_trailing_newline(self): > > + """Test that newlines are stripped before passing to curl. > CVE-2014-8150.""" > > + # put two newlines, since that could be a common pattern in a > text > > + # file when using an editor > > + hooks._download_file("http://example.com/\n\n", Curl=CurlStub) > > + > > def test__download_file_failure(self): > > """The fail path of download file raises an exception.""" > > self.assertRaises( > > - pycurl.error, hooks._download_file, "file://FOO/NO/EXIST") > > + pycurl.error, hooks._download_file, "file:///FOO/NO/EXIST") > > > > def test__replace_in_file(self): > > """ > > @@ -962,7 +985,7 @@ > > source = self.makeFile() > > with open(source, "w") as fp: > > fp.write("LICENSE_FILE_TEXT from curl") > > - hooks.juju.config["license-file"] = "file://%s" % source > > + hooks.juju.config["license-file"] = "file:///%s" % source > > hooks._install_license() > > self.assertFileContains( > > hooks.LANDSCAPE_LICENSE_DEST, "LICENSE_FILE_TEXT from curl") > > > > > -- > > https://code.launchpad.net/~davidpbritton/landscape-charm/strip-url-newline-1411353/+merge/246628 > You are the owner of > lp:~davidpbritton/landscape-charm/strip-url-newline-1411353. >
-- David Britton <email address hidden>
« Back to merge proposal
Thanks, I've addressed all feedback.
On Thu, Jan 15, 2015 at 1:12 PM, Andreas Hasenack <email address hidden>
wrote:
> Review: Approve website_ relation( ) file(url) : StringIO( ) log("Fetching License: %s" % url) pycurl. URL, str(url)) pycurl. WRITEFUNCTION, buf.write) test_hooks. py' curl.haxx. se/CVE- 2014-8150. patch) blocks both \n download_ file("file: //%s" % filename) download_ file("file: ///%s" % filename) "foobar" , output) file_success_ trailing_ newline( self): download_ file("http:// example. com/\n\n", Curl=CurlStub) file_failure( self): download_ file, "file:/ /FOO/NO/ EXIST") download_ file, "file:/ //FOO/NO/ EXIST") in_file( self): "LICENSE_ FILE_TEXT from curl") config[ "license- file"] = "file://%s" % source config[ "license- file"] = "file:///%s" % source install_ license( ) Contains( _LICENSE_ DEST, "LICENSE_FILE_TEXT from curl") /code.launchpad .net/~davidpbri tton/landscape- charm/strip- url-newline- 1411353/ +merge/ 246628
>
> +1, just a minor comment about the test.
>
>
> Diff comments:
>
> > === modified file 'hooks/hooks.py'
> > --- hooks/hooks.py 2015-01-12 10:40:19 +0000
> > +++ hooks/hooks.py 2015-01-15 19:11:45 +0000
> > @@ -501,11 +501,13 @@
> > notify_
> >
> >
> > -def _download_
> > +def _download_file(url, Curl=pycurl.Curl):
> > """ Download from a url and save to the filename given """
> > + # Fix for CVE-2014-8150, urls cannot end with newline
> > + url = url.rstrip()
> > buf = cStringIO.
> > juju.juju_
> > - curl = pycurl.Curl()
> > + curl = Curl()
> > curl.setopt(
> > curl.setopt(
> > curl.perform()
> >
> > === modified file 'hooks/
> > --- hooks/test_hooks.py 2014-12-10 22:08:57 +0000
> > +++ hooks/test_hooks.py 2015-01-15 19:11:45 +0000
> > @@ -12,6 +12,23 @@
> > import yaml
> >
> >
> > +class CurlStub(object):
> > +
> > + def __init__(self, result=None, infos=None, error=None):
> > + pass
> > +
> > + def setopt(self, option, value):
> > + if option == pycurl.URL:
> > + if "\n" in value:
>
> The curl patch (http://
> and \r, can we do the same in the test just to be consistent?
>
> > + raise AssertionError("URL cannot contain newline")
> > +
> > + def perform(self):
> > + pass
> > +
> > + def close(self):
> > + pass
> > +
> > +
> > class TestJuju(object):
> > """
> > Testing object to intercept juju calls and inject data, or make sure
> > @@ -908,13 +925,19 @@
> > filename = self.makeFile()
> > with open(filename, "w") as fp:
> > fp.write("foobar")
> > - output = hooks._
> > + output = hooks._
> > self.assertIn(
> >
> > + def test__download_
> > + """Test that newlines are stripped before passing to curl.
> CVE-2014-8150."""
> > + # put two newlines, since that could be a common pattern in a
> text
> > + # file when using an editor
> > + hooks._
> > +
> > def test__download_
> > """The fail path of download file raises an exception."""
> > self.assertRaises(
> > - pycurl.error, hooks._
> > + pycurl.error, hooks._
> >
> > def test__replace_
> > """
> > @@ -962,7 +985,7 @@
> > source = self.makeFile()
> > with open(source, "w") as fp:
> > fp.write(
> > - hooks.juju.
> > + hooks.juju.
> > hooks._
> > self.assertFile
> > hooks.LANDSCAPE
> >
>
>
> --
>
> https:/
> You are the owner of
> lp:~davidpbritton/landscape-charm/strip-url-newline-1411353.
>
--
David Britton <email address hidden>