diff options
| author | Julian Andres Klode <jak@debian.org> | 2017-10-21 15:44:43 +0200 |
|---|---|---|
| committer | Julian Andres Klode <jak@debian.org> | 2017-10-22 18:52:16 +0200 |
| commit | 1a76517470ebc2dd3f96e39ebe6f3706d6dd78da (patch) | |
| tree | 93b8d79678ba890d53d108c26118ed0807264367 | |
| parent | 404dececf913d3c09368a73ca00aa8172dbf6865 (diff) | |
Run Proxy-Auto-Detect script from main process
This avoids running the Proxy-Auto-Detect script inside the
untrusted (well, less trusted for now) sandbox. This will allow
us to restrict the http method from fork()ing or exec()ing via
seccomp.
| -rw-r--r-- | apt-pkg/acquire-method.cc | 24 | ||||
| -rw-r--r-- | apt-pkg/acquire-method.h | 8 | ||||
| -rw-r--r-- | apt-pkg/acquire-worker.cc | 12 | ||||
| -rw-r--r-- | methods/basehttp.cc | 7 | ||||
| -rw-r--r-- | methods/http.cc | 4 |
5 files changed, 48 insertions, 7 deletions
diff --git a/apt-pkg/acquire-method.cc b/apt-pkg/acquire-method.cc index 5b31559f3..309b5dcf9 100644 --- a/apt-pkg/acquire-method.cc +++ b/apt-pkg/acquire-method.cc @@ -372,6 +372,7 @@ int pkgAcqMethod::Run(bool Single) FetchItem *Tmp = new FetchItem; Tmp->Uri = LookupTag(Message,"URI"); + Tmp->Proxy(LookupTag(Message, "Proxy")); Tmp->DestFile = LookupTag(Message,"FileName"); if (RFC1123StrToTime(LookupTag(Message,"Last-Modified").c_str(),Tmp->LastModified) == false) Tmp->LastModified = 0; @@ -491,10 +492,25 @@ void pkgAcqMethod::Dequeue() { /*{{{*/ /*}}}*/ pkgAcqMethod::~pkgAcqMethod() {} -pkgAcqMethod::FetchItem::FetchItem() : - Next(nullptr), DestFileFd(-1), LastModified(0), IndexFile(false), - FailIgnore(false), MaximumSize(0), d(nullptr) +struct pkgAcqMethod::FetchItem::Private +{ + std::string Proxy; +}; + +pkgAcqMethod::FetchItem::FetchItem() : Next(nullptr), DestFileFd(-1), LastModified(0), IndexFile(false), + FailIgnore(false), MaximumSize(0), d(new Private) {} -pkgAcqMethod::FetchItem::~FetchItem() {} + +std::string pkgAcqMethod::FetchItem::Proxy() +{ + return d->Proxy; +} + +void pkgAcqMethod::FetchItem::Proxy(std::string const &Proxy) +{ + d->Proxy = Proxy; +} + +pkgAcqMethod::FetchItem::~FetchItem() { delete d; } pkgAcqMethod::FetchResult::~FetchResult() {} diff --git a/apt-pkg/acquire-method.h b/apt-pkg/acquire-method.h index cab2bda40..2de9cf5c2 100644 --- a/apt-pkg/acquire-method.h +++ b/apt-pkg/acquire-method.h @@ -55,10 +55,14 @@ class pkgAcqMethod FetchItem(); virtual ~FetchItem(); + std::string Proxy(); // For internal use only. + void Proxy(std::string const &Proxy) APT_HIDDEN; + private: - void * const d; + struct Private; + Private *const d; }; - + struct FetchResult { HashStringList Hashes; diff --git a/apt-pkg/acquire-worker.cc b/apt-pkg/acquire-worker.cc index 4aa55a743..49d67e370 100644 --- a/apt-pkg/acquire-worker.cc +++ b/apt-pkg/acquire-worker.cc @@ -21,6 +21,7 @@ #include <apt-pkg/error.h> #include <apt-pkg/fileutl.h> #include <apt-pkg/hashes.h> +#include <apt-pkg/proxy.h> #include <apt-pkg/strutl.h> #include <algorithm> @@ -671,6 +672,17 @@ bool pkgAcquire::Worker::QueueItem(pkgAcquire::Queue::QItem *Item) Message += "URI: " + Item->URI; Message += "\nFilename: " + Item->Owner->DestFile; + URI URL = Item->URI; + // FIXME: We should not hard code proxy protocols here. + if (URL.Access == "http" || URL.Access == "https") + { + AutoDetectProxy(URL); + if (_config->Exists("Acquire::" + URL.Access + "::proxy::" + URL.Host)) + { + Message += "\nProxy: " + _config->Find("Acquire::" + URL.Access + "::proxy::" + URL.Host); + } + } + HashStringList const hsl = Item->GetExpectedHashes(); for (HashStringList::const_iterator hs = hsl.begin(); hs != hsl.end(); ++hs) Message += "\nExpected-" + hs->HashType() + ": " + hs->HashValue(); diff --git a/methods/basehttp.cc b/methods/basehttp.cc index 0eb617f89..59399c8bc 100644 --- a/methods/basehttp.cc +++ b/methods/basehttp.cc @@ -573,6 +573,13 @@ int BaseHttpMethod::Loop() // Connect to the server if (Server == 0 || Server->Comp(Queue->Uri) == false) { + if (!Queue->Proxy().empty()) + { + URI uri = Queue->Uri; + std::cerr << "Setting " + << "Acquire::" + uri.Access + "::proxy::" + uri.Host << " to " << Queue->Proxy() << std::endl; + _config->Set("Acquire::" + uri.Access + "::proxy::" + uri.Host, Queue->Proxy()); + } Server = CreateServerState(Queue->Uri); setPostfixForMethodNames(::URI(Queue->Uri).Host.c_str()); AllowRedirect = ConfigFindB("AllowRedirect", true); diff --git a/methods/http.cc b/methods/http.cc index fc22180d3..cbc77f477 100644 --- a/methods/http.cc +++ b/methods/http.cc @@ -427,7 +427,9 @@ bool HttpServerState::Open() Persistent = true; // Determine the proxy setting - AutoDetectProxy(ServerName); + // Used to run AutoDetectProxy(ServerName) here, but we now send a Proxy + // header in the URI Acquire request and set "Acquire::"+uri.Access+"::proxy::"+uri.Host + // to it in BaseHttpMethod::Loop() string SpecificProxy = Owner->ConfigFind("Proxy::" + ServerName.Host, ""); if (!SpecificProxy.empty()) { |