authorJulian Andres Klode <julian.klode@canonical.com>2019-12-02 11:46:49 +0100
committerJulian Andres Klode <julian.klode@canonical.com>2019-12-02 14:27:38 +0100
commit93f33052de84e9aeaf19c92291d043dad2665bbd (patch)
tree667c4240b6f6fb9c91ae20b655478508b09d6214 /test
parent1690c3f87ae45a41e8d3e09bf0b1021c008460b9 (diff)
netrc: Restrict auth.conf entries to https by default
This avoids downgrade attacks where an attacker could inject Location: http://private.example/ and then (having access to the raw traffic sent to private.example, for example by opening a port there or by sniffing network traffic) read the credentials for the private repository. Closes: #945911
Diffstat (limited to 'test')
-rwxr-xr-xtest/integration/test-authentication-basic42
1 files changed, 33 insertions, 9 deletions
diff --git a/test/integration/test-authentication-basic b/test/integration/test-authentication-basic
index 211c73e35..5aafaade0 100755
--- a/test/integration/test-authentication-basic
+++ b/test/integration/test-authentication-basic
@@ -65,35 +65,59 @@ runtest() {
authfile ''
testauthfailure "$1"
+ protocol="${1%%://*}"
+
# good auth
- authfile 'machine localhost
+ authfile "machine ${protocol}://localhost
login star@irc
-password hunter2'
+password hunter2"
testauthsuccess "$1"
# bad auth
- authfile 'machine localhost
+ authfile "machine ${protocol}://localhost
login anonymous
-password hunter2'
+password hunter2"
testauthfailure "$1"
# 2 stanzas: unmatching + good auth
- authfile 'machine debian.org
+ authfile "machine ${protocol}://debian.org
login debian
password jessie
-machine localhost
+machine ${protocol}://localhost
login star@irc
-password hunter2'
+password hunter2"
testauthsuccess "$1"
+ # no protocol specifier
+ authfile "machine localhost
+login star@irc
+password hunter2"
+ if [ "$protocol" = "https" ]; then
+ testauthsuccess "$1"
+ else
+ testauthfailure "$1"
+ fi
+
+ # wrong protocol specifier
+ if [ "$protocol" = "https" ]; then
+ authfile "machine http://localhost
+login star@irc
+password hunter2"
+ else
+ authfile "machine https://localhost
+login star@irc
+password hunter2"
+ fi
+ testauthfailure "$1"
+
# delete file, make sure it fails; add auth.conf.d snippet, works again.
rm rootdir/etc/apt/auth.conf
testauthfailure "$1"
- authfile 'machine localhost
+ authfile "machine ${protocol}://localhost
login star@irc
-password hunter2' rootdir/etc/apt/auth.conf.d/myauth.conf
+password hunter2" rootdir/etc/apt/auth.conf.d/myauth.conf
testauthsuccess "$1"
rm rootdir/etc/apt/auth.conf.d/myauth.conf
}
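Review bot: The downgrade scenario the commit message describes — credentials following a `Location:` redirect from https to http — is not exercised by the new cases at L51–L71, which only check direct fetches against an auth.conf entry with no protocol, the matching protocol, or the opposite protocol; if no other integration test covers the redirect path, a case that redirects the https request to an http URL and calls `testauthfailure` would pin the actual fix. The "no protocol specifier" branch also relies on the reader knowing the new default, so a comment above L55 such as `# entries without a protocol match https only, so the http run must fail` would make the asymmetric expectation self-explanatory. The `protocol` variable is derived from `$1` with `${1%%://*}` at L24, which is fine for the plain URLs used here; it is worth noting in the same comment that the tests assume `$1` carries the scheme. runtest() begins before this hunk (its header is only visible in the `@@` line), so I cannot see whether `protocol` is declared elsewhere in the function.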