From ece81b7517b1af6f86aff733498f6c11d5aa814f Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Wed, 3 Aug 2016 21:17:26 +0200 Subject: fail on unsupported http/https proxy settings Closes: #623443 --- .../test-bug-623443-fail-on-bad-proxies | 33 ++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100755 test/integration/test-bug-623443-fail-on-bad-proxies (limited to 'test') diff --git a/test/integration/test-bug-623443-fail-on-bad-proxies b/test/integration/test-bug-623443-fail-on-bad-proxies new file mode 100755 index 000000000..04542e0cd --- /dev/null +++ b/test/integration/test-bug-623443-fail-on-bad-proxies @@ -0,0 +1,33 @@ +#!/bin/sh +set -e + +TESTDIR="$(readlink -f "$(dirname "$0")")" +. "$TESTDIR/framework" +setupenvironment +configarchitecture 'amd64' + +buildsimplenativepackage 'unrelated' 'all' '0.5~squeeze1' 'unstable' + +setupaptarchive --no-update +changetowebserver + +testsuccess apt update +rm -rf rootdir/var/lib/apt/lists + +export http_proxy=enrico:password@proxy-cache.localnet:3128 +testfailure apt update +unset http_proxy +testsuccess grep 'Unsupported proxy configured' rootdir/tmp/testfailure.output + +changetohttpswebserver + +testsuccess apt update +rm -rf rootdir/var/lib/apt/lists + +export http_proxy=enrico:password@proxy-cache.localnet:3128 +testfailure apt update +unset http_proxy +testsuccess grep 'Unsupported proxy configured' rootdir/tmp/testfailure.output + + + -- cgit v1.2.3 From 57401c48fadc0c78733a67294f9cc20a57e527c9 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Tue, 2 Aug 2016 22:44:50 +0200 Subject: detect redirection loops in acquire instead of workers Having the detection handled in specific (http) workers means that a redirection loop over different hostnames isn't detected. Its also not a good idea have this implement in each method independently even if it would work --- test/integration/test-apt-redirect-loop | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100755 test/integration/test-apt-redirect-loop (limited to 'test') diff --git a/test/integration/test-apt-redirect-loop b/test/integration/test-apt-redirect-loop new file mode 100755 index 000000000..b54f74276 --- /dev/null +++ b/test/integration/test-apt-redirect-loop @@ -0,0 +1,23 @@ +#!/bin/sh +set -e + +TESTDIR="$(readlink -f "$(dirname "$0")")" +. "$TESTDIR/framework" + +setupenvironment +configarchitecture "i386" + +insertpackage 'stable' 'apt' 'all' '1' +setupaptarchive --no-update + +echo 'alright' > aptarchive/working +changetohttpswebserver +webserverconfig 'aptwebserver::redirect::replace::/redirectme3/' '/redirectme/' +webserverconfig 'aptwebserver::redirect::replace::/redirectme2/' '/redirectme3/' +webserverconfig 'aptwebserver::redirect::replace::/redirectme/' '/redirectme2/' + +testfailure apthelper download-file "http://localhost:${APTHTTPPORT}/redirectme/working" httpfile +testsuccess grep 'Redirection loop encountered' rootdir/tmp/testfailure.output + +testfailure apthelper download-file "https://localhost:${APTHTTPSPORT}/redirectme/working" httpsfile +testsuccess grep 'Redirection loop encountered' rootdir/tmp/testfailure.output -- cgit v1.2.3 From 4bba5a88d0f6afde4414b586b64c48a4851d5324 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Tue, 2 Aug 2016 14:49:58 +0200 Subject: use the same redirection handling for http and https MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit cURL which backs our https implementation can handle redirects on its own, but by dealing with them on our own we gain finer control over which redirections will be performed (we don't like https → http) and by whom so that redirections to other hosts correctly spawn a new https method dealing with these instead of letting the current one deal with it. --- test/integration/test-apt-https-no-redirect | 6 ++++-- test/integration/test-partial-file-support | 3 +++ 2 files changed, 7 insertions(+), 2 deletions(-) (limited to 'test') diff --git a/test/integration/test-apt-https-no-redirect b/test/integration/test-apt-https-no-redirect index b437ac1e6..69e2ba57f 100755 --- a/test/integration/test-apt-https-no-redirect +++ b/test/integration/test-apt-https-no-redirect @@ -11,7 +11,9 @@ insertpackage 'stable' 'apt' 'all' '1' setupaptarchive --no-update echo 'alright' > aptarchive/working -changetohttpswebserver -o "aptwebserver::redirect::replace::/redirectme/=http://localhost:${APTHTTPPORT}/" +changetohttpswebserver +webserverconfig 'aptwebserver::redirect::replace::/redirectme/' "http://localhost:${APTHTTPPORT}/" +webserverconfig 'aptwebserver::redirect::replace::/redirectme2/' "https://localhost:${APTHTTPSPORT}/" msgtest 'download of a file works via' 'http' testsuccess --nomsg downloadfile "http://localhost:${APTHTTPPORT}/working" httpfile @@ -25,4 +27,4 @@ msgtest 'download of a file does not work if' 'https redirected to http' testfailure --nomsg downloadfile "https://localhost:${APTHTTPSPORT}/redirectme/working" redirectfile msgtest 'libcurl has forbidden access in last request to' 'http resource' -testsuccess --nomsg grep -q -E -- 'Protocol "?http"? not supported or disabled in libcurl' rootdir/tmp/testfailure.output +testsuccess --nomsg grep -q -E -- "Redirection from https to 'http://.*' is forbidden" rootdir/tmp/testfailure.output diff --git a/test/integration/test-partial-file-support b/test/integration/test-partial-file-support index e2d2743b3..1c5d120d8 100755 --- a/test/integration/test-partial-file-support +++ b/test/integration/test-partial-file-support @@ -146,3 +146,6 @@ serverconfigs "http://localhost:${APTHTTPPORT}" changetohttpswebserver serverconfigs "https://localhost:${APTHTTPSPORT}" + +webserverconfig 'aptwebserver::redirect::replace::/redirectme/' "https://localhost:${APTHTTPSPORT}/" +serverconfigs "http://localhost:${APTHTTPPORT}/redirectme" -- cgit v1.2.3 From 30060442025824c491f58887ca7369f3c572fa57 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sun, 31 Jul 2016 18:05:56 +0200 Subject: implement generic config fallback for methods MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The https method implemented for a long while now a hardcoded fallback to the same options in http, which, while it works, is rather inflexible if we want to allow the methods to use another name to change their behavior slightly, like apt-transport-tor does to https – most of the diff being s#https#tor#g which then fails to do the full circle fallthrough tor -> https -> http for https sources. With this config infrastructure this could be implemented now. --- test/integration/test-bug-738785-switch-protocol | 2 +- test/integration/test-different-methods-for-same-source | 15 ++++++++++++++- test/integration/test-pdiff-usage | 2 +- 3 files changed, 16 insertions(+), 3 deletions(-) (limited to 'test') diff --git a/test/integration/test-bug-738785-switch-protocol b/test/integration/test-bug-738785-switch-protocol index 8f8216d04..fa6702eb0 100755 --- a/test/integration/test-bug-738785-switch-protocol +++ b/test/integration/test-bug-738785-switch-protocol @@ -63,4 +63,4 @@ ln -s "$OLDMETHODS/https" "$NEWMETHODS" # check that downgrades from https to http are not allowed webserverconfig 'aptwebserver::support::http' 'true' sed -i -e "s#:${APTHTTPPORT}/redirectme#:${APTHTTPSPORT}/downgrademe#" -e 's# http:# https:#' rootdir/etc/apt/sources.list.d/* -testfailure aptget update --allow-insecure-repositories +testfailure aptget update --allow-insecure-repositories -o Acquire::https::Timeout=1 diff --git a/test/integration/test-different-methods-for-same-source b/test/integration/test-different-methods-for-same-source index 6b3f796b1..40138ad5d 100755 --- a/test/integration/test-different-methods-for-same-source +++ b/test/integration/test-different-methods-for-same-source @@ -24,10 +24,23 @@ IFS="$backupIFS" ln -s "${OLDMETHODS}/http" "${NEWMETHODS}/http-ng" changetowebserver +webserverconfig 'aptwebserver::redirect::replace::/redirectme/' "http://localhost:${APTHTTPPORT}/" sed -i -e 's# http:# http-ng:#' $(find rootdir/etc/apt/sources.list.d -name '*-deb-src.list') -testsuccess apt update +testsuccess apt update -o Debug::Acquire::http-ng=1 cp rootdir/tmp/testsuccess.output update.log # all requests are folded into the first Release file testsuccess grep ' http-ng://' update.log testfailure grep ' http://' update.log +# see if method-specific debug was enabled +testsuccess grep '^Answer for: http-ng:' update.log + +rm -rf rootdir/var/lib/apt/lists +sed -i -e "s#:${APTHTTPPORT}/#:${APTHTTPPORT}/redirectme#" rootdir/etc/apt/sources.list.d/* +testsuccess apt update -o Debug::Acquire::http-ng=1 +cp rootdir/tmp/testsuccess.output update.log +# all requests are folded into the first Release file +testsuccess grep ' http-ng://' update.log +testfailure grep '^[^L].* http://' update.log +# see if method-specific debug was enabled +testsuccess grep '^Answer for: http-ng:' update.log diff --git a/test/integration/test-pdiff-usage b/test/integration/test-pdiff-usage index 91528389b..39d847203 100755 --- a/test/integration/test-pdiff-usage +++ b/test/integration/test-pdiff-usage @@ -317,7 +317,7 @@ Debug::Acquire::Transaction "true"; Debug::pkgAcquire::Worker "true"; Debug::Acquire::http "true"; Debug::pkgAcquire "true"; -Debug::pkgAcquire::rred "true";' > rootdir/etc/apt/apt.conf.d/rreddebug.conf +Debug::Acquire::rred "true";' > rootdir/etc/apt/apt.conf.d/rreddebug.conf testcase() { testrun -o Acquire::PDiffs::Merge=0 -o APT::Get::List-Cleanup=1 "$@" -- cgit v1.2.3 From 61db48241f2d46697a291bfedaf398a1ca9a70e3 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Thu, 4 Aug 2016 08:45:38 +0200 Subject: implement socks5h proxy support for http method MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Socks support is a requested feature in sofar that the internet is actually believing Acquire::socks::Proxy would exist. It doesn't and this commit isn't adding it as that isn't how our configuration works, but it allows Acquire::http::Proxy="socks5h://…". The HTTPS method was changed already to support socks proxies (all versions) via curl. This commit implements only SOCKS5 (RFC1928) with no auth or pass&user auth (RFC1929), but not GSSAPI which is required by the RFC. The 'h' in the protocol name further indicates that DNS resolution is delegated to the socks proxy rather than performed locally. The implementation works and was tested with Tor as socks proxy for which implementing socks5h only can actually be considered a feature. Closes: 744934 --- test/integration/skip-method-http-socks-client | 116 +++++++++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100755 test/integration/skip-method-http-socks-client (limited to 'test') diff --git a/test/integration/skip-method-http-socks-client b/test/integration/skip-method-http-socks-client new file mode 100755 index 000000000..ee08f6d34 --- /dev/null +++ b/test/integration/skip-method-http-socks-client @@ -0,0 +1,116 @@ +#!/bin/sh +set -e + +TESTDIR="$(readlink -f "$(dirname "$0")")" +. "$TESTDIR/framework" + +setupenvironment + +# We don't do a real proxy here, we just look how the implementation +# reacts to certain responses from a "proxy" provided by socat +# Checks HTTP, but requesting https instead will check HTTPS (curl) which +# uses different error messages through – also: https://github.com/curl/curl/issues/944 + +# FIXME: Not run automatically as it uses a hardcoded port (5555) + +msgtest 'Check that everything is installed' 'socat' +if dpkg-checkbuilddeps -d 'socat' /dev/null >/dev/null 2>&1; then + msgpass +else + msgskip "$(command dpkg -l socat)" + exit +fi + +runclient() { + # this doesn't need to be an actually reachable webserver for this test + # in fact, its better if it isn't. + rm -f index.html + apthelper download-file http://localhost:2903/ index.html \ + -o Acquire::http::Proxy="socks5h://${1}localhost:5555" \ + -o Acquire::http::Timeout=2 -o Debug::Acquire::http=1 > client.output 2>&1 || true +} +runserver() { + socat -x tcp-listen:5555,reuseaddr \ + system:"echo -n '$*' | xxd -r -p; echo 'HTTP/1.1 200 OK'; echo 'Content-Length: 5'; echo 'Connection: close'; echo; echo 'HTML'" \ + > server.output 2>&1 & +} +PROXY="socks5h://localhost:5555" + +msgmsg 'SOCKS does not run' +runclient +testsuccess grep 'Could not connect to localhost:5555' client.output + +msgmsg 'SOCKS greets back with wrong version' +runserver '04 00' +runclient +testsuccess grep 'greets back with wrong version: 4' client.output + +msgmsg 'SOCKS tries GSSAPI auth we have not advertised' +runserver '05 01' +runclient +testsuccess grep 'greets back having not found a common authorization method: 1' client.output + +msgmsg 'SOCKS tries user&pass auth we have not advertised' +runserver '05 02' +runclient +testsuccess grep 'pass auth, but we had not offered it' client.output + +msgmsg 'SOCKS user:pass wrong version' +runserver '05 02' '05 00' +runclient 'user:pass@' +testsuccess grep 'auth status response with wrong version: 5' client.output + +msgmsg 'SOCKS user:pass wrong auth' +runserver '05 02' '01 01' +runclient 'user:pass@' +testsuccess grep 'reported authorization failure: username or password incorrect? (1)' client.output + +msgmsg 'SOCKS user:pass request not granted no hostname' +runserver '05 02' '01 00' '05 01 00 03 00 1f 90' +runclient 'user:pass@' +testsuccess grep 'grant the connect to :8080 due to: general SOCKS server failure (1)' client.output + +msgmsg 'SOCKS user:pass request not granted with hostname' +runserver '05 02' '01 00' '05 01 00 03 09 68 6f 73 74 6c 6f 63 61 6c 1f 90' +runclient 'user:pass@' +testsuccess grep 'grant the connect to hostlocal:8080 due to: general SOCKS server failure (1)' client.output + +msgmsg 'SOCKS user:pass request not granted ipv4' +runserver '05 02' '01 00' '05 04 00 01 ac 10 fe 01 1f 90' +runclient 'user:pass@' +testsuccess grep 'grant the connect to 172.16.254.1:8080 due to: Host unreachable (4)' client.output + +msgmsg 'SOCKS user:pass request not granted ipv6' +runserver '05 02' '01 00' '05 12 00 04 20 01 0d b8 ac 10 fe 00 00 00 00 00 00 00 00 00 1f 90' +runclient 'user:pass@' +testsuccess grep 'grant the connect to \[2001:0DB8:AC10:FE00:0000:0000:0000:0000\]:8080 due to: Unknown error (18)' client.output + +msgmsg 'SOCKS user:pass request granted ipv4' +runserver '05 02' '01 00' '05 00 00 01 ac 10 fe 01 1f 90' +runclient 'user:pass@' +testequal "http: SOCKS proxy $PROXY connection established to 172.16.254.1:8080" head -n 1 client.output +testfileequal index.html 'HTML' + +msgmsg 'SOCKS user:pass request granted ipv6' +runserver '05 02' '01 00' '05 00 00 04 20 01 0d b8 ac 10 fe 00 00 00 00 00 00 00 00 00 1f 90' +runclient 'user:pass@' +testequal "http: SOCKS proxy $PROXY connection established to [2001:0DB8:AC10:FE00:0000:0000:0000:0000]:8080" head -n 1 client.output +testfileequal index.html 'HTML' + +msgmsg 'SOCKS no auth no hostname' +runserver '05 00 05 00 00 03 00 1f 90' +runclient +testequal "http: SOCKS proxy $PROXY connection established to :8080" head -n 1 client.output +testfileequal index.html 'HTML' + +msgmsg 'SOCKS no auth with hostname' +runserver '05 00 05 00 00 03 09 68 6f 73 74 6c 6f 63 61 6c 1f 90' +runclient +testequal "http: SOCKS proxy $PROXY connection established to hostlocal:8080" head -n 1 client.output +testfileequal index.html 'HTML' + +msgmsg 'SOCKS user-only request granted ipv4' +runserver '05 02' '01 00' '05 00 00 01 ac 10 fe 01 1f 90' +runclient 'apt@' +testequal "http: SOCKS proxy $PROXY connection established to 172.16.254.1:8080" head -n 1 client.output +testfileequal index.html 'HTML' -- cgit v1.2.3 From c9c910695185b59aa27b787c1a250497e47b492b Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sat, 6 Aug 2016 19:59:57 +0200 Subject: allow methods to be disabled and redirected via config To prevent accidents like adding http-sources while using tor+http it can make sense to allow disabling methods. It might even make sense to allow "redirections" and adding "symlinked" methods via configuration. This could e.g. allow using different options for certain sources by adding and configuring a "virtual" new method which picks up the config based on the name it was called with like e.g. http does if called as tor+http. --- test/integration/test-apt-https-no-redirect | 15 +++++++++++++++ .../integration/test-apt-update-failure-propagation | 21 +++++++++++++++------ test/integration/test-bug-738785-switch-protocol | 20 ++------------------ .../test-different-methods-for-same-source | 15 ++------------- 4 files changed, 34 insertions(+), 37 deletions(-) (limited to 'test') diff --git a/test/integration/test-apt-https-no-redirect b/test/integration/test-apt-https-no-redirect index 69e2ba57f..d6c630d5f 100755 --- a/test/integration/test-apt-https-no-redirect +++ b/test/integration/test-apt-https-no-redirect @@ -14,6 +14,7 @@ echo 'alright' > aptarchive/working changetohttpswebserver webserverconfig 'aptwebserver::redirect::replace::/redirectme/' "http://localhost:${APTHTTPPORT}/" webserverconfig 'aptwebserver::redirect::replace::/redirectme2/' "https://localhost:${APTHTTPSPORT}/" +echo 'Dir::Bin::Methods::https+http "https";' > rootdir/etc/apt/apt.conf.d/99add-https-http-method msgtest 'download of a file works via' 'http' testsuccess --nomsg downloadfile "http://localhost:${APTHTTPPORT}/working" httpfile @@ -22,9 +23,23 @@ testfileequal httpfile 'alright' msgtest 'download of a file works via' 'https' testsuccess --nomsg downloadfile "https://localhost:${APTHTTPSPORT}/working" httpsfile testfileequal httpsfile 'alright' +rm -f httpfile httpsfile + +msgtest 'download of http file works via' 'https+http' +testsuccess --nomsg downloadfile "http://localhost:${APTHTTPPORT}/working" httpfile +testfileequal httpfile 'alright' + +msgtest 'download of https file works via' 'https+http' +testsuccess --nomsg downloadfile "https://localhost:${APTHTTPSPORT}/working" httpsfile +testfileequal httpsfile 'alright' +rm -f httpfile httpsfile msgtest 'download of a file does not work if' 'https redirected to http' testfailure --nomsg downloadfile "https://localhost:${APTHTTPSPORT}/redirectme/working" redirectfile msgtest 'libcurl has forbidden access in last request to' 'http resource' testsuccess --nomsg grep -q -E -- "Redirection from https to 'http://.*' is forbidden" rootdir/tmp/testfailure.output + +msgtest 'download of a file does work if' 'https+http redirected to https' +testsuccess --nomsg downloadfile "https+http://localhost:${APTHTTPPORT}/redirectme2/working" redirectfile +testfileequal redirectfile 'alright' diff --git a/test/integration/test-apt-update-failure-propagation b/test/integration/test-apt-update-failure-propagation index ec6bf4a48..1361b1b93 100755 --- a/test/integration/test-apt-update-failure-propagation +++ b/test/integration/test-apt-update-failure-propagation @@ -27,10 +27,11 @@ for FILE in rootdir/etc/apt/sources.list.d/*-sid-* ; do done pretest() { + msgmsg "$@" rm -rf rootdir/var/lib/apt/lists testsuccessequal 'N: Unable to locate package foo' aptcache policy foo } -pretest +pretest 'initialize test' 'update' testsuccess aptget update testsuccessequal "foo: Installed: (none) @@ -41,7 +42,7 @@ testsuccessequal "foo: 1 500 500 https://localhost:${APTHTTPSPORT} stable/main all Packages" aptcache policy foo -pretest +pretest 'not found' 'release files' mv aptarchive/dists/stable aptarchive/dists/stable.good testfailuremsg "E: The repository 'https://localhost:${APTHTTPSPORT} stable Release' does not have a Release file. N: Updating from such a repository can't be done securely, and is therefore disabled by default. @@ -76,7 +77,16 @@ posttest() { } posttest -pretest +pretest 'method disabled' 'https' +echo 'Dir::Bin::Methods::https "false";' > rootdir/etc/apt/apt.conf.d/99disable-https +testfailuremsg "E: The method 'https' is explicitly disabled via configuration. +N: If you meant to use Tor remember to use tor+https instead of https. +E: Failed to fetch https://localhost:${APTHTTPSPORT}/dists/stable/InRelease +E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update +rm -f rootdir/etc/apt/apt.conf.d/99disable-https +posttest + +pretest 'method not installed' 'https' rm "${NEWMETHODS}/https" testfailuremsg "E: The method driver ${TMPWORKINGDIRECTORY}/rootdir/usr/lib/apt/methods/https could not be found. N: Is the package apt-transport-https installed? @@ -84,13 +94,12 @@ E: Failed to fetch https://localhost:${APTHTTPSPORT}/dists/stable/InRelease E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update posttest -ln -s "$OLDMETHODS/https" "$NEWMETHODS" -pretest +pretest 'https connection refused' 'doom port' for FILE in rootdir/etc/apt/sources.list.d/*-stable-* ; do # lets see how many testservers run also Doom sed -i -e "s#:${APTHTTPSPORT}/#:666/#" "$FILE" done -testwarning aptget update +testwarning aptget update -o Dir::Bin::Methods::https="${OLDMETHODS}/https" testequalor2 "W: Failed to fetch https://localhost:666/dists/stable/InRelease Failed to connect to localhost port 666: Connection refused W: Some index files failed to download. They have been ignored, or old ones used instead." "W: Failed to fetch https://localhost:666/dists/stable/InRelease couldn't connect to host W: Some index files failed to download. They have been ignored, or old ones used instead." tail -n 2 rootdir/tmp/testwarning.output diff --git a/test/integration/test-bug-738785-switch-protocol b/test/integration/test-bug-738785-switch-protocol index fa6702eb0..690e8727e 100755 --- a/test/integration/test-bug-738785-switch-protocol +++ b/test/integration/test-bug-738785-switch-protocol @@ -38,28 +38,12 @@ cd - >/dev/null testsuccess aptget install apt -y testdpkginstalled 'apt' -# install a slowed down file: otherwise its to fast to reproduce combining -NEWMETHODS="$(readlink -f rootdir)/usr/lib/apt/methods" -OLDMETHODS="$(readlink -f rootdir/usr/lib/apt/methods)" -rm "$NEWMETHODS" -mkdir "$NEWMETHODS" -backupIFS="$IFS" -IFS="$(printf "\n\b")" -for METH in $(find "$OLDMETHODS" -maxdepth 1 ! -type d); do - ln -s "$OLDMETHODS/$(basename "$METH")" "$NEWMETHODS" -done -IFS="$backupIFS" -rm "$NEWMETHODS/https" - cd downloaded -testfailureequal "E: The method driver $(readlink -f './../')/rootdir/usr/lib/apt/methods/https could not be found. -N: Is the package apt-transport-https installed?" aptget download apt +testfailureequal "E: The method 'https' is explicitly disabled via configuration. +N: If you meant to use Tor remember to use tor+https instead of https." aptget download apt -o Dir::Bin::Methods::https=false testfailure test -e apt_1.0_all.deb cd - >/dev/null -# revert to all methods -ln -s "$OLDMETHODS/https" "$NEWMETHODS" - # check that downgrades from https to http are not allowed webserverconfig 'aptwebserver::support::http' 'true' sed -i -e "s#:${APTHTTPPORT}/redirectme#:${APTHTTPSPORT}/downgrademe#" -e 's# http:# https:#' rootdir/etc/apt/sources.list.d/* diff --git a/test/integration/test-different-methods-for-same-source b/test/integration/test-different-methods-for-same-source index 40138ad5d..791a84cb7 100755 --- a/test/integration/test-different-methods-for-same-source +++ b/test/integration/test-different-methods-for-same-source @@ -10,21 +10,10 @@ insertpackage 'stable' 'foo' 'all' '1' insertsource 'stable' 'foo' 'all' '1' setupaptarchive --no-update -# install a slowed down file: otherwise its to fast to reproduce combining -NEWMETHODS="$(readlink -f rootdir)/usr/lib/apt/methods" -OLDMETHODS="$(readlink -f rootdir/usr/lib/apt/methods)" -rm "$NEWMETHODS" -mkdir "$NEWMETHODS" -backupIFS="$IFS" -IFS="$(printf "\n\b")" -for METH in $(find "$OLDMETHODS" -maxdepth 1 ! -type d); do - ln -s "$OLDMETHODS/$(basename "$METH")" "$NEWMETHODS" -done -IFS="$backupIFS" -ln -s "${OLDMETHODS}/http" "${NEWMETHODS}/http-ng" - changetowebserver webserverconfig 'aptwebserver::redirect::replace::/redirectme/' "http://localhost:${APTHTTPPORT}/" + +echo 'Dir::Bin::Methods::http-ng "http";' > rootdir/etc/apt/apt.conf.d/99add-http-ng-method sed -i -e 's# http:# http-ng:#' $(find rootdir/etc/apt/sources.list.d -name '*-deb-src.list') testsuccess apt update -o Debug::Acquire::http-ng=1 -- cgit v1.2.3 From 8665dceb5cf2a197ae270b08066f05c8a2870223 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sat, 6 Aug 2016 13:53:05 +0200 Subject: block direct connections to .onion domains (RFC7687) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Doing a direct connect to an .onion address (if you don't happen to use it as a local domain, which you shouldn't) is bound to fail and does leak the information that you do use Tor and which hidden service you wanted to connect to to a DNS server. Worse, if the DNS is poisoned and actually resolves tricking a user into believing the setup would work correctly… This does block also the usage of wrappers like torsocks with apt, but with native support available and advertised in the error message this shouldn't really be an issue. Inspired-by: https://bugzilla.mozilla.org/show_bug.cgi?id=1228457 --- test/integration/test-method-connect | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100755 test/integration/test-method-connect (limited to 'test') diff --git a/test/integration/test-method-connect b/test/integration/test-method-connect new file mode 100755 index 000000000..b35f96dc3 --- /dev/null +++ b/test/integration/test-method-connect @@ -0,0 +1,13 @@ +#!/bin/sh +set -e + +TESTDIR="$(readlink -f "$(dirname "$0")")" +. "$TESTDIR/framework" + +setupenvironment + +cd downloaded +testfailureequal 'Err:1 http://vwakviie2ienjx6t.onion/ + Direct connection to .onion domains is blocked by default. If you meant to use Tor remember to use tor+http instead of http. +E: Failed to fetch http://vwakviie2ienjx6t.onion/ Direct connection to .onion domains is blocked by default. If you meant to use Tor remember to use tor+http instead of http. +E: Download Failed' apthelper download-file 'http://vwakviie2ienjx6t.onion/' ftp.debian.org.html -- cgit v1.2.3