path: root/test/integration/test-cve-2019-3462-dequote-injection
#!/bin/sh
# Regression test for CVE-2019-3462 (per the file name): a redirect target
# that contains percent-encoded control characters must be rejected with a
# SECURITY error instead of being decoded and passed on.
# Abort on the first unchecked failing command.
set -e

# Resolve the directory holding this script and load the shared test helpers
# from it; every helper called below comes from that framework file.
TESTDIR="$(readlink -f "$(dirname "$0")")"
. "$TESTDIR/framework"
setupenvironment
configarchitecture 'amd64'

# Build the single package this test needs: 'alpha' version 1, architecture
# 'all', in 'unstable', uncompressed (final argument 'none').
buildsimplenativepackage 'alpha' 'all' '1' 'unstable' '' '' 'section' 'optional' '' 'none'

setupaptarchive --no-update
# Hash and size of the genuine package. Both are referenced only in the
# disabled reference section after `exit 0` at the end of this file.
ORIGINAL_SHA256=$(sha256sum aptarchive/pool/alpha_1_all.deb | awk '{print $1}')
ORIGINAL_SIZE=$(wc -c aptarchive/pool/alpha_1_all.deb | awk '{print $1}')
# Dummy 64-hex-digit value placed into the SHA256-Hash field of the injected
# redirect payloads; it is deliberately not the hash of any built package.
SHA256="DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"
# Presumably switches the archive to be served by the test web server: the
# expected output below uses http://localhost:${APTHTTPPORT} - confirm in framework.
changetowebserver

# Run one rejection check for a given redirect target.
# Arguments: $1 - value handed to the test web server's
#                 aptwebserver::redirect::replace::alpha_1_all.deb option
#                 (by its name, the redirect target served for that file).
# Outcome:   passes only if `apt update` succeeds and `apt-get install alpha`
#            fails with exactly the output below, i.e. the fetch is refused
#            with the "control characters" SECURITY error.
# NOTE(review): only the reported output of the failed install is asserted
# here; nothing in this function inspects archives/partial afterwards.
# Consider whether that is covered elsewhere.
runwithbaduri() {
	webserverconfig aptwebserver::redirect::replace::alpha_1_all.deb "$1"

	# The index update must still work; the debug options only add
	# http and acquire-worker tracing to the output.
	testsuccess apt update -o debug::http=1 -o debug::pkgacquire::worker=1

	# The expected text is compared literally, including the download and
	# installed sizes of the package built by this test.
	testfailureequal "Reading package lists...
Building dependency tree...
The following NEW packages will be installed:
  alpha
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 20.7 kB of archives.
After this operation, 11.3 kB of additional disk space will be used.
Err:1 http://localhost:${APTHTTPPORT} unstable/main all alpha all 1
  SECURITY: URL redirect target contains control characters, rejecting.
E: Failed to fetch http://localhost:${APTHTTPPORT}/pool/alpha_1_all.deb  SECURITY: URL redirect target contains control characters, rejecting.
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?" aptget install alpha
}
# Case 1: redirect target percent-encoded once (%0a = newline, %20 = space).
# After one decoding pass it would read as a file name, a blank line, and then
# a forged "201 URI Done" block whose URI, Filename, Size, Last-Modified,
# SHA256-Hash and Checksum-FileSize-Hash fields are all chosen by the server:
# Filename names partial/alpha_1_all.deb in this test's rootdir, and the hash
# is the dummy $SHA256. The client must refuse the redirect instead.
runwithbaduri "beeta_1_all.deb%0a%0a201%20URI%20Done%0aURI:%20http://localhost:${APTHTTPPORT}/pool/beeta_1_all.deb%0aFilename:%20${TMPWORKINGDIRECTORY}/rootdir/var/cache/apt/archives/partial/alpha_1_all.deb%0aSize:%2020672%0aLast-Modified:%20Fri,%2018%20Jan%202019%2009:52:02%20+0000%0aSHA256-Hash:%20${SHA256}%0aChecksum-FileSize-Hash:%2012345%0a%0a%0a"
# Drop the downloaded index lists so the `apt update` inside the next run
# starts without them (presumably to force a fresh fetch - confirm).
rm -rf rootdir/var/lib/apt/lists
# Case 2: the same content with the '%' itself encoded (%250a, %2520), so a
# newline would only appear after two decoding passes.
# NOTE(review): the very last separator is a single-encoded %0a, so one
# decoding pass already yields a control character. If this case is meant to
# prove handling of purely double-encoded input, confirm that is intentional.
runwithbaduri "beeta_1_all.deb%250a%250a201%2520URI%2520Done%250aURI:%2520http://localhost:${APTHTTPPORT}/pool/beeta_1_all.deb%250aFilename:%2520${TMPWORKINGDIRECTORY}/rootdir/var/cache/apt/archives/partial/alpha_1_all.deb%250aSize:%252020672%250aLast-Modified:%2520Fri,%252018%2520Jan%25202019%252009:52:02%2520+0000%250aSHA256-Hash:%2520${SHA256}%250aChecksum-FileSize-Hash:%252012345%250a%250a%0a"

# For reference, the following is the original reproducer for the bug. It is
# disabled by the `exit 0` below because it fails on fixed versions; nothing
# after that line is ever executed.
#
# What the expected output records: on an affected version the install also
# failed, but with "Hash Sum mismatch", and the "Hashes of received file"
# (SHA256 DEADBEEF..., size 12345) and the "Last modification reported" date
# are exactly the values carried in the redirect payloads above, while the
# failed URI is .../pool/beeta_1_all.deb. In other words the reported
# metadata matched the injected text, not the built alpha package, whose real
# hash and size appear as the "expected" values.
exit 0

testfailureequal "Reading package lists...
Building dependency tree...
The following NEW packages will be installed:
  alpha
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 20.7 kB of archives.
After this operation, 11.3 kB of additional disk space will be used.
Err:1 http://localhost:${APTHTTPPORT} unstable/main all alpha all 1
  Hash Sum mismatch
  Hashes of expected file:
   - SHA256:$ORIGINAL_SHA256
   - Filesize:$ORIGINAL_SIZE [weak]
  Hashes of received file:
   - SHA256:DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
   - Filesize:12345 [weak]
  Last modification reported: Fri, 18 Jan 2019 09:52:02 +0000
E: Failed to fetch http://localhost:${APTHTTPPORT}/pool/beeta_1_all.deb  Hash Sum mismatch
   Hashes of expected file:
    - SHA256:$ORIGINAL_SHA256
    - Filesize:$ORIGINAL_SIZE [weak]
   Hashes of received file:
    - SHA256:DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
    - Filesize:12345 [weak]
   Last modification reported: Fri, 18 Jan 2019 09:52:02 +0000
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?" aptget install alpha