| Summary: | net-proxy/http-replicator - /etc/init.d/http-replicator: "--flat" parameter causes trouble on verification failures | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
| Component: | Current packages | Assignee: | No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | normal | CC: | treecleaner, zubkov318 |
| Priority: | Normal | Keywords: | NeedPatch, PMASKED |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Deadline: | 2020-03-18 | | |
Description
Thomas Deutschmann (RETIRED)
2014-10-01 15:12:09 UTC
A subset of this problem is fixed in version 3.0-r5 [same file name but different URL], as long as the client side uses the correct FETCHCOMMAND (see bug 442874). However, the specific issue of a source file being replaced in-place is still broken and requires manual intervention to recover. If someone wants to work on this, perhaps portage could be tweaked to add additional headers (similar to bug 442874) when retrying the download after a hash/checksum failure, and then http-replicator watches for the extra headers. Perhaps an "ignore cached" or an "expecting this sha256" extra HTTP header.

*** Bug 503226 has been marked as a duplicate of this bug. ***

I would not advise blindly removing the --flat option from http-replicator-4.0_alpha2. In addition to the repcacheman concern mentioned above, from my memory of a quick look at the code a few years ago, unless --flat is specified there does not appear to be anything to protect a 4.0 server from someone requesting "GET /../../../../any/file/on/your/server". (3.0 looked OK, though). Perhaps this should be considered a security issue, although I think the default configuration isn't vulnerable.

See also:
- bug 442874, comment 18.
- If you follow some links from the ebuild-indicated homepage (moved..., issues...), you can find an upstream bug report I filed about this a few years ago, but it hasn't had any activity: https://github.com/gertjanvanzwieten/replicator/issues/4
- I may add a more detailed comment to bug 676758 (stabilize 4.0) about other things 3.0 still does better than 4.0.
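As an added illustration of the containment check the last comment is asking for (example code written for this page, not http-replicator's own): a helper that maps a requested URL onto a cache directory in either a flat layout (basename only, the protection --flat gives) or a hierarchical layout, and refuses any request that would resolve outside the cache root. The root directory and the sample requests are constructed for the example.

```python
# Added example, not http-replicator code: map a proxy request to a file
# under a cache root without letting the request escape the root.
import os
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed cache root for the example; it need not exist on disk.
SAMPLE_ROOT = "/srv/replicator-cache"


class UnsafePath(ValueError):
    """Raised when a request would map outside the cache root."""


def cache_path(root: str, url: str, flat: bool) -> str:
    """Return the absolute cache file for `url`, or raise UnsafePath.

    `url` is the request target as the proxy sees it (absolute URL or
    origin-form path). With flat=True every file is stored by basename in
    the root directory; otherwise the upstream path is mirrored below it.
    """
    root = os.path.realpath(root)
    # Decode before inspecting: "%2e%2e/" must not slip past a ".." check.
    path = unquote(urlsplit(url).path)
    if flat:
        name = posixpath.basename(path)
        # basename("/x/..") is ".." and basename("/") is "": neither is a file.
        if name in ("", ".", ".."):
            raise UnsafePath(f"no usable file name in {url!r}")
        candidate = os.path.join(root, name)
    else:
        segments = [s for s in path.split("/") if s not in ("", ".")]
        if not segments or ".." in segments:
            raise UnsafePath(f"{url!r} is not a plain path below the root")
        candidate = os.path.join(root, *segments)
    # Defence in depth: re-check the resolved path (catches symlinks that
    # point out of the cache when the directory already exists).
    final = os.path.realpath(candidate)
    if not final.startswith(root + os.sep):
        raise UnsafePath(f"{url!r} escapes the cache root")
    return final


def is_safe(root: str, url: str, flat: bool) -> bool:
    """True if the request maps to a file inside the cache root."""
    try:
        cache_path(root, url, flat)
        return True
    except UnsafePath:
        return False
```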