• Bug#1109147: bookworm-pu: package libsoup3/3.2.3-0+deb12u1 (2/2)

    From Simon McVittie@21:1/5 to Simon McVittie on Sat Jul 12 16:40:01 2025
    [continued from previous message]

    + static gboolean redirected = FALSE;
    +
    + if (!redirected) {
    + char *redirect_uri = g_uri_to_string (user_data);
    + soup_server_message_set_redirect (msg, SOUP_STATUS_MOVED_PERMANENTLY, redirect_uri);
    + g_free (redirect_uri);
    + redirected = TRUE;
    + return;
    + }
    +
    + g_assert_not_reached ();
    +}
    +
    +static gboolean
    +auth_for_redirect_callback (SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer user_data)
    +{
    + GUri *known_server_uri = user_data;
    +
    + if (!soup_uri_host_equal (known_server_uri, soup_message_get_uri (msg)))
    + return FALSE;
    +
    + soup_auth_authenticate (auth, "user", "good-basic");
    +
    + return TRUE;
    +}
    +
    +static void
    +do_strip_on_crossorigin_redirect (void)
    +{
    + SoupSession *session;
    + SoupMessage *msg;
    + SoupServer *server1, *server2;
    + SoupAuthDomain *auth_domain;
    + GUri *uri;
    + gint status;
    +
    + server1 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
    + server2 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
    +
    + /* Both servers have the same credentials. */
    + auth_domain = soup_auth_domain_basic_new ("realm", "auth-test", "auth-callback", server_basic_auth_callback, NULL);
    + soup_auth_domain_add_path (auth_domain, "/");
    + soup_server_add_auth_domain (server1, auth_domain);
    + soup_server_add_auth_domain (server2, auth_domain);
    + g_object_unref (auth_domain);
    +
    + /* Server 1 asks for auth, then redirects to Server 2. */
    + soup_server_add_handler (server1, NULL,
    + redirect_server_callback,
    + soup_test_server_get_uri (server2, "http", NULL), (GDestroyNotify)g_uri_unref);
    + /* Server 2 requires auth. */
    + soup_server_add_handler (server2, NULL, server_callback, NULL, NULL);
    +
    + session = soup_test_session_new (NULL);
    + uri = soup_test_server_get_uri (server1, "http", NULL);
    + msg = soup_message_new_from_uri ("GET", uri);
    + /* The client only sends credentials for the host it knows. */
    + g_signal_connect (msg, "authenticate", G_CALLBACK (auth_for_redirect_callback), uri);
    +
    + status = soup_test_session_send_message (session, msg);
    +
    + g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
    +
    + g_uri_unref (uri);
    + soup_test_server_quit_unref (server1);
    + soup_test_server_quit_unref (server2);
    +}
    +
    int
    main (int argc, char **argv)
    {
    @@ -1899,6 +2025,11 @@
    g_test_add_func ("/auth/auth-uri", do_auth_uri_test);
    g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate);
    g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms);
    + g_test_add_func ("/auth/strip-on-crossorigin-redirect", do_strip_on_crossorigin_redirect);
    + g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
    + g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
    + g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
    + g_test_add_data_func ("/auth/missing-params/nonce-and-qop", "Digest realm=\"auth-test\"", do_missing_params_test);

    ret = g_test_run ();
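Review bot: The `/auth/missing-params/nonce-md5-sess` challenge has no comma between the `opaque` and `algorithm` parameters, so the parser may not see `algorithm` as a separate parameter. If it does not, this case never selects MD5-sess and merely repeats `/auth/missing-params/nonce`, leaving the session-variant path with a missing nonce untested. If the intent is a well-formed challenge, separate the two parameters: `opaque=\"5ccc069c403ebaf9f0171e9517f40e41\", algorithm=\"MD5-sess\"`. If the malformed form is deliberate, say so in a comment above the line, such as `/* comma before algorithm omitted on purpose */`, and add a well-formed MD5-sess case next to it. `do_missing_params_test` is defined outside this hunk, so what it asserts for each challenge cannot be checked from here.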

    diff -Nru libsoup3-3.2.2/tests/header-parsing-test.c libsoup3-3.2.3/tests/header-parsing-test.c
    --- libsoup3-3.2.2/tests/header-parsing-test.c 2022-11-02 19:46:22.000000000 +0000
    +++ libsoup3-3.2.3/tests/header-parsing-test.c 2025-07-12 14:43:24.000000000 +0100
    @@ -6,6 +6,15 @@
    const char *name, *value;
    } Header;

    +/* These are not C strings to ensure going one byte over is not safe. */
    +static char unterminated_http_version[] = {
    + 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
    +};
    +
    +static char only_newlines[] = {
    + '\n', '\n', '\n', '\n'
    +};
    +
    static struct RequestTest {
    const char *description;
    const char *bugref;
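Review bot: The comment above `unterminated_http_version` and `only_newlines` says a one-byte overread "is not safe", but for file-scope arrays that only holds when the test binary is built with a sanitizer that puts redzones around globals. In a plain run, and probably under memcheck too, a read one byte past the end lands in adjacent static data and the test still passes. The comment should state that requirement, for example `/* Not NUL-terminated on purpose; an overread is only reported when built with -fsanitize=address. */`. Alternatively the test could copy each fixture into an exact-size heap buffer before parsing, so heap checkers catch it as well. The table entries that use these arrays are outside this hunk; they presumably pass `sizeof` as the length, since no terminator exists to measure.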
    @@ -358,24 +367,6 @@
    }
    },

    - { "NUL in header name", "760832",
    - "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
    - SOUP_STATUS_OK,
    - "GET", "/", SOUP_HTTP_1_1,
    - { { "Host", "example.com" },
    - { NULL }
    - }
    - },
    -
    - { "NUL in header value", "760832",
    - "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,
    - SOUP_STATUS_OK,
    - "GET", "/", SOUP_HTTP_1_1,
    - { { "Host", "examplecom" },
    -