commit 43f04f81a7200e6e810e3841f14bd74fa1a7233f
Author: MSVSphere Packaging Team
Date: Fri Sep 22 19:25:33 2023 +0300
import perl-HTTP-Tiny-0.076-461.el9
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..619db47
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/HTTP-Tiny-0.076.tar.gz
diff --git a/.perl-HTTP-Tiny.metadata b/.perl-HTTP-Tiny.metadata
new file mode 100644
index 0000000..a41982e
--- /dev/null
+++ b/.perl-HTTP-Tiny.metadata
@@ -0,0 +1 @@
+2e27950c8cc5643649fac3607ba0082711139dd7 SOURCES/HTTP-Tiny-0.076.tar.gz
diff --git a/SOURCES/HTTP-Tiny-0.070-Croak-on-failed-write-into-a-file.patch b/SOURCES/HTTP-Tiny-0.070-Croak-on-failed-write-into-a-file.patch
new file mode 100644
index 0000000..510d701
--- /dev/null
+++ b/SOURCES/HTTP-Tiny-0.070-Croak-on-failed-write-into-a-file.patch
@@ -0,0 +1,36 @@
+From ddda87fb08ca523115be1ffd6dec8442e47bc20b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Wed, 27 Nov 2013 10:45:39 +0100
+Subject: [PATCH] Croak on failed write into a file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The mirror() method saves a document into a file. Any error while
+writing to the file, e.g. no disk space, was ignored. This patch fixes
+it by croaking on such I/O error.
+
+Signed-off-by: Petr Písař
+---
+ lib/HTTP/Tiny.pm | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
+index 541befe..b3fffd0 100644
+--- a/lib/HTTP/Tiny.pm
++++ b/lib/HTTP/Tiny.pm
+@@ -300,7 +300,10 @@ sub mirror {
+ sysopen my $fh, $tempfile, Fcntl::O_CREAT()|Fcntl::O_EXCL()|Fcntl::O_WRONLY()
+ or _croak(qq/Error: Could not create temporary file $tempfile for downloading: $!\n/);
+ binmode $fh;
+- $args->{data_callback} = sub { print {$fh} $_[0] };
++ $args->{data_callback} = sub {
++ print {$fh} $_[0]
++ or _croak(qq/Error: Could not write into temporary file $tempfile: $!\n/);
++ };
+ my $response = $self->request('GET', $url, $args);
+ close $fh
+ or _croak(qq/Error: Caught error closing temporary file $tempfile: $!\n/);
+--
+2.7.4
+
diff --git a/SOURCES/HTTP-Tiny-0.076-Change-verify_SSL-default-to-1-add-ENV-var-to-enable.patch b/SOURCES/HTTP-Tiny-0.076-Change-verify_SSL-default-to-1-add-ENV-var-to-enable.patch
new file mode 100644
index 0000000..ea2316a
--- /dev/null
+++ b/SOURCES/HTTP-Tiny-0.076-Change-verify_SSL-default-to-1-add-ENV-var-to-enable.patch
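Review bot: The `_croak` added inside `data_callback` in the `sub mirror` hunk of HTTP-Tiny-0.070-Croak-on-failed-write-into-a-file.patch is raised from within `$self->request('GET', $url, $args)`, so whether mirror()'s caller ever sees an exception depends on how request() treats exceptions thrown by callbacks, which is outside this hunk. If request() traps them into an error response (likely, but to be confirmed), a full disk surfaces as a failed response rather than a croak, and the patch description's "croaking on such I/O error" overstates what callers get. A comment above the callback would settle it, for example `# a write failure aborts the transfer; see request() for how callback exceptions are reported`. The body of mirror() continues past the hunk, so the cleanup of `$tempfile` on this path cannot be checked from here.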
@@ -0,0 +1,569 @@ +From 77f557ef84698efeb6eed04e4a9704eaf85b741d Mon Sep 17 00:00:00 2001 +From: Stig Palmquist +Date: Mon, 5 Jun 2023 16:46:22 +0200 +Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable + insecure default + +- Changes the `verify_SSL` default parameter from `0` to `1` + + Based on patch by Dominic Hargreaves: + https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92 + + Fixes CVE-2023-31486 + +- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that + enables the previous insecure default behaviour if set to `1`. + + This provides a workaround for users who encounter problems with the + new `verify_SSL` default. + + Example to disable certificate checks: + ``` + $ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl + ``` + +- Updates to documentation: + - Describe changing the verify_SSL value + - Describe the escape-hatch environment variable + - Remove rationale for not enabling verify_SSL + - Add missing certificate search paths + - Replace "SSL" with "TLS/SSL" where appropriate + - Use "machine-in-the-middle" instead of "man-in-the-middle" + +- Update `210_live_ssl.t` + - Use github.com, cpan.org and badssl.com hosts for checking + certificates. 
+ - Add self signed snake-oil certificate for checking failures rather + than bypassing the `SSL_verify_callback` + - Test `verify_SSL` parameter in addition to low level SSL_options + - Test that `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1` behaves as + expected against badssl.com + +- Added `180_verify_SSL.t` + - Test that `verify_SSL` default is `1` + - Test that `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT` behaves as expected + - Test that using different values for `verify_SSL` and legacy `verify_ssl` + doesn't disable cert checks + +Backported from HTTP::Tiny 0.083 + +--- + lib/HTTP/Tiny.pm | 72 ++++++++++++++---------- + t/180_verify_SSL.t | 109 ++++++++++++++++++++++++++++++++++++ + t/210_live_ssl.t | 136 ++++++++++++++++++++++++++++++--------------- + t/snake-oil.crt | 33 +++++++++++ + 4 files changed, 277 insertions(+), 73 deletions(-) + create mode 100644 t/180_verify_SSL.t + create mode 100644 t/snake-oil.crt + +diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm +index 2ece5ca..58be640 100644 +--- a/lib/HTTP/Tiny.pm ++++ b/lib/HTTP/Tiny.pm +@@ -39,10 +39,14 @@ sub _croak { require Carp; Carp::croak(@ + #pod C<$ENV{no_proxy}> —) + #pod * C — Request timeout in seconds (default is 60) If a socket open, + #pod read or write takes longer than the timeout, an exception is thrown. +-#pod * C — A boolean that indicates whether to validate the SSL +-#pod certificate of an C — connection (default is false) ++#pod * C — A boolean that indicates whether to validate the TLS/SSL ++#pod certificate of an C ? connection (default is true). Changed from false ++#pod to true for RHBZ#2228412. + #pod * C — A hashref of C — options to pass through to + #pod L ++#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default ++#pod certificate verification behavior to not check server identity if set to 1. ++#pod Only effective if C is not set. Added for RHBZ#2228412. 
+ #pod + #pod Passing an explicit C for C, C or C will + #pod prevent getting the corresponding proxies from the environment. +@@ -108,11 +112,17 @@ sub timeout { + sub new { + my($class, %args) = @_; + ++ # Support lower case verify_ssl argument, but only if verify_SSL is not ++ # true. ++ if ( exists $args{verify_ssl} ) { ++ $args{verify_SSL} ||= $args{verify_ssl}; ++ } ++ + my $self = { + max_redirect => 5, + timeout => defined $args{timeout} ? $args{timeout} : 60, + keep_alive => 1, +- verify_SSL => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default ++ verify_SSL => defined $args{verify_SSL} ? $args{verify_SSL} : _verify_SSL_default(), + no_proxy => $ENV{no_proxy}, + }; + +@@ -131,6 +141,13 @@ sub new { + return $self; + } + ++sub _verify_SSL_default { ++ my ($self) = @_; ++ # Check if insecure default certificate verification behaviour has been ++ # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ++ return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1; ++} ++ + sub _set_proxies { + my ($self) = @_; + +@@ -1041,7 +1058,7 @@ sub new { + timeout => 60, + max_line_size => 16384, + max_header_lines => 64, +- verify_SSL => 0, ++ verify_SSL => HTTP::Tiny::_verify_SSL_default(), + SSL_options => {}, + %args + }, $class; +@@ -2012,11 +2029,11 @@ proxy + timeout + verify_SSL + +-=head1 SSL SUPPORT ++=head1 TLS/SSL SUPPORT + + Direct C connections are supported only if L 1.56 or + greater and L 1.49 or greater are installed. An exception will be +-thrown if new enough versions of these modules are not installed or if the SSL ++thrown if new enough versions of these modules are not installed or if the TLS + encryption fails. You can also use C utility function + that returns boolean to see if the required modules are installed. + +@@ -2024,7 +2041,7 @@ An C connection may be made via a + command (i.e. RFC 2817). You may not proxy C via a proxy that itself + requires C to communicate. 
+ +-SSL provides two distinct capabilities: ++TLS/SSL provides two distinct capabilities: + + =over 4 + +@@ -2038,24 +2055,17 @@ Verification of server identity + + =back + +-B. ++B. + +-Server identity verification is controversial and potentially tricky because it +-depends on a (usually paid) third-party Certificate Authority (CA) trust model +-to validate a certificate as legitimate. This discriminates against servers +-with self-signed certificates or certificates signed by free, community-driven +-CA's such as L. +- +-By default, HTTP::Tiny does not make any assumptions about your trust model, +-threat level or risk tolerance. It just aims to give you an encrypted channel +-when you need one. +- +-Setting the C attribute to a true value will make HTTP::Tiny verify +-that an SSL connection has a valid SSL certificate corresponding to the host +-name of the connection and that the SSL certificate has been verified by a CA. +-Assuming you trust the CA, this will protect against a L. If you are +-concerned about security, you should enable this option. ++This was changed for RHBZ#2228412 due to security concerns. The previous default ++behavior can be enabled by setting C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> ++to 1. ++ ++Verification is done by checking that that the TLS/SSL connection has a valid ++certificate corresponding to the host name of the connection and that the ++certificate has been verified by a CA. Assuming you trust the CA, this will ++protect against L. + + Certificate verification requires a file containing trusted CA certificates. + +@@ -2063,9 +2073,7 @@ If the environment variable C module is installed, HTTP::Tiny will use the CA file +-included with it as a source of trusted CA's. (This means you trust Mozilla, +-the author of Mozilla::CA, the CPAN mirror where you got Mozilla::CA, the +-toolchain used to install it, and your operating system security, right?) ++included with it as a source of trusted CA's. 
+ + If that module is not available, then HTTP::Tiny will search several + system-specific default locations for a CA certificate file: +@@ -2084,13 +2092,33 @@ system-specific default locations for a + + /etc/ssl/ca-bundle.pem + ++=item * ++ ++/etc/openssl/certs/ca-certificates.crt ++ ++=item * ++ ++/etc/ssl/cert.pem ++ ++=item * ++ ++/usr/local/share/certs/ca-root-nss.crt ++ ++=item * ++ ++/etc/pki/tls/cacert.pem ++ ++=item * ++ ++/etc/certs/ca-certificates.crt ++ + =back + + An exception will be raised if C is true and no CA certificate file + is available. + +-If you desire complete control over SSL connections, the C attribute +-lets you provide a hash reference that will be passed through to ++If you desire complete control over TLS/SSL connections, the C ++attribute lets you provide a hash reference that will be passed through to + C, overriding any options set by HTTP::Tiny. For + example, to provide your own trusted CA file: + +@@ -2100,7 +2128,7 @@ example, to provide your own trusted CA + + The C attribute could also be used for such things as providing a + client certificate for authentication to a server or controlling the choice of +-cipher used for the SSL connection. See L documentation for ++cipher used for the TLS/SSL connection. See L documentation for + details. 
+ + =head1 PROXY SUPPORT +diff --git a/t/180_verify_SSL.t b/t/180_verify_SSL.t +new file mode 100644 +index 0000000..d6bc412 +--- /dev/null ++++ b/t/180_verify_SSL.t +@@ -0,0 +1,109 @@ ++#!perl ++ ++use strict; ++use warnings; ++use Test::More 0.88; ++use lib 't'; ++ ++use HTTP::Tiny; ++ ++delete $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT}; ++ ++{ ++ my $ht = HTTP::Tiny->new(); ++ is($ht->verify_SSL, 1, "verify_SSL is 1 by default"); ++} ++ ++{ ++ my $ht = HTTP::Tiny->new( ++ verify_SSL => 0 ++ ); ++ is($ht->verify_SSL, 0, "verify_SSL=>0 sets 0"); ++} ++ ++{ ++ my $ht = HTTP::Tiny->new( ++ verify_ssl => 0 ++ ); ++ is($ht->verify_SSL, 0, "verify_ssl=>0 sets 0"); ++} ++ ++{ ++ my $ht = HTTP::Tiny->new( ++ verify_SSL => 1, ++ verify_ssl => 0 ++ ); ++ is($ht->verify_SSL, 1, "verify_SSL=>1 and verify_ssl=>0 sets 1"); ++} ++ ++{ ++ my $ht = HTTP::Tiny->new( ++ verify_SSL => 0, ++ verify_ssl => 1 ++ ); ++ is($ht->verify_SSL, 1, "verify_SSL=>0 and verify_ssl=>1 sets 1"); ++} ++ ++{ ++ my $ht = HTTP::Tiny->new( ++ verify_SSL => 0, ++ verify_ssl => 0 ++ ); ++ is($ht->verify_SSL, 0, "verify_SSL=>0 and verify_ssl=>0 sets 0"); ++} ++ ++{ ++ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1"; ++ my $ht = HTTP::Tiny->new(); ++ is($ht->verify_SSL, 0, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1 changes verify_SSL default to 0"); ++} ++ ++{ ++ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "0"; ++ my $ht = HTTP::Tiny->new(); ++ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=0 keeps verify_SSL default at 1"); ++} ++ ++{ ++ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "False"; ++ my $ht = HTTP::Tiny->new(); ++ is($ht->verify_SSL, 1, "Unsupported PERL_HTTP_TINY_INSECURE_BY_DEFAULT=False keeps verify_SSL default at 1"); ++} ++ ++{ ++ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1"; ++ my $ht = HTTP::Tiny->new(verify_SSL=>1); ++ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1 does not override verify_SSL attribute set to 1"); ++} ++ ++{ ++ local 
$ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1"; ++ my $ht = HTTP::Tiny->new( ++ verify_SSL => 1, ++ verify_ssl => 1 ++ ); ++ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1, verify_SSL=>1 and verify_ssl=>1 sets 1"); ++} ++ ++{ ++ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1"; ++ my $ht = HTTP::Tiny->new( ++ verify_SSL => 1, ++ verify_ssl => 0 ++ ); ++ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1, verify_SSL=>1 and verify_ssl=>0 sets 1"); ++} ++ ++{ ++ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1"; ++ my $ht = HTTP::Tiny->new( ++ verify_SSL => 0, ++ verify_ssl => 0 ++ ); ++ is($ht->verify_SSL, 0, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1, verify_SSL=>0 and verify_ssl=>0 sets 0"); ++} ++ ++ ++ ++done_testing; ++ +diff --git a/t/210_live_ssl.t b/t/210_live_ssl.t +index 6f80e51..7b84f93 100644 +--- a/t/210_live_ssl.t ++++ b/t/210_live_ssl.t +@@ -18,6 +18,8 @@ BEGIN { + } + use HTTP::Tiny; + ++delete $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT}; ++ + plan skip_all => 'Only run for $ENV{AUTOMATED_TESTING}' + unless $ENV{AUTOMATED_TESTING}; + +@@ -27,33 +29,73 @@ if ( can_run('openssl') ) { + diag "\nNote: running test with ", qx/openssl version/; + } + +-my $data = { +- 'https://www.google.ca/' => { +- host => 'www.google.ca', +- pass => { SSL_verifycn_scheme => 'http', SSL_verifycn_name => 'www.google.ca', SSL_verify_mode => 0x01, SSL_ca_file => Mozilla::CA::SSL_ca_file() }, +- fail => { SSL_verify_callback => sub { 0 }, SSL_verify_mode => 0x01 }, +- default_should_yield => '1', +- }, +- 'https://twitter.com/' => { +- host => 'twitter.com', +- pass => { SSL_verifycn_scheme => 'http', SSL_verifycn_name => 'twitter.com', SSL_verify_mode => 0x01, SSL_ca_file => Mozilla::CA::SSL_ca_file() }, +- fail => { SSL_verify_callback => sub { 0 }, SSL_verify_mode => 0x01 }, +- default_should_yield => '1', +- }, +- 'https://github.com/' => { +- host => 'github.com', +- pass => { SSL_verifycn_scheme => 'http', SSL_verifycn_name => 'github.com', 
SSL_verify_mode => 0x01, SSL_ca_file => Mozilla::CA::SSL_ca_file() }, +- fail => { SSL_verify_callback => sub { 0 }, SSL_verify_mode => 0x01 }, +- default_should_yield => '1', +- }, +- 'https://spinrite.com/' => { +- host => 'spinrite.com', +- pass => { SSL_verifycn_scheme => 'none', SSL_verifycn_name => 'spinrite.com', SSL_verify_mode => 0x00 }, +- fail => { SSL_verifycn_scheme => 'http', SSL_verifycn_name => 'spinrite.com', SSL_verify_mode => 0x01, SSL_ca_file => Mozilla::CA::SSL_ca_file() }, +- default_should_yield => '', +- } +-}; +-plan tests => 1+ scalar keys %$data; ++test_ssl('https://cpan.org/' => { ++ host => 'cpan.org', ++ pass => { verify_SSL => 1 }, ++ fail => { verify_SSL => 1, SSL_options => { SSL_ca_file => "t/snake-oil.crt" } }, ++ default_verify_should_return => !!1, ++}); ++ ++test_ssl('https://github.com/' => { ++ host => 'github.com', ++ pass => { verify_SSL => 1 }, ++ fail => { verify_SSL => 1, SSL_options => { SSL_ca_file => "t/snake-oil.crt" } }, ++ default_verify_should_return => !!1, ++}); ++ ++test_ssl('https://wrong.host.badssl.com/' => { ++ host => 'wrong.host.badssl.com', ++ pass => { SSL_options => { SSL_verifycn_scheme => 'none', SSL_verifycn_name => 'wrong.host.badssl.com', SSL_verify_mode => 0x00 } }, ++ fail => { SSL_options => { SSL_verifycn_scheme => 'http', SSL_verifycn_name => 'wrong.host.badssl.com', SSL_verify_mode => 0x01, SSL_ca_file => Mozilla::CA::SSL_ca_file() } }, ++ default_verify_should_return => !!0, ++}); ++ ++test_ssl('https://untrusted-root.badssl.com/' => { ++ host => 'untrusted-root.badssl.com', ++ pass => { verify_SSL => 0 }, ++ fail => { verify_SSL => 1 }, ++ default_verify_should_return => !!0, ++}); ++ ++test_ssl('https://mozilla-modern.badssl.com/' => { ++ host => 'mozilla-modern.badssl.com', ++ pass => { verify_SSL => 1 }, ++ fail => { verify_SSL => 1, SSL_options => { SSL_ca_file => "t/snake-oil.crt" } }, ++ default_verify_should_return => !!1, ++}); ++ ++{ ++ local 
$ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = 1; ++ test_ssl('https://wrong.host.badssl.com/' => { ++ host => 'wrong.host.badssl.com', ++ pass => { verify_SSL => 0 }, ++ fail => { verify_SSL => 1 }, ++ default_verify_should_return => !!1, ++ }); ++ test_ssl('https://expired.badssl.com/' => { ++ host => 'expired.badssl.com', ++ pass => { verify_SSL => 0 }, ++ fail => { verify_SSL => 1 }, ++ default_verify_should_return => !!1, ++ }); ++ ++} ++ ++test_ssl('https://wrong.host.badssl.com/' => { ++ host => 'wrong.host.badssl.com', ++ pass => { verify_SSL => 0 }, ++ fail => { verify_SSL => 1 }, ++ default_verify_should_return => !!0, ++}); ++ ++test_ssl('https://expired.badssl.com/' => { ++ host => 'expired.badssl.com', ++ pass => { verify_SSL => 0 }, ++ fail => { verify_SSL => 1 }, ++ default_verify_should_return => !!0, ++}); ++ ++ + + subtest "can_ssl" => sub { + ok( HTTP::Tiny->can_ssl, "class method" ); +@@ -69,8 +111,10 @@ subtest "can_ssl" => sub { + like( $why, qr/not found or not readable/, "failure reason" ); + }; + ++done_testing(); + +-while (my ($url, $data) = each %$data) { ++sub test_ssl { ++ my ($url, $data) = @_; + subtest $url => sub { + plan 'skip_all' => 'Internet connection timed out' + unless IO::Socket::INET->new( +@@ -81,8 +125,8 @@ while (my ($url, $data) = each %$data) { + ); + + # the default verification +- my $response = HTTP::Tiny->new(verify_ssl => 1)->get($url); +- is $response->{success}, $data->{default_should_yield}, "Request to $url passed/failed using default as expected" ++ my $response = HTTP::Tiny->new()->get($url); ++ is $response->{success}, $data->{default_verify_should_return}, "Request to $url passed/failed using default as expected" + or do { + # $response->{content} = substr $response->{content}, 0, 50; + $response->{content} =~ s{\n.*}{}s; +@@ -90,21 +134,25 @@ while (my ($url, $data) = each %$data) { + }; + + # force validation to succeed +- my $pass = HTTP::Tiny->new( SSL_options => $data->{pass} )->get($url); +- isnt 
$pass->{status}, '599', "Request to $url completed (forced pass)" +- or do { +- $pass->{content} =~ s{\n.*}{}s; +- diag explain $pass +- }; +- ok $pass->{content}, 'Got some content'; ++ if ($data->{pass}) { ++ my $pass = HTTP::Tiny->new( %{$data->{pass}} )->get($url); ++ isnt $pass->{status}, '599', "Request to $url completed (forced pass)" ++ or do { ++ $pass->{content} =~ s{\n.*}{}s; ++ diag explain $pass ++ }; ++ ok $pass->{content}, 'Got some content'; ++ } + + # force validation to fail +- my $fail = HTTP::Tiny->new( SSL_options => $data->{fail} )->get($url); +- is $fail->{status}, '599', "Request to $url failed (forced fail)" +- or do { +- $fail->{content} =~ s{\n.*}{}s; +- diag explain [IO::Socket::SSL::errstr(), $fail] +- }; +- ok $fail->{content}, 'Got some content'; ++ if ($data->{fail}) { ++ my $fail = HTTP::Tiny->new( %{$data->{fail}} )->get($url); ++ is $fail->{status}, '599', "Request to $url failed (forced fail)" ++ or do { ++ $fail->{content} =~ s{\n.*}{}s; ++ diag explain [IO::Socket::SSL::errstr(), $fail] ++ }; ++ ok $fail->{content}, 'Got some content'; ++ } + }; + } +diff --git a/t/snake-oil.crt b/t/snake-oil.crt +new file mode 100644 +index 0000000..c0a5bdc +--- /dev/null ++++ b/t/snake-oil.crt +@@ -0,0 +1,33 @@ ++Generated with: ++ ++ openssl req -new -newkey rsa:4096 -x509 -new -nodes -sha256 -days 7300 -keyout /dev/null -out snake-oil.crt -subj '/CN=snake.oil/' ++ ++-----BEGIN CERTIFICATE----- ++MIIFCTCCAvGgAwIBAgIUUUWe96AgoaW3pyYxlJfMxUMA6bgwDQYJKoZIhvcNAQEL ++BQAwFDESMBAGA1UEAwwJc25ha2Uub2lsMB4XDTIzMDUyMTE1NDkxMVoXDTQzMDUx ++NjE1NDkxMVowFDESMBAGA1UEAwwJc25ha2Uub2lsMIICIjANBgkqhkiG9w0BAQEF ++AAOCAg8AMIICCgKCAgEAnScXg4MGa6CmCFOYzr8ggzqsDAR0CoVdOaqQ6XtRoRcP ++PzptoqHDFtr4NqWwmeWAGIcey6CKFZXsm9LvPly/VUDDjctYZig3UoLaoQpygwae ++2BgslsfuhwomxXuinatF6bo1vz+EaRpASJyHOBOp3Yvh2cLSXmD+YuTU8rci1IG/ ++FFmjsrftPsxKFZiI9meAtsGayQGdUIBsEvawhs5y7TDcblPfbBM21sg3touTrfzZ ++Yk9dXd7hX3uq5ZX4H9BWcqeGux3speYC2STClnGMl8DqGdAV4XssbFCVqIhvmzrW 
++L6Ce9vt0x/gxQQB4EYJlvECSqm7IiwO85I8XJ04EzmVU4e2+c1B7WS/swhGLr8JJ ++4yk/gbCe98ErU3ccnXPzZznNQXTt2iAQLqa5zNDmxjzyZXhDA1nijg2cJb1RnQVu ++m5YrUXOXt9b5664nLCVUf0s/yMqPbcIUA3puAPS6BgDEExnYL48rmTT1gazMO6S5 ++ZwpycEVkwYUFj364vIHJvQO0xB54dqNul9kMLUwPLmP9H6nBIsGgJhZCAp+WDEzp ++Y4eqp0drTlJlpfjd/QOaOsKZgwrqiD0yh35bj43zcVHKaFYGLcS8M1+XlbYNYx90 ++w7+GpbY+MebCYF//dXAFXzORxdA1XZ30I7CAxAVK5l5cokrMIHJ01kkzYEGA1Y0C ++AwEAAaNTMFEwHQYDVR0OBBYEFAyj5N91aOt4TxNEOJ18JUPEBsOyMB8GA1UdIwQY ++MBaAFAyj5N91aOt4TxNEOJ18JUPEBsOyMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI ++hvcNAQELBQADggIBAHGiT2h0SU2tlFmUQ8CzgJ7JRTg91ltRwEvs/SQ/YN7DdDwt ++dQy/0nMIeFstdDIkdQyjcAUO92msLzd8AniiwAjynxamiQqdA57+rdhp7oEbFgw+ ++nF56bG4tiBG1gAIxtY9f2sG/Sqf6UuimxOX43nybG8RdRu8hOh/TQXcj8raa2PMT ++pTdphjMJUKSplHtFpbLFuf5FxklpeAYxYAReMzQhVgTzi7fcz3QhT/l6eqK6G05v ++gi+QsgesMiGdHKiTtx8N70JFZ+8BzJ0CJDI8PR2XZTLbpKxNfk426hTjJBkRULT5 ++s7IWuuEO4Bb1p27K2WgHGh0mxFk4POPFmotxupVqzl8g2umcfWLDq0UR3BcRyR3B ++GWZNCcDTVLaAsarbSJoY1L/6j4O0RQdgpOWiENLbEcelGprGLBVe4s/NDA6aUYA+ ++2Dll+0tHe6oKI+RCRoDhhiAH7UVIGQdORzcbY3Fxbf1OlFdpOyXLI751b1DjSYRu ++9cVFXZIBRTTiEvGbUfoDEXDmKxpWHkGRel2864FBodcwGv7yW6mC3o6vpOqQFcW7 ++MjJsFhtVj8PdPmue+ye766PeH45ydDD01nr1I92w6E1C0pEEqRNEpoOGgORyNgit ++EZag4DlWFs5MFdlj32haztRgi2dhVuJxlzx4lAmvOoqvGVQVIicN1JSlikBk ++-----END CERTIFICATE----- +-- +2.41.0 + diff --git a/SPECS/perl-HTTP-Tiny.spec b/SPECS/perl-HTTP-Tiny.spec new file mode 100644 index 0000000..d7d994f --- /dev/null +++ b/SPECS/perl-HTTP-Tiny.spec 
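Review bot: `_verify_SSL_default` in the lib/HTTP/Tiny.pm hunk reads `$ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT}`, while the commit message, the `#pod` attribute list, the TLS/SSL SUPPORT section and the comment directly above the return all name `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT`. As written, the documented variable has no effect and an undocumented one turns certificate verification off, so an audit of the environment for the documented name would miss the setting that actually disables checks. t/180_verify_SSL.t and t/210_live_ssl.t set and delete the same undocumented name, which is why they would still pass. The return should read `return (($ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;`, with both test files switched to that name.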
@@ -0,0 +1,313 @@ +# Run optional test +%bcond_without perl_HTTP_Tiny_enables_optional_deps + +Name: perl-HTTP-Tiny +Version: 0.076 +Release: 461%{?dist} +Summary: Small, simple, correct HTTP/1.1 client +License: GPL+ or Artistic +URL: https://metacpan.org/release/HTTP-Tiny +Source0: https://cpan.metacpan.org/authors/id/D/DA/DAGOLDEN/HTTP-Tiny-%{version}.tar.gz +# Check for write failure, bug #1031096, refused by upstream, +# +Patch0: HTTP-Tiny-0.070-Croak-on-failed-write-into-a-file.patch +# Change verify_SSL default to 1, add ENV var to enable insecure default +# Fix rhbz#2228412 - CVE-2023-31486 +Patch1: HTTP-Tiny-0.076-Change-verify_SSL-default-to-1-add-ENV-var-to-enable.patch +BuildArch: noarch +BuildRequires: coreutils +BuildRequires: make +BuildRequires: perl-generators +BuildRequires: perl-interpreter +BuildRequires: perl(Config) +BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76 +BuildRequires: perl(strict) +BuildRequires: perl(warnings) +# Run-time: +BuildRequires: perl(bytes) +BuildRequires: perl(Carp) +BuildRequires: perl(Errno) +BuildRequires: perl(Fcntl) +BuildRequires: perl(IO::Socket) +# IO::Socket::IP 0.32 is optional +# IO::Socket::SSL 1.56 is optional +BuildRequires: perl(MIME::Base64) +# Mozilla::CA is optional +# Net::SSLeay 1.49 is an optional fall-back for IO::Socket::SSL +BuildRequires: perl(Socket) +BuildRequires: perl(Time::Local) +# Tests: +# Data::Dumper not used +BuildRequires: perl(Exporter) +BuildRequires: perl(File::Basename) +BuildRequires: perl(File::Spec) +BuildRequires: perl(File::Temp) +BuildRequires: perl(IO::Dir) +BuildRequires: perl(IO::File) +BuildRequires: perl(IO::Socket::INET) +# IO::Socket::SSL 1.56 not needed +BuildRequires: perl(IPC::Cmd) +BuildRequires: perl(lib) +# Mozilla::CA not needed +# Net::SSLeay 1.49 not needed +BuildRequires: perl(open) +BuildRequires: perl(Test::More) >= 0.96 +Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) +Requires: perl(bytes) +Requires: perl(Carp) +Requires: 
perl(Fcntl) +Recommends: perl(IO::Socket::IP) >= 0.32 +%if !%{defined perl_bootstrap} +Requires: perl(IO::Socket::SSL) >= 1.56 +Requires: perl(Mozilla::CA) +Requires: perl(Net::SSLeay) >= 1.49 +%else +Recommends: perl(IO::Socket::SSL) >= 1.56 +Recommends: perl(Mozilla::CA) +Recommends: perl(Net::SSLeay) >= 1.49 +%endif +Requires: perl(MIME::Base64) +Requires: perl(Time::Local) + +# Filter modules bundled for tests +%global __provides_exclude_from %{?__provides_exclude_from:%__provides_exclude_from|}^%{_libexecdir} +%global __requires_exclude %{?__requires_exclude:%__requires_exclude|}^perl\\(Util\\) +%global __requires_exclude %{__requires_exclude}|^perl\\(BrokenCookieJar\\) +%global __requires_exclude %{__requires_exclude}|^perl\\(SimpleCookieJar\\) + +%description +This is a very simple HTTP/1.1 client, designed for doing simple GET requests +without the overhead of a large framework like LWP::UserAgent. + +It is more correct and more complete than HTTP::Lite. It supports proxies +(currently only non-authenticating ones) and redirection. It also correctly +resumes after EINTR. + +%package tests +Summary: Tests for %{name} +Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release} +Requires: perl-Test-Harness +%if %{with perl_HTTP_Tiny_enables_optional_deps} && !%{defined perl_bootstrap} +Requires: openssl +Requires: perl(IO::Socket::IP) >= 0.32 +Requires: perl(IO::Socket::SSL) >= 1.56 +Requires: perl(Mozilla::CA) +Requires: perl(Net::SSLeay) >= 1.49 +%endif + +%description tests +Tests from %{name}. Execute them +with "%{_libexecdir}/%{name}/test". + +%prep +%setup -q -n HTTP-Tiny-%{version} +%patch -P0 -p1 +%patch -P1 -p1 + +# Help generators to recognize Perl scripts +for F in t/*.t; do + perl -i -MConfig -ple 'print $Config{startperl} if $. 
== 1 && !s{\A#!.*perl\b}{$Config{startperl}}' "$F" + chmod +x "$F" +done + +%build +perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 +make %{?_smp_mflags} + +%install +make pure_install DESTDIR='%{buildroot}' +%{_fixperms} '%{buildroot}'/* + +# Install tests +mkdir -p %{buildroot}%{_libexecdir}/%{name} +cp -a t corpus %{buildroot}%{_libexecdir}/%{name} +cat > %{buildroot}%{_libexecdir}/%{name}/test << 'EOF' +#!/bin/sh +cd %{_libexecdir}/%{name} && AUTOMATED_TESTING=1 exec prove -I . -j "$(getconf _NPROCESSORS_ONLN)" +EOF +chmod +x %{buildroot}%{_libexecdir}/%{name}/test + +%check +export HARNESS_OPTIONS=j$(perl -e 'if ($ARGV[0] =~ /.*-j([0-9][0-9]*).*/) {print $1} else {print 1}' -- '%{?_smp_mflags}') +make test + +%files +%license LICENSE +%doc Changes CONTRIBUTING.mkdn eg README +%{perl_vendorlib}/* +%{_mandir}/man3/* + +%files tests +%{_libexecdir}/%{name} + +%changelog +* Fri Sep 22 2023 MSVSphere Packaging Team - 0.076-461 +- Rebuilt for MSVSphere 9.3 beta + +* Fri Aug 04 2023 Jitka Plesnikova - 0.076-461 +- Changes the verify_SSL default parameter from 0 to 1 - CVE-2023-31486 +- Resolves: rhbz#2228412 + +* Mon Aug 09 2021 Mohan Boddu - 0.076-460 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Fri Apr 16 2021 Mohan Boddu - 0.076-459 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. 
Related: rhbz#1947937 + +* Wed Jan 27 2021 Fedora Release Engineering - 0.076-458 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Tue Jul 28 2020 Fedora Release Engineering - 0.076-457 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Jun 22 2020 Jitka Plesnikova - 0.076-456 +- Increase release to favour standalone package + +* Thu Jan 30 2020 Fedora Release Engineering - 0.076-440 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jul 26 2019 Fedora Release Engineering - 0.076-439 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu May 30 2019 Jitka Plesnikova - 0.076-438 +- Increase release to favour standalone package + +* Fri Feb 01 2019 Fedora Release Engineering - 0.076-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Aug 06 2018 Petr Pisar - 0.076-1 +- 0.076 bump + +* Tue Jul 31 2018 Petr Pisar - 0.074-1 +- 0.074 bump + +* Fri Jul 13 2018 Fedora Release Engineering - 0.070-417 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Jun 27 2018 Jitka Plesnikova - 0.070-416 +- Increase release to favour standalone package + +* Thu Feb 08 2018 Fedora Release Engineering - 0.070-395 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.070-394 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Jun 03 2017 Jitka Plesnikova - 0.070-393 +- Perl 5.26 rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 0.070-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Oct 10 2016 Petr Pisar - 0.070-1 +- 0.070 bump + +* Mon Sep 26 2016 Petr Pisar - 0.068-1 +- 0.068 bump + +* Fri Sep 02 2016 Petr Pisar - 0.064-1 +- 0.064 bump + +* Tue Aug 02 2016 Jitka Plesnikova - 0.058-3 +- Avoid loading optional modules from default . 
(CVE-2016-1238) + +* Sat May 14 2016 Jitka Plesnikova - 0.058-2 +- Perl 5.24 rebuild + +* Wed May 04 2016 Petr Pisar - 0.058-1 +- 0.058 bump + +* Thu Feb 04 2016 Fedora Release Engineering - 0.056-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jun 18 2015 Fedora Release Engineering - 0.056-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Jun 03 2015 Jitka Plesnikova - 0.056-2 +- Perl 5.22 rebuild + +* Tue May 19 2015 Petr Pisar - 0.056-1 +- 0.056 bump + +* Mon Feb 02 2015 Petr Pisar - 0.054-1 +- 0.054 bump + +* Mon Dec 15 2014 Jitka Plesnikova - 0.053-1 +- 0.053 bump + +* Fri Nov 21 2014 Petr Pisar - 0.051-1 +- 0.051 bump + +* Wed Sep 24 2014 Jitka Plesnikova - 0.050-1 +- 0.050 bump + +* Wed Sep 10 2014 Petr Pisar - 0.049-1 +- 0.049 bump + +* Tue Aug 26 2014 Jitka Plesnikova - 0.048-2 +- Perl 5.20 rebuild + +* Fri Aug 22 2014 Petr Pisar - 0.048-1 +- 0.048 bump + +* Wed Jul 30 2014 Petr Pisar - 0.047-1 +- 0.047 bump + +* Tue Jul 29 2014 Petr Pisar - 0.046-1 +- 0.046 bump + +* Sat Jun 07 2014 Fedora Release Engineering - 0.043-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Fri Feb 21 2014 Petr Pisar - 0.043-1 +- 0.043 bump + +* Wed Feb 19 2014 Petr Pisar - 0.042-1 +- 0.042 bump + +* Thu Nov 28 2013 Petr Pisar - 0.039-1 +- 0.039 bump + +* Wed Nov 27 2013 Petr Pisar - 0.038-2 +- Croak on failed write into a file (bug #1031096) +- Do not use already existing temporary files (bug #1031096) + +* Tue Nov 19 2013 Petr Pisar - 0.038-1 +- 0.038 bump + +* Tue Oct 29 2013 Petr Pisar - 0.037-1 +- 0.037 bump + +* Thu Sep 26 2013 Petr Pisar - 0.036-1 +- 0.036 bump + +* Wed Sep 11 2013 Petr Pisar - 0.035-1 +- 0.035 bump + +* Sat Aug 03 2013 Fedora Release Engineering - 0.034-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Fri Jul 12 2013 Petr Pisar - 0.034-2 +- Link minimal build-root packages against libperl.so explicitly + +* Mon Jul 01 2013 Petr Pisar - 
0.034-1 +- 0.034 bump + +* Mon Jun 24 2013 Petr Pisar - 0.033-1 +- 0.033 bump + +* Fri Jun 21 2013 Petr Pisar - 0.032-1 +- 0.032 bump + +* Thu Jun 20 2013 Petr Pisar - 0.031-1 +- 0.031 bump + +* Fri Jun 14 2013 Petr Pisar - 0.030-1 +- 0.030 bump + +* Thu Apr 18 2013 Petr Pisar - 0.029-1 +- 0.029 bump + +* Fri Mar 15 2013 Petr Pisar 0.028-1 +- Specfile autogenerated by cpanspec 1.78.
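Review bot: The `test` wrapper generated in %install hard-codes `AUTOMATED_TESTING=1`, which is the gate t/210_live_ssl.t checks (`plan skip_all => 'Only run for $ENV{AUTOMATED_TESTING}'`). Running the tests subpackage therefore always attempts live TLS connections to the external hosts listed in that test, whereas the `make test` call in %check does not set the variable in the spec. Nothing in the spec records this difference. A comment above the heredoc would cover it, for example `# AUTOMATED_TESTING=1 enables the live TLS tests in t/210_live_ssl.t (outbound connections)`.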