author | Florian Pritz
<bluewind@archlinux.org> 2018-01-26 16:43:15 UTC |
committer | Florian Pritz
<bluewind@archlinux.org> 2018-01-26 16:43:15 UTC |
parent | 6c46332b53a51edd6a66312701acf08a3793ed00 |
PKGBUILD | +3 | -9 |
transmission-2.92-openssl-1.1.0.patch | +0 | -261 |
transmission-daemon-rce-fix.patch | +0 | -274 |
diff --git a/PKGBUILD b/PKGBUILD
index 9d1816f..5eb8181 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,30 +3,24 @@
 pkgbase=transmission
 pkgname=(transmission-cli transmission-gtk transmission-qt)
-pkgver=2.92
-pkgrel=8
+pkgver=2.93
+pkgrel=1
 arch=(x86_64)
 url="http://www.transmissionbt.com/"
 license=(MIT)
 makedepends=(gtk3 intltool curl qt5-base libevent systemd qt5-tools)
 source=(https://github.com/transmission/transmission-releases/raw/master/transmission-${pkgver}.tar.xz
- transmission-daemon-rce-fix.patch
 transmission-2.90-libsystemd.patch
- transmission-2.92-openssl-1.1.0.patch
 transmission-cli.sysusers
 transmission-cli.tmpfiles)
-sha256sums=('3a8d045c306ad9acb7bf81126939b9594553a388482efa0ec1bfb67b22acd35f'
- '622e40013c8442ed9fae006eeb18f5c5662ab7462d387d845cd51f2b5afe71bf'
+sha256sums=('8815920e0a4499bcdadbbe89a4115092dab42ce5199f71ff9a926cfd12b9b90b'
 '9f8f4bb532e0e46776dbd90e75557364f495ec95896ee35900ea222d69bda411'
- 'efd41985f60c977a95744ee44dfbb628424765caee83c6af3e29a5b1cbfadc98'
 '641310fb0590d40e00bea1b5b9c843953ab78edf019109f276be9c6a7bdaf5b2'
 '1266032bb07e47d6bcdc7dabd74df2557cc466c33bf983a5881316a4cc098451')
 prepare() {
 cd $pkgbase-$pkgver
 patch -p1 -i "$srcdir/transmission-2.90-libsystemd.patch"
- patch -p1 -i "$srcdir/transmission-2.92-openssl-1.1.0.patch"
- patch -p1 -i "$srcdir/transmission-daemon-rce-fix.patch"
 rm -f m4/glib-gettext.m4
 autoreconf -fi
diff --git a/transmission-2.92-openssl-1.1.0.patch b/transmission-2.92-openssl-1.1.0.patch
deleted file mode 100644
index 29484b8..0000000
--- a/transmission-2.92-openssl-1.1.0.patch
+++ /dev/null
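Review bot: Nothing in the new PKGBUILD records that the 2.93 tarball already contains the fix previously carried as `transmission-daemon-rce-fix.patch`, which this hunk removes from `source=()`, `sha256sums` and `prepare()` in the same step as the version bump. Upstream presumably merged the Host-header check (the `rpc-host-whitelist` / `rpc-host-whitelist-enabled` settings and the 421 response in `libtransmission/rpc-server.c`), but that is not visible here and should be confirmed against the unpacked 2.93 tree, for example by checking that `rpc-host-whitelist` appears in `libtransmission/quark.c`, because a silent regression would reopen the DNS-rebinding exposure the patch was added for. A comment above `pkgver` such as `# 2.93 ships the RPC host-whitelist (DNS rebinding) fix and OpenSSL 1.1.0 support upstream; local patches dropped` would keep that reasoning with the package. The same applies to `transmission-2.92-openssl-1.1.0.patch`, although there a missing fix would only show up as a build failure, not a security regression.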
@@ -1,261 +0,0 @@ -From f91cf5ad8c677b61ceb0bf5877b87f9e93256dd7 Mon Sep 17 00:00:00 2001 -From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> -Date: Mon, 5 Sep 2016 21:49:07 +0000 -Subject: [PATCH] transmission: build against openssl 1.1.0 - -Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> ---- - libtransmission/crypto-utils-openssl.c | 73 ++++++++++++++++++++++++++++++++-- - 1 file changed, 69 insertions(+), 4 deletions(-) - -diff --git a/libtransmission/crypto-utils-openssl.c b/libtransmission/crypto-utils-openssl.c -index c4539dc..972e24a 100644 ---- a/libtransmission/crypto-utils-openssl.c -+++ b/libtransmission/crypto-utils-openssl.c -@@ -229,6 +229,61 @@ tr_rc4_process (tr_rc4_ctx_t handle, - **** - ***/ - -+#if OPENSSL_VERSION_NUMBER < 0x10100000 -+static inline int -+DH_set0_pqg (DH * dh, -+ BIGNUM * p, -+ BIGNUM * q, -+ BIGNUM * g) -+{ -+ /* If the fields p and g in d are NULL, the corresponding input -+ * parameters MUST be non-NULL. q may remain NULL. 
-+ */ -+ if ((dh->p == NULL && p == NULL) -+ || (dh->g == NULL && g == NULL)) -+ return 0; -+ -+ if (p != NULL) { -+ BN_free (dh->p); -+ dh->p = p; -+ } -+ if (q != NULL) { -+ BN_free (dh->q); -+ dh->q = q; -+ } -+ if (g != NULL) { -+ BN_free (dh->g); -+ dh->g = g; -+ } -+ -+ if (q != NULL) { -+ dh->length = BN_num_bits (q); -+ } -+ -+ return 1; -+} -+ -+static inline int -+DH_set_length (DH * dh, -+ long length) -+{ -+ dh->length = length; -+ return 1; -+} -+ -+static inline void -+DH_get0_key(const DH * dh, -+ const BIGNUM ** pub_key, -+ const BIGNUM ** priv_key) -+{ -+ if (pub_key != NULL) -+ *pub_key = dh->pub_key; -+ if (priv_key != NULL) -+ *priv_key = dh->priv_key; -+} -+ -+#endif -+ - tr_dh_ctx_t - tr_dh_new (const uint8_t * prime_num, - size_t prime_num_length, -@@ -236,13 +291,19 @@ tr_dh_new (const uint8_t * prime_num, - size_t generator_num_length) - { - DH * handle = DH_new (); -+ BIGNUM * p, * g; - - assert (prime_num != NULL); - assert (generator_num != NULL); -+ p = BN_bin2bn (prime_num, prime_num_length, NULL); -+ g = BN_bin2bn (generator_num, generator_num_length, NULL); - -- if (!check_pointer (handle->p = BN_bin2bn (prime_num, prime_num_length, NULL)) || -- !check_pointer (handle->g = BN_bin2bn (generator_num, generator_num_length, NULL))) -+ if (!check_pointer (p) || -+ !check_pointer (g) || -+ !DH_set0_pqg (handle, p, NULL, g)) - { -+ BN_free (p); -+ BN_free (g); - DH_free (handle); - handle = NULL; - } -@@ -267,16 +328,20 @@ tr_dh_make_key (tr_dh_ctx_t raw_handle, - { - DH * handle = raw_handle; - int dh_size, my_public_key_length; -+ const BIGNUM * hand_pub_key; - - assert (handle != NULL); - assert (public_key != NULL); - -- handle->length = private_key_length * 8; -+ -+ DH_set_length(handle, private_key_length * 8); - - if (!check_result (DH_generate_key (handle))) - return false; - -- my_public_key_length = BN_bn2bin (handle->pub_key, public_key); -+ DH_get0_key (handle, &hand_pub_key, NULL); -+ -+ my_public_key_length = BN_bn2bin 
(hand_pub_key, public_key); - dh_size = DH_size (handle); - - tr_dh_align_key (public_key, my_public_key_length, dh_size); -From 8c8386a7f3f482a9c917f51d28e0042e55f56b3e Mon Sep 17 00:00:00 2001 -From: Mike Gelfand <mikedld@mikedld.com> -Date: Wed, 7 Sep 2016 01:09:04 +0300 -Subject: [PATCH] Fix coding style and building with !TR_LIGHTWEIGHT - ---- - libtransmission/crypto-utils-openssl.c | 60 +++++++++++++++++++--------------- - 1 file changed, 33 insertions(+), 27 deletions(-) - -diff --git a/libtransmission/crypto-utils-openssl.c b/libtransmission/crypto-utils-openssl.c -index 972e24a..9fd2c58 100644 ---- a/libtransmission/crypto-utils-openssl.c -+++ b/libtransmission/crypto-utils-openssl.c -@@ -14,6 +14,7 @@ - #include <assert.h> - - #include <openssl/bn.h> -+#include <openssl/crypto.h> - #include <openssl/dh.h> - #include <openssl/err.h> - #include <openssl/evp.h> -@@ -48,7 +49,12 @@ log_openssl_error (const char * file, - static bool strings_loaded = false; - if (!strings_loaded) - { -+#if OPENSSL_VERSION_NUMBER < 0x10100000 - ERR_load_crypto_strings (); -+#else -+ OPENSSL_init_crypto (OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); -+#endif -+ - strings_loaded = true; - } - #endif -@@ -230,6 +236,7 @@ tr_rc4_process (tr_rc4_ctx_t handle, - ***/ - - #if OPENSSL_VERSION_NUMBER < 0x10100000 -+ - static inline int - DH_set0_pqg (DH * dh, - BIGNUM * p, -@@ -237,28 +244,29 @@ DH_set0_pqg (DH * dh, - BIGNUM * g) - { - /* If the fields p and g in d are NULL, the corresponding input -- * parameters MUST be non-NULL. q may remain NULL. -+ * parameters MUST be non-NULL. q may remain NULL. 
- */ -- if ((dh->p == NULL && p == NULL) -- || (dh->g == NULL && g == NULL)) -+ if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) - return 0; - -- if (p != NULL) { -- BN_free (dh->p); -- dh->p = p; -- } -- if (q != NULL) { -- BN_free (dh->q); -- dh->q = q; -- } -- if (g != NULL) { -- BN_free (dh->g); -- dh->g = g; -- } -- -- if (q != NULL) { -+ if (p != NULL) -+ { -+ BN_free (dh->p); -+ dh->p = p; -+ } -+ if (q != NULL) -+ { -+ BN_free (dh->q); -+ dh->q = q; -+ } -+ if (g != NULL) -+ { -+ BN_free (dh->g); -+ dh->g = g; -+ } -+ -+ if (q != NULL) - dh->length = BN_num_bits (q); -- } - - return 1; - } -@@ -267,8 +275,8 @@ static inline int - DH_set_length (DH * dh, - long length) - { -- dh->length = length; -- return 1; -+ dh->length = length; -+ return 1; - } - - static inline void -@@ -295,12 +303,11 @@ tr_dh_new (const uint8_t * prime_num, - - assert (prime_num != NULL); - assert (generator_num != NULL); -+ - p = BN_bin2bn (prime_num, prime_num_length, NULL); - g = BN_bin2bn (generator_num, generator_num_length, NULL); - -- if (!check_pointer (p) || -- !check_pointer (g) || -- !DH_set0_pqg (handle, p, NULL, g)) -+ if (!check_pointer (p) || !check_pointer (g) || !DH_set0_pqg (handle, p, NULL, g)) - { - BN_free (p); - BN_free (g); -@@ -328,20 +335,19 @@ tr_dh_make_key (tr_dh_ctx_t raw_handle, - { - DH * handle = raw_handle; - int dh_size, my_public_key_length; -- const BIGNUM * hand_pub_key; -+ const BIGNUM * my_public_key; - - assert (handle != NULL); - assert (public_key != NULL); - -- - DH_set_length(handle, private_key_length * 8); - - if (!check_result (DH_generate_key (handle))) - return false; - -- DH_get0_key (handle, &hand_pub_key, NULL); -+ DH_get0_key (handle, &my_public_key, NULL); - -- my_public_key_length = BN_bn2bin (hand_pub_key, public_key); -+ my_public_key_length = BN_bn2bin (my_public_key, public_key); - dh_size = DH_size (handle); - - tr_dh_align_key (public_key, my_public_key_length, dh_size); 
diff --git a/transmission-daemon-rce-fix.patch b/transmission-daemon-rce-fix.patch deleted file mode 100644 index 6a8e3c2..0000000 --- a/transmission-daemon-rce-fix.patch +++ /dev/null 
@@ -1,274 +0,0 @@ -diff --git a/libtransmission/quark.c b/libtransmission/quark.c -index 861050057..e19ac9a2f 100644 ---- a/libtransmission/quark.c -+++ b/libtransmission/quark.c -@@ -288,6 +288,8 @@ static struct tr_key_struct const my_static[] = - { "rpc-authentication-required", 27 }, - { "rpc-bind-address", 16 }, - { "rpc-enabled", 11 }, -+ { "rpc-host-whitelist", 18 }, -+ { "rpc-host-whitelist-enabled", 26 }, - { "rpc-password", 12 }, - { "rpc-port", 8 }, - { "rpc-url", 7 }, -diff --git a/libtransmission/quark.h b/libtransmission/quark.h -index d40ab75fa..9dc534560 100644 ---- a/libtransmission/quark.h -+++ b/libtransmission/quark.h -@@ -290,6 +290,8 @@ enum - TR_KEY_rpc_authentication_required, - TR_KEY_rpc_bind_address, - TR_KEY_rpc_enabled, -+ TR_KEY_rpc_host_whitelist, -+ TR_KEY_rpc_host_whitelist_enabled, - TR_KEY_rpc_password, - TR_KEY_rpc_port, - TR_KEY_rpc_url, -diff --git a/libtransmission/rpc-server.c b/libtransmission/rpc-server.c -index 7c78f92ac..c4db2e64c 100644 ---- a/libtransmission/rpc-server.c -+++ b/libtransmission/rpc-server.c -@@ -51,6 +51,7 @@ struct tr_rpc_server - bool isEnabled; - bool isPasswordEnabled; - bool isWhitelistEnabled; -+ bool isHostWhitelistEnabled; - tr_port port; - char * url; - struct in_addr bindAddress; -@@ -62,6 +63,7 @@ struct tr_rpc_server - char * password; - char * whitelistStr; - tr_list * whitelist; -+ tr_list* hostWhitelist; - - char * sessionId; - time_t sessionIdExpiresAt; -@@ -547,6 +549,48 @@ static bool isAddressAllowed(tr_rpc_server const* server, char const* address) - return false; - } - -+static bool isHostnameAllowed(tr_rpc_server const* server, struct evhttp_request* req) -+{ -+ const char *host = evhttp_find_header(req->input_headers, "Host"); -+ char *hostname; -+ -+ // If password auth is enabled, any hostname is permitted. -+ if (server->isPasswordEnabled) -+ return true; -+ -+ // If whitelist is disabled, no restrictions. 
-+ if (!server->isHostWhitelistEnabled) -+ return true; -+ -+ // No host header, invalid request. -+ if (!host) -+ return false; -+ -+ // Host header might include the port. -+ hostname = tr_strndup(host, strcspn(host, ":")); -+ -+ // localhost or ipaddress is always acceptable. -+ if (strcmp(hostname, "localhost") == 0 -+ || strcmp(hostname, "localhost.") == 0 -+ || tr_addressIsIP(hostname)) -+ { -+ tr_free(hostname); -+ return true; -+ } -+ -+ // Otherwise, hostname must be whitelisted. -+ for (tr_list* l = server->hostWhitelist; l != NULL; l = l->next) { -+ if (tr_wildmat(hostname, l->data)) -+ { -+ tr_free(hostname); -+ return true; -+ } -+ } -+ -+ tr_free(hostname); -+ return false; -+} -+ - static bool - test_session_id (struct tr_rpc_server * server, struct evhttp_request * req) - { -@@ -636,6 +680,22 @@ static void handle_request(struct evhttp_request* req, void* arg) - handle_upload (req, server); - } - #ifdef REQUIRE_SESSION_ID -+ else if (!isHostnameAllowed(server, req)) -+ { -+ char* tmp = tr_strdup_printf( -+ "<p>Transmission received your request, but the hostname was unrecognized.</p>" -+ "<p>To fix this, choose one of the following options:" -+ "<ul>" -+ "<li>Enable password authentication, then any hostname is allowed.</li>" -+ "<li>Add the hostname you want to use to the whitelist in settings.</li>" -+ "</ul></p>" -+ "<p>If you're editing settings.json, see the 'rpc-host-whitelist' and 'rpc-host-whitelist-enabled' entries.</p>" -+ "<p>This requirement has been added to help prevent " -+ "<a href=\"https://en.wikipedia.org/wiki/DNS_rebinding\">DNS Rebinding</a> " -+ "attacks.</p>"); -+ send_simple_response(req, 421, tmp); -+ tr_free(tmp); -+ } - else if (!test_session_id (server, req)) - { - const char * sessionId = get_current_session_id (server); -@@ -647,7 +707,7 @@ static void handle_request(struct evhttp_request* req, void* arg) - "<li> When you get this 409 error message, resend your request with the updated header" - "</ol></p>" - "<p>This 
requirement has been added to help prevent " -- "<a href=\"http://en.wikipedia.org/wiki/Cross-site_request_forgery\">CSRF</a> " -+ "<a href=\"https://en.wikipedia.org/wiki/Cross-site_request_forgery\">CSRF</a> " - "attacks.</p>" - "<p><code>%s: %s</code></p>", - TR_RPC_SESSION_ID_HEADER, sessionId); -@@ -875,19 +875,13 @@ char const* tr_rpcGetUrl(tr_rpc_server const* server) - return server->url ? server->url : ""; - } - --void --tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr) -+static void tr_rpcSetList(char const* whitelistStr, tr_list** list) - { - void * tmp; - const char * walk; - -- /* keep the string */ -- tmp = server->whitelistStr; -- server->whitelistStr = tr_strdup (whitelistStr); -- tr_free (tmp); -- - /* clear out the old whitelist entries */ -- while ((tmp = tr_list_pop_front (&server->whitelist))) -+ while ((tmp = tr_list_pop_front(list)) != NULL) - tr_free (tmp); - - /* build the new whitelist entries */ -@@ -866,7 +921,7 @@ void tr_rpcSetWhitelist(tr_rpc_server* server, char const* whitelistStr) - const char * delimiters = " ,;"; - const size_t len = strcspn (walk, delimiters); - char * token = tr_strndup (walk, len); -- tr_list_append (&server->whitelist, token); -+ tr_list_append(list, token); - if (strcspn (token, "+-") < len) - tr_logAddNamedInfo (MY_NAME, "Adding address to whitelist: %s (And it has a '+' or '-'! 
Are you using an old ACL by mistake?)", token); - else -@@ -889,6 +944,22 @@ void tr_rpcSetWhitelist(tr_rpc_server* server, char const* whitelistStr) - } - } - -+void tr_rpcSetHostWhitelist(tr_rpc_server* server, char const* whitelistStr) -+{ -+ tr_rpcSetList(whitelistStr, &server->hostWhitelist); -+} -+ -+void tr_rpcSetWhitelist(tr_rpc_server* server, char const* whitelistStr) -+{ -+ /* keep the string */ -+ char* const tmp = server->whitelistStr; -+ -+ server->whitelistStr = tr_strdup(whitelistStr); -+ tr_free(tmp); -+ -+ tr_rpcSetList(whitelistStr, &server->whitelist); -+} -+ - const char* - tr_rpcGetWhitelist (const tr_rpc_server * server) - { -@@ -904,6 +975,11 @@ bool tr_rpcGetWhitelistEnabled(tr_rpc_server const* server) - return server->isWhitelistEnabled; - } - -+void tr_rpcSetHostWhitelistEnabled(tr_rpc_server* server, bool isEnabled) -+{ -+ server->isHostWhitelistEnabled = isEnabled; -+} -+ - /**** - ***** PASSWORD - ****/ -@@ -1054,6 +1130,28 @@ tr_rpc_server* tr_rpcInit(tr_session* session, tr_variant* settings) - else - tr_rpcSetWhitelistEnabled (s, boolVal); - -+ key = TR_KEY_rpc_host_whitelist_enabled; -+ -+ if (!tr_variantDictFindBool(settings, key, &boolVal)) -+ { -+ missing_settings_key(key); -+ } -+ else -+ { -+ tr_rpcSetHostWhitelistEnabled(s, boolVal); -+ } -+ -+ key = TR_KEY_rpc_host_whitelist; -+ -+ if (!tr_variantDictFindStr(settings, key, &str, NULL) && str != NULL) -+ { -+ missing_settings_key(key); -+ } -+ else -+ { -+ tr_rpcSetHostWhitelist(s, str); -+ } -+ - key = TR_KEY_rpc_authentication_required; - if (!tr_variantDictFindBool (settings, key, &boolVal)) - missing_settings_key (key); -diff --git a/libtransmission/rpc-server.h b/libtransmission/rpc-server.h -index 46e8a871f..ad1eb5204 100644 ---- a/libtransmission/rpc-server.h -+++ b/libtransmission/rpc-server.h -@@ -49,6 +49,10 @@ void tr_rpcSetWhitelist (tr_rpc_server * server, - - const char* tr_rpcGetWhitelist (const tr_rpc_server * server); - -+void tr_rpcSetHostWhitelistEnabled 
(tr_rpc_server * server, bool isEnabled); -+ -+void tr_rpcSetHostWhitelist (tr_rpc_server * server, char const * whitelist); -+ - void tr_rpcSetPassword (tr_rpc_server * server, - const char * password); - -diff --git a/libtransmission/session.c b/libtransmission/session.c -index 86d054f7f..9a0b7c104 100644 ---- a/libtransmission/session.c -+++ b/libtransmission/session.c -@@ -371,6 +371,8 @@ void tr_sessionGetDefaultSettings(tr_variant* d) - tr_variantDictAddStr (d, TR_KEY_rpc_username, ""); - tr_variantDictAddStr (d, TR_KEY_rpc_whitelist, TR_DEFAULT_RPC_WHITELIST); - tr_variantDictAddBool (d, TR_KEY_rpc_whitelist_enabled, true); -+ tr_variantDictAddStr (d, TR_KEY_rpc_host_whitelist, TR_DEFAULT_RPC_HOST_WHITELIST); -+ tr_variantDictAddBool (d, TR_KEY_rpc_host_whitelist_enabled, true); - tr_variantDictAddInt (d, TR_KEY_rpc_port, atoi (TR_DEFAULT_RPC_PORT_STR)); - tr_variantDictAddStr (d, TR_KEY_rpc_url, TR_DEFAULT_RPC_URL_STR); - tr_variantDictAddBool (d, TR_KEY_scrape_paused_torrents_enabled, true); -diff --git a/libtransmission/transmission.h b/libtransmission/transmission.h -index ac1871adb..08a24eca4 100644 ---- a/libtransmission/transmission.h -+++ b/libtransmission/transmission.h -@@ -109,6 +109,7 @@ char const* tr_getDefaultDownloadDir(void); - #define TR_DEFAULT_BIND_ADDRESS_IPV4 "0.0.0.0" - #define TR_DEFAULT_BIND_ADDRESS_IPV6 "::" - #define TR_DEFAULT_RPC_WHITELIST "127.0.0.1" -+#define TR_DEFAULT_RPC_HOST_WHITELIST "" - #define TR_DEFAULT_RPC_PORT_STR "9091" - #define TR_DEFAULT_RPC_URL_STR "/transmission/" - #define TR_DEFAULT_PEER_PORT_STR "51413" -diff --git a/libtransmission/web.c b/libtransmission/web.c -index cca888b66..a57c85457 100644 ---- a/libtransmission/web.c -+++ b/libtransmission/web.c -@@ -678,6 +678,7 @@ char const* tr_webGetResponseStr(long code) - case 415: return "Unsupported Media Type"; - case 416: return "Requested Range Not Satisfiable"; - case 417: return "Expectation Failed"; -+ case 421: return "Misdirected Request"; - case 500: 
return "Internal Server Error"; - case 501: return "Not Implemented"; - case 502: return "Bad Gateway";