On Tue, Jul 24, 2012 at 10:09:27AM +0200, Didier 'OdyX' Raboud wrote: > tags 651204 +patch > thanks > > Le mercredi, 30 mai 2012 11.47:05, Thijs Kinkhorst a écrit : > > Hi, > > > > Wheezy and sid contain a patch for this issue. Squeeze seems still > > affected. Are you able to provide an updated package for squeeze? > > Would the attached patch do the job for Squeeze?
It looks good to me. I didn't get around to implement something similar since ages since I didn't have a test system to run this on. Could you test this on a Squeeze box? If so I'd be happy about an NMU. Cheers, -- Guido > > OdyX > From: Till Kamppeter <till.kamppe...@gmail.com> > Date: Tue, 13 Dec 2011 20:54:26 +0100 > Subject: Fix MITM via unencrypted metadata download > > Adapted to Squeeze by Didier Raboud <o...@debian.org> on Tue Jul 24 10:09:16 > CEST 2012. > > Closes: #651204
> ---
> cupshelpers/openprinting.py | 35 +++++++++++++++++++++++------------
> 1 files changed, 23 insertions(+), 12 deletions(-)
>
> --- a/cupshelpers/openprinting.py
> +++ b/cupshelpers/openprinting.py
> @@ -19,7 +19,7 @@
> ## along with this program; if not, write to the Free Software
> ## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
>
> -import urllib, httplib, platform, threading, tempfile, traceback
> +import pycurl,urllib, httplib, platform, threading, tempfile, traceback
> import os, sys
> from xml.etree.ElementTree import XML
> from . import Device
> @@ -42,10 +42,18 @@
> self.parameters = parameters
> self.callback = callback
> self.user_data = user_data
> + self.result = ""
>
> self.setDaemon (True)
>
> def run (self):
> +
> + # Callback function for pycURL collecting the data coming from
> + # the web server
> + def collect_data(result):
> + self.result += result;
> + return len(result)
> +
> # CGI script to be executed
> query_command = "/query.cgi"
> # Headers for the post request
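Review bot: `collect_data` appends every chunk to `self.result` with no upper bound, so the amount of reply data held in memory is decided entirely by the remote server. A cap inside the write callback, for example `if len(self.result) + len(result) > MAX_REPLY_BYTES: return 0` (the constant name is illustrative and would need defining in the module), makes libcurl abort the transfer and report it as an error to the caller of `perform()`. The trailing `;` after `self.result += result` can be dropped. `run` continues beyond this hunk.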
> @@ -55,26 +63,26 @@
> (urllib.urlencode (self.parameters),
> self.parent.language[0],
> self.parent.language[0]))
> - self.url = "http://%s%s?%s" % (self.parent.base_url, query_command, > params)
> + self.url = "https://%s%s?%s" % (self.parent.base_url, query_command, > params)
> # Send request
> - result = None
> + self.result = ""
> status = 1
> try:
> - conn = httplib.HTTPConnection(self.parent.base_url)
> - conn.request("POST", query_command, params, headers)
> - resp = conn.getresponse()
> - status = resp.status
> - if status == 200:
> - result = resp.read()
> - conn.close()
> + curl = pycurl.Curl()
> + curl.setopt(pycurl.SSL_VERIFYPEER, 1)
> + curl.setopt(pycurl.SSL_VERIFYHOST, 2)
> + curl.setopt(pycurl.WRITEFUNCTION, collect_data)
> + curl.setopt(pycurl.URL, self.url)
> + status = curl.perform()
> + if status == None: status = 0
> + if (status != 0):
> + self.result = sys.exc_info ()
> except:
> - result = sys.exc_info ()
> -
> - if status == 200:
> - status = 0
> + self.result = sys.exc_info ()
> + if status == None: status = 0
>
> if self.callback != None:
> - self.callback (status, self.user_data, result)
> + self.callback (status, self.user_data, self.result)
>
> class OpenPrinting:
> def __init__(self, language=None):
-- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
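Review bot: The HTTP status is no longer checked in the new `try` block. `curl.perform()` returns `None` for any completed transfer and raises only on a transport or TLS failure, so a 404 or 500 body reaches the callback with status 0 where the old code required 200. Adding `curl.setopt(pycurl.FAILONERROR, 1)` before `perform()` routes HTTP errors (>= 400) through the existing `except` path. Because failure is signalled by raising, the `if (status != 0):` branch and the `if status == None: status = 0` line inside `except` look unreachable and could be removed. The handle is never closed and has no `CONNECTTIMEOUT`/`TIMEOUT`, so a stalled server would hold the thread. The request also moves from a POST body to the query string in `self.url`, which would leave `headers` (built above this hunk) unused.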