Public bug reported:

The "hp-upgrade --check" command downloads info from
http://hplip.sourceforge.net/hplip_web.conf. This fails if a captive
portal is used for WLAN authentication (hotels, airports, etc.).

This could have a security impact as it downloads information without
verifying the source. A specially crafted config file or limitless
(/dev/null, /dev/random) file could have an impact.

1. Use TLS and verify certificates
2. Use GPG to sign the file and verify on the client.
3. Limit the maximum amount of bytes downloaded
4. Validate the config file.
5. Retry the upgrade check at a later time (after WLAN authentication)
6. Use APT to check for updates if that's possible

PythonArgs: ['/usr/bin/hp-upgrade', '--check']
Traceback:
 Traceback (most recent call last):
   File "/usr/bin/hp-upgrade", line 210, in <module>
     hplip_version_conf = ConfigBase(HPLIP_Ver_file)
   File "/usr/share/hplip/base/g.py", line 81, in __init__
     self.read()
   File "/usr/share/hplip/base/g.py", line 121, in read
     self.conf.readfp(fp)
   File "/usr/lib/python2.7/ConfigParser.py", line 324, in readfp
     self._read(fp, filename)
   File "/usr/lib/python2.7/ConfigParser.py", line 512, in _read
     raise MissingSectionHeaderError(fpname, lineno, line)
 MissingSectionHeaderError: File contains no section headers.
 file: /tmp/tmpA55LLA, line: 1
 '<HTML><HEAD><TITLE> Web Authentication Redirect</TITLE><META http-equiv="Cache-control" content="no-cache"><META http-equiv="Pragma" content="no-cache"><META http-equiv="Expires" content="-1"><META http-equiv="refresh" content="1; URL=https://__REMOVED__/login.html?redirect=hplip.sourceforge.net/hplip_web.conf"></HEAD></HTML>\r\n'

** Affects: hplip
     Importance: Undecided
         Status: New

** Affects: hplip (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1091567

Title:
  upgrade.py crashes if a captive portal is used
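Added example, not part of the original report and not HPLIP's own code: a Python 3 sketch of suggestions 1, 3 and 4 from the report (HTTPS with certificate verification, a byte cap, and validation before use), which also turns the captive-portal HTML from the traceback into a handled error. The function names, the 64 KiB cap and the `[HPLIP]` / `latest_version` layout are assumptions made for illustration.

```python
import configparser
import io
import re
import urllib.request

MAX_BYTES = 64 * 1024                      # assumed cap; a version file is tiny
SECTION, KEY = "HPLIP", "latest_version"   # hypothetical layout, not from the report
VERSION_RE = re.compile(r"\d+(\.\d+){1,3}[a-z]?")


class UntrustedConfigError(Exception):
    """The downloaded data is not a usable version file."""


def read_capped(stream, limit=MAX_BYTES):
    """Read at most `limit` bytes; fail instead of buffering an endless body."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise UntrustedConfigError("response larger than %d bytes" % limit)
    return data


def parse_version_conf(raw):
    """Validate the bytes before trusting them; return the version string."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise UntrustedConfigError("non-ASCII data")
    if text.lstrip().lower().startswith(("<html", "<!doctype")):
        raise UntrustedConfigError("HTML received, probably a captive portal")
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_file(io.StringIO(text))
        version = parser.get(SECTION, KEY)
    except configparser.Error as exc:
        raise UntrustedConfigError("not a valid version file: %s" % exc)
    if not VERSION_RE.fullmatch(version):
        raise UntrustedConfigError("unexpected version value")
    return version


def fetch_version(url):
    """HTTPS only; urllib verifies the certificate chain and host name by default."""
    if not url.lower().startswith("https://"):
        raise UntrustedConfigError("refusing non-HTTPS URL")
    with urllib.request.urlopen(url, timeout=10) as resp:
        if not resp.geturl().lower().startswith("https://"):
            raise UntrustedConfigError("redirected away from HTTPS")
        return parse_version_conf(read_capped(resp))
```

A caller can catch `UntrustedConfigError` and schedule a later retry (suggestion 5) instead of crashing.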