From 2c6ea642663e2a44efc8583fae7c54b7b98f72b3 Mon Sep 17 00:00:00 2001
From: Ariadne Conill
Date: Mon, 7 Jun 2021 18:51:07 -0600
Subject: [PATCH] Ensure the ssl-use-system-ca-file property is set to true on all SoupSessions.

The default SoupSessionSync and SoupSessionAsync behaviour does not perform any TLS certificate validation, unless the ssl-use-system-ca-file property is set to true.

This mitigates CVE-2016-20011.
---
 src/feed-channel.c | 2 ++
 src/feed-enclosure.c | 4 ++++
 src/feeds-pool.c | 1 +
 src/feeds-publisher.c | 4 +++-
 src/feeds-subscriber.c | 4 +++-
 5 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/feed-channel.c b/src/feed-channel.c
index 19ca7b2..d2d51b9 100644
--- a/src/feed-channel.c
+++ b/src/feed-channel.c
@@ -973,6 +973,8 @@ quick_and_dirty_parse (GrssFeedChannel *channel, SoupMessage *msg, GList **save_
 static void
 init_soup_session (SoupSession *session, GrssFeedChannel *channel)
 {
+	g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
+
 	if (channel->priv->jar != NULL)
 		soup_session_add_feature (session, SOUP_SESSION_FEATURE (channel->priv->jar));
 	if (channel->priv->gzip == TRUE)
diff --git a/src/feed-enclosure.c b/src/feed-enclosure.c
index 68ebbfe..2cd8f9e 100644
--- a/src/feed-enclosure.c
+++ b/src/feed-enclosure.c
@@ -220,6 +220,8 @@ grss_feed_enclosure_fetch (GrssFeedEnclosure *enclosure, GError **error)
 	url = grss_feed_enclosure_get_url (enclosure);
 	session = soup_session_sync_new ();
+	g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
+
 	msg = soup_message_new ("GET", url);
 	status = soup_session_send_message (session, msg);
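Review bot: The `g_object_set` added at the top of `init_soup_session` carries no comment saying why a TLS property is being forced here, and the same bare line recurs in the feed-enclosure, feeds-pool, feeds-publisher and feeds-subscriber hunks. Because SoupSessionSync and SoupSessionAsync only validate server certificates once this property is set, a short comment above each call, such as `/* SoupSessionSync/Async do not validate TLS certificates unless this is set (CVE-2016-20011) */`, records the intent so the line is not later removed as redundant. The property only exists in libsoup releases that introduced it (2.38 as far as I recall); against an older library `g_object_set` merely emits a runtime warning and the session silently stays unvalidated, so the build's minimum libsoup requirement should be checked to match this fix. With five copies of the same line, one shared helper that creates or hardens a session would keep any future session constructor from missing it.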
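Review bot: `grss_feed_enclosure_fetch` still creates its session with `soup_session_sync_new ()`, the constructor whose default is the unvalidated behaviour this commit works around and which later libsoup 2.x marks deprecated; if the project's libsoup floor allows it, the plain `soup_session_new ()` constructor validates against the system CAs by default and would make the explicit property unnecessary at this site. The same consideration applies to the `soup_session_async_new ()` calls in the fetch_async, feeds-pool and feeds-publisher hunks. As written, setting the property on the sync session is correct for the current constructor. The enclosing function continues outside the hunk.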
@@ -282,6 +284,8 @@ grss_feed_enclosure_fetch_async (GrssFeedEnclosure *enclosure, GAsyncReadyCallba
 	task = g_task_new (enclosure, NULL, callback, user_data);
 	session = soup_session_async_new ();
+	g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
+
 	msg = soup_message_new ("GET", grss_feed_enclosure_get_url (enclosure));
 	soup_session_queue_message (session, msg, enclosure_downloaded, task);
 }
diff --git a/src/feeds-pool.c b/src/feeds-pool.c
index f18f3cd..7b33956 100644
--- a/src/feeds-pool.c
+++ b/src/feeds-pool.c
@@ -178,6 +178,7 @@ grss_feeds_pool_init (GrssFeedsPool *node)
 	memset (node->priv, 0, sizeof (GrssFeedsPoolPrivate));
 	node->priv->parser = grss_feed_parser_new ();
 	node->priv->soupsession = soup_session_async_new ();
+	g_object_set (G_OBJECT (node->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);
 }
 
 /**
diff --git a/src/feeds-publisher.c b/src/feeds-publisher.c
index 427a54f..500cd96 100644
--- a/src/feeds-publisher.c
+++ b/src/feeds-publisher.c
@@ -888,8 +888,10 @@ create_and_run_server (GrssFeedsPublisher *pub)
 {
 	SoupAddress *soup_addr;
 
-	if (pub->priv->soupsession == NULL)
+	if (pub->priv->soupsession == NULL) {
 		pub->priv->soupsession = soup_session_async_new ();
+		g_object_set (G_OBJECT (pub->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);
+	}
 
 	soup_addr = soup_address_new_any (SOUP_ADDRESS_FAMILY_IPV4, pub->priv->port);
 	pub->priv->server = soup_server_new ("port", pub->priv->port, "interface", soup_addr, NULL);
diff --git a/src/feeds-subscriber.c b/src/feeds-subscriber.c
index 259f891..0f63f83 100644
--- a/src/feeds-subscriber.c
+++ b/src/feeds-subscriber.c
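Review bot: In `create_and_run_server` the property is applied only inside the new `if (pub->priv->soupsession == NULL)` block, so a session that arrives here already non-NULL — should any other code path or setter assign `pub->priv->soupsession` — is used without the hardening; `init_run_server` in the feeds-subscriber hunk has the same shape. If such a path exists, placing the `g_object_set` after the `if` rather than inside it closes the gap, since applying the property to an already-configured session is harmless: `if (pub->priv->soupsession == NULL)` / `pub->priv->soupsession = soup_session_async_new ();` / `g_object_set (G_OBJECT (pub->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);`. Whether another assignment to that field exists is not visible from the hunk, so this is worth confirming rather than assumed.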
@@ -513,8 +513,10 @@ init_run_server (GrssFeedsSubscriber *sub)
 {
 	GInetAddress *addr;
 
-	if (sub->priv->soupsession == NULL)
+	if (sub->priv->soupsession == NULL) {
 		sub->priv->soupsession = soup_session_async_new ();
+		g_object_set (G_OBJECT (sub->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);
+	}
 
 	/* Flow:
-- 
GitLab
mus 2022-11-09machine/digital-ocean: Use static-networking-service-type....* gnu/machine/digital-ocean.scm (ip+netmask->cidr): New procedure. (guix-infect, add-static-networking): Use static-networking-service-type instead of the deprecated static-networking-service. Ricardo Wurmus 2022-11-09machine/digital-ocean: Use nightly Guix....* gnu/machine/digital-ocean.scm (guix-infect): Fetch latest Guix build from ci.guix.gnu.org. Ricardo Wurmus 2022-09-04Fix misspelling of GUIX_DIGITAL_OCEAN_TOKEN....* gnu/machine/digital-ocean.scm (maybe-raise-missing-api-key-error): Fix misspelling of GUIX_DIGITAL_OCEAN_TOKEN. Signed-off-by: Mathieu Othacehe <othacehe@gnu.org> Matthew James Kraai