libhttp/url.c in shellinabox through 2.20 has an implementation flaw in
the HTTP request parsing logic. By sending a crafted multipart/form-data
HTTP request, an attacker could exploit this to force shellinaboxd into
an infinite loop, exhausting available CPU resources and taking the
service down.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5553223297)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
On GitHub, a large number of projects name their tag vXYZ (i.e. v3.0,
v0.1, etc.). In some packages we do:
    <pkg>_VERSION = v0.3
    <pkg>_SITE = $(call github foo,bar,$(<pkg>_VERSION))
And in some other packages we do:
    <pkg>_VERSION = 0.3
    <pkg>_SITE = $(call github foo,bar,v$(<pkg>_VERSION))
I.e. in one case we consider the version to be v0.3, in the other case
we consider 0.3 to be the version.
The problem with v0.3 is that when used in conjunction with
release-monitoring.org, it doesn't work very well, because
release-monitoring.org has the concept of "version prefix" and using
that they drop the "v" prefix for the version.
Therefore, a number of packages in Buildroot have a version that
doesn't match with release-monitoring.org because Buildroot has 'v0.3'
and release-monitoring.org has '0.3'.
Since really the version number is 0.3, it makes sense to update our
packages to drop this 'v'.
This commit only addresses the (common) case of github packages where
the prefix is simply 'v'. Other cases will be handled by separate
commits. Also, there are a few cases that couldn't be handled
mechanically that aren't covered by this commit.
Signed-off-by: Victor Huesca <victor.huesca@bootlin.com>
[Arnout: don't change flatbuffers, json-for-modern-cpp, libpagekite,
python-scapy3k, softether]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
We want to use SPDX identifier for license strings as much as possible.
SPDX short identifier for GPLv2/GPLv2+ is GPL-2.0/GPL-2.0+.
This change is done by using the following command.
    find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/\<GPLv2\>/GPL-2.0/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit fixes the build of shellinabox with the musl C library,
which requires two changes:
- A patch to include <sys/ttydefaults.h>, which is needed to get the
  definitions of TTYDEF_*
- A hack to work around what seems to be a problem in musl itself (musl
  does #define utmp utmpx, which causes some symbol conflicts down the
  road). Since anyway the utmpx implementation is just a set of stubs
  in musl, we simply make shellinabox believe that <utmpx.h> is not
  available by passing the appropriate variable. The musl issue has
  been reported at http://www.openwall.com/lists/musl/2016/08/04/8.
Fixes:
http://autobuild.buildroot.net/results/1847cab964957da3c9bf4911a5ad3602b3c82431/
Signed-off-by: Olivier Singla <olivier.singla@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Shell In A Box implements a web server that can export arbitrary command
line tools to a web based terminal emulator. This emulator is accessible
to any JavaScript and CSS enabled web browser and does not require any
additional browser plugins.
Signed-off-by: Olivier Singla <olivier.singla@gmail.com>
[Thomas:
- Use "select" instead of "depends on" for the OpenSSL dependency, and
  use alphabetic ordering.
- Rewrap Config.in help text.
- Use github macro
- Explain why the OpenSSL dependency is mandatory, while
  --enable-ssl/--disable-ssl are available.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>