[libwww-perl] 01/04: replaced bad https patch with fix-https-patch from upstream
dod at debian.org
dod at debian.org
Sat Nov 30 13:14:01 UTC 2013
This is an automated email from the git hooks/post-receive script.
dod pushed a commit to branch master
in repository libwww-perl.
commit 9d06843d2f2adce03d8756c6ba3766dfc5443ffa
Author: Dominique Dumont <dod at debian.org>
Date: Wed Nov 27 14:06:49 2013 +0100
replaced bad https patch with fix-https-patch from upstream
---
debian/patches/fix-htts-proxy | 174 ++++++++++++++++++++++++++++++++++++++
debian/patches/handle-https-proxy | 107 -----------------------
debian/patches/series | 2 +-
debian/patches/skip_https_proxy | 39 ---------
4 files changed, 175 insertions(+), 147 deletions(-)
diff --git a/debian/patches/fix-htts-proxy b/debian/patches/fix-htts-proxy
new file mode 100644
index 0000000..29120b4
--- /dev/null
+++ b/debian/patches/fix-htts-proxy
@@ -0,0 +1,174 @@
+Description:Fix htts proxy
+ part 1 of a patch to fix https_proxy handling
+Author:Steffen Ullrich
+Origin:https://github.com/libwww-perl/libwww-perl/pull/52
+Applied-Upstream:yes
+--- a/lib/LWP/Protocol/http.pm
++++ b/lib/LWP/Protocol/http.pm
+@@ -16,16 +16,6 @@
+ sub _new_socket
+ {
+ my($self, $host, $port, $timeout) = @_;
+- my $conn_cache = $self->{ua}{conn_cache};
+- if ($conn_cache) {
+- if (my $sock = $conn_cache->withdraw($self->socket_type, "$host:$port")) {
+- return $sock if $sock && !$sock->can_read(0);
+- # if the socket is readable, then either the peer has closed the
+- # connection or there are some garbage bytes on it. In either
+- # case we abandon it.
+- $sock->close;
+- }
+- }
+
+ local($^W) = 0; # IO::Socket::INET can be noisy
+ my $sock = $self->socket_class->new(PeerAddr => $host,
+@@ -33,7 +23,7 @@
+ LocalAddr => $self->{ua}{local_address},
+ Proto => 'tcp',
+ Timeout => $timeout,
+- KeepAlive => !!$conn_cache,
++ KeepAlive => !!$self->{ua}{conn_cache},
+ SendTE => 1,
+ $self->_extra_sock_opts($host, $port),
+ );
+@@ -104,9 +94,10 @@
+ }
+ $h->init_header('Host' => $hhost);
+
+- if ($proxy) {
++ if ($proxy && $url->scheme ne 'https') {
+ # Check the proxy URI's userinfo() for proxy credentials
+- # export http_proxy="http://proxyuser:proxypass@proxyhost:port"
++ # export http_proxy="http://proxyuser:proxypass@proxyhost:port".
++ # For https only the initial CONNECT requests needs authorization.
+ my $p_auth = $proxy->userinfo();
+ if(defined $p_auth) {
+ require URI::Escape;
+@@ -140,26 +131,81 @@
+ }
+
+ my $url = $request->uri;
+- my($host, $port, $fullpath);
+
+- # Check if we're proxy'ing
+- if (defined $proxy) {
+- # $proxy is an URL to an HTTP server which will proxy this request
+- $host = $proxy->host;
+- $port = $proxy->port;
+- $fullpath = $method eq "CONNECT" ?
+- ($url->host . ":" . $url->port) :
+- $url->as_string;
+- }
+- else {
+- $host = $url->host;
+- $port = $url->port;
+- $fullpath = $url->path_query;
+- $fullpath = "/$fullpath" unless $fullpath =~ m,^/,;
+- }
+
+- # connect to remote site
+- my $socket = $self->_new_socket($host, $port, $timeout);
++ # Proxying SSL with a http proxy needs issues a CONNECT request to build a
++ # tunnel and then upgrades the tunnel to SSL. But when doing keep-alive the
++ # https request does not need to be the first request in the connection, so
++ # we need to distinguish between
++ # - not yet connected (create socket and ssl upgrade)
++ # - connected but not inside ssl tunnel (ssl upgrade)
++ # - inside ssl tunnel to the target - once we are in the tunnel to the
++ # target we cannot only reuse the tunnel for more https requests with the
++ # same target
++
++ my $ssl_tunnel = $proxy && $url->scheme eq 'https'
++ && $url->host.":".$url->port;
++
++ my ($host,$port) = $proxy
++ ? ($proxy->host,$proxy->port)
++ : ($url->host,$url->port);
++ my $fullpath =
++ $method eq 'CONNECT' ? $url->host . ":" . $url->port :
++ $proxy && ! $ssl_tunnel ? $url->as_string :
++ do {
++ my $path = $url->path_query;
++ $path = "/$path" if $path !~m{^/};
++ $path
++ };
++
++ my $socket;
++ my $conn_cache = $self->{ua}{conn_cache};
++ my $cache_key;
++ if ( $conn_cache ) {
++ $cache_key = "$host:$port";
++ # For https we reuse the socket immediatly only if it has an established
++ # tunnel to the target. Otherwise a CONNECT request followed by an SSL
++ # upgrade need to be done first. The request itself might reuse an
++ # existing non-ssl connection to the proxy
++ $cache_key .= "!".$ssl_tunnel if $ssl_tunnel;
++ if ( $socket = $conn_cache->withdraw($self->socket_type,$cache_key)) {
++ if ($socket->can_read(0)) {
++ # if the socket is readable, then either the peer has closed the
++ # connection or there are some garbage bytes on it. In either
++ # case we abandon it.
++ $socket->close;
++ $socket = undef;
++ } # else use $socket
++ }
++ }
++
++ if ( ! $socket && $ssl_tunnel ) {
++ my $proto_https = LWP::Protocol::create('https',$self->{ua})
++ or die "no support for scheme https found";
++
++ # only if ssl socket class is IO::Socket::SSL we can upgrade
++ # a plain socket to SSL. In case of Net::SSL we fall back to
++ # the old version
++ if ( my $upgrade_sub = $proto_https->can('_upgrade_sock')) {
++ my $response = $self->request(
++ HTTP::Request->new('CONNECT',"http://$ssl_tunnel"),
++ $proxy,
++ undef,$size,$timeout
++ );
++ $response->is_success or die
++ "establishing SSL tunnel failed: ".$response->status_line;
++ $socket = $upgrade_sub->($proto_https,
++ $response->{client_socket},$url)
++ or die "SSL upgrade failed: $@";
++ } else {
++ $socket = $proto_https->_new_socket($url->host,$url->port,$timeout);
++ }
++ }
++
++ if ( ! $socket ) {
++ # connect to remote site w/o reusing established socket
++ $socket = $self->_new_socket($host, $port, $timeout );
++ }
+
+ my $http_version = "";
+ if (my $proto = $request->protocol) {
+@@ -428,13 +474,13 @@
+
+ # keep-alive support
+ unless ($drop_connection) {
+- if (my $conn_cache = $self->{ua}{conn_cache}) {
++ if ($cache_key) {
+ my %connection = map { (lc($_) => 1) }
+ split(/\s*,\s*/, ($response->header("Connection") || ""));
+ if (($peer_http_version eq "1.1" && !$connection{close}) ||
+ $connection{"keep-alive"})
+ {
+- $conn_cache->deposit($self->socket_type, "$host:$port", $socket);
++ $conn_cache->deposit($self->socket_type, $cache_key, $socket);
+ }
+ }
+ }
+--- a/lib/LWP/UserAgent.pm
++++ b/lib/LWP/UserAgent.pm
+@@ -346,7 +346,8 @@
+ )
+ {
+ my $proxy = ($code == &HTTP::Status::RC_PROXY_AUTHENTICATION_REQUIRED);
+- my $ch_header = $proxy ? "Proxy-Authenticate" : "WWW-Authenticate";
++ my $ch_header = $proxy || $request->method eq 'CONNECT'
++ ? "Proxy-Authenticate" : "WWW-Authenticate";
+ my @challenge = $response->header($ch_header);
+ unless (@challenge) {
+ $response->header("Client-Warning" =>
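Review bot: In the embedded http.pm hunk, the `else` branch taken when the https protocol class has no `_upgrade_sock` calls `$proto_https->_new_socket($url->host,$url->port,$timeout)`, which opens the socket to the origin host rather than to the proxy's `$host`/`$port`, and nothing visible on that path hands `$proxy` on. Unless the SSL socket class applies a proxy setting of its own (not visible in this patch), a proxy configured on the user agent would be skipped without any diagnostic, which matters where the proxy is the egress control. The same commit deletes skip_https_proxy, whose header was the only place that documented this environment-variable-only behaviour. I would document the branch, for example `# no _upgrade_sock: $proxy is NOT used on this path; tunnelling is left to the SSL socket class`, and consider emitting a warning there when `$proxy` is set. The surrounding `request` sub begins and ends outside the quoted hunks.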
diff --git a/debian/patches/handle-https-proxy b/debian/patches/handle-https-proxy
deleted file mode 100644
index a9ab21e..0000000
--- a/debian/patches/handle-https-proxy
+++ /dev/null
@@ -1,107 +0,0 @@
-Description:Handle https proxy
-Bug:https://rt.cpan.org/Public/Bug/Display.html?id=1894
-Author:GMYERS [...] cpan.org
-From:https://rt.cpan.org/Ticket/Attachment/989257/514980/libwww-perl-6.03-httpsproxy.patch
---- a/lib/LWP/Protocol/http.pm
-+++ b/lib/LWP/Protocol/http.pm
-@@ -15,7 +15,7 @@
-
- sub _new_socket
- {
-- my($self, $host, $port, $timeout) = @_;
-+ my($self, $host, $port, $timeout, $connectproxy) = @_;
- my $conn_cache = $self->{ua}{conn_cache};
- if ($conn_cache) {
- if (my $sock = $conn_cache->withdraw($self->socket_type, "$host:$port")) {
-@@ -35,6 +35,7 @@
- Timeout => $timeout,
- KeepAlive => !!$conn_cache,
- SendTE => 1,
-+ ConnectProxy => $connectproxy,
- $self->_extra_sock_opts($host, $port),
- );
-
-@@ -88,18 +89,26 @@
-
- sub _fixup_header
- {
-- my($self, $h, $url, $proxy) = @_;
-+ my($self, $h, $url, $proxy, $method) = @_;
-
- # Extract 'Host' header
- my $hhost = $url->authority;
- if ($hhost =~ s/^([^\@]*)\@//) { # get rid of potential "user:pass@"
-- # add authorization header if we need them. HTTP URLs do
-- # not really support specification of user and password, but
-- # we allow it.
-- if (defined($1) && not $h->header('Authorization')) {
-- require URI::Escape;
-- $h->authorization_basic(map URI::Escape::uri_unescape($_),
-- split(":", $1, 2));
-+ if ($method eq "CONNECT") {
-+ if (defined($1)) {
-+ require URI::Escape;
-+ $h->proxy_authorization_basic(map URI::Escape::uri_unescape($_),
-+ split(":", $1, 2));
-+ }
-+ } else {
-+ # add authorization header if we need them. HTTP URLs do
-+ # not really support specification of user and password, but
-+ # we allow it.
-+ if (defined($1) && not $h->header('Authorization')) {
-+ require URI::Escape;
-+ $h->authorization_basic(map URI::Escape::uri_unescape($_),
-+ split(":", $1, 2));
-+ }
- }
- }
- $h->init_header('Host' => $hhost);
-@@ -140,9 +149,13 @@
- }
-
- my $url = $request->uri;
-- my($host, $port, $fullpath);
-+ my($host, $port, $fullpath, $connectproxy);
-
- # Check if we're proxy'ing
-+ if (defined $proxy && $url->scheme() eq 'https') {
-+ $connectproxy = $proxy;
-+ undef $proxy;
-+ }
- if (defined $proxy) {
- # $proxy is an URL to an HTTP server which will proxy this request
- $host = $proxy->host;
-@@ -156,10 +169,11 @@
- $port = $url->port;
- $fullpath = $url->path_query;
- $fullpath = "/$fullpath" unless $fullpath =~ m,^/,;
-- }
-+ $fullpath =~ s,^/,, if $method eq "CONNECT";
-+ }
-
- # connect to remote site
-- my $socket = $self->_new_socket($host, $port, $timeout);
-+ my $socket = $self->_new_socket($host, $port, $timeout, $connectproxy);
-
- my $http_version = "";
- if (my $proto = $request->protocol) {
-@@ -174,7 +188,7 @@
-
- my @h;
- my $request_headers = $request->headers->clone;
-- $self->_fixup_header($request_headers, $url, $proxy);
-+ $self->_fixup_header($request_headers, $url, $proxy, $method);
-
- $request_headers->scan(sub {
- my($k, $v) = @_;
---- a/lib/LWP/UserAgent.pm
-+++ b/lib/LWP/UserAgent.pm
-@@ -166,7 +166,7 @@
-
- # Locate protocol to use
- my $proxy = $request->{proxy};
-- if ($proxy) {
-+ if ($proxy && $scheme ne 'https') {
- $scheme = $proxy->scheme;
- }
-
diff --git a/debian/patches/series b/debian/patches/series
index 37f7acd..24b657f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1 @@
-skip_https_proxy
+fix-htts-proxy
diff --git a/debian/patches/skip_https_proxy b/debian/patches/skip_https_proxy
deleted file mode 100644
index 7410b3f..0000000
--- a/debian/patches/skip_https_proxy
+++ /dev/null
@@ -1,39 +0,0 @@
-Description:let SSLeay handle https_proxy
- this patch enables LWP::UserAgent to defer https proxy to SSLeay.
- .
- This way, proxy configured from environment variables will use CONNECT for https connections and will behave as usual for http connection.
- .
- Note that the connection through https_proxy will work
- only if:
- * https_proxy env variable is set
- * user agent is created with:
- env_proxy => 1,
- ssl_opts => { verify_hostname => 0 }
- .
- Proxy will NOT work if proxy method is called on user agent to setup https_proxy.
-Bug: http://rt.cpan.org/Public/Bug/Display.html?id=1894
-Bug-Debian:129528
-Bug-Debian:622212
-Forwarded:https://github.com/libwww-perl/libwww-perl/pull/51
-Author:dod
---- a/lib/LWP/UserAgent.pm
-+++ b/lib/LWP/UserAgent.pm
-@@ -986,6 +986,7 @@
- if (defined($url) && length($url)) {
- Carp::croak("Proxy must be specified as absolute URI; '$url' is not") unless $url =~ /^$URI::scheme_re:/;
- Carp::croak("Bad http proxy specification '$url'") if $url =~ /^https?:/ && $url !~ m,^https?://\w,;
-+ Carp::carp("$key proxy should be specified only with an environment variable to let SSLeay handle the proxy") if lc($key) eq 'https' ;
- }
- $self->{proxy}{$key} = $url;
- $self->set_my_handler("request_preprepare", \&_need_proxy)
-@@ -1009,6 +1010,10 @@
- $k = lc($k);
- next unless $k =~ /^(.*)_proxy$/;
- $k = $1;
-+ if ($k eq 'https') {
-+ # let SSLeay handle the proxy
-+ next ;
-+ } ;
- if ($k eq 'no') {
- $self->no_proxy(split(/\s*,\s*/, $v));
- }
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libwww-perl.git