Apply patch from upstream for CVE-2010-2252.

This is revision-id:gscrivano@gnu.org-20100728192222-sy6rf3fgeydgvl1k
from http://bzr.savannah.gnu.org/r/wget/trunk/ without the change to
src/ftp.c because it is a whitespace only change.

PR:		ports/150293
Submitted by:	Joe Horn <joehorn@gmail.com>
Security:	CVE-2010-2252

10 files changed, 199 insertions, 1 deletions

diff --git a/ftp/wget/Makefile b/ftp/wget/Makefile
index 3e9184ef2b9e..7bffa5cf22e3 100644
--- a/ftp/wget/Makefile
+++ b/ftp/wget/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	wget
 DISTVERSION=	1.12
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	ftp www ipv6
 MASTER_SITES=	${MASTER_SITE_GNU}
 MASTER_SITE_SUBDIR=	wget
diff --git a/ftp/wget/files/patch-NEWS b/ftp/wget/files/patch-NEWS
new file mode 100644
index 000000000000..c37cc0ec2eee
--- /dev/null
+++ b/ftp/wget/files/patch-NEWS
@@ -0,0 +1,14 @@
+--- NEWS	2010-07-11 13:47:18 +0000
++++ NEWS	2010-07-28 19:22:22 +0000
+@@ -33,6 +33,9 @@
+ ** GNU TLS backend works again.
+ 
+ ** Now --timestamping and --continue works well together.
++
++** By default, on server redirects, use the original URL to get the
++   local file name. Close CVE-2010-2252.
+ 
+ * Changes in Wget 1.12
+ 
+
+=== modified file 'doc/wget.texi'
diff --git a/ftp/wget/files/patch-doc__wget.texi b/ftp/wget/files/patch-doc__wget.texi
new file mode 100644
index 000000000000..fc21fe844a9e
--- /dev/null
+++ b/ftp/wget/files/patch-doc__wget.texi
@@ -0,0 +1,29 @@
+--- doc/wget.texi	2010-05-27 10:45:15 +0000
++++ doc/wget.texi	2010-07-28 19:22:22 +0000
+@@ -1498,6 +1498,13 @@
+ @code{Content-Disposition} headers to describe what the name of a
+ downloaded file should be.
+ 
++@cindex Trust server names
++@item --trust-server-names
++
++If this is set to on, on a redirect the last component of the
++redirection URL will be used as the local file name.  By default it is
++used the last component in the original URL.
++
+ @cindex authentication
+ @item --auth-no-challenge
+ 
+@@ -2810,6 +2817,10 @@
+ Turn on recognition of the (non-standard) @samp{Content-Disposition}
+ HTTP header---if set to @samp{on}, the same as @samp{--content-disposition}.
+ 
++@item trust_server_names = on/off
++If set to on, use the last component of a redirection URL for the local
++file name.
++
+ @item continue = on/off
+ If set to on, force continuation of preexistent partially retrieved
+ files.  See @samp{-c} before setting it.
+
+=== modified file 'src/ChangeLog'
diff --git a/ftp/wget/files/patch-src__ChangeLog b/ftp/wget/files/patch-src__ChangeLog
new file mode 100644
index 000000000000..728938e5293e
--- /dev/null
+++ b/ftp/wget/files/patch-src__ChangeLog
@@ -0,0 +1,23 @@
+--- src/ChangeLog	2010-07-20 17:42:13 +0000
++++ src/ChangeLog	2010-07-28 19:22:22 +0000
+@@ -1,3 +1,18 @@
++2010-07-28  Giuseppe Scrivano  <gscrivano@gnu.org>
++
++	* http.h (http_loop): Add new argument `original_url'
++	* http.c (http_loop): Add new argument `original_url'.  Use
++	`original_url' to get a filename if `trustservernames' is false.
++
++	* init.c (commands): Add "trustservernames".
++
++	* options.h (library): Add variable `trustservernames'.
++
++	* main.c (option_data): Add trust-server-names.
++	(print_help): Describe --trust-server-names.
++
++	* retr.c (retrieve_url): Pass new argument to `http_loop'.
++
+ 2010-07-20  Alan Jenkins <alan-jenkins@tuffmail.co.uk> (tiny change)
+ 
+ 	* http.c (gethttp): Check content-length was set before trying to
+
+=== modified file 'src/http.c'
diff --git a/ftp/wget/files/patch-src__http.c b/ftp/wget/files/patch-src__http.c
new file mode 100644
index 000000000000..d847546c6afc
--- /dev/null
+++ b/ftp/wget/files/patch-src__http.c
@@ -0,0 +1,59 @@
+--- src/http.c	2010-07-20 17:42:13 +0000
++++ src/http.c	2010-07-28 19:22:22 +0000
+@@ -2593,8 +2593,9 @@
+ /* The genuine HTTP loop!  This is the part where the retrieval is
+    retried, and retried, and retried, and...  */
+ uerr_t
+-http_loop (struct url *u, char **newloc, char **local_file, const char *referer,
+-           int *dt, struct url *proxy, struct iri *iri)
++http_loop (struct url *u, struct url *original_url, char **newloc,
++           char **local_file, const char *referer, int *dt, struct url *proxy,
++           struct iri *iri)
+ {
+   int count;
+   bool got_head = false;         /* used for time-stamping and filename detection */
+@@ -2641,7 +2642,8 @@
+     }
+   else if (!opt.content_disposition)
+     {
+-      hstat.local_file = url_file_name (u);
++      hstat.local_file =
++        url_file_name (opt.trustservernames ? u : original_url);
+       got_name = true;
+     }
+ 
+@@ -2679,7 +2681,7 @@
+ 
+   /* Send preliminary HEAD request if -N is given and we have an existing
+    * destination file. */
+-  file_name = url_file_name (u);
++  file_name = url_file_name (opt.trustservernames ? u : original_url);
+   if (opt.timestamping && (file_exists_p (file_name)
+                            || opt.content_disposition))
+     send_head_first = true;
+@@ -3039,9 +3041,9 @@
+ 
+           /* Remember that we downloaded the file for later ".orig" code. */
+           if (*dt & ADDED_HTML_EXTENSION)
+-            downloaded_file(FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
++            downloaded_file (FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
+           else
+-            downloaded_file(FILE_DOWNLOADED_NORMALLY, hstat.local_file);
++            downloaded_file (FILE_DOWNLOADED_NORMALLY, hstat.local_file);
+ 
+           ret = RETROK;
+           goto exit;
+@@ -3072,9 +3074,9 @@
+ 
+               /* Remember that we downloaded the file for later ".orig" code. */
+               if (*dt & ADDED_HTML_EXTENSION)
+-                downloaded_file(FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
++                downloaded_file (FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
+               else
+-                downloaded_file(FILE_DOWNLOADED_NORMALLY, hstat.local_file);
++                downloaded_file (FILE_DOWNLOADED_NORMALLY, hstat.local_file);
+ 
+               ret = RETROK;
+               goto exit;
+
+=== modified file 'src/http.h'
diff --git a/ftp/wget/files/patch-src__http.h b/ftp/wget/files/patch-src__http.h
new file mode 100644
index 000000000000..785a74877e85
--- /dev/null
+++ b/ftp/wget/files/patch-src__http.h
@@ -0,0 +1,15 @@
+--- src/http.h	2010-05-08 19:56:15 +0000
++++ src/http.h	2010-07-28 19:22:22 +0000
+@@ -33,8 +33,8 @@
+ 
+ struct url;
+ 
+-uerr_t http_loop (struct url *, char **, char **, const char *, int *,
+-		  struct url *, struct iri *);
++uerr_t http_loop (struct url *, struct url *, char **, char **, const char *,
++                  int *, struct url *, struct iri *);
+ void save_cookies (void);
+ void http_cleanup (void);
+ time_t http_atotm (const char *);
+
+=== modified file 'src/init.c'
diff --git a/ftp/wget/files/patch-src__init.c b/ftp/wget/files/patch-src__init.c
new file mode 100644
index 000000000000..2b002b0b3aeb
--- /dev/null
+++ b/ftp/wget/files/patch-src__init.c
@@ -0,0 +1,12 @@
+--- src/init.c	2010-05-08 19:56:15 +0000
++++ src/init.c	2010-07-28 19:22:22 +0000
+@@ -252,6 +252,7 @@
+   { "timeout",          NULL,                   cmd_spec_timeout },
+   { "timestamping",     &opt.timestamping,      cmd_boolean },
+   { "tries",            &opt.ntry,              cmd_number_inf },
++  { "trustservernames", &opt.trustservernames,  cmd_boolean },
+   { "useproxy",         &opt.use_proxy,         cmd_boolean },
+   { "user",             &opt.user,              cmd_string },
+   { "useragent",        NULL,                   cmd_spec_useragent },
+
+=== modified file 'src/main.c'
diff --git a/ftp/wget/files/patch-src__main.c b/ftp/wget/files/patch-src__main.c
new file mode 100644
index 000000000000..9141b1faf8d8
--- /dev/null
+++ b/ftp/wget/files/patch-src__main.c
@@ -0,0 +1,21 @@
+--- src/main.c	2010-06-20 10:10:35 +0000
++++ src/main.c	2010-07-28 19:22:22 +0000
+@@ -266,6 +266,7 @@
+     { "timeout", 'T', OPT_VALUE, "timeout", -1 },
+     { "timestamping", 'N', OPT_BOOLEAN, "timestamping", -1 },
+     { "tries", 't', OPT_VALUE, "tries", -1 },
++    { "trust-server-names", 0, OPT_BOOLEAN, "trustservernames", -1 },
+     { "use-server-timestamps", 0, OPT_BOOLEAN, "useservertimestamps", -1 },
+     { "user", 0, OPT_VALUE, "user", -1 },
+     { "user-agent", 'U', OPT_VALUE, "useragent", -1 },
+@@ -680,6 +681,8 @@
+     N_("\
+   -I,  --include-directories=LIST  list of allowed directories.\n"),
+     N_("\
++  --trust-server-names  use the name specified by the redirection url last component.\n"),
++    N_("\
+   -X,  --exclude-directories=LIST  list of excluded directories.\n"),
+     N_("\
+   -np, --no-parent                 don't ascend to the parent directory.\n"),
+
+=== modified file 'src/options.h'
diff --git a/ftp/wget/files/patch-src__options.h b/ftp/wget/files/patch-src__options.h
new file mode 100644
index 000000000000..e3d1f37bb687
--- /dev/null
+++ b/ftp/wget/files/patch-src__options.h
@@ -0,0 +1,12 @@
+--- src/options.h	2010-05-08 19:56:15 +0000
++++ src/options.h	2010-07-28 19:22:22 +0000
+@@ -242,6 +242,7 @@
+   char *encoding_remote;
+   char *locale;
+ 
++  bool trustservernames;
+ #ifdef __VMS
+   int ftp_stmlf;                /* Force Stream_LF format for binary FTP. */
+ #endif /* def __VMS */
+
+=== modified file 'src/retr.c'
diff --git a/ftp/wget/files/patch-src__retr.c b/ftp/wget/files/patch-src__retr.c
new file mode 100644
index 000000000000..666b3d29c182
--- /dev/null
+++ b/ftp/wget/files/patch-src__retr.c
@@ -0,0 +1,13 @@
+--- src/retr.c	2010-05-08 19:56:15 +0000
++++ src/retr.c	2010-07-28 19:22:22 +0000
+@@ -731,7 +731,8 @@
+ #endif
+       || (proxy_url && proxy_url->scheme == SCHEME_HTTP))
+     {
+-      result = http_loop (u, &mynewloc, &local_file, refurl, dt, proxy_url, iri);
++      result = http_loop (u, orig_parsed, &mynewloc, &local_file, refurl, dt,
++                          proxy_url, iri);
+     }
+   else if (u->scheme == SCHEME_FTP)
+     {
+