Diffstat (limited to 'debian/tests')
-rw-r--r-- | debian/tests/CVE-2023-25690 | 110 | ||||
-rw-r--r-- | debian/tests/control | 8 | ||||
-rw-r--r-- | debian/tests/uwsgi | 145 |
3 files changed, 263 insertions, 0 deletions
diff --git a/debian/tests/CVE-2023-25690 b/debian/tests/CVE-2023-25690
new file mode 100644
index 0000000..2aa916f
--- /dev/null
+++ b/debian/tests/CVE-2023-25690
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+# test CVE-2023-25690
+set -eux
+
+RC=0
+fail () {
+ echo "FAIL: $@" >&2
+ RC=1
+}
+
+
+function exit_handler()
+{
+ # fix cp: cannot access '/tmp/autopkgtest-lxc.x06nhp9r/downtmp/CVE-2023-25690-artifacts/apache2': Permission denied
+ chmod -R a+rwX "$AUTOPKGTEST_ARTIFACTS/apache2" || true
+ systemctl status apache2.service || true
+ systemctl stop apache2 || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/error.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/access.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/error.8080.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log || true
+}
+trap exit_handler EXIT
+
+
+a2enmod proxy
+a2enmod proxy_http
+a2enmod rewrite
+
+rsync -a /var/log/apache2 "$AUTOPKGTEST_ARTIFACTS"
+rm /var/log/apache2/*
+mount -o bind "$AUTOPKGTEST_ARTIFACTS/apache2" /var/log/apache2
+
+tee /etc/apache2/ports.conf <<'EOF'
+Listen 80
+Listen 8080
+EOF
+
+
+tee /etc/apache2/sites-available/000-default.conf <<'EOF'
+<VirtualHost *:8080>
+ # The ServerName directive sets the request scheme, hostname and port that
+ # the server uses to identify itself. This is used when creating
+ # redirection URLs. In the context of virtual hosts, the ServerName
+ # specifies what hostname must appear in the request's Host: header to
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g. 
+ #LogLevel info ssl:warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.8080.log
+ CustomLog ${APACHE_LOG_DIR}/access.8080.log combined
+
+ # For most configuration files from conf-available/, which are
+ # enabled or disabled at a global level, it is possible to
+ # include a line for only one particular virtual host. For example the
+ # following line enables the CGI configuration for this host only
+ # after it has been globally disabled with "a2disconf".
+ #Include conf-available/serve-cgi-bin.conf
+</VirtualHost>
+<VirtualHost *:80>
+ # The ServerName directive sets the request scheme, hostname and port that
+ # the server uses to identify itself. This is used when creating
+ # redirection URLs. In the context of virtual hosts, the ServerName
+ # specifies what hostname must appear in the request's Host: header to
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g. 
+ #LogLevel info ssl:warn
+ LogLevel alert rewrite:trace6
+ LogLevel error proxy:trace6
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ RewriteEngine on
+ RewriteRule "^/here/(.*)" "http://localhost:8080/index.html?$1" [P]
+ ProxyPassReverse "/here/" "http://localhost:8080/"
+</VirtualHost>
+EOF
+
+systemctl restart apache2
+
+CHOKEURL="http://localhost/here/index.html%20HTTP/1.1%0d%0aHost:%20localhost%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/BAD.html%20HTTP/1.1%0d%0aFoo:%20bar HTTP/1.1"
+wget -S -q --output-document - "$CHOKEURL" || true
+(wget -S -q --output-document /dev/null "$CHOKEURL" 2>&1 || true)
+(wget -S -q --output-document /dev/null "$CHOKEURL" 2>&1 || true) | grep -e '^[[:space:]]*HTTP/1.1 4[[:digit:]][[:digit:]] '
+
+cat $AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log | grep '] "GET /BAD.html HTTP/1.1"' && exit 1
+
+exit 0
+
diff --git a/debian/tests/control b/debian/tests/control
index 2453137..1298110 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -27,3 +27,11 @@ Tests: chroot
 Features: no-build-needed
 Restrictions: needs-root allow-stderr breaks-testbed
 Depends: apache2, wget, dpkg-dev, gcc
+
+Tests: uwsgi
+Restrictions: allow-stderr, needs-root
+Depends: apache2, uwsgi, wget, uwsgi-plugin-python3, rsync, netcat-openbsd | netcat-traditional
+
+Tests: CVE-2023-25690
+Restrictions: allow-stderr, needs-root, isolation-container
+Depends: apache2, rsync, curl, wget
diff --git a/debian/tests/uwsgi b/debian/tests/uwsgi
new file mode 100644
index 0000000..3350144
--- /dev/null
+++ b/debian/tests/uwsgi
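Review bot: The only positive assertion, `grep -e '^[[:space:]]*HTTP/1.1 4[[:digit:]][[:digit:]] '`, accepts any 4xx, so the check that the smuggled `GET /BAD.html` never reached the :8080 backend rests entirely on the later access.8080.log grep; pinning the status the patched server actually returns for this request would make the test fail loudly if the rejection ever moved to a different code. `fail()` and `RC` are defined but never used and the script ends with a literal `exit 0`, so any future `fail "..."` call would be ignored — end with `exit $RC` as the uwsgi test does. The bind mount created by `mount -o bind "$AUTOPKGTEST_ARTIFACTS/apache2" /var/log/apache2` is never undone; exit_handler should run `umount /var/log/apache2 || true` after stopping apache2 so the artifact directory is not left mounted when the container is torn down. CHOKEURL ends in a bare space before `HTTP/1.1`; wget presumably percent-encodes that space, so the request line Apache receives may not be the one the PoC intends — confirm from access.log and write the intended encoding explicitly.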
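Review bot: Both new stanzas omit `breaks-testbed` even though the tests overwrite /etc/apache2/sites-available/000-default.conf (and ports.conf), bind-mount over /var/log/apache2, and the uwsgi test additionally adds system users and systemd units, none of which is restored; the existing chroot stanza declares `Restrictions: needs-root allow-stderr breaks-testbed` for the same kind of mutation. The dependency lists also carry tools the scripts never invoke: `curl` in the CVE-2023-25690 stanza (the test uses wget and rsync only) and `netcat-openbsd | netcat-traditional` in the uwsgi stanza. Suggested: `Restrictions: allow-stderr, needs-root, isolation-container, breaks-testbed` and `Depends: apache2, rsync, wget` for the CVE test, with the netcat alternative dropped from the uwsgi stanza unless a later change needs it.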
@@ -0,0 +1,145 @@
+#!/bin/bash
+set -eux
+
+RC=0
+fail () {
+ echo "FAIL: $@" >&2
+ RC=1
+}
+
+
+function exit_handler()
+{
+ systemctl stop apache2 || true
+ if test -f /run/uwsgi/uwsgi.pid; then
+ kill -TERM $(cat /run/uwsgi/uwsgi.pid)
+ fi
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/error.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/access.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/uwsgi.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/uwsgi.error.log || true
+}
+trap exit_handler EXIT
+
+
+a2enmod proxy
+a2enmod proxy_uwsgi
+
+rsync -a /var/log/apache2 "$AUTOPKGTEST_ARTIFACTS"
+rm /var/log/apache2/*
+mount -o bind "$AUTOPKGTEST_ARTIFACTS/apache2" /var/log/apache2
+
+tee /etc/apache2/sites-available/000-default.conf <<'EOF'
+<VirtualHost *:80>
+ # The ServerName directive sets the request scheme, hostname and port that
+ # the server uses to identify itself. This is used when creating
+ # redirection URLs. In the context of virtual hosts, the ServerName
+ # specifies what hostname must appear in the request's Host: header to
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ # For most configuration files from conf-available/, which are
+ # enabled or disabled at a global level, it is possible to
+ # include a line for only one particular virtual host. For example the
+ # following line enables the CGI configuration for this host only
+ # after it has been globally disabled with "a2disconf". 
+ #Include conf-available/serve-cgi-bin.conf
+ ProxyPass "/uwsgi" "unix:/run/uwsgi/test.socket|uwsgi://localhost"
+</VirtualHost>
+EOF
+
+systemctl restart apache2
+
+test -d /etc/uwsgi/ || mkdir /etc/uwsgi
+
+
+
+tee /etc/systemd/system/uwsgi-app@.socket <<EOF
+[Unit]
+Description=Socket for uWSGI app %i
+
+[Socket]
+ListenStream=/run/uwsgi/%i.socket
+SocketUser=www-%i
+SocketGroup=www-data
+SocketMode=0660
+
+[Install]
+WantedBy=sockets.target
+EOF
+
+tee /etc/systemd/system/uwsgi-app@.service <<EOF
+[Unit]
+Description=%i uWSGI app
+After=syslog.target
+
+[Service]
+ExecStart=/usr/bin/uwsgi \
+ --ini /etc/uwsgi/apps-available/%i.ini \
+ --socket /run/uwsgi/%i.socket
+User=www-%i
+Group=www-data
+Restart=on-failure
+KillSignal=SIGQUIT
+Type=notify
+StandardError=file:/var/log/apache2/uwsgi.error.log
+StandardOutput=file:/var/log/apache2/uwsgi.log
+NotifyAccess=all
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+
+useradd uwsgi_test
+useradd www-test
+
+tee /etc/uwsgi/apps-available/test.ini <<EOF
+[uwsgi]
+chdir=/tmp
+master=True
+cheap=True
+die-on-idle=True
+manage-script-name=True
+plugin=python3
+wsgi-file=/tmp/uwsgi.py
+EOF
+
+
+tee /tmp/uwsgi.py <<'EOF'
+import wsgiref.headers as h
+def application(env, start_response):
+ buggy_header=('buggy','buggy#\r\nbuggy2:buggy2')
+ start_response('200 OK', [('Content-Type','text/html'),buggy_header])
+ ret = "Hello World Headers {}".format(env).encode()
+ return [ret]
+EOF
+chown 'www-test:www-test' /tmp/uwsgi.py
+chmod +x /tmp/uwsgi.py
+
+systemctl enable uwsgi-app@test.socket
+systemctl enable uwsgi-app@test.service
+systemctl start uwsgi-app@test.socket
+systemctl restart apache2
+
+
+wget -S -q --output-document - http://localhost/uwsgi
+wget -q --output-document - http://localhost/uwsgi | grep "^Hello World"
+exit $RC
+- |
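Review bot: The test never asserts what the client receives from the `buggy#\r\nbuggy2:buggy2` header value: the first wget merely prints headers with `-S`, and the second only greps the body for `Hello World`, so a response that is split into a separate `buggy2: buggy2` header (or into a second response) would still pass. Capture the headers and check them, e.g. `wget -S -q -O /dev/null http://localhost/uwsgi 2>&1 | grep -qi '^ *buggy2:' && fail "injected header forwarded to client"`; whether the patched mod_proxy_uwsgi is expected to drop the header or reject the whole response is not visible in this hunk, so the assertion has to be aligned with the fix being shipped. `fail()` sets RC but is never called, so `exit $RC` is always 0 unless `set -e` aborts earlier; the assertions should route through `fail` to make the final status meaningful. `import wsgiref.headers as h` in the WSGI app is unused, and `chmod +x /tmp/uwsgi.py` is unnecessary for a `wsgi-file` that uWSGI imports rather than executes.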