FS#44022 - [wget] Compile 1.16.2 with Libpsl

Attached to Project: Arch Linux
Opened by Darshit Shah (darnir) - Monday, 02 March 2015, 19:29 GMT
Last edited by Levente Polyak (anthraxx) - Thursday, 08 December 2016, 01:14 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Eric Belanger (Snowman)
Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:

Along with the release announcement for Wget 1.16.2, Upstream states that Wget should be compiled with support for Libpsl for cookie domain checking. I have been maintaining wget-git with support for Libpsl on AUR for a while now and have had no issues.

Wget's internal cookie domain matching algorithm is severely lacking. It is unable to handle all the domain names in the Public Suffix List correctly, which makes it vulnerable to information exposure. Libpsl was written to handle all those problems.

I do realize that on AUR, Libpsl doesn't really have many (or any) votes. But that is only because it is a backend library, currently being used only by one project.
This task depends upon

Closed by  Levente Polyak (anthraxx)
Thursday, 08 December 2016, 01:14 GMT
Reason for closing:  Implemented
Additional comments about closing:  1.18-2
Comment by Samantha McVey (samcv) - Friday, 10 June 2016, 05:03 GMT
I checked the Arch package for wget and it appears the status of our package is the same as before, without any depends on Libpsl. If this is a security issue as you seem to be saying, can you give a short description of the security implications of implementing or not implementing Libpsl in the wget Arch package and how these will affect Arch users? Your response is greatly appreciated.
Comment by Darshit Shah (darnir) - Friday, 10 June 2016, 05:46 GMT
This would not be Wget 1.18 which was released yesterday.

Wget maintainers have for a while now argued for compiling Wget with libPSL. Instead of baking that code into Wget alone, they decided to turn it into a library so that other projects can use these features as well. As far as I'm aware, cURL has support for LibPSL as well, but Arch does not compile against it.

The arguments for using LibPSL stem from the fact that identifying a Top Level Domain (TLD) is extremely hard for HTTP Clients today. This can be exploited by a malicious server that may attempt to set a so-called, "supercookie". Super cookies are cookies set for a TLD. While clients should ideally not allow such cookies to be set, it is increasingly difficult to do so since today even second and third level domains can be TLDs. This StackOverflow question shows why this is important: https://stackoverflow.com/questions/288810/get-the-subdomain-from-a-url. All web browsers use a Public Suffix List internally to prevent such supercookies.

Another issue at hand is, "super certificates", as was described in this mailing list post: https://lists.gnu.org/archive/html/bug-wget/2014-03/msg00093.html

This shows that using a PSL is important when setting cookies or checking certificates. Wget uses LibPSL for fast TLD lookups, as does cURL. I will open another ticket petitioning for compiling cURL with LibPSL as well.


Disclaimer: I am one of the three official maintainers of GNU Wget and was involved in the design of LibPSL.

Loading...