FS#44022 - [wget] Compile 1.16.2 with Libpsl
Attached to Project:
Arch Linux
Opened by Darshit Shah (darnir) - Monday, 02 March 2015, 19:29 GMT
Last edited by Levente Polyak (anthraxx) - Thursday, 08 December 2016, 01:14 GMT
Details
Description:
Along with the release announcement for Wget 1.16.2, Upstream states that Wget should be compiled with support for Libpsl for cookie domain checking. I have been maintaining wget-git with support for Libpsl on AUR for a while now and have had no issues. Wget's internal cookie domain matching algorithm is severely lacking. It is unable to handle all the domain names in the Public Suffix List correctly, which makes it vulnerable to information exposure. Libpsl was written to handle all those problems. I do realize that on AUR, Libpsl doesn't really have many (or any) votes. But that is only because it is a backend library, currently being used only by one project.
Closed by Levente Polyak (anthraxx)
Thursday, 08 December 2016, 01:14 GMT
Reason for closing: Implemented
Additional comments about closing: 1.18-2
Wget maintainers have for a while now argued for compiling Wget with libPSL. Instead of baking that code into Wget alone, they decided to turn it into a library so that other projects can use these features as well. As far as I'm aware, cURL has support for LibPSL as well, but Arch does not compile against it.
The arguments for using LibPSL stem from the fact that identifying a Top Level Domain (TLD) is extremely hard for HTTP clients today. This can be exploited by a malicious server that may attempt to set a so-called "supercookie". Supercookies are cookies set for a TLD. While clients should ideally not allow such cookies to be set, it is increasingly difficult to do so since today even second and third level domains can be TLDs. This StackOverflow question shows why this is important: https://stackoverflow.com/questions/288810/get-the-subdomain-from-a-url. All web browsers use a Public Suffix List internally to prevent such supercookies.
Another issue at hand is "super certificates", as described in this mailing list post: https://lists.gnu.org/archive/html/bug-wget/2014-03/msg00093.html
This shows that using a PSL is important when setting cookies or checking certificates. Wget uses LibPSL for fast TLD lookups, as does cURL. I will open another ticket petitioning for compiling cURL with LibPSL as well.
Disclaimer: I am one of the three official maintainers of GNU Wget and was involved in the design of LibPSL.
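The supercookie problem discussed in the comment above, shown as an added example; this is not code from Wget, libpsl or this ticket. It implements the Public Suffix List matching algorithm (longest matching rule, `*.` wildcard rules, `!` exception rules, and the implicit `*` rule when nothing matches) over a constructed excerpt of the list, and uses it to decide whether a `Domain=` attribute may be accepted. The excerpt, the rule names and the naive check it is contrasted with are assumptions chosen to exercise the algorithm, not a description of Wget's own heuristic.

```python
"""PSL-based cookie Domain check (added example, not Wget/libpsl code)."""
from __future__ import annotations

# Constructed excerpt of the Public Suffix List in the list's own syntax.
# The real list has thousands of rules; this subset is an assumption that
# covers plain rules, a wildcard rule, an exception rule and a private-
# section entry (github.io) where every user gets their own subdomain.
PSL_EXCERPT = """
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
ac.uk
// every label directly under ck is a public suffix ...
*.ck
// ... except www.ck, which is a registrable domain
!www.ck
jp
// ===BEGIN PRIVATE DOMAINS===
github.io
"""


def parse_psl(text: str) -> list[str]:
    """Return the rules of a PSL file, skipping blank lines and // comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append(line.split()[0].lower())  # a rule ends at whitespace
    return rules


RULES = parse_psl(PSL_EXCERPT)


def public_suffix(host: str, rules: list[str]) -> str:
    """Public suffix of host per the PSL algorithm.

    Rules are compared label by label from the right; "*" matches any one
    label. An exception ("!") rule beats every other match, and its suffix
    is the rule minus its leftmost label. Among non-exception matches the
    rule with the most labels wins. With no match the prevailing rule is
    "*", i.e. the last label alone is the public suffix.
    """
    labels = host.lower().rstrip(".").split(".")
    best: list[str] | None = None
    best_is_exception = False
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if len(rule_labels) > len(labels):
            continue
        matched = all(
            r == "*" or r == h
            for r, h in zip(reversed(rule_labels), reversed(labels))
        )
        if not matched:
            continue
        if is_exception and not best_is_exception:
            best, best_is_exception = rule_labels, True
        elif is_exception == best_is_exception and (
            best is None or len(rule_labels) > len(best)
        ):
            best = rule_labels
    if best is None:
        return labels[-1]
    keep = len(best) - (1 if best_is_exception else 0)
    return ".".join(labels[-keep:]) if keep else ""


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    rh = request_host.lower().rstrip(".")
    cd = cookie_domain.lower().strip(".")
    return rh == cd or rh.endswith("." + cd)


def naive_cookie_domain_ok(request_host: str, cookie_domain: str) -> bool:
    """Hypothetical PSL-less check: accept any dotted domain that covers the
    host. It lets evil.co.uk set Domain=co.uk, and the same matching is what
    later makes the client send that cookie to every other .co.uk host."""
    return "." in cookie_domain.strip(".") and domain_matches(
        request_host, cookie_domain
    )


def psl_cookie_domain_ok(
    request_host: str, cookie_domain: str, rules: list[str] = RULES
) -> bool:
    """Accept Domain= only if it covers the responding host and is not
    itself a public suffix (that is, it has at least one registrable label)."""
    cd = cookie_domain.lower().strip(".")
    if not domain_matches(request_host, cd):
        return False
    return cd != public_suffix(cd, rules)


if __name__ == "__main__":
    for host, dom in [("evil.co.uk", "co.uk"), ("attacker.github.io", "github.io"),
                      ("www.example.co.uk", "example.co.uk"), ("x.foo.ck", "foo.ck"),
                      ("www.ck", "www.ck")]:
        print(f"{host:20} Domain={dom:15} naive={naive_cookie_domain_ok(host, dom)!s:5} "
              f"psl={psl_cookie_domain_ok(host, dom)}")
```

The naive check accepts `Domain=co.uk` from `evil.co.uk` and `Domain=github.io` from any GitHub Pages site, which is exactly the supercookie the comment describes; the PSL-backed check rejects both while still allowing `example.co.uk` and the `www.ck` exception. The same `public_suffix` lookup is what a client needs for the "super certificate" case, since a wildcard certificate whose name is a public suffix should not be trusted for unrelated registrable domains beneath it.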