Be more strict about what names and titles we allow and reject them
immediately when possible, but allow # again for those directly set by
commands (but not escape sequences). From Barrett Ruth in GitHub issue
5175.
gambatte: migrate to Python 3
Convert the solitary Python file with 2to3 and add a few more tweaks so it
works under Python 3.
This removes Python 2 as a dep from one more port.
ok bentley@ (MAINTAINER)
bring back bin/2to3 now that it was removed from Python 3.14
We have python2.7-2to3 there, but it's more convenient for me to use the
shorter tool name. So bring it back now that there's no conflict.
This tool is still useful to help get some of the final Python 2 bits over
to Python 3.
ok and tweaked by sthen@
rpki-client: reject certs with duplicate extension OIDs
We check this for extensions we know about in cert_parse_extensions().
We keep doing it there since we need to keep track of the extensions we
encountered anyway.
While cert_parse_extensions() rejects certs with critical extensions we
don't know about, we allow duplicate non-critical ones mainly because
that's annoying to keep track of. LibreSSL's libcrypto checks for this
and rejects the cert when caching the extensions, OpenSSL 4 adds a new
EXFLAG_DUPLICATE flag and accepts the cert, and OpenSSL 3 simply ignores
duplicates. In short: we get to do it ourselves.
This check is basically lifted from libcrypto's x509_purp.c with a few
extra contortions due to const sprinkling and making things opaque. The
warnx is the same as the one already present in cert_parse_extensions().
We do not NULL check X509_EXTENSION_get_object() because the extension
parsed, so an OID is present.
[2 lines not shown]
Make sure UDP header length field at least covers the UDP header.
We clamp the amount of data we are willing to parse to the length of
the UDP packet as indicated by the UDP header length field. While we
made sure that the length field did not point past the received data,
we never checked if the length is smaller than the udp header. Since
we are using BPF, the kernel also does not doe this for us. This might
in turn lead to an underflow and a subsequent crash of the engine
process.
Pointed out and diff provided by Andrew Griffiths, thanks!
adjust handling of erlang's -wx subpackage. it doesn't actually build on
machines that don't have wxWidgets,-webview, so disable wx completely on
those archs, rather than try to build it without webview present (which
fails).
this both fixes the build, and allows DPB to attempt to build erlang (it
was previously disabling it due to webkitgtk4 not being available, for
some reason).
ok volker
Tighten well-formedness checks on AIA & SIA extensions in certs
Valid Rsync URIs always contain a module component.
To avoid duplication of URI validation code, refactor rsync_base_uri()
to optionally allocate & dup the base URI portion.
Thanks to Ties de Kock for reporting.
OK tb@ claudio@
