Bug 1149641 (xcat) - Review Request: xcat - A command line tool to explore blind XPath injection vulnerabilities
Summary: Review Request: xcat - A command line tool to explore blind XPath injection v...
Keywords:
Status: CLOSED ERRATA
Alias: xcat
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Parag AN(पराग)
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: python-ipgetter 1148946 python-aiohttp
Blocks: FE-SECLAB
Reported: 2014-10-06 10:24 UTC by Fabian Affolter
Modified: 2014-11-13 18:20 UTC (History)

Fixed In Version: xcat-0.7.1-1.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-13 18:17:47 UTC
Type: ---
Embargoed:
panemade: fedora-review+
gwync: fedora-cvs+



Description Fabian Affolter 2014-10-06 10:24:04 UTC
Spec URL: https://fab.fedorapeople.org/packages/SRPMS/xcat.spec
SRPM URL: https://fab.fedorapeople.org/packages/SRPMS/xcat-0.7.1-1.fc22.src.rpm

Project URL: https://github.com/orf/xcat

Description:
XCat is a command line program that aids in the exploitation of blind XPath
injection vulnerabilities. It can be used to retrieve the whole XML document
being processed by a vulnerable XPath query, read arbitrary files on the
host's filesystem and utilize out of bound HTTP requests to make the server
send data directly to xcat.

Koji scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=7774127

rpmlint output:
[fab@localhost SRPMS]$ rpmlint xcat-0.7.1-1.fc22.src.rpm 
xcat.src: W: spelling-error %description -l en_US filesystem -> file system, file-system, systemically
1 packages and 0 specfiles checked; 0 errors, 1 warnings.

[fab@localhost noarch]$ rpmlint xcat-0.7.1-1.fc22.noarch.rpm 
xcat.noarch: W: spelling-error %description -l en_US filesystem -> file system, file-system, systemically
xcat.noarch: W: no-manual-page-for-binary xcat
1 packages and 0 specfiles checked; 0 errors, 2 warnings.

Fedora Account System Username: fab

Comment 1 Parag AN(पराग) 2014-10-07 06:25:04 UTC
Review:

+ Package builds fine in mock (f22 x86_64)

+ rpmlint on generated rpms gave output
xcat.noarch: W: spelling-error %description -l en_US filesystem -> file system, file-system, systemically
xcat.noarch: W: no-manual-page-for-binary xcat
xcat.src: W: spelling-error %description -l en_US filesystem -> file system, file-system, systemically
2 packages and 0 specfiles checked; 0 errors, 3 warnings.

+ Source verified with upstream as (sha256sum)
upstream tarball: 7c55be7ef20a91c69715ec64ce288ac9c893c2a3107e86dd405fdeaa690f6dca
srpm tarball : 7c55be7ef20a91c69715ec64ce288ac9c893c2a3107e86dd405fdeaa690f6dca

+ License "MIT" is valid and included in LICENSE file.


Suggestions:
1) macro srcname is not defined in spec file. Please add it.

2) this package should be named as python3-xcat

Comment 2 Fabian Affolter 2014-10-07 21:08:33 UTC
(In reply to Parag AN(पराग) from comment #1)
> 2) this package should be named as python3-xcat

I disagree. xcat is a tool which is written in python and not a python module.

Comment 3 Parag AN(पराग) 2014-10-08 06:14:43 UTC
Sorry, I got it wrong before. You are right, this is a tool actually.


APPROVED.

Comment 4 Fabian Affolter 2014-10-08 06:25:12 UTC
Thanks for the review.

Comment 5 Fabian Affolter 2014-10-08 06:26:22 UTC
New Package SCM Request
=======================
Package Name: xcat
Short Description: A command line tool to explore blind XPath injection vulnerabilities
Upstream URL: https://github.com/orf/xcat
Owners: fab 
Branches: f20 f21 epel7
InitialCC:

Comment 6 Gwyn Ciesla 2014-10-08 10:15:03 UTC
Git done (by process-git-requests).

Comment 7 Fedora Update System 2014-10-08 13:35:48 UTC
xcat-0.7.1-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/xcat-0.7.1-1.fc21

Comment 8 Fedora Update System 2014-10-08 13:45:48 UTC
xcat-0.7.1-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/xcat-0.7.1-1.fc20

Comment 9 Fedora Update System 2014-10-10 16:06:21 UTC
xcat-0.7.1-1.fc20 has been pushed to the Fedora 20 testing repository.

Comment 10 Johnny Robeson 2014-10-20 04:19:32 UTC
Shouldn't this package depend on python 3.4 or a python3-asyncio asyncio package?

I don't see how it would work out of the box on a Fedora 20 install.

Comment 11 Johnny Robeson 2014-10-20 04:20:30 UTC
Sorry. I commented on the wrong package. :(

Comment 12 Fedora Update System 2014-11-13 18:17:47 UTC
xcat-0.7.1-1.fc20 has been pushed to the Fedora 20 stable repository.

Comment 13 Fedora Update System 2014-11-13 18:20:09 UTC
xcat-0.7.1-1.fc21 has been pushed to the Fedora 21 stable repository.

