Bug#834625: lighttpd: Add autopkgtests test to check mitigation against HTTPoxy
On Wed, Aug 17, 2016 at 06:08:52PM +0200, Santiago Ruano Rincón wrote:
> Please, find attached the patches to include a DEP-8 test to check if
> lighttpd correctly avoids passing http proxy variables to CGIs.
Thank you for your contribution to the lighttpd package. Raising the
absence of tests was very useful and I now added a few simpler ones.
Unfortunately, I think that it is not reasonable to include your patch
as is.
> +Tests: do-not-emit-http-proxy-to-cgi
This is a very specific test. However, we still lack a lot of simpler
tests. When this test breaks, one has a hard time figuring out what the
cause is.
At the time of your bug filing, lighttpd had no autopkgtests at all.
Now, we have some very basic tests (thanks to your bug), but not even a
single cgi test.
Before adding such a specific test, I think it would be prudent to
include a basic cgi test.
> +Depends: @, python2.7, python-requests, curl, netcat
> +Restrictions: needs-root, allow-stderr
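Review bot: The Depends line pulls in two HTTP clients (python-requests and curl) plus netcat for a single test. If the test script can issue its request with one of them, drop the others so the testbed installs less and a missing or broken dependency is less likely to be mistaken for a lighttpd regression.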
This test can be reasonably implemented without needs-root. Requiring
needs-root means that you cannot run it under schroot unfortunately.
So I don't think your patch is usable as is. Would you be interested in
addressing the points raised?
Helmut
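
The two points raised in the reply above (check basic CGI first, avoid needs-root), as an added example that is not part of this thread or of the lighttpd package: a shell test that starts lighttpd as the invoking user and checks that a request's Proxy header does not reach a CGI as HTTP_PROXY. The port 8080, the file names and the `run` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: non-root check that lighttpd does not pass a client's
# "Proxy:" header to a CGI as HTTP_PROXY. Port, file names and layout are
# assumptions of this example, not taken from the lighttpd package.
set -eu

PORT=8080   # assumed free, unprivileged port, so needs-root is not required

# Write a minimal lighttpd config and a CGI that dumps its environment.
write_fixture() {
    dir=$1
    mkdir -p "$dir/www"
    cat > "$dir/lighttpd.conf" <<EOF
server.modules       = ( "mod_cgi" )
server.document-root = "$dir/www"
server.bind          = "127.0.0.1"
server.port          = $PORT
server.errorlog      = "$dir/error.log"
cgi.assign           = ( ".cgi" => "/bin/sh" )
EOF
    cat > "$dir/www/env.cgi" <<'EOF'
printf 'Content-Type: text/plain\r\n\r\n'
env
EOF
}

# Read a CGI response on stdin; succeed if HTTP_PROXY reached the CGI.
leaks_http_proxy() {
    grep -q '^HTTP_PROXY='
}

run_test() {
    dir=$(mktemp -d)
    write_fixture "$dir"
    lighttpd -D -f "$dir/lighttpd.conf" &
    pid=$!
    trap 'kill "$pid" 2>/dev/null; rm -rf "$dir"' EXIT
    sleep 1
    # The Proxy value is a constructed placeholder pointing at the discard port.
    body=$(curl -sS -H 'Proxy: 127.0.0.1:9' "http://127.0.0.1:$PORT/env.cgi")
    # Basic CGI sanity first, so a failure points at CGI itself, not the mitigation.
    printf '%s\n' "$body" | grep -q '^REQUEST_METHOD=GET$' || { echo "CGI not executed" >&2; exit 1; }
    if printf '%s\n' "$body" | leaks_http_proxy; then
        echo "FAIL: Proxy header exported as HTTP_PROXY" >&2; exit 1
    fi
    echo "PASS"
}

# Only start a server when asked to, e.g. "sh cgi-no-proxy.sh run".
if [ "${1:-}" = run ]; then run_test; fi
```

Because the REQUEST_METHOD check runs before the HTTP_PROXY check, a broken CGI setup fails with its own message instead of looking like a mitigation failure.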