Bug 1149641 (xcat) - Review Request: xcat - A command line tool to explore blind XPath injection vulnerabilities
Keywords:
Status: CLOSED ERRATA
Alias: xcat
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Parag AN(पराग)
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: python-ipgetter 1148946 python-aiohttp
Blocks: FE-SECLAB
Reported: 2014-10-06 10:24 UTC by Fabian Affolter
Modified: 2014-11-13 18:20 UTC

Fixed In Version: xcat-0.7.1-1.fc21
Clone Of:
Environment:
Last Closed: 2014-11-13 18:17:47 UTC
Type: ---
Embargoed:
panemade: fedora-review+
gwync: fedora-cvs+


Description Fabian Affolter 2014-10-06 10:24:04 UTC
Spec URL: https://fab.fedorapeople.org/packages/SRPMS/xcat.spec
SRPM URL: https://fab.fedorapeople.org/packages/SRPMS/xcat-0.7.1-1.fc22.src.rpm

Project URL: https://github.com/orf/xcat

Description:
XCat is a command line program that aids in the exploitation of blind XPath
injection vulnerabilities. It can be used to retrieve the whole XML document
being processed by a vulnerable XPath query, read arbitrary files on the
host's filesystem and utilize out of bound HTTP requests to make the server
send data directly to xcat.

Koji scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=7774127

rpmlint output:
[fab@localhost SRPMS]$ rpmlint xcat-0.7.1-1.fc22.src.rpm 
xcat.src: W: spelling-error %description -l en_US filesystem -> file system, file-system, systemically
1 packages and 0 specfiles checked; 0 errors, 1 warnings.

[fab@localhost noarch]$ rpmlint xcat-0.7.1-1.fc22.noarch.rpm 
xcat.noarch: W: spelling-error %description -l en_US filesystem -> file system, file-system, systemically
xcat.noarch: W: no-manual-page-for-binary xcat
1 packages and 0 specfiles checked; 0 errors, 2 warnings.

Fedora Account System Username: fab

Comment 1 Parag AN(पराग) 2014-10-07 06:25:04 UTC
Review:

+ Package builds fine in mock (f22 x86_64)

+ rpmlint on generated rpms gave output
xcat.noarch: W: spelling-error %description -l en_US filesystem -> file system, file-system, systemically
xcat.noarch: W: no-manual-page-for-binary xcat
xcat.src: W: spelling-error %description -l en_US filesystem -> file system, file-system, systemically
2 packages and 0 specfiles checked; 0 errors, 3 warnings.

+ Source verified with upstream as (sha256sum)
upstream tarball: 7c55be7ef20a91c69715ec64ce288ac9c893c2a3107e86dd405fdeaa690f6dca
srpm tarball : 7c55be7ef20a91c69715ec64ce288ac9c893c2a3107e86dd405fdeaa690f6dca

+ License "MIT" is valid and included in LICENSE file.


Suggestions:
1) macro srcname is not defined in spec file. Please add it.

2) this package should be named as python3-xcat

Comment 2 Fabian Affolter 2014-10-07 21:08:33 UTC
(In reply to Parag AN(पराग) from comment #1)
> 2) this package should be named as python3-xcat

I disagree. xcat is a tool which is written in python and not a python module.

Comment 3 Parag AN(पराग) 2014-10-08 06:14:43 UTC
Sorry, I got it wrong before. You are right, this is a tool actually.


APPROVED.

Comment 4 Fabian Affolter 2014-10-08 06:25:12 UTC
Thanks for the review.

Comment 5 Fabian Affolter 2014-10-08 06:26:22 UTC
New Package SCM Request
=======================
Package Name: xcat
Short Description: A command line tool to explore blind XPath injection vulnerabilities
Upstream URL: https://github.com/orf/xcat
Owners: fab 
Branches: f20 f21 epel7
InitialCC:

Comment 6 Gwyn Ciesla 2014-10-08 10:15:03 UTC
Git done (by process-git-requests).

Comment 7 Fedora Update System 2014-10-08 13:35:48 UTC
xcat-0.7.1-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/xcat-0.7.1-1.fc21

Comment 8 Fedora Update System 2014-10-08 13:45:48 UTC
xcat-0.7.1-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/xcat-0.7.1-1.fc20

Comment 9 Fedora Update System 2014-10-10 16:06:21 UTC
xcat-0.7.1-1.fc20 has been pushed to the Fedora 20 testing repository.

Comment 10 Johnny Robeson 2014-10-20 04:19:32 UTC
Shouldn't this package depend on python 3.4 or a python3-asyncio asyncio package?

I don't see how it would work out of the box on a Fedora 20 install.

Comment 11 Johnny Robeson 2014-10-20 04:20:30 UTC
Sorry, I commented on the wrong package. :(

Comment 12 Fedora Update System 2014-11-13 18:17:47 UTC
xcat-0.7.1-1.fc20 has been pushed to the Fedora 20 stable repository.

Comment 13 Fedora Update System 2014-11-13 18:20:09 UTC
xcat-0.7.1-1.fc21 has been pushed to the Fedora 21 stable repository.

