Bug 1149641 - (xcat) Review Request: xcat - A command line tool to explore blind XPath injection vulnerabilities
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: Package Review
rawhide
All Linux
medium Severity medium
Assigned To: Parag AN(पराग)
Fedora Extras Quality Assurance
Depends On: python-ipgetter 1148946 python-aiohttp
Blocks: FE-SECLAB
Reported: 2014-10-06 06:24 EDT by Fabian Affolter
Modified: 2014-11-13 13:20 EST

Fixed In Version: xcat-0.7.1-1.fc21
Doc Type: Bug Fix
Last Closed: 2014-11-13 13:17:47 EST
panemade: fedora‑review+
limburgher: fedora‑cvs+

Description Fabian Affolter 2014-10-06 06:24:04 EDT
Spec URL: https://fab.fedorapeople.org/packages/SRPMS/xcat.spec
SRPM URL: https://fab.fedorapeople.org/packages/SRPMS/xcat-0.7.1-1.fc22.src.rpm

Project URL: https://github.com/orf/xcat

Description:
XCat is a command line program that aids in the exploitation of blind XPath
injection vulnerabilities. It can be used to retrieve the whole XML document
being processed by a vulnerable XPath query, read arbitrary files on the
host's filesystem and utilize out of bound HTTP requests to make the server
send data directly to xcat.

Koji scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=7774127

rpmlint output:
[fab@localhost SRPMS]$ rpmlint xcat-0.7.1-1.fc22.src.rpm 
xcat.src: W: spelling-error %description -l en_US filesystem -> file system, file-system, systemically
1 packages and 0 specfiles checked; 0 errors, 1 warnings.

[fab@localhost noarch]$ rpmlint xcat-0.7.1-1.fc22.noarch.rpm 
xcat.noarch: W: spelling-error %description -l en_US filesystem -> file system, file-system, systemically
xcat.noarch: W: no-manual-page-for-binary xcat
1 packages and 0 specfiles checked; 0 errors, 2 warnings.

Fedora Account System Username: fab
Comment 1 Parag AN(पराग) 2014-10-07 02:25:04 EDT
Review:

+ Package builds fine in mock (f22 x86_64)

+ rpmlint on generated rpms gave output
xcat.noarch: W: spelling-error %description -l en_US filesystem -> file system, file-system, systemically
xcat.noarch: W: no-manual-page-for-binary xcat
xcat.src: W: spelling-error %description -l en_US filesystem -> file system, file-system, systemically
2 packages and 0 specfiles checked; 0 errors, 3 warnings.

+ Source verified with upstream as (sha256sum)
upstream tarball: 7c55be7ef20a91c69715ec64ce288ac9c893c2a3107e86dd405fdeaa690f6dca
srpm tarball : 7c55be7ef20a91c69715ec64ce288ac9c893c2a3107e86dd405fdeaa690f6dca

+ License "MIT" is valid and included in LICENSE file.


Suggestions:
1) macro srcname is not defined in spec file. Please add it.

2) this package should be named as python3-xcat
Comment 2 Fabian Affolter 2014-10-07 17:08:33 EDT
(In reply to Parag AN(पराग) from comment #1)
> 2) this package should be named as python3-xcat

I disagree. xcat is a tool which is written in python and not a python module.
Comment 3 Parag AN(पराग) 2014-10-08 02:14:43 EDT
Sorry, I got it wrong before. You are right, this is a tool actually.


APPROVED.
Comment 4 Fabian Affolter 2014-10-08 02:25:12 EDT
Thanks for the review.
Comment 5 Fabian Affolter 2014-10-08 02:26:22 EDT
New Package SCM Request
=======================
Package Name: xcat
Short Description: A command line tool to explore blind XPath injection vulnerabilities
Upstream URL: https://github.com/orf/xcat
Owners: fab 
Branches: f20 f21 epel7
InitialCC:
Comment 6 Gwyn Ciesla 2014-10-08 06:15:03 EDT
Git done (by process-git-requests).
Comment 7 Fedora Update System 2014-10-08 09:35:48 EDT
xcat-0.7.1-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/xcat-0.7.1-1.fc21
Comment 8 Fedora Update System 2014-10-08 09:45:48 EDT
xcat-0.7.1-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/xcat-0.7.1-1.fc20
Comment 9 Fedora Update System 2014-10-10 12:06:21 EDT
xcat-0.7.1-1.fc20 has been pushed to the Fedora 20 testing repository.
Comment 10 Johnny Robeson 2014-10-20 00:19:32 EDT
Shouldn't this package depend on python 3.4 or a python3-asyncio asyncio package?

I don't see how it would work out of the box on a Fedora 20 install.
Comment 11 Johnny Robeson 2014-10-20 00:20:30 EDT
Sorry. I commented on the wrong package. :(
Comment 12 Fedora Update System 2014-11-13 13:17:47 EST
xcat-0.7.1-1.fc20 has been pushed to the Fedora 20 stable repository.
Comment 13 Fedora Update System 2014-11-13 13:20:09 EST
xcat-0.7.1-1.fc21 has been pushed to the Fedora 21 stable repository.