
Fixed download from edelivery.oracle.com, closes #13. Fixed rebuilding behaviour. Fixed apt sources format.
1 parent abf7a17 commit 79204ba163d12e1eb277598aefdf890efc7e8203 @flexiondotorg committed Apr 17, 2012
Showing with 21 additions and 6 deletions.
  1. +6 −2 CHANGES
  2. +13 −2 README.rst
  3. +2 −2 oab-java6.sh
@@ -5,8 +5,12 @@ History
0.2.0
-----
-* Corrected the skip rebuilding behaviour so it works as described.
-* Corrected the format of ``apt`` source file.
+* Fixed downloading from ``edelivery.oracle.com`` when ``ca-certificates`` is not installed.
+
+ * Closes : https://github.com/flexiondotorg/oab-java6/issues/22
+
+* Fixed the skip rebuilding behaviour so it works as described.
+* Fixed the format of ``apt`` source file.
* Documentation is now self referencing.
0.1.9
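Review bot: The issue reference in the added "Closes" line does not match the commit message: the entry links to issues/22 while the commit message says "closes #13". Confirm which issue this download fix actually resolves and make the two agree, otherwise the changelog points readers at the wrong report.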
@@ -26,7 +26,7 @@ Like this.
::
cd ~/
- wget https://raw.github.com/flexiondotorg/oab-java6/master/oab-java6.sh -O oab-java6.sh
+ wget https://github.com/flexiondotorg/oab-java6/raw/0.1.9/oab-java6.sh -O oab-java6.sh
chmod +x oab-java6.sh
sudo ./oab-java6.sh
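Review bot: The added wget line pins the install instructions to the 0.1.9 tag, while this same commit adds a 0.2.0 section to History, so anyone following the README fetches a script that predates the fixes listed under 0.2.0. Point the URL at the tag that will carry this release, or add a sentence explaining why 0.1.9 is intended. Since the next steps are chmod +x and sudo, a fixed tag is a better choice than master, but it should be the right one.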
@@ -97,6 +97,17 @@ Because, O.A.B! ;-)
History
=======
+0.2.0
+-----
+
+* Fixed downloading from ``edelivery.oracle.com`` when ``ca-certificates`` is not installed.
+
+ * Closes : https://github.com/flexiondotorg/oab-java6/issues/22
+
+* Fixed the skip rebuilding behaviour so it works as described.
+* Fixed the format of ``apt`` source file.
+* Documentation is now self referencing.
+
0.1.9
-----
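Review bot: The added 0.2.0 entry describes the symptom ("when ca-certificates is not installed") but not the behaviour change that fixes it: the oab-java6.sh hunk in this commit adds --no-check-certificate to the download. Say in the History entry that certificate verification is now skipped for the edelivery.oracle.com download, so users can judge the trade-off. The same four bullets are also added verbatim to CHANGES; keeping the list in one file and referencing it from the other would stop the two copies drifting.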
@@ -105,7 +116,7 @@ History
* Closes : https://github.com/flexiondotorg/oab-java6/issues/18
* Added an option (-s) to skip rebuilding if packages already exist, tanks to Derek Chen-Becker.
-* Added a comment to the apt source file, thanks to Eshwar Andhavarapu.
+* Added a comment to the ``apt`` source file, thanks to Eshwar Andhavarapu.
* Added documentation for user running the script behind a proxy server, thanks to Olzhas.
* Closes : https://github.com/flexiondotorg/oab-java6/issues/12
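Review bot: Style point on the unchanged line just above the edit: "tanks to Derek Chen-Becker" should read "thanks". Since this hunk is already tidying the neighbouring bullet (adding the ``apt`` markup), fix the typo in the same change.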
@@ -296,7 +296,7 @@ do
COOKIES="oraclelicensejdk-${JAVA_VER}u${JAVA_UPD}-oth-JPR=accept-securebackup-cookie;gpw_e24=http://edelivery.oracle.com"
ncecho " [x] Downloading ${JAVA_BIN} : ${DOWNLOAD_SIZE} "
- wget --header="Cookie: ${COOKIES}" -c "${DOWNLOAD_URL}" -O /var/local/oab/pkg/${JAVA_BIN} >> "$log" 2>&1 &
+ wget --no-check-certificate --header="Cookie: ${COOKIES}" -c "${DOWNLOAD_URL}" -O /var/local/oab/pkg/${JAVA_BIN} >> "$log" 2>&1 &
@mikkorantalainen
mikkorantalainen Apr 20, 2012

Is the flag '--no-check-certificate' really needed? It causes a possible attack vector because if somebody is able to modify DNS requests, he can pass any (e.g. self-signed) signature for his own machine and this script will then happily build the file provided by an attacker. Granted, this is not an easy attack to execute because one needs to push the "wrong" file at the moment this script is executed, but SSL certificates do exist for a reason.

Perhaps this script should first try without this flag and, if that fails, prompt the user if he wants to retry without checking the signature? The prompt should explain that this may allow a MitM attack.

pid=$!;progress_loop $pid
ncecho " [x] Symlinking ${JAVA_BIN} "
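Review bot: The --no-check-certificate flag on the added wget line turns off TLS verification unconditionally for the one file this script goes on to package, and nothing in the visible lines checks ${JAVA_BIN} after the download. The changelog entry says the failure only occurs when ca-certificates is not installed, so the narrower fix is to install or require that package before this step and leave verification on; if an override is still wanted, make it an explicit opt-in option that is off by default and logs that verification was skipped. Separately, the -O argument is unquoted: write "/var/local/oab/pkg/${JAVA_BIN}" so the path survives word splitting.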
@@ -447,4 +447,4 @@ echo "# Sun Java6 - https://github.com/flexiondotorg/oab-java6" > /etc/apt/sour
echo "deb file:///var/local/oab/deb /" >> /etc/apt/sources.list.d/oab.list
apt_update
-echo "All done!"
+echo "All done!"
