Merge 66b4102 into 4a549ac

package/yast2-registration.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Oct 11 14:55:15 UTC 2018 - lslezak@suse.cz
+
+- CRLF control characters cannot be included in the registration
+  code, added validation check (bsc#1111419)
+- 3.2.17
+
 -------------------------------------------------------------------
 Fri Aug 31 10:12:16 UTC 2018 - lslezak@suse.cz
 

package/yast2-registration.spec

@@ -17,7 +17,7 @@
 
 
 Name:           yast2-registration
-Version:        3.2.16
+Version:        3.2.17
 Release:        0
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

src/lib/registration/ui/base_system_registration_dialog.rb

@@ -539,6 +539,19 @@ def validate_register_local
         end
       end
 
+      def validate_register_scc
+        reg_code = Yast::UI.QueryWidget(:reg_code, :Value)
+
+        # no CR or LF control characters, they cannot be used in HTTP header fields
+        if reg_code.include?("\n") || reg_code.include?("\r")
+          # TRANSLATORS: error message, the entered registration code is not valid.
+          Yast::Report.Error(_("Invalid registration code.\nCRLF characters are not allowed."))
+          false
+        else
+          true
+        end
+      end
+
       VALID_CUSTOM_URL_SCHEMES = ["http", "https"].freeze
 
       # Determine whether an URL is valid and suitable to be used as local SMT server

test/base_system_registration_dialog_test.rb

@@ -49,7 +49,7 @@
           expect(Yast::UI).to receive(:QueryWidget).with(:email, :Value)
             .and_return(email)
           expect(Yast::UI).to receive(:QueryWidget).with(:reg_code, :Value)
-            .and_return(reg_code)
+            .and_return(reg_code).twice
           expect(Yast::UI).to receive(:UserInput).and_return(:next)
 
           options = Registration::Storage::InstallationOptions.instance
@@ -72,7 +72,7 @@
         it "does not register the system" do
           expect(Yast::UI).to receive(:QueryWidget).with(:email, :Value)
             .and_return(email)
-          expect(Yast::UI).to receive(:QueryWidget).with(:reg_code, :Value)
+          allow(Yast::UI).to receive(:QueryWidget).with(:reg_code, :Value)
             .and_return(reg_code)
           expect(Yast::UI).to receive(:UserInput).and_return(:next, :abort)
           expect(Registration::UI::AbortConfirmation).to receive(:run).and_return(true)
@@ -90,6 +90,22 @@
         end
       end
 
+      context "when user enters an invalid regcode" do
+        # include CRLF characters which are not allowed
+        let(:reg_code) { "\nmy-reg-code\r" }
+        it "displays error popup and does not register the system" do
+          allow(Yast::UI).to receive(:QueryWidget).with(:reg_code, :Value)
+            .and_return(reg_code)
+          allow(Yast::UI).to receive(:UserInput).and_return(:next, :abort)
+          allow(Registration::UI::AbortConfirmation).to receive(:run).and_return(true)
+
+          expect(Yast::Report).to receive(:Error).with(/Invalid registration code/)
+          expect(registration_ui).to_not receive(:register_system_and_base_product)
+
+          subject.run
+        end
+      end
+
       context "when user sets a registration URL through regurl= parameter" do
         let(:regurl) { "https://example.suse.net" }
 
@@ -100,7 +116,7 @@
         it "uses the given URL to register the system" do
           expect(Yast::UI).to receive(:QueryWidget).with(:email, :Value)
             .and_return(email)
-          expect(Yast::UI).to receive(:QueryWidget).with(:reg_code, :Value)
+          allow(Yast::UI).to receive(:QueryWidget).with(:reg_code, :Value)
             .and_return(reg_code)
           expect(Yast::UI).to receive(:UserInput).and_return(:next)