
launchpad-reviewers team mailing list archive

[Merge] lp:~cjwatson/canonical-mojo-specs/snap-proxy-subversion-methods into lp:~canonical-launchpad-branches/canonical-mojo-specs/trunk

 

Colin Watson has proposed merging lp:~cjwatson/canonical-mojo-specs/snap-proxy-subversion-methods into lp:~canonical-launchpad-branches/canonical-mojo-specs/trunk.

Commit message:
Allow additional HTTP methods used by Subversion.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)
Related bugs:
  Bug #1668358 in launchpad-buildd: "Snap Builds using SVN Unable to Access Internet"
  https://bugs.launchpad.net/launchpad-buildd/+bug/1668358

For more details, see:
https://code.launchpad.net/~cjwatson/canonical-mojo-specs/snap-proxy-subversion-methods/+merge/351752
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~cjwatson/canonical-mojo-specs/snap-proxy-subversion-methods into lp:~canonical-launchpad-branches/canonical-mojo-specs/trunk.
=== modified file 'lp/mojo-lp-snap-proxy/production/deploy'
--- lp/mojo-lp-snap-proxy/production/deploy	2018-07-24 09:27:28 +0000
+++ lp/mojo-lp-snap-proxy/production/deploy	2018-07-30 10:03:37 +0000
@@ -33,7 +33,11 @@
                      # Deny requests to ports other than 80, 443, 9418
                      {"!port": [80, 443, 9418], http_access: deny},
                      # Whitelist HTTP methods
-                     {"!method": [GET, POST, CONNECT], http_access: deny},
+                     {"!method": [
+                        GET, POST, CONNECT,
+                        PROPFIND, REPORT, MERGE, MKACTIVITY, CHECKOUT,
+                        ],
+                      http_access: deny},
                      # Whitelist non-auth-requiring hosts on blacklisted
                      # networks.
                      # dstdomain is unsafe. DO NOT USE DSTDOMAIN. For
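Review bot: The entries added to the "!method" deny rule go beyond what a build's checkout needs. In Subversion's WebDAV/DeltaV protocol, PROPFIND and REPORT serve checkout and update, while MKACTIVITY, CHECKOUT and MERGE belong to the commit sequence, and OPTIONS, which Subversion clients also send, is not in the list. Worth confirming against the failing build in Bug #1668358 which methods the proxy actually rejected, then either trimming the list to the read-side methods or extending the "# Whitelist HTTP methods" comment to say the extra entries are for Subversion and why the commit-side ones are wanted.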
@@ -57,7 +61,11 @@
                      # URLs containing IP addresses, Squid will look up
                      # the PTR and match it against dstdomain rules!
                      # This is obviously completely holey.
-                     {port: [80, 443, 9418], method: [GET, POST, CONNECT],
+                     {port: [80, 443, 9418],
+                      method: [
+                        GET, POST, CONNECT,
+                        PROPFIND, REPORT, MERGE, MKACTIVITY, CHECKOUT,
+                        ],
                       # DSTDOMAIN IS FORBIDDEN.
                       dst: [
                         # launchpadlibrarian.net, a benign host outside
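Review bot: The list under "method:" on this allow rule is a hand copy of the one in the "!method" deny rule, and the patch repeats it in four rules per file. If the deploy file's format permits YAML anchors, define the list once and reference it. Otherwise add a comment on the deny rule saying the allow rules must carry the same list, so that a later edit to one does not leave the others behind.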
@@ -149,7 +157,11 @@
                      # using its mapping into IPv6, so if you blacklist
                      # ::/3 before whitelisting IPv4 you will have a bad
                      # time.
-                     {port: [80, 443, 9418], method: [GET, POST, CONNECT],
+                     {port: [80, 443, 9418],
+                      method: [
+                        GET, POST, CONNECT,
+                        PROPFIND, REPORT, MERGE, MKACTIVITY, CHECKOUT,
+                        ],
                       dst: [0.0.0.0/1, 128.0.0.1/1, "2000::/3"],
                       http_access: allow},
                      # Deny anything with any IP address that has not
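Review bot: While this rule is being touched, the unchanged "dst:" line below the new "method:" list reads 128.0.0.1/1, which has a host bit set under a /1 mask. The comment above talks about whitelisting IPv4, so 128.0.0.0/1 looks like what was meant. It is outside the scope of this change, but a follow-up correcting it in both deploy files would keep the rule unambiguous.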
@@ -158,7 +170,11 @@
                      # Allow anything leftover. The FQDN probably has no
                      # IP address, so we want to return a DNS error
                      # rather than a permission violation.
-                     {port: [80, 443, 9418], method: [GET, POST, CONNECT],
+                     {port: [80, 443, 9418],
+                      method: [
+                        GET, POST, CONNECT,
+                        PROPFIND, REPORT, MERGE, MKACTIVITY, CHECKOUT,
+                        ],
                       http_access: allow},
                      ]
                 auth_params: |

=== modified file 'lp/mojo-lp-snap-proxy/qastaging/deploy'
--- lp/mojo-lp-snap-proxy/qastaging/deploy	2018-07-24 09:27:28 +0000
+++ lp/mojo-lp-snap-proxy/qastaging/deploy	2018-07-30 10:03:37 +0000
@@ -33,7 +33,11 @@
                      # Deny requests to ports other than 80, 443, 9418
                      {"!port": [80, 443, 9418], http_access: deny},
                      # Whitelist HTTP methods
-                     {"!method": [GET, POST, CONNECT], http_access: deny},
+                     {"!method": [
+                        GET, POST, CONNECT,
+                        PROPFIND, REPORT, MERGE, MKACTIVITY, CHECKOUT,
+                        ],
+                      http_access: deny},
                      # Whitelist non-auth-requiring hosts on blacklisted
                      # networks.
                      # dstdomain is unsafe. DO NOT USE DSTDOMAIN. For
@@ -57,7 +61,11 @@
                      # URLs containing IP addresses, Squid will look up
                      # the PTR and match it against dstdomain rules!
                      # This is obviously completely holey.
-                     {port: [80, 443, 9418], method: [GET, POST, CONNECT],
+                     {port: [80, 443, 9418],
+                      method: [
+                        GET, POST, CONNECT,
+                        PROPFIND, REPORT, MERGE, MKACTIVITY, CHECKOUT,
+                        ],
                       # DSTDOMAIN IS FORBIDDEN.
                       dst: [
                         # launchpadlibrarian.net, a benign host outside
@@ -152,7 +160,11 @@
                      # using its mapping into IPv6, so if you blacklist
                      # ::/3 before whitelisting IPv4 you will have a bad
                      # time.
-                     {port: [80, 443, 9418], method: [GET, POST, CONNECT],
+                     {port: [80, 443, 9418],
+                      method: [
+                        GET, POST, CONNECT,
+                        PROPFIND, REPORT, MERGE, MKACTIVITY, CHECKOUT,
+                        ],
                       dst: [0.0.0.0/1, 128.0.0.1/1, "2000::/3"],
                       http_access: allow},
                      # Deny anything with any IP address that has not
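Review bot: The production and qastaging deploy files are edited by hand in parallel and already differ. The header here is "@@ -152,7 +160,11 @@" where production's matching hunk is "@@ -149,7 +157,11 @@", although the first two hunks start at lines 33 and 57 in both files. Since the same ACL change has to land identically in both, consider diffing the two files after applying this and, longer term, sharing the ACL block between environments.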
@@ -161,7 +173,11 @@
                      # Allow anything leftover. The FQDN probably has no
                      # IP address, so we want to return a DNS error
                      # rather than a permission violation.
-                     {port: [80, 443, 9418], method: [GET, POST, CONNECT],
+                     {port: [80, 443, 9418],
+                      method: [
+                        GET, POST, CONNECT,
+                        PROPFIND, REPORT, MERGE, MKACTIVITY, CHECKOUT,
+                        ],
                       http_access: allow},
                      ]
                 auth_params: |

