$OpenBSD: patch-Nagstamon_Server_Generic_py,v 1.1 2013/07/08 09:10:38 ajacoutot Exp $

Fix a security issue in the update-checking mechanism (upstream).

--- Nagstamon/Server/Generic.py.orig	Tue Feb 14 11:21:14 2012
+++ Nagstamon/Server/Generic.py	Mon Jul  8 11:06:29 2013
@@ -946,7 +946,7 @@ class GenericServer(object):
         return Result()
     
     
-    def FetchURL(self, url, giveback="obj", cgi_data=None):   
+    def FetchURL(self, url, giveback="obj", cgi_data=None, no_auth=False):
         """
         get content of given url, cgi_data only used if present
         "obj" FetchURL gives back a dict full of miserable hosts/services,
@@ -957,14 +957,21 @@ class GenericServer(object):
         """        
         
         # run this method which checks itself if there is some action to take for initializing connection
-        self.init_HTTP()
+        # if no_auth is true do not use Auth headers, used by Actions.CheckForNewVersion()
+        if no_auth == False:
+            self.init_HTTP()
+            # to avoid race condition and credentials leak use local HTTPheaders
+            HTTPheaders = self.HTTPheaders
+        else:
+            HTTPheaders = dict()
+            HTTPheaders["raw"] = HTTPheaders["obj"] = HTTPheaders["obj"] =  dict()
 
         try:
             try:
                 # debug
                 if str(self.conf.debug_mode) == "True":
                     self.Debug(server=self.get_name(), debug="FetchURL: " + url + " CGI Data: " + str(cgi_data))
-                request = urllib2.Request(url, cgi_data, self.HTTPheaders[giveback])
+                request = urllib2.Request(url, cgi_data, HTTPheaders[giveback])
                 # use opener - if cgi_data is not empty urllib uses a POST request
                 urlcontent = self.urlopener.open(request)
                 del url, cgi_data, request                               
