Commits on Source (2)
......@@ -5,6 +5,8 @@ debian-edu-config (2.11.11) UNRELEASED; urgency=medium
* debian/control: Reference Debian Edu in binary package description
* Follow-up for CVE-2019-3467:
- Add NEWS to warn administrators with possible local changes.
* Keep proxy settings on client if wpad is unreachable (Closes: #941001)
- Remove use of eval `...` while at it to minimise security risks
[ Holger Levsen ]
* Close #936375 in 2.11.7 changelog entry.
......
......@@ -83,7 +83,7 @@ fi
# proxy.
http_proxy=
eval `/usr/share/debian-edu-config/tools/wpad-extract`
. /usr/share/debian-edu-config/tools/wpad-extract >/dev/null || exit 1
ftp_proxy=$http_proxy
https_proxy=$http_proxy
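Review bot: The new `. /usr/share/debian-edu-config/tools/wpad-extract >/dev/null || exit 1` line carries no comment explaining why the helper is sourced instead of evaluated, and that reason is a security one a later maintainer could undo. I would add above it `# Source, do not eval: the proxy value comes from the network-supplied wpad.dat and must never be re-parsed as shell code.` Sourcing also runs the helper in this script's own shell, so every variable it sets (it appears to set `proxy_url` as well as `http_proxy`) ends up in this script's namespace; that is worth stating in the same comment. The surrounding code starts and ends outside the hunk.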
......
#!/bin/bash
#!/bin/sh
#
# Detect proxy URL via WPAD
#
......@@ -11,5 +11,10 @@
# DNS if the skolelinux machines are not connected to the Internet.
proxy_url=$(curl -s http://wpad/wpad.dat | pactester -p - \
-u http://130.89.148.14 | awk '{print $2}' | cut -d';' -f1)
echo http_proxy=http://$proxy_url
if [ "$proxy_url" ]; then
http_proxy=http://$proxy_url
echo http_proxy=$http_proxy
else
return 1
fi
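Review bot: `proxy_url` comes from an unauthenticated `http://wpad/wpad.dat` reply and is used without any shape check; the added `if [ "$proxy_url" ]` rejects only an empty value. I would accept nothing but a host:port form before assigning, for example `case "$proxy_url" in *[!A-Za-z0-9.:-]*) return 1 ;; esac` (widen the class if bracketed IPv6 literals are expected), and quote the output as `echo "http_proxy=$http_proxy"` so the value is not word-split or globbed. `return 1` is only well defined when the file is sourced, and POSIX leaves `return` outside a function or dot script unspecified. Because the shebang is kept, a header comment such as `# Source this file, do not execute it` would document the new calling convention.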
......@@ -69,7 +69,7 @@ if HEAD $HEADOPTS $url > /dev/null 2>&1 ; then
# Subshell to avoid leaking http_proxy and ftp_proxy variables to
# the rest of this script
(
eval `/usr/share/debian-edu-config/tools/wpad-extract`
. /usr/share/debian-edu-config/tools/wpad-extract >/dev/null
if [ "$http_proxy" ] ; then
echo "success: $0: WPAD file '$url' includes HTTP proxy info."
else
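Review bot: The return status of the sourced `wpad-extract` is ignored in this subshell, so the following `[ "$http_proxy" ]` test can pass on a value inherited from the environment, because the helper now leaves `http_proxy` untouched when WPAD yields nothing. The other caller changed in this commit clears the variable with `http_proxy=` first and checks the status with `|| exit 1`. I would do both here: put `http_proxy=` before the source line and write the test as `if . /usr/share/debian-edu-config/tools/wpad-extract >/dev/null && [ "$http_proxy" ] ; then`. Whether the variable is already cleared earlier cannot be seen, since the enclosing `if HEAD` block starts outside the hunk and the `else` branch continues past it.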
......