From: "Ross Burton" <ross@burtonini.com>
To: bitbake-devel@lists.openembedded.org
Subject: [PATCH v3 4/4] fetch2/wget: fetch securely by default
Date: Tue, 10 Aug 2021 17:55:09 +0100	[thread overview]
Message-ID: <20210810165509.19121-4-ross.burton@arm.com> (raw)
In-Reply-To: <20210810165509.19121-1-ross.burton@arm.com>

From: Ross Burton <ross@burtonini.com>

The days of broken certificates are behind us now, so instead of always
passing --no-check-certificate to wget, don't pass it by default and
instead only pass it if BB_CHECK_SSL_CERTS = "0".

[ YOCTO #14108 ]

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 .../bitbake-user-manual-fetching.rst          |  4 ++++
 .../bitbake-user-manual-ref-variables.rst     |  4 ++++
 bitbake/lib/bb/fetch2/wget.py                 | 19 ++++++++++++++++---
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
index 593de61f242..40b245b6d30 100644
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
+++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
@@ -144,6 +144,10 @@ download without a checksum triggers an error message. The
 make any attempted network access a fatal error, which is useful for
 checking that mirrors are complete as well as other things.
 
+If :term:`BB_CHECK_SSL_CERTS` is set to ``0`` then SSL certificate checking will
+be disabled. This variable defaults to ``1`` so SSL certificates are normally
+checked.
+
 .. _bb-the-unpack:
 
 The Unpack
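Review bot: the new paragraph in bitbake-user-manual-fetching.rst reads as if BB_CHECK_SSL_CERTS governs every fetcher, but in this series the variable is only consulted by bitbake/lib/bb/fetch2/wget.py, i.e. the wget/urllib-based HTTP(S) fetcher. Suggest stating that scope explicitly, e.g. "SSL certificate checking for the wget fetcher will be disabled", so readers do not expect the setting to affect git or other fetchers.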
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
index 6283c2654c8..2392ec42563 100644
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
+++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
@@ -93,6 +93,10 @@ overview of their function and contents.
       fetcher does not attempt to use the host listed in :term:`SRC_URI` after
       a successful fetch from the :term:`PREMIRRORS` occurs.
 
+   :term:`BB_CHECK_SSL_CERTS`
+      Specifies if SSL certificates should be checked when fetching. The default
+      value is ``1`` and certificates are not checked if the value is set to ``0``.
+
    :term:`BB_CONSOLELOG`
       Specifies the path to a log file into which BitBake's user interface
       writes output during the build.
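Review bot: the glossary entry for BB_CHECK_SSL_CERTS should say how values other than ``0`` are treated. The check added in wget.py is `(d.getVar("BB_CHECK_SSL_CERTS") or "1") != "0"`, so an unset or empty variable and any other value (for example "no" or "false") all keep checking enabled; only the exact string "0" disables it. Spelling that out here avoids users believing a "false"-style setting has turned checking off.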
diff --git a/bitbake/lib/bb/fetch2/wget.py b/bitbake/lib/bb/fetch2/wget.py
index d67f9b889cc..81c377ae6f2 100644
--- a/bitbake/lib/bb/fetch2/wget.py
+++ b/bitbake/lib/bb/fetch2/wget.py
@@ -52,13 +52,19 @@ class WgetProgressHandler(bb.progress.LineFilterProgressHandler):
 
 
 class Wget(FetchMethod):
+    """Class to fetch urls via 'wget'"""
 
     # CDNs like CloudFlare may do a 'browser integrity test' which can fail
     # with the standard wget/urllib User-Agent, so pretend to be a modern
     # browser.
     user_agent = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"
 
-    """Class to fetch urls via 'wget'"""
+    def check_certs(self, d):
+        """
+        Should certificates be checked?
+        """
+        return (d.getVar("BB_CHECK_SSL_CERTS") or "1") != "0"
+
     def supports(self, ud, d):
         """
         Check to see if a given url can be fetched with wget.
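Review bot: the docstring move is an unrelated cleanup bundled into this change. In the old layout the string sat after the `user_agent` assignment, so it was a bare expression statement rather than the class docstring; relocating it to directly under `class Wget(FetchMethod):` is correct but has nothing to do with certificate checking, so either split it into its own commit or mention it in the commit message. As a style point, `check_certs` uses nothing from `self`, so a `@staticmethod` would make that explicit.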
@@ -82,7 +88,10 @@ class Wget(FetchMethod):
         if not ud.localfile:
             ud.localfile = d.expand(urllib.parse.unquote(ud.host + ud.path).replace("/", "."))
 
-        self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp --no-check-certificate"
+        self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp"
+
+        if not self.check_certs(d):
+            self.basecmd += " --no-check-certificate"
 
     def _runwget(self, ud, d, command, quiet, workdir=None):
 
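Review bot: consider logging when verification is turned off. After this change `--no-check-certificate` is only appended when `check_certs(d)` is false, but nothing records that decision; a build log line such as `bb.warn("BB_CHECK_SSL_CERTS is 0, skipping SSL certificate verification for wget")` next to the `self.basecmd +=` line gives anyone auditing a build a visible trace. Note also that the `d.getVar("FETCHCMD_wget") or ...` fallback means a site-level FETCHCMD_wget override that still carries `--no-check-certificate` from the old default keeps bypassing verification regardless of BB_CHECK_SSL_CERTS; that is worth a sentence in the documentation hunks.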
@@ -305,7 +314,11 @@ class Wget(FetchMethod):
         with bb.utils.environment(**newenv):
             import ssl
 
-            context = ssl._create_unverified_context()
+            if self.check_certs(d):
+                context = ssl.create_default_context()
+            else:
+                context = ssl._create_unverified_context()
+
             handlers = [FixedHTTPRedirectHandler,
                         HTTPMethodFallback,
                         urllib.request.ProxyHandler(),
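Review bot: the two branches differ in more than certificate verification and a short comment above `if self.check_certs(d):` would help. `ssl.create_default_context()` enables CERT_REQUIRED and check_hostname and loads the system CA store, whereas `ssl._create_unverified_context()` is a private CPython helper (leading underscore) that was already in use before this patch. Since both the `import ssl` and the context creation run inside `bb.utils.environment(**newenv)`, the default context will honour SSL_CERT_FILE/SSL_CERT_DIR when they are part of newenv, which is the desired behaviour but not obvious from the diff.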
-- 
2.25.1

