bitbake-devel.lists.openembedded.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] fetch2/wget: fetch securely by default
@ 2021-06-28 16:04 Ross Burton
  2021-06-28 16:51 ` [bitbake-devel] " Quentin Schulz
  0 siblings, 1 reply; 2+ messages in thread
From: Ross Burton @ 2021-06-28 16:04 UTC (permalink / raw)
  To: bitbake-devel

The days of broken certificates are behind us now, so instead of always
passing --no-check-certificate to wget, don't pass it by default and
instead only pass it if the SRC_URI has insecure=1 set.

[ YOCTO #14108 ]

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 bitbake/lib/bb/fetch2/wget.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/bitbake/lib/bb/fetch2/wget.py b/bitbake/lib/bb/fetch2/wget.py
index 784df70c9f6..1088b8e9649 100644
--- a/bitbake/lib/bb/fetch2/wget.py
+++ b/bitbake/lib/bb/fetch2/wget.py
@@ -82,7 +82,10 @@ class Wget(FetchMethod):
         if not ud.localfile:
             ud.localfile = d.expand(urllib.parse.unquote(ud.host + ud.path).replace("/", "."))
 
-        self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp --no-check-certificate"
+        self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp"
+
+        if ud.parm.get('insecure', '0') == '1':
+            self.basecmd += " --no-check-certificate"
 
     def _runwget(self, ud, d, command, quiet, workdir=None):
 
@@ -288,12 +291,14 @@ class Wget(FetchMethod):
         if exported_proxies:
             handlers.append(urllib.request.ProxyHandler())
         handlers.append(CacheHTTPHandler())
+
         # Since Python 2.7.9 ssl cert validation is enabled by default
         # see PEP-0476, this causes verification errors on some https servers
         # so disable by default.
         import ssl
-        if hasattr(ssl, '_create_unverified_context'):
+        if ud.parm.get('insecure', '0') == '1' and hasattr(ssl, '_create_unverified_context'):
             handlers.append(urllib.request.HTTPSHandler(context=ssl._create_unverified_context()))
+
         opener = urllib.request.build_opener(*handlers)
 
         try:
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [bitbake-devel] [PATCH] fetch2/wget: fetch securely by default
  2021-06-28 16:04 [PATCH] fetch2/wget: fetch securely by default Ross Burton
@ 2021-06-28 16:51 ` Quentin Schulz
  0 siblings, 0 replies; 2+ messages in thread
From: Quentin Schulz @ 2021-06-28 16:51 UTC (permalink / raw)
  To: bitbake-devel, Ross Burton

Hi Ross,

On June 28, 2021 4:04:58 PM UTC, Ross Burton <ross@burtonini.com> wrote:
>The days of broken certificates are behind us now, so instead of always
>passing --no-check-certificate to wget, don't pass it by default and
>instead only pass it if the SRC_URI has insecure=1 set.
>

Please also send a patch to the documentation of the wget fetcher.

Cheers,
Quentin

>[ YOCTO #14108 ]
>
>Signed-off-by: Ross Burton <ross.burton@arm.com>
>---
> bitbake/lib/bb/fetch2/wget.py | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
>diff --git a/bitbake/lib/bb/fetch2/wget.py b/bitbake/lib/bb/fetch2/wget.py
>index 784df70c9f6..1088b8e9649 100644
>--- a/bitbake/lib/bb/fetch2/wget.py
>+++ b/bitbake/lib/bb/fetch2/wget.py
>@@ -82,7 +82,10 @@ class Wget(FetchMethod):
>         if not ud.localfile:
>             ud.localfile = d.expand(urllib.parse.unquote(ud.host + ud.path).replace("/", "."))
> 
>-        self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp --no-check-certificate"
>+        self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp"
>+
>+        if ud.parm.get('insecure', '0') == '1':
>+            self.basecmd += " --no-check-certificate"
> 
>     def _runwget(self, ud, d, command, quiet, workdir=None):
> 
>@@ -288,12 +291,14 @@ class Wget(FetchMethod):
>         if exported_proxies:
>             handlers.append(urllib.request.ProxyHandler())
>         handlers.append(CacheHTTPHandler())
>+
>         # Since Python 2.7.9 ssl cert validation is enabled by default
>         # see PEP-0476, this causes verification errors on some https servers
>         # so disable by default.
>         import ssl
>-        if hasattr(ssl, '_create_unverified_context'):
>+        if ud.parm.get('insecure', '0') == '1' and hasattr(ssl, '_create_unverified_context'):
>             handlers.append(urllib.request.HTTPSHandler(context=ssl._create_unverified_context()))
>+
>         opener = urllib.request.build_opener(*handlers)
> 
>         try:
>-- 
>2.25.1
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-06-28 16:51 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-28 16:04 [PATCH] fetch2/wget: fetch securely by default Ross Burton
2021-06-28 16:51 ` [bitbake-devel] " Quentin Schulz

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).