authorJustin Bronder <jsbronder@cold-front.org>2021-12-06 16:24:37 -0500
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-12-08 20:22:53 +0000
commitacd77c3ac9f5272908cbeb96426c2f80fa75a48f (patch)
tree03c5d50359577a7f5213b4b59ba9191e198a80d1
parent35f134529097e9b1d1fa28613f6e19b047836e1f (diff)
downloadpoky-acd77c3ac9f5272908cbeb96426c2f80fa75a48f.tar.gz
bitbake: fetch2/wget: add redirectauth parameter
Add a parameter that limits sending Basic authentication in the Authorization header to only the first host and not any that we're redirected to. Ignoring potential security concerns, temporary AWS URLs will reject any request that includes authentication details in both the query parameters (from the redirect) and in the Authorization header. Temporary AWS URLs are now being used for release assets from private Github repositories. According to the previous discussion linked below, they're also in use by bitbucket. See also: https://lore.kernel.org/bitbake-devel/CAC9ffDEuZL-k8199bUyN+8frjw6bg-g=vrumxxtvt+RVParQ8Q@mail.gmail.com/ (Bitbake rev: a6ab32013a4381a1b694ed46caf2c9da932644d0) Signed-off-by: Justin Bronder <jsbronder@cold-front.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst5
-rw-r--r--bitbake/lib/bb/fetch2/wget.py12
2 files changed, 16 insertions, 1 deletions
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
index 51ab233adc..0fc2d5e699 100644
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
+++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
@@ -229,6 +229,11 @@ downloaded file is useful for avoiding collisions in
229:term:`DL_DIR` when dealing with multiple files that 229:term:`DL_DIR` when dealing with multiple files that
230have the same name. 230have the same name.
231 231
232If a username and password are specified in the ``SRC_URI``, a Basic
233Authorization header will be added to each request, including across redirects.
234To instead limit the Authorization header to the first request, add
235"redirectauth=0" to the list of parameters.
236
232Some example URLs are as follows:: 237Some example URLs are as follows::
233 238
234 SRC_URI = "http://oe.handhelds.org/not_there.aac" 239 SRC_URI = "http://oe.handhelds.org/not_there.aac"
diff --git a/bitbake/lib/bb/fetch2/wget.py b/bitbake/lib/bb/fetch2/wget.py
index fd9b304961..d48998a98f 100644
--- a/bitbake/lib/bb/fetch2/wget.py
+++ b/bitbake/lib/bb/fetch2/wget.py
@@ -112,7 +112,17 @@ class Wget(FetchMethod):
112 fetchcmd += " -O %s" % shlex.quote(localpath) 112 fetchcmd += " -O %s" % shlex.quote(localpath)
113 113
114 if ud.user and ud.pswd: 114 if ud.user and ud.pswd:
115 fetchcmd += " --user=%s --password=%s --auth-no-challenge" % (ud.user, ud.pswd) 115 fetchcmd += " --auth-no-challenge"
116 if ud.parm.get("redirectauth", "1") == "1":
117 # An undocumented feature of wget is that if the
118 # username/password are specified on the URI, wget will only
119 # send the Authorization header to the first host and not to
120 # any hosts that it is redirected to. With the increasing
121 # usage of temporary AWS URLs, this difference now matters as
122 # AWS will reject any request that has authentication both in
123 # the query parameters (from the redirect) and in the
124 # Authorization header.
125 fetchcmd += " --user=%s --password=%s" % (ud.user, ud.pswd)
116 126
117 uri = ud.url.split(";")[0] 127 uri = ud.url.split(";")[0]
118 if os.path.exists(ud.localpath): 128 if os.path.exists(ud.localpath):
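Review bot: The re-added `--user=%s --password=%s` line (new line 125) interpolates ud.user and ud.pswd into the command string unquoted, while localpath on line 112 goes through shlex.quote; since the fetch command is evidently run through a shell, a password containing a space, `$`, `;` or a quote would break the command or be interpreted by the shell rather than passed to wget. Quote both values: `fetchcmd += " --user=%s --password=%s" % (shlex.quote(ud.user), shlex.quote(ud.pswd))`. The `== "1"` test on line 116 also treats any other spelling (`redirectauth=true`, `yes`) as disabling authentication on redirects rather than as an error; either state in the comment that only "0" and "1" are recognised, or reject unknown values. With either setting the password is still passed as a command-line argument, where it is visible to other local processes and in any logging of fetchcmd — that predates this change. The enclosing method begins before this hunk.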