summaryrefslogtreecommitdiffstats
path: root/bitbake/lib
diff options
context:
space:
mode:
authorRoss Burton <ross@burtonini.com>2021-08-10 17:55:09 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-08-12 06:28:01 +0100
commit1e2e9a84d6dd81d7f6dd69c0d119d0149d10ade1 (patch)
tree945ca184ae0cb982e89737f755baae1eedb7f50b /bitbake/lib
parentad507bd5c4e950f446b996a788b2c91bef78b0d6 (diff)
downloadpoky-1e2e9a84d6dd81d7f6dd69c0d119d0149d10ade1.tar.gz
bitbake: fetch2/wget: fetch securely by default
The days of broken certificates are behind us now, so instead of always passing --no-check-certificate to wget, don't pass it by default and instead only pass it BB_CHECK_SSL_CERTS = "0". [ YOCTO #14108 ] (Bitbake rev: 4104850dd36096a9ff01836c5fca9ac0e452bcf8) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'bitbake/lib')
-rw-r--r--bitbake/lib/bb/fetch2/wget.py19
1 files changed, 16 insertions, 3 deletions
diff --git a/bitbake/lib/bb/fetch2/wget.py b/bitbake/lib/bb/fetch2/wget.py
index 988ea74d26..29fcfbb3d1 100644
--- a/bitbake/lib/bb/fetch2/wget.py
+++ b/bitbake/lib/bb/fetch2/wget.py
@@ -52,13 +52,19 @@ class WgetProgressHandler(bb.progress.LineFilterProgressHandler):
52 52
53 53
54class Wget(FetchMethod): 54class Wget(FetchMethod):
55 """Class to fetch urls via 'wget'"""
55 56
56 # CDNs like CloudFlare may do a 'browser integrity test' which can fail 57 # CDNs like CloudFlare may do a 'browser integrity test' which can fail
57 # with the standard wget/urllib User-Agent, so pretend to be a modern 58 # with the standard wget/urllib User-Agent, so pretend to be a modern
58 # browser. 59 # browser.
59 user_agent = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0" 60 user_agent = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"
60 61
61 """Class to fetch urls via 'wget'""" 62 def check_certs(self, d):
63 """
64 Should certificates be checked?
65 """
66 return (d.getVar("BB_CHECK_SSL_CERTS") or "1") != "0"
67
62 def supports(self, ud, d): 68 def supports(self, ud, d):
63 """ 69 """
64 Check to see if a given url can be fetched with wget. 70 Check to see if a given url can be fetched with wget.
@@ -82,7 +88,10 @@ class Wget(FetchMethod):
82 if not ud.localfile: 88 if not ud.localfile:
83 ud.localfile = d.expand(urllib.parse.unquote(ud.host + ud.path).replace("/", ".")) 89 ud.localfile = d.expand(urllib.parse.unquote(ud.host + ud.path).replace("/", "."))
84 90
85 self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp --no-check-certificate" 91 self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp"
92
93 if not self.check_certs(d):
94 self.basecmd += " --no-check-certificate"
86 95
87 def _runwget(self, ud, d, command, quiet, workdir=None): 96 def _runwget(self, ud, d, command, quiet, workdir=None):
88 97
@@ -309,7 +318,11 @@ class Wget(FetchMethod):
309 with bb.utils.environment(**newenv): 318 with bb.utils.environment(**newenv):
310 import ssl 319 import ssl
311 320
312 context = ssl._create_unverified_context() 321 if self.check_certs(d):
322 context = ssl.create_default_context()
323 else:
324 context = ssl._create_unverified_context()
325
313 handlers = [FixedHTTPRedirectHandler, 326 handlers = [FixedHTTPRedirectHandler,
314 HTTPMethodFallback, 327 HTTPMethodFallback,
315 urllib.request.ProxyHandler(), 328 urllib.request.ProxyHandler(),