diff options
| author | Ross Burton <ross@burtonini.com> | 2021-08-10 17:55:09 +0100 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-08-12 06:28:01 +0100 |
| commit | 1e2e9a84d6dd81d7f6dd69c0d119d0149d10ade1 (patch) | |
| tree | 945ca184ae0cb982e89737f755baae1eedb7f50b /bitbake/lib/bb/fetch2 | |
| parent | ad507bd5c4e950f446b996a788b2c91bef78b0d6 (diff) | |
| download | poky-1e2e9a84d6dd81d7f6dd69c0d119d0149d10ade1.tar.gz | |
bitbake: fetch2/wget: fetch securely by default
The days of broken certificates are behind us now, so instead of always
passing --no-check-certificate to wget, don't pass it by default and
instead only pass it BB_CHECK_SSL_CERTS = "0".
[ YOCTO #14108 ]
(Bitbake rev: 4104850dd36096a9ff01836c5fca9ac0e452bcf8)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'bitbake/lib/bb/fetch2')
| -rw-r--r-- | bitbake/lib/bb/fetch2/wget.py | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/bitbake/lib/bb/fetch2/wget.py b/bitbake/lib/bb/fetch2/wget.py index 988ea74d26..29fcfbb3d1 100644 --- a/bitbake/lib/bb/fetch2/wget.py +++ b/bitbake/lib/bb/fetch2/wget.py | |||
| @@ -52,13 +52,19 @@ class WgetProgressHandler(bb.progress.LineFilterProgressHandler): | |||
| 52 | 52 | ||
| 53 | 53 | ||
| 54 | class Wget(FetchMethod): | 54 | class Wget(FetchMethod): |
| 55 | """Class to fetch urls via 'wget'""" | ||
| 55 | 56 | ||
| 56 | # CDNs like CloudFlare may do a 'browser integrity test' which can fail | 57 | # CDNs like CloudFlare may do a 'browser integrity test' which can fail |
| 57 | # with the standard wget/urllib User-Agent, so pretend to be a modern | 58 | # with the standard wget/urllib User-Agent, so pretend to be a modern |
| 58 | # browser. | 59 | # browser. |
| 59 | user_agent = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0" | 60 | user_agent = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0" |
| 60 | 61 | ||
| 61 | """Class to fetch urls via 'wget'""" | 62 | def check_certs(self, d): |
| 63 | """ | ||
| 64 | Should certificates be checked? | ||
| 65 | """ | ||
| 66 | return (d.getVar("BB_CHECK_SSL_CERTS") or "1") != "0" | ||
| 67 | |||
| 62 | def supports(self, ud, d): | 68 | def supports(self, ud, d): |
| 63 | """ | 69 | """ |
| 64 | Check to see if a given url can be fetched with wget. | 70 | Check to see if a given url can be fetched with wget. |
| @@ -82,7 +88,10 @@ class Wget(FetchMethod): | |||
| 82 | if not ud.localfile: | 88 | if not ud.localfile: |
| 83 | ud.localfile = d.expand(urllib.parse.unquote(ud.host + ud.path).replace("/", ".")) | 89 | ud.localfile = d.expand(urllib.parse.unquote(ud.host + ud.path).replace("/", ".")) |
| 84 | 90 | ||
| 85 | self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp --no-check-certificate" | 91 | self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp" |
| 92 | |||
| 93 | if not self.check_certs(d): | ||
| 94 | self.basecmd += " --no-check-certificate" | ||
| 86 | 95 | ||
| 87 | def _runwget(self, ud, d, command, quiet, workdir=None): | 96 | def _runwget(self, ud, d, command, quiet, workdir=None): |
| 88 | 97 | ||
| @@ -309,7 +318,11 @@ class Wget(FetchMethod): | |||
| 309 | with bb.utils.environment(**newenv): | 318 | with bb.utils.environment(**newenv): |
| 310 | import ssl | 319 | import ssl |
| 311 | 320 | ||
| 312 | context = ssl._create_unverified_context() | 321 | if self.check_certs(d): |
| 322 | context = ssl.create_default_context() | ||
| 323 | else: | ||
| 324 | context = ssl._create_unverified_context() | ||
| 325 | |||
| 313 | handlers = [FixedHTTPRedirectHandler, | 326 | handlers = [FixedHTTPRedirectHandler, |
| 314 | HTTPMethodFallback, | 327 | HTTPMethodFallback, |
| 315 | urllib.request.ProxyHandler(), | 328 | urllib.request.ProxyHandler(), |