[0/2] fetch2/wget: limit auth headers on checkstatus redirects

Message ID 20260610074013.558709-1-anders.heimer@est.tech

Message

Anders Heimer June 10, 2026, 7:40 a.m. UTC
FixedHTTPRedirectHandler currently copies request headers when following
redirects. The first patch drops Authorization and Cookie when the
redirect target has a different origin.

The second patch adds local HTTP server tests covering both same-origin
and different-origin redirects.

Anders Heimer (2):
  fetch2/wget: limit auth on checkstatus redirects
  tests/fetch: cover checkstatus redirect auth handling

 lib/bb/fetch2/wget.py | 27 +++++++++++++++++--
 lib/bb/tests/fetch.py | 62 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+), 2 deletions(-)
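The behaviour the series addresses, as an added illustration rather than bitbake's code or the patch itself: a urllib redirect handler that lets the stock handler copy request headers onto the follow-up request, then drops Authorization and Cookie when the redirect target is not the same origin (scheme, host, port) as the original request. OriginAwareRedirectHandler, origin(), headers_after_redirect() and the sample URLs and header values are my own names and constructed values, standing in for the page's FixedHTTPRedirectHandler.

```python
import urllib.request
from urllib.parse import urlsplit

# Credential-bearing headers that must not follow a redirect to another origin.
SENSITIVE_HEADERS = {"authorization", "cookie"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def filter_redirect_headers(headers, from_url, to_url):
    """Headers to carry across a redirect: all of them for a same-origin hop,
    all but the credential headers for a cross-origin one."""
    if same_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


class OriginAwareRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Hypothetical stand-in for FixedHTTPRedirectHandler: let the stock handler
    build the follow-up request (it copies the original headers), then drop the
    credentials if the redirect target is a different origin."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
        kept = filter_redirect_headers(new_req.headers, req.full_url, newurl)
        for name in list(new_req.headers):
            new_req.remove_header(name)
        for name, value in kept.items():
            new_req.add_header(name, value)
        return new_req


def headers_after_redirect(from_url, to_url, headers, code=302):
    """Constructed scenario: the header set the redirected request would carry."""
    req = urllib.request.Request(from_url, headers=headers)
    new_req = OriginAwareRedirectHandler().redirect_request(
        req, None, code, "Found", {}, to_url)
    return dict(new_req.headers)
```

Installing the handler with urllib.request.build_opener() makes the rule apply to every redirect the opener follows; the stock HTTPRedirectHandler forwards the full header set regardless of origin.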

Comments

Alexander Kanavin June 10, 2026, 7:54 a.m. UTC | #1
Unusually, this was rapidly merged to master almost immediately after
the patches were posted. Is this a sensitive security issue, or what
is the rationale?

Alex


On Wed, 10 Jun 2026 at 09:40, Anders Heimer via lists.openembedded.org
<anders.heimer=est.tech@lists.openembedded.org> wrote:
>
> FixedHTTPRedirectHandler currently copies request headers when following
> redirects. The first patch drops Authorization and Cookie when the
> redirect target has a different origin.
>
> The second patch adds local HTTP server tests covering both same-origin
> and different-origin redirects.
>
> Anders Heimer (2):
>   fetch2/wget: limit auth on checkstatus redirects
>   tests/fetch: cover checkstatus redirect auth handling
>
>  lib/bb/fetch2/wget.py | 27 +++++++++++++++++--
>  lib/bb/tests/fetch.py | 62 +++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 87 insertions(+), 2 deletions(-)
>
Richard Purdie June 10, 2026, 2:11 p.m. UTC | #2
On Wed, 2026-06-10 at 09:54 +0200, Alexander Kanavin via
lists.openembedded.org wrote:
> Unusually, this was rapidly merged to master almost immediately after
> the patches were posted. Is this a sensitive security issue, or what
> is the rationale?

I did actually mean to merge it to master-next, test, then merge to
master in a bit but there is a security issue in there unfortunately
:(.

Basically we could leak auth headers to the wrong servers.

Cheers,

Richard