fetch2/wget: add redirectauth parameter

Message ID 20211206212437.31332-1-jsbronder@cold-front.org
State Accepted, archived
Commit a6ab32013a4381a1b694ed46caf2c9da932644d0
Headers show
Series fetch2/wget: add redirectauth parameter | expand

Commit Message

Justin Bronder Dec. 6, 2021, 9:24 p.m. UTC
Add a parameter that limits sending Basic authentication in the
Authorization header to only the first host and not any that we're
redirected to.  Ignoring potential security concerns, temporary AWS URLs
will reject any request that includes authentication details in both the
query parameters (from the redirect) and in the Authorization header.

Temporary AWS URLs are now being used for release assets from private
Github repositories.  According to the previous discussion linked below,
they're also in use by bitbucket.

See also:

Signed-off-by: Justin Bronder <jsbronder@cold-front.org>
 .../bitbake-user-manual-fetching.rst                 |  5 +++++
 lib/bb/fetch2/wget.py                                | 12 +++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)


diff --git a/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst b/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
index 51ab233a..0fc2d5e6 100644
--- a/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
+++ b/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
@@ -229,6 +229,11 @@  downloaded file is useful for avoiding collisions in
 :term:`DL_DIR` when dealing with multiple files that
 have the same name.
+If a username and password are specified in the ``SRC_URI``, a Basic
+Authorization header will be added to each request, including across redirects.
+To instead limit the Authorization header to the first request, add
+"redirectauth=0" to the list of parameters.
 Some example URLs are as follows::
    SRC_URI = "http://oe.handhelds.org/not_there.aac"
diff --git a/lib/bb/fetch2/wget.py b/lib/bb/fetch2/wget.py
index fd9b3049..d48998a9 100644
--- a/lib/bb/fetch2/wget.py
+++ b/lib/bb/fetch2/wget.py
@@ -112,7 +112,17 @@  class Wget(FetchMethod):
             fetchcmd += " -O %s" % shlex.quote(localpath)
         if ud.user and ud.pswd:
-            fetchcmd += " --user=%s --password=%s --auth-no-challenge" % (ud.user, ud.pswd)
+            fetchcmd += " --auth-no-challenge"
+            if ud.parm.get("redirectauth", "1") == "1":
+                # An undocumented feature of wget is that if the
+                # username/password are specified on the URI, wget will only
+                # send the Authorization header to the first host and not to
+                # any hosts that it is redirected to.  With the increasing
+                # usage of temporary AWS URLs, this difference now matters as
+                # AWS will reject any request that has authentication both in
+                # the query parameters (from the redirect) and in the
+                # Authorization header.
+                fetchcmd += " --user=%s --password=%s" % (ud.user, ud.pswd)
         uri = ud.url.split(";")[0]
         if os.path.exists(ud.localpath):