From patchwork Fri Jun 12 14:29:00 2026
X-Patchwork-Submitter: Jeremy Rosen
X-Patchwork-Id: 89952
From: Jeremy Rosen
To: bitbake-devel@lists.openembedded.org
Subject: [bitbake][scarthgap][2.8][PATCH 1/4] fetch2/wget: handle HTTP 308 Permanent Redirect
Date: Fri, 12 Jun 2026 16:29:00 +0200
Message-ID: <5ca465fc4ac49dc2f4172c83da651f316c0b4a7c.1781271084.git.jeremy.rosen@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/19676

From: Ross Burton

urllib2.HTTPRedirectHandler.redirect_request doesn't handle HTTP response code 308 (Permanent Redirect). This was fixed in c379bc5 but can't be worked around without copying the entire redirect_request() method.

When we can depend on Python 3.13, FixedHTTPRedirectHandler can be removed.

Signed-off-by: Ross Burton
Signed-off-by: Mathieu Dubois-Briand
(cherry picked from commit 365829a2803b954ee6cb0364749551a91d806075)
Signed-off-by: Jeremy Rosen
--- lib/bb/fetch2/wget.py | 42 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 37 insertions(+), 5 deletions(-) diff --git a/lib/bb/fetch2/wget.py b/lib/bb/fetch2/wget.py index 2345ba6b4..55b2ca2fe 100644 --- a/lib/bb/fetch2/wget.py +++ b/lib/bb/fetch2/wget.py
@@ -305,13 +305,45 @@ class Wget(FetchMethod): class FixedHTTPRedirectHandler(urllib.request.HTTPRedirectHandler): """ - urllib2.HTTPRedirectHandler resets the method to GET on redirect, - when we want to follow redirects using the original method. + urllib2.HTTPRedirectHandler before 3.13 has two flaws: + + It resets the method to GET on redirect when we want to follow + redirects using the original method (typically HEAD). This was fixed + in 759e8e7. + + It also doesn't handle 308 (Permanent Redirect). This was fixed in + c379bc5. + + Until we depend on Python 3.13 onwards, copy the redirect_request + method to fix these issues. """ def redirect_request(self, req, fp, code, msg, headers, newurl): - newreq = urllib.request.HTTPRedirectHandler.redirect_request(self, req, fp, code, msg, headers, newurl) - newreq.get_method = req.get_method - return newreq + m = req.get_method() + if (not (code in (301, 302, 303, 307, 308) and m in ("GET", "HEAD") + or code in (301, 302, 303) and m == "POST")): + raise urllib.HTTPError(req.full_url, code, msg, headers, fp) + + # Strictly (according to RFC 2616), 301 or 302 in response to + # a POST MUST NOT cause a redirection without confirmation + # from the user (of urllib.request, in this case). In practice, + # essentially all clients do redirect in this case, so we do + # the same. + + # Be conciliant with URIs containing a space. This is mainly + # redundant with the more complete encoding done in http_error_302(), + # but it is kept for compatibility with other callers. 
+ newurl = newurl.replace(' ', '%20') + + CONTENT_HEADERS = ("content-length", "content-type") + newheaders = {k: v for k, v in req.headers.items() + if k.lower() not in CONTENT_HEADERS} + return urllib.request.Request(newurl, + method="HEAD" if m == "HEAD" else "GET", + headers=newheaders, + origin_req_host=req.origin_req_host, + unverifiable=True) + + http_error_308 = urllib.request.HTTPRedirectHandler.http_error_302 # We need to update the environment here as both the proxy and HTTPS # handlers need variables set. The proxy needs http_proxy and friends to

From patchwork Fri Jun 12 14:29:01 2026
X-Patchwork-Submitter: Jeremy Rosen
X-Patchwork-Id: 89951
From: Jeremy Rosen
To: bitbake-devel@lists.openembedded.org
Subject: [bitbake][scarthgap][2.8][PATCH 2/4] fetch2/wget: limit auth on checkstatus redirects
Date: Fri, 12 Jun 2026 16:29:01 +0200
Message-ID: <348edecf9e663c3b432c6cf76c3f911354e83487.1781271084.git.jeremy.rosen@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/19677

From: Anders Heimer

FixedHTTPRedirectHandler copies request headers when checkstatus() follows a redirect, including Authorization from SRC_URI or .netrc.

Keep same-origin redirects unchanged, but drop Authorization and Cookie for different-origin targets (scheme, host and effective port), following RFC 9110 redirect guidance for resource-specific headers.

This only affects the Python checkstatus() path; normal wget downloads are unchanged.

Signed-off-by: Anders Heimer
Signed-off-by: Richard Purdie
(cherry picked from commit 1019d5a5c42c672ea673ae9d22363d626b57ccb9)
Signed-off-by: Jeremy Rosen
--- lib/bb/fetch2/wget.py | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/lib/bb/fetch2/wget.py b/lib/bb/fetch2/wget.py index 55b2ca2fe..14a1a80ea 100644 --- a/lib/bb/fetch2/wget.py +++ b/lib/bb/fetch2/wget.py
@@ -303,6 +303,18 @@ class Wget(FetchMethod): http_error_403 = http_error_405 + def _url_origin(url): + parsed = urllib.parse.urlsplit(url) + scheme = parsed.scheme.lower() + host = parsed.hostname.lower() if parsed.hostname else "" + port = parsed.port + if port is None: + port = {"http": 80, "https": 443}.get(scheme) + return (scheme, host, port) + + def _same_origin(url_a, url_b): + return _url_origin(url_a) == _url_origin(url_b) + class FixedHTTPRedirectHandler(urllib.request.HTTPRedirectHandler): """ urllib2.HTTPRedirectHandler before 3.13 has two flaws: @@ -316,6 +328,9 @@ class Wget(FetchMethod): Until we depend on Python 3.13 onwards, copy the redirect_request method to fix these issues. + + Additionally, strip sensitive headers (Authorization, Cookie) when + redirecting to a different origin to avoid credential leaks. """ def redirect_request(self, req, fp, code, msg, headers, newurl): m = req.get_method() 
@@ -335,8 +350,16 @@ class Wget(FetchMethod): newurl = newurl.replace(' ', '%20') CONTENT_HEADERS = ("content-length", "content-type") - newheaders = {k: v for k, v in req.headers.items() - if k.lower() not in CONTENT_HEADERS} + SENSITIVE_REDIRECT_HEADERS = ("authorization", "cookie") + same_origin = _same_origin(req.get_full_url(), newurl) + newheaders = {} + for k, v in req.headers.items(): + header = k.lower() + if header in CONTENT_HEADERS: + continue + if not same_origin and header in SENSITIVE_REDIRECT_HEADERS: + continue + newheaders[k] = v return urllib.request.Request(newurl, method="HEAD" if m == "HEAD" else "GET", headers=newheaders,

From patchwork Fri Jun 12 14:29:02 2026
X-Patchwork-Submitter: Jeremy Rosen
X-Patchwork-Id: 89953
From: Jeremy Rosen
To: bitbake-devel@lists.openembedded.org
Subject: [bitbake][scarthgap][2.8][PATCH 3/4] tests/fetch: cover checkstatus redirect auth handling
Date: Fri, 12 Jun 2026 16:29:02 +0200
Message-ID: <2b0f7fb5f54a415d851038ba7cb836b18289e000.1781271084.git.jeremy.rosen@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/19678

From: Anders Heimer

Add local HTTP server tests for Wget.checkstatus() redirects. They check that Authorization is kept for same-origin redirects and dropped when the target has a different origin.

Signed-off-by: Anders Heimer
Signed-off-by: Richard Purdie
(cherry picked from commit c687d42b81b17e7a2399099cab0f1a6aafcf6520)
Signed-off-by: Jeremy Rosen
--- lib/bb/tests/fetch.py | 62 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py index 2d95ef87d..a658b89a8 100644 --- a/lib/bb/tests/fetch.py +++ b/lib/bb/tests/fetch.py @@ -7,6 +7,7 @@ # import contextlib +import http.server import shutil import unittest import hashlib @@ -16,6 +17,7 @@ import os import signal import subprocess import tarfile +import threading from bb.fetch2 import URI from bb.fetch2 import FetchMethod import bb
@@ -1610,6 +1612,41 @@ class FetchCheckStatusTest(FetcherTest): "https://github.com/kergoth/tslib/releases/download/1.1/tslib-1.1.tar.xz" ] + def _start_checkstatus_server(self): + class CheckStatusHTTPRequestHandler(http.server.BaseHTTPRequestHandler): + def do_HEAD(self): + self.server.requests.append((self.path, dict(self.headers))) + if self.path == "/a" and self.server.redirect_url: + self.send_response(302) + self.send_header("Location", self.server.redirect_url) + self.end_headers() + return + self.send_response(200) + self.end_headers() + + def log_message(self, format_str, *args): + pass + + server = http.server.HTTPServer(("127.0.0.1", 0), CheckStatusHTTPRequestHandler) + server.redirect_url = None + server.requests = [] + thread = threading.Thread(target=server.serve_forever, kwargs={"poll_interval": 0.05}) + thread.daemon = True + thread.start() + + def stop_server(): + server.shutdown() + thread.join() + server.server_close() + + self.addCleanup(stop_server) + return server + + def _checkstatus(self, url): + fetch = bb.fetch2.Fetch([url], self.d) + ud = fetch.ud[url] + return ud.method.checkstatus(fetch, ud, self.d) + @skipIfNoNetwork() def test_wget_checkstatus(self): fetch = bb.fetch2.Fetch(self.test_wget_uris, self.d) 
@@ -1637,6 +1674,31 @@ class FetchCheckStatusTest(FetcherTest): connection_cache.close_connections() + def test_wget_checkstatus_same_origin_redirect_keeps_auth(self): + server = self._start_checkstatus_server() + server.redirect_url = "http://127.0.0.1:%s/b" % server.server_port + + url = "http://127.0.0.1:%s/a;user=user;pswd=pass" % server.server_port + self.assertTrue(self._checkstatus(url)) + + self.assertEqual(len(server.requests), 2) + redirected_headers = {k.lower(): v for k, v in server.requests[1][1].items()} + self.assertIn("authorization", redirected_headers) + + def test_wget_checkstatus_different_origin_redirect_drops_auth(self): + origin = self._start_checkstatus_server() + target = self._start_checkstatus_server() + # Same host but different port is a different origin. + origin.redirect_url = "http://127.0.0.1:%s/b" % target.server_port + + url = "http://127.0.0.1:%s/a;user=user;pswd=pass" % origin.server_port + self.assertTrue(self._checkstatus(url)) + + self.assertEqual(len(origin.requests), 1) + self.assertEqual(len(target.requests), 1) + redirected_headers = {k.lower(): v for k, v in target.requests[0][1].items()} + self.assertNotIn("authorization", redirected_headers) + class GitMakeShallowTest(FetcherTest): def setUp(self):

From patchwork Fri Jun 12 14:29:03 2026
X-Patchwork-Submitter: Jeremy Rosen
X-Patchwork-Id: 89954
From: Jeremy Rosen
To: bitbake-devel@lists.openembedded.org
Subject: [bitbake][scarthgap][2.8][PATCH 4/4] data: fix issue with varflag exclusion
Date: Fri, 12 Jun 2026 16:29:03 +0200
Message-ID: <0880963fea4d91a034e4a6e007d23f98658ab986.1781271084.git.jeremy.rosen@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/19679

From: Marcio Henriques

This patch fixes an issue when checking if a varflag can be safely excluded.

BB_SIGNATURE_EXCLUDE_FLAGS lists variable flags that can be safely excluded from checksum and dependency data for keys in the datastore. When bitbake checks if a varflag must be excluded it checks if the varflag name is part of the string stored in BB_SIGNATURE_EXCLUDE_FLAGS.

As an example, if the varflag 'filename' is in BB_SIGNATURE_EXCLUDE_FLAGS, the varflag 'name' will also be excluded because the check will return 'True' when checking if the varflag is part of the string with the varflags to exclude.

To fix this issue the string from BB_SIGNATURE_EXCLUDE_FLAGS is converted to a list before checking if a varflag is part of it.

Signed-off-by: Marcio Henriques
Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 8ab71d0ce302521da6a7e18c887cd85d9a94e8ee) Signed-off-by: Jeremy Rosen --- lib/bb/data.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/bb/data.py b/lib/bb/data.py index f672a8445..53a7a092a 100644 --- a/lib/bb/data.py +++ b/lib/bb/data.py @@ -377,7 +377,7 @@ def generate_dependencies(d, ignored_vars): mod_funcs = set(bb.codeparser.modulecode_deps.keys()) keys = set(key for key in d if not key.startswith("__")) | mod_funcs shelldeps = set(key for key in d.getVar("__exportlist", False) if bb.utils.to_boolean(d.getVarFlag(key, "export")) and not bb.utils.to_boolean(d.getVarFlag(key, "unexport"))) - varflagsexcl = d.getVar('BB_SIGNATURE_EXCLUDE_FLAGS') + varflagsexcl = (d.getVar('BB_SIGNATURE_EXCLUDE_FLAGS') or "").split() codeparserd = d.createCopy() for forced in (d.getVar('BB_HASH_CODEPARSER_VALS') or "").split():
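
Review bot: in PATCH 1/4, the raise in redirect_request() (hunk @@ -305,13 +305,45 @@ of lib/bb/fetch2/wget.py) names urllib.HTTPError, but in Python 3 the exception class lives in urllib.error and is not an attribute of the top-level urllib package, so a redirect with an unsupported code/method pair would fail with AttributeError instead of the intended HTTPError. Suggest: raise urllib.error.HTTPError(req.full_url, code, msg, headers, fp), and make sure urllib.error is imported in this file.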
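
Review bot: in PATCH 2/4, _url_origin() (hunk @@ -303,6 +303,18 @@ of lib/bb/fetch2/wget.py) reads parsed.port on a URL that comes from the server's Location header, and the port property of a urlsplit() result raises ValueError for a non-numeric or out-of-range port, so a malformed redirect target raises out of redirect_request() instead of being handled as a redirect decision. Suggest catching ValueError in _same_origin() and returning False, so an unparseable target is treated as a different origin and the credentials are dropped. A short docstring saying that origin here means (scheme, host, effective port) would also help the next reader.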
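
Review bot: in PATCH 2/4, SENSITIVE_REDIRECT_HEADERS in redirect_request() (hunk @@ -335,8 +350,16 @@) lists only authorization and cookie, so any other credential-bearing entry in req.headers (Proxy-Authorization, or a custom token header) is still copied to a different-origin target. Either extend the tuple or add a comment explaining why these two are sufficient for the checkstatus() path. CONTENT_HEADERS and SENSITIVE_REDIRECT_HEADERS are also rebuilt on every call and could be class-level constants.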
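
Review bot: in PATCH 3/4, test_wget_checkstatus_different_origin_redirect_drops_auth (hunk @@ -1637,6 +1674,31 @@ of lib/bb/tests/fetch.py) never asserts that the first request to origin carried Authorization, so the assertNotIn on the target passes vacuously if the user=/pswd= parameters did not produce a header at all. Suggest adding an assertIn("authorization", ...) on origin.requests[0][1] before checking the target. The pair of tests also covers only a port change and only Authorization; the Cookie stripping and the scheme and host comparisons added in PATCH 2/4 have no coverage here.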
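
Review bot: in PATCH 4/4, the changed varflagsexcl line in generate_dependencies() (hunk @@ -377,7 +377,7 @@ of lib/bb/data.py) builds a list while the neighbouring keys and shelldeps are sets; since the value is only used for membership checks per the commit message, wrapping the split() result in set() would match the surrounding code and avoid a linear scan per varflag. The consumer of varflagsexcl is outside this hunk, so confirm that no code path still expects a string or None there, and consider adding a test for the 'filename' versus 'name' case described in the commit message.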