* HTTP basic auth handling in wget.py and redirects
@ 2021-02-23 17:24 Christian Betz
  2021-02-23 17:30 ` [bitbake-devel] " Christopher Larson
  0 siblings, 1 reply; 2+ messages in thread
From: Christian Betz @ 2021-02-23 17:24 UTC (permalink / raw
  To: bitbake-devel


hi everyone,

handling of user/pass (HTTP basic auth) in wget.py currently works like
this, by adding params to the wget CLI:

 fetchcmd += " --user=%s --password=%s --auth-no-challenge" % (ud.user, ud.pswd)

my SRC_URI is something like "https://someuser:somepassword@bitbucket.org/...".


in this case we are authing against the bitbucket API using the
username/password. the initial request to bitbucket.org works fine.

however the actual download was failing due to a redirect being followed to
what looks like a temporary, AWS-signed URL. AWS *rejects* the basic auth
and refuses the download.

i discovered that when using the --user and --pass params, wget will use
basic auth for the initial request AND all subsequent requests.

the good news is that wget is smart enough to pick up the
someuser/somepassword from the URI alone, and this does NOT cause redirects
to use basic auth!

(note: afaict this is undocumented behavior in wget.)

the "auth-no-challenge" seems to still be required, though. ultimately I
changed wget.py as follows:

 fetchcmd += " --auth-no-challenge"

i have patched our own wget.py for the time being. from a security point of
view, this also seems like the correct thing to do (it seems curl does NOT
include auth headers when following redirects, unless you ask for it).

however, this change would probably NOT work for anyone that *does* need
basic auth on the redirected request!

is the "correct" fix to add an additional fetcher option like
'authredirects'? would y'all take a patch for this feature?

christian

p.s. *in my opinion*, the --no-check-certificate in wget.py should be
turned off when using HTTP basic auth, since sensitive information may be
sent to an attacker-controlled host (in other cases i guess it is OK since
bitbake will verify checksums). i could try to make a patch for this too if
anyone agrees.


* Re: [bitbake-devel] HTTP basic auth handling in wget.py and redirects
  2021-02-23 17:24 HTTP basic auth handling in wget.py and redirects Christian Betz
@ 2021-02-23 17:30 ` Christopher Larson
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher Larson @ 2021-02-23 17:30 UTC (permalink / raw
  To: Christian Betz; +Cc: bitbake-devel


I would suggest a url parameter to control whether the auth is passed to
the redirects, then it's isolated to a single uri without needing a new url
scheme.

On Tue, Feb 23, 2021 at 10:25 AM Christian Betz <christian.betz@gmail.com>
wrote:

> hi everyone,
>
> handling of user/pass (HTTP basic auth) in wget.py currently works like
> this, by adding params to the wget CLI:
>
>  fetchcmd += " --user=%s --password=%s --auth-no-challenge" % (ud.user, ud.pswd)
>
> my SRC_URI is something like "
> https://someuser:somepassword@bitbucket.org/...".
>
> in this case we are authing against the bitbucket API using the
> username/password. the initial request to bitbucket.org works fine.
>
> however the actual download was failing due to a redirect being followed to
> what looks like a temporary, AWS-signed URL. AWS *rejects* the basic auth
> and refuses the download.
>
> i discovered that when using the --user and --pass params, wget will use
> basic auth for the initial request AND all subsequent requests.
>
> the good news is that wget is smart enough to pick up the
> someuser/somepassword from the URI alone, and this does NOT cause redirects
> to use basic auth!
>
> (note: afaict this is undocumented behavior in wget.)
>
> the "auth-no-challenge" seems to still be required, though. ultimately I
> changed wget.py as follows:
>
>  fetchcmd += " --auth-no-challenge"
>
> i have patched our own wget.py for the time being. from a security point
> of view, this also seems like the correct thing to do (it seems curl does
> NOT include auth headers when following redirects, unless you ask for it).
>
> however, this change would probably NOT work for anyone that *does* need
> basic auth on the redirected request!
>
> is the "correct" fix to add an additional fetcher option like
> 'authredirects'? would y'all take a patch for this feature?
>
> christian
>
> p.s. *in my opinion*, the --no-check-certificate in wget.py should be
> turned off when using HTTP basic auth, since sensitive information may be
> sent to an attacker-controlled host (in other cases i guess it is OK since
> bitbake will verify checksums). i could try to make a patch for this too if
> anyone agrees.
>

-- 
Christopher Larson
kergoth at gmail dot com
Founder - BitBake, OpenEmbedded, OpenZaurus
Senior Software Engineer, Mentor Graphics
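The two ways of handing credentials to wget that Christian contrasts, together with the per-URL switch Christopher suggests, as an added example; this is not bitbake's wget.py and not code posted by either of them. It assumes the parameter name `authredirects` from Christian's message (not a real bitbake fetcher parameter), bitbake's existing `url;name=value` SRC_URI convention, and a constructed bitbucket path in the sample inputs. It also follows the p.s. in the thread: `--no-check-certificate` is only emitted when no credentials are in play.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Hypothetical name for the per-URL switch discussed in the thread;
# it is not a real bitbake fetcher parameter.
AUTH_REDIRECTS_PARAM = "authredirects"


def split_src_uri(src_uri):
    """Split a bitbake-style 'url;name=value;...' entry into (url, params)."""
    url, *raw = src_uri.split(";")
    params = {}
    for item in raw:
        name, _, value = item.partition("=")
        params[name] = value
    return url, params


def credentials_from_url(url):
    """Return (user, password, url_without_userinfo); user/password are None if absent."""
    parts = urlsplit(url)
    if parts.username is None:
        return None, None, url
    netloc = parts.hostname or ""
    if parts.port is not None:
        netloc += ":%d" % parts.port
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return unquote(parts.username), unquote(parts.password or ""), clean


def build_wget_argv(src_uri):
    """Build the wget argv for one SRC_URI entry.

    Without authredirects=1 the credentials stay inside the URL, which (per the
    observation in the thread) makes wget authenticate only the initial request,
    so a redirect to a pre-signed storage URL is followed without a basic-auth
    header.  With authredirects=1 they are passed as --user/--password, which
    wget sends on every request, including the redirect target.
    """
    url, params = split_src_uri(src_uri)
    user, pswd, clean_url = credentials_from_url(url)
    argv = ["wget"]
    if user is None:
        # No credentials in flight: the relaxed TLS policy the thread describes
        # bitbake applying today, relying on checksum verification of the artifact.
        argv.append("--no-check-certificate")
        argv.append(url)
        return argv
    # Credentials are in use: certificate checking stays on (the p.s. in the
    # thread), and auth is sent pre-emptively since the server may not issue a
    # 401 challenge.
    argv.append("--auth-no-challenge")
    if params.get(AUTH_REDIRECTS_PARAM) == "1":
        argv += ["--user=" + user, "--password=" + pswd, clean_url]
    else:
        argv.append(url)
    return argv


if __name__ == "__main__":
    # Constructed sample entries; the bitbucket path is made up for illustration.
    base = "https://someuser:somepassword@bitbucket.org/2.0/repositories/example/file.tar.gz"
    for entry in (base, base + ";authredirects=1", "https://example.com/file.tar.gz"):
        print(entry, "->", build_wget_argv(entry))
```

The command is built as an argv list rather than a formatted shell string, so a password containing shell metacharacters needs no quoting. Either way the credential is visible in the process list while wget runs, so this selects which requests carry it, not whether it is exposed on the host.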
