diff options
author | Ross Burton <ross@burtonini.com> | 2021-08-10 17:55:09 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-08-12 06:27:39 +0100 |
commit | 4104850dd36096a9ff01836c5fca9ac0e452bcf8 (patch) | |
tree | a8ff67ceb9071bc1835c236986dd4cd22b560dbe /lib | |
parent | 116637b0e9aabae7f680b102dbf3577b8a58f049 (diff) | |
download | bitbake-4104850dd36096a9ff01836c5fca9ac0e452bcf8.tar.gz |
fetch2/wget: fetch securely by default
The days of broken certificates are behind us now, so instead of always
passing --no-check-certificate to wget, don't pass it by default and
instead only pass it BB_CHECK_SSL_CERTS = "0".
[ YOCTO #14108 ]
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/bb/fetch2/wget.py | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/lib/bb/fetch2/wget.py b/lib/bb/fetch2/wget.py index 988ea74d2..29fcfbb3d 100644 --- a/lib/bb/fetch2/wget.py +++ b/lib/bb/fetch2/wget.py @@ -52,13 +52,19 @@ class WgetProgressHandler(bb.progress.LineFilterProgressHandler): class Wget(FetchMethod): + """Class to fetch urls via 'wget'""" # CDNs like CloudFlare may do a 'browser integrity test' which can fail # with the standard wget/urllib User-Agent, so pretend to be a modern # browser. user_agent = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0" - """Class to fetch urls via 'wget'""" + def check_certs(self, d): + """ + Should certificates be checked? + """ + return (d.getVar("BB_CHECK_SSL_CERTS") or "1") != "0" + def supports(self, ud, d): """ Check to see if a given url can be fetched with wget. @@ -82,7 +88,10 @@ class Wget(FetchMethod): if not ud.localfile: ud.localfile = d.expand(urllib.parse.unquote(ud.host + ud.path).replace("/", ".")) - self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp --no-check-certificate" + self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp" + + if not self.check_certs(d): + self.basecmd += " --no-check-certificate" def _runwget(self, ud, d, command, quiet, workdir=None): @@ -309,7 +318,11 @@ class Wget(FetchMethod): with bb.utils.environment(**newenv): import ssl - context = ssl._create_unverified_context() + if self.check_certs(d): + context = ssl.create_default_context() + else: + context = ssl._create_unverified_context() + handlers = [FixedHTTPRedirectHandler, HTTPMethodFallback, urllib.request.ProxyHandler(), |