From 38438b6cf42fb7ad45b9a901f57913af7e7591a3 Mon Sep 17 00:00:00 2001 From: Markus Lehtonen Date: Mon, 21 Nov 2016 14:31:43 +0200 Subject: bitbake: fetch2: obey BB_ALLOWED_NETWORKS when checking network access [YOCTO #10508] (Bitbake rev: ddd3bc2d64d7240ecb6b6e4a1ae29b1faef6cc22) Signed-off-by: Markus Lehtonen Signed-off-by: Richard Purdie --- bitbake/lib/bb/fetch2/__init__.py | 7 +++++-- bitbake/lib/bb/fetch2/git.py | 4 ++-- bitbake/lib/bb/fetch2/hg.py | 2 +- bitbake/lib/bb/fetch2/npm.py | 2 +- bitbake/lib/bb/fetch2/perforce.py | 8 ++++---- bitbake/lib/bb/fetch2/svn.py | 2 +- bitbake/lib/bb/fetch2/wget.py | 2 +- 7 files changed, 15 insertions(+), 12 deletions(-) diff --git a/bitbake/lib/bb/fetch2/__init__.py b/bitbake/lib/bb/fetch2/__init__.py index 2bb41a4a94..d6d7850dfb 100644 --- a/bitbake/lib/bb/fetch2/__init__.py +++ b/bitbake/lib/bb/fetch2/__init__.py @@ -856,12 +856,15 @@ def runfetchcmd(cmd, d, quiet=False, cleanup=None, log=None, workdir=None): return output -def check_network_access(d, info = "", url = None): +def check_network_access(d, info, url): """ - log remote network access, and error if BB_NO_NETWORK is set + log remote network access, and error if BB_NO_NETWORK is set or the given + URI is untrusted """ if d.getVar("BB_NO_NETWORK") == "1": raise NetworkAccess(url, info) + elif not trusted_network(d, url): + raise UntrustedUrl(url, info) else: logger.debug(1, "Fetcher accessed the network with the command %s" % info) diff --git a/bitbake/lib/bb/fetch2/git.py b/bitbake/lib/bb/fetch2/git.py index cb9fa3fb1a..f7a0c01868 100644 --- a/bitbake/lib/bb/fetch2/git.py +++ b/bitbake/lib/bb/fetch2/git.py 
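Review bot: In check_network_access(), `url` now goes straight into `trusted_network(d, url)` with no guard of its own, so an empty, None or host-less value is handled entirely by that helper, which is defined outside this hunk. If the helper returns True for a URL it cannot parse, the BB_ALLOWED_NETWORKS check fails open, so that case deserves an explicit decision and a test. Dropping the defaults for `info` and `url` also turns any remaining two-argument caller outside the seven files touched here into a TypeError, which the commit message should state. The docstring should name the three parameters and both exceptions (NetworkAccess, UntrustedUrl), and the debug line could record what was checked: `logger.debug(1, "Fetcher accessed the network (%s) with the command %s" % (url, info))`.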
@@ -252,7 +252,7 @@ class Git(FetchMethod): repourl = repourl[7:] clone_cmd = "LANG=C %s clone --bare --mirror %s %s --progress" % (ud.basecmd, repourl, ud.clonedir) if ud.proto.lower() != 'file': - bb.fetch2.check_network_access(d, clone_cmd) + bb.fetch2.check_network_access(d, clone_cmd, ud.url) progresshandler = GitProgressHandler(d) runfetchcmd(clone_cmd, d, log=progresshandler) @@ -384,7 +384,7 @@ class Git(FetchMethod): cmd = "%s ls-remote %s %s" % \ (ud.basecmd, repourl, search) if ud.proto.lower() != 'file': - bb.fetch2.check_network_access(d, cmd) + bb.fetch2.check_network_access(d, cmd, repourl) output = runfetchcmd(cmd, d, True) if not output: raise bb.fetch2.FetchError("The command %s gave empty output unexpectedly" % cmd, ud.url) diff --git a/bitbake/lib/bb/fetch2/hg.py b/bitbake/lib/bb/fetch2/hg.py index ee5b2dd6f3..7e9afceac8 100644 --- a/bitbake/lib/bb/fetch2/hg.py +++ b/bitbake/lib/bb/fetch2/hg.py @@ -221,7 +221,7 @@ class Hg(FetchMethod): """ Compute tip revision for the url """ - bb.fetch2.check_network_access(d, self._buildhgcommand(ud, d, "info")) + bb.fetch2.check_network_access(d, self._buildhgcommand(ud, d, "info"), ud.url) output = runfetchcmd(self._buildhgcommand(ud, d, "info"), d) return output.strip() diff --git a/bitbake/lib/bb/fetch2/npm.py b/bitbake/lib/bb/fetch2/npm.py index cbeb8ff889..3e352922e0 100644 --- a/bitbake/lib/bb/fetch2/npm.py +++ b/bitbake/lib/bb/fetch2/npm.py @@ -101,7 +101,7 @@ class Npm(FetchMethod): def _runwget(self, ud, d, command, quiet): logger.debug(2, "Fetching %s using command '%s'" % (ud.url, command)) - bb.fetch2.check_network_access(d, command) + bb.fetch2.check_network_access(d, command, ud.url) dldir = d.getVar("DL_DIR") runfetchcmd(command, d, quiet, workdir=dldir) diff --git a/bitbake/lib/bb/fetch2/perforce.py b/bitbake/lib/bb/fetch2/perforce.py index be73ca0518..0f0d7393c1 100644 --- a/bitbake/lib/bb/fetch2/perforce.py +++ b/bitbake/lib/bb/fetch2/perforce.py 
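Review bot: The two git.py call sites check different strings: the clone hunk passes `ud.url`, while the ls-remote hunk passes `repourl`, the value actually interpolated into the command. Whether both forms resolve to the same host inside trusted_network() cannot be confirmed from these hunks, so an allowlist entry could match one path and not the other. Either use the same argument in both places, e.g. `bb.fetch2.check_network_access(d, cmd, ud.url)`, or keep `repourl` and say why with a comment such as `# check the URL git is really given, not the recipe URL`. Both enclosing methods start outside their hunks.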
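Review bot: In the hg.py hunk, the command string given to check_network_access() comes from a second, separate call to `self._buildhgcommand(ud, d, "info")` rather than being the string passed to runfetchcmd(). What is checked and logged therefore equals what is executed only while the builder stays deterministic. Build it once, `cmd = self._buildhgcommand(ud, d, "info")`, and pass `cmd` to both calls. The svn.py hunk has the same shape, and there the executed command also carries a `LANG=C LC_ALL=C ` prefix that the logged one lacks. The method's signature is outside the hunk.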
@@ -71,7 +71,7 @@ class Perforce(FetchMethod): logger.debug(1, 'Trying to use P4CONFIG to automatically set P4PORT...') ud.usingp4config = True p4cmd = '%s info | grep "Server address"' % ud.basecmd - bb.fetch2.check_network_access(d, p4cmd) + bb.fetch2.check_network_access(d, p4cmd, ud.url) ud.host = runfetchcmd(p4cmd, d, True) ud.host = ud.host.split(': ')[1].strip() logger.debug(1, 'Determined P4PORT to be: %s' % ud.host) @@ -140,7 +140,7 @@ class Perforce(FetchMethod): 'p4 files' command, including trailing '#rev' file revision indicator """ p4cmd = self._buildp4command(ud, d, 'files') - bb.fetch2.check_network_access(d, p4cmd) + bb.fetch2.check_network_access(d, p4cmd, ud.url) p4fileslist = runfetchcmd(p4cmd, d, True) p4fileslist = [f.rstrip() for f in p4fileslist.splitlines()] @@ -171,7 +171,7 @@ class Perforce(FetchMethod): for afile in filelist: p4fetchcmd = self._buildp4command(ud, d, 'print', afile) - bb.fetch2.check_network_access(d, p4fetchcmd) + bb.fetch2.check_network_access(d, p4fetchcmd, ud.url) runfetchcmd(p4fetchcmd, d, workdir=ud.pkgdir) runfetchcmd('tar -czf %s p4' % (ud.localpath), d, cleanup=[ud.localpath], workdir=ud.pkgdir) @@ -191,7 +191,7 @@ class Perforce(FetchMethod): def _latest_revision(self, ud, d, name): """ Return the latest upstream scm revision number """ p4cmd = self._buildp4command(ud, d, "changes") - bb.fetch2.check_network_access(d, p4cmd) + bb.fetch2.check_network_access(d, p4cmd, ud.url) tip = runfetchcmd(p4cmd, d, True) if not tip: diff --git a/bitbake/lib/bb/fetch2/svn.py b/bitbake/lib/bb/fetch2/svn.py index b568c72049..d6feeb22a4 100644 --- a/bitbake/lib/bb/fetch2/svn.py +++ b/bitbake/lib/bb/fetch2/svn.py 
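Review bot: The check added before `p4 info` validates `ud.url`, but this branch runs precisely because the server address is not yet known. The command is issued to discover P4PORT via P4CONFIG, and `ud.host` is only assigned from its output on the following lines. The BB_ALLOWED_NETWORKS decision is therefore made on the recipe URL, while the host actually contacted comes from the local Perforce configuration; the later 'files', 'print' and 'changes' hunks in this file also keep checking `ud.url`. Consider validating the discovered host once `ud.host` is set, or at least record the gap with a comment such as `# allowlist check covers ud.url only; the P4PORT taken from P4CONFIG is not validated`. The enclosing method starts and ends outside the hunk.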
@@ -173,7 +173,7 @@ class Svn(FetchMethod): """ Return the latest upstream revision number """ - bb.fetch2.check_network_access(d, self._buildsvncommand(ud, d, "log1")) + bb.fetch2.check_network_access(d, self._buildsvncommand(ud, d, "log1"), ud.url) output = runfetchcmd("LANG=C LC_ALL=C " + self._buildsvncommand(ud, d, "log1"), d, True) diff --git a/bitbake/lib/bb/fetch2/wget.py b/bitbake/lib/bb/fetch2/wget.py index 4ba63df0a8..6dfb27bd95 100644 --- a/bitbake/lib/bb/fetch2/wget.py +++ b/bitbake/lib/bb/fetch2/wget.py @@ -95,7 +95,7 @@ class Wget(FetchMethod): progresshandler = WgetProgressHandler(d) logger.debug(2, "Fetching %s using command '%s'" % (ud.url, command)) - bb.fetch2.check_network_access(d, command) + bb.fetch2.check_network_access(d, command, ud.url) runfetchcmd(command + ' --progress=dot -v', d, quiet, log=progresshandler) def download(self, ud, d): -- cgit 1.2.3-korg