* [PATCH] fetch2: obey BB_ALLOWED_NETWORKS when checking network access
@ 2016-11-21 12:31 Markus Lehtonen
From: Markus Lehtonen @ 2016-11-21 12:31 UTC (permalink / raw)
To: bitbake-devel
[YOCTO #10508]
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
---
lib/bb/fetch2/__init__.py | 7 +++++--
lib/bb/fetch2/git.py | 4 ++--
lib/bb/fetch2/hg.py | 2 +-
lib/bb/fetch2/npm.py | 2 +-
lib/bb/fetch2/perforce.py | 8 ++++----
lib/bb/fetch2/svn.py | 2 +-
lib/bb/fetch2/wget.py | 2 +-
7 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py
index cd7362c..4bb7526 100644
--- a/lib/bb/fetch2/__init__.py
+++ b/lib/bb/fetch2/__init__.py
@@ -856,12 +856,15 @@ def runfetchcmd(cmd, d, quiet=False, cleanup=None, log=None, workdir=None):
return output
-def check_network_access(d, info = "", url = None):
+def check_network_access(d, info, url):
"""
- log remote network access, and error if BB_NO_NETWORK is set
+ log remote network access, and error if BB_NO_NETWORK is set or the given
+ URI is untrusted
"""
if d.getVar("BB_NO_NETWORK", True) == "1":
raise NetworkAccess(url, info)
+ elif not trusted_network(d, url):
+ raise UntrustedUrl(url, info)
else:
logger.debug(1, "Fetcher accessed the network with the command %s" % info)
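Review bot: Dropping the defaults on `check_network_access` turns the formerly optional `url` into a hard requirement, so any caller this patch does not update (the in-tree sites below are covered, but a fetcher shipped in a layer that still calls it with two arguments) now fails with a TypeError at call time rather than a fetch error. If that API break is intended it should be stated in the commit message; if a compatible `url=None` default is kept instead, what `trusted_network()` does with a missing URL is not visible in this hunk and must be checked so that a caller omitting the URL cannot bypass the allow-list. The docstring should also say what is raised rather than "error": `Raises NetworkAccess when BB_NO_NETWORK is "1", UntrustedUrl when trusted_network() rejects url (BB_ALLOWED_NETWORKS).`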
diff --git a/lib/bb/fetch2/git.py b/lib/bb/fetch2/git.py
index 1bec60a..11d0b9c 100644
--- a/lib/bb/fetch2/git.py
+++ b/lib/bb/fetch2/git.py
@@ -252,7 +252,7 @@ class Git(FetchMethod):
repourl = repourl[7:]
clone_cmd = "LANG=C %s clone --bare --mirror %s %s --progress" % (ud.basecmd, repourl, ud.clonedir)
if ud.proto.lower() != 'file':
- bb.fetch2.check_network_access(d, clone_cmd)
+ bb.fetch2.check_network_access(d, clone_cmd, ud.url)
progresshandler = GitProgressHandler(d)
runfetchcmd(clone_cmd, d, log=progresshandler)
@@ -384,7 +384,7 @@ class Git(FetchMethod):
cmd = "%s ls-remote %s %s" % \
(ud.basecmd, repourl, search)
if ud.proto.lower() != 'file':
- bb.fetch2.check_network_access(d, cmd)
+ bb.fetch2.check_network_access(d, cmd, repourl)
output = runfetchcmd(cmd, d, True)
if not output:
raise bb.fetch2.FetchError("The command %s gave empty output unexpectedly" % cmd, ud.url)
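Review bot: The changed line passes `repourl` to the check while every other call site in this patch passes `ud.url`; if `repourl` has been rewritten before this point (the clone path in the previous hunk strips a prefix with `repourl = repourl[7:]`), the allow-list is evaluated against a different string than the one the user configured, and depending on how trusted_network() parses it the host may not be matched. Prefer `bb.fetch2.check_network_access(d, cmd, ud.url)` for consistency unless repourl is known to be the complete URL here. How repourl is derived in this method lies outside the hunk.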
diff --git a/lib/bb/fetch2/hg.py b/lib/bb/fetch2/hg.py
index 20df801..dc87998 100644
--- a/lib/bb/fetch2/hg.py
+++ b/lib/bb/fetch2/hg.py
@@ -221,7 +221,7 @@ class Hg(FetchMethod):
"""
Compute tip revision for the url
"""
- bb.fetch2.check_network_access(d, self._buildhgcommand(ud, d, "info"))
+ bb.fetch2.check_network_access(d, self._buildhgcommand(ud, d, "info"), ud.url)
output = runfetchcmd(self._buildhgcommand(ud, d, "info"), d)
return output.strip()
diff --git a/lib/bb/fetch2/npm.py b/lib/bb/fetch2/npm.py
index 699ae72..29faea1 100644
--- a/lib/bb/fetch2/npm.py
+++ b/lib/bb/fetch2/npm.py
@@ -101,7 +101,7 @@ class Npm(FetchMethod):
def _runwget(self, ud, d, command, quiet):
logger.debug(2, "Fetching %s using command '%s'" % (ud.url, command))
- bb.fetch2.check_network_access(d, command)
+ bb.fetch2.check_network_access(d, command, ud.url)
dldir = d.getVar("DL_DIR", True)
runfetchcmd(command, d, quiet, workdir=dldir)
diff --git a/lib/bb/fetch2/perforce.py b/lib/bb/fetch2/perforce.py
index 50cb479..e332e7c 100644
--- a/lib/bb/fetch2/perforce.py
+++ b/lib/bb/fetch2/perforce.py
@@ -71,7 +71,7 @@ class Perforce(FetchMethod):
logger.debug(1, 'Trying to use P4CONFIG to automatically set P4PORT...')
ud.usingp4config = True
p4cmd = '%s info | grep "Server address"' % ud.basecmd
- bb.fetch2.check_network_access(d, p4cmd)
+ bb.fetch2.check_network_access(d, p4cmd, ud.url)
ud.host = runfetchcmd(p4cmd, d, True)
ud.host = ud.host.split(': ')[1].strip()
logger.debug(1, 'Determined P4PORT to be: %s' % ud.host)
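Review bot: In the P4CONFIG branch the server that is actually contacted is only learned from the `p4 info` output on the lines after the check (`ud.host = runfetchcmd(p4cmd, d, True)`), so the trust decision is made on `ud.url` before the host is known; since P4PORT is being auto-detected here, ud.url presumably carries no host, and the allow-list check may then have nothing to match against. Consider re-evaluating trust against the determined `ud.host` once it is set and before the later p4 commands run, and note in a comment that the first check covers only the URL as written. The enclosing method continues outside the hunk.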
@@ -140,7 +140,7 @@ class Perforce(FetchMethod):
'p4 files' command, including trailing '#rev' file revision indicator
"""
p4cmd = self._buildp4command(ud, d, 'files')
- bb.fetch2.check_network_access(d, p4cmd)
+ bb.fetch2.check_network_access(d, p4cmd, ud.url)
p4fileslist = runfetchcmd(p4cmd, d, True)
p4fileslist = [f.rstrip() for f in p4fileslist.splitlines()]
@@ -171,7 +171,7 @@ class Perforce(FetchMethod):
for afile in filelist:
p4fetchcmd = self._buildp4command(ud, d, 'print', afile)
- bb.fetch2.check_network_access(d, p4fetchcmd)
+ bb.fetch2.check_network_access(d, p4fetchcmd, ud.url)
runfetchcmd(p4fetchcmd, d, workdir=ud.pkgdir)
runfetchcmd('tar -czf %s p4' % (ud.localpath), d, cleanup=[ud.localpath], workdir=ud.pkgdir)
@@ -191,7 +191,7 @@ class Perforce(FetchMethod):
def _latest_revision(self, ud, d, name):
""" Return the latest upstream scm revision number """
p4cmd = self._buildp4command(ud, d, "changes")
- bb.fetch2.check_network_access(d, p4cmd)
+ bb.fetch2.check_network_access(d, p4cmd, ud.url)
tip = runfetchcmd(p4cmd, d, True)
if not tip:
diff --git a/lib/bb/fetch2/svn.py b/lib/bb/fetch2/svn.py
index 6ca79d3..71dee9f 100644
--- a/lib/bb/fetch2/svn.py
+++ b/lib/bb/fetch2/svn.py
@@ -173,7 +173,7 @@ class Svn(FetchMethod):
"""
Return the latest upstream revision number
"""
- bb.fetch2.check_network_access(d, self._buildsvncommand(ud, d, "log1"))
+ bb.fetch2.check_network_access(d, self._buildsvncommand(ud, d, "log1"), ud.url)
output = runfetchcmd("LANG=C LC_ALL=C " + self._buildsvncommand(ud, d, "log1"), d, True)
diff --git a/lib/bb/fetch2/wget.py b/lib/bb/fetch2/wget.py
index ecb946a..1d81c08 100644
--- a/lib/bb/fetch2/wget.py
+++ b/lib/bb/fetch2/wget.py
@@ -95,7 +95,7 @@ class Wget(FetchMethod):
progresshandler = WgetProgressHandler(d)
logger.debug(2, "Fetching %s using command '%s'" % (ud.url, command))
- bb.fetch2.check_network_access(d, command)
+ bb.fetch2.check_network_access(d, command, ud.url)
runfetchcmd(command + ' --progress=dot -v', d, quiet, log=progresshandler)
def download(self, ud, d):
--
2.6.6
* Re: [PATCH] fetch2: obey BB_ALLOWED_NETWORKS when checking network access
From: akuster808 @ 2016-11-21 15:47 UTC (permalink / raw)
To: Markus Lehtonen, bitbake-devel
On 11/21/2016 04:31 AM, Markus Lehtonen wrote:
> [YOCTO #10508]
I take it this applies to 1.32 ( Morty) as well.
-armin
>
> Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
> ---
> lib/bb/fetch2/__init__.py | 7 +++++--
> lib/bb/fetch2/git.py | 4 ++--
> lib/bb/fetch2/hg.py | 2 +-
> lib/bb/fetch2/npm.py | 2 +-
> lib/bb/fetch2/perforce.py | 8 ++++----
> lib/bb/fetch2/svn.py | 2 +-
> lib/bb/fetch2/wget.py | 2 +-
> 7 files changed, 15 insertions(+), 12 deletions(-)
>
> diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py
> index cd7362c..4bb7526 100644
> --- a/lib/bb/fetch2/__init__.py
> +++ b/lib/bb/fetch2/__init__.py
> @@ -856,12 +856,15 @@ def runfetchcmd(cmd, d, quiet=False, cleanup=None, log=None, workdir=None):
>
> return output
>
> -def check_network_access(d, info = "", url = None):
> +def check_network_access(d, info, url):
> """
> - log remote network access, and error if BB_NO_NETWORK is set
> + log remote network access, and error if BB_NO_NETWORK is set or the given
> + URI is untrusted
> """
> if d.getVar("BB_NO_NETWORK", True) == "1":
> raise NetworkAccess(url, info)
> + elif not trusted_network(d, url):
> + raise UntrustedUrl(url, info)
> else:
> logger.debug(1, "Fetcher accessed the network with the command %s" % info)
>
> diff --git a/lib/bb/fetch2/git.py b/lib/bb/fetch2/git.py
> index 1bec60a..11d0b9c 100644
> --- a/lib/bb/fetch2/git.py
> +++ b/lib/bb/fetch2/git.py
> @@ -252,7 +252,7 @@ class Git(FetchMethod):
> repourl = repourl[7:]
> clone_cmd = "LANG=C %s clone --bare --mirror %s %s --progress" % (ud.basecmd, repourl, ud.clonedir)
> if ud.proto.lower() != 'file':
> - bb.fetch2.check_network_access(d, clone_cmd)
> + bb.fetch2.check_network_access(d, clone_cmd, ud.url)
> progresshandler = GitProgressHandler(d)
> runfetchcmd(clone_cmd, d, log=progresshandler)
>
> @@ -384,7 +384,7 @@ class Git(FetchMethod):
> cmd = "%s ls-remote %s %s" % \
> (ud.basecmd, repourl, search)
> if ud.proto.lower() != 'file':
> - bb.fetch2.check_network_access(d, cmd)
> + bb.fetch2.check_network_access(d, cmd, repourl)
> output = runfetchcmd(cmd, d, True)
> if not output:
> raise bb.fetch2.FetchError("The command %s gave empty output unexpectedly" % cmd, ud.url)
> diff --git a/lib/bb/fetch2/hg.py b/lib/bb/fetch2/hg.py
> index 20df801..dc87998 100644
> --- a/lib/bb/fetch2/hg.py
> +++ b/lib/bb/fetch2/hg.py
> @@ -221,7 +221,7 @@ class Hg(FetchMethod):
> """
> Compute tip revision for the url
> """
> - bb.fetch2.check_network_access(d, self._buildhgcommand(ud, d, "info"))
> + bb.fetch2.check_network_access(d, self._buildhgcommand(ud, d, "info"), ud.url)
> output = runfetchcmd(self._buildhgcommand(ud, d, "info"), d)
> return output.strip()
>
> diff --git a/lib/bb/fetch2/npm.py b/lib/bb/fetch2/npm.py
> index 699ae72..29faea1 100644
> --- a/lib/bb/fetch2/npm.py
> +++ b/lib/bb/fetch2/npm.py
> @@ -101,7 +101,7 @@ class Npm(FetchMethod):
>
> def _runwget(self, ud, d, command, quiet):
> logger.debug(2, "Fetching %s using command '%s'" % (ud.url, command))
> - bb.fetch2.check_network_access(d, command)
> + bb.fetch2.check_network_access(d, command, ud.url)
> dldir = d.getVar("DL_DIR", True)
> runfetchcmd(command, d, quiet, workdir=dldir)
>
> diff --git a/lib/bb/fetch2/perforce.py b/lib/bb/fetch2/perforce.py
> index 50cb479..e332e7c 100644
> --- a/lib/bb/fetch2/perforce.py
> +++ b/lib/bb/fetch2/perforce.py
> @@ -71,7 +71,7 @@ class Perforce(FetchMethod):
> logger.debug(1, 'Trying to use P4CONFIG to automatically set P4PORT...')
> ud.usingp4config = True
> p4cmd = '%s info | grep "Server address"' % ud.basecmd
> - bb.fetch2.check_network_access(d, p4cmd)
> + bb.fetch2.check_network_access(d, p4cmd, ud.url)
> ud.host = runfetchcmd(p4cmd, d, True)
> ud.host = ud.host.split(': ')[1].strip()
> logger.debug(1, 'Determined P4PORT to be: %s' % ud.host)
> @@ -140,7 +140,7 @@ class Perforce(FetchMethod):
> 'p4 files' command, including trailing '#rev' file revision indicator
> """
> p4cmd = self._buildp4command(ud, d, 'files')
> - bb.fetch2.check_network_access(d, p4cmd)
> + bb.fetch2.check_network_access(d, p4cmd, ud.url)
> p4fileslist = runfetchcmd(p4cmd, d, True)
> p4fileslist = [f.rstrip() for f in p4fileslist.splitlines()]
>
> @@ -171,7 +171,7 @@ class Perforce(FetchMethod):
>
> for afile in filelist:
> p4fetchcmd = self._buildp4command(ud, d, 'print', afile)
> - bb.fetch2.check_network_access(d, p4fetchcmd)
> + bb.fetch2.check_network_access(d, p4fetchcmd, ud.url)
> runfetchcmd(p4fetchcmd, d, workdir=ud.pkgdir)
>
> runfetchcmd('tar -czf %s p4' % (ud.localpath), d, cleanup=[ud.localpath], workdir=ud.pkgdir)
> @@ -191,7 +191,7 @@ class Perforce(FetchMethod):
> def _latest_revision(self, ud, d, name):
> """ Return the latest upstream scm revision number """
> p4cmd = self._buildp4command(ud, d, "changes")
> - bb.fetch2.check_network_access(d, p4cmd)
> + bb.fetch2.check_network_access(d, p4cmd, ud.url)
> tip = runfetchcmd(p4cmd, d, True)
>
> if not tip:
> diff --git a/lib/bb/fetch2/svn.py b/lib/bb/fetch2/svn.py
> index 6ca79d3..71dee9f 100644
> --- a/lib/bb/fetch2/svn.py
> +++ b/lib/bb/fetch2/svn.py
> @@ -173,7 +173,7 @@ class Svn(FetchMethod):
> """
> Return the latest upstream revision number
> """
> - bb.fetch2.check_network_access(d, self._buildsvncommand(ud, d, "log1"))
> + bb.fetch2.check_network_access(d, self._buildsvncommand(ud, d, "log1"), ud.url)
>
> output = runfetchcmd("LANG=C LC_ALL=C " + self._buildsvncommand(ud, d, "log1"), d, True)
>
> diff --git a/lib/bb/fetch2/wget.py b/lib/bb/fetch2/wget.py
> index ecb946a..1d81c08 100644
> --- a/lib/bb/fetch2/wget.py
> +++ b/lib/bb/fetch2/wget.py
> @@ -95,7 +95,7 @@ class Wget(FetchMethod):
> progresshandler = WgetProgressHandler(d)
>
> logger.debug(2, "Fetching %s using command '%s'" % (ud.url, command))
> - bb.fetch2.check_network_access(d, command)
> + bb.fetch2.check_network_access(d, command, ud.url)
> runfetchcmd(command + ' --progress=dot -v', d, quiet, log=progresshandler)
>
> def download(self, ud, d):
* Re: [PATCH] fetch2: obey BB_ALLOWED_NETWORKS when checking network access
From: Markus Lehtonen @ 2016-11-22 8:05 UTC (permalink / raw)
To: akuster808, bitbake-devel
On Mon, 2016-11-21 at 07:47 -0800, akuster808 wrote:
>
> On 11/21/2016 04:31 AM, Markus Lehtonen wrote:
> > [YOCTO #10508]
>
> I take it this applies to 1.32 ( Morty) as well.
Yes, I think so.
However, it may have some side effects for users of BB_ALLOWED_NETWORKS.
Basically, after this patch git update (and mercurial and other VCSes, too)
from upstream sources stops working unless the upstream repo is trusted by
BB_ALLOWED_NETWORKS.
Thanks,
Markus