[Buildroot] [PATCH 1/1] package/pkg-download: add per package download fallback disable
Arnout Vandecappelle
arnout at mind.be
Wed May 1 19:09:22 UTC 2024
On 30/04/2024 19:56, Flávio Tapajós wrote:
> Sorry to necrobump, but such a feature would be handy when using FOO_DL_OPTS to
> ensure http authentication.
>
> Tokens, usernames or passwords will be leaked to the fallback server in case of
> failure of the primary source. This could be some source of vulnerability
I don't see how any of these would be leaked...

A token is passed either as a password or as a header. There's no way to
specify per-package wget options anyway, so I guess it will be passed as a password.

A password can either be passed in .netrc or .wgetrc (in which case it is
site-specific so won't be sent to PRIMARY_SITE or BACKUP_SITE), or it can be
passed in the URL, as https://user:pass@server.com/path/source.tar.gz
The whole user:pass part also doesn't get used in PRIMARY_SITE or BACKUP_SITE.

The above applies to http downloads. For other downloads, it doesn't even
matter at all, because that download method won't be used for PRIMARY_SITE and
SECONDARY_SITE so any authentication stuff won't be used either.

So how does leaking take place?
Regards,
Arnout
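The fallback order Arnout describes, as an added model (not Buildroot's own pkg-download.mk or dl-wrapper): the primary and backup sites only ever receive the file name, so userinfo embedded in the package's own site URL, or a host-specific .netrc entry, reaches only the upstream host. All URLs, hosts and credentials below are constructed sample values; the .netrc parser is a deliberately minimal stand-in for wget's.

```python
"""Model of Buildroot's download fallback chain (added example, not Buildroot code).

Order tried: BR2_PRIMARY_SITE, then the package's <PKG>_SITE, then BR2_BACKUP_SITE.
For the two mirror sites only the basename of the file is appended.
"""
import posixpath
from urllib.parse import urlsplit

# Constructed sample configuration (not a real host or credential).
PKG_SITE_URL = "https://builder:s3cr3t@internal.example.com/releases/foo-1.0.tar.gz"
PRIMARY_SITE = "https://mirror.example.org/dl"
BACKUP_SITE = "http://sources.buildroot.net"
NETRC_TEXT = "machine internal.example.com login builder password s3cr3t\n"


def candidate_urls(pkg_site_url, primary_site="", backup_site=""):
    """Return (label, url) pairs in the order the downloader would try them."""
    filename = posixpath.basename(urlsplit(pkg_site_url).path)
    urls = []
    if primary_site:
        urls.append(("primary", primary_site.rstrip("/") + "/" + filename))
    urls.append(("upstream", pkg_site_url))
    if backup_site:
        urls.append(("backup", backup_site.rstrip("/") + "/" + filename))
    return urls


def credential_exposure(urls):
    """For each candidate, the (user, host) that would see URL userinfo, or None."""
    exposure = {}
    for label, url in urls:
        parts = urlsplit(url)
        exposure[label] = (parts.username, parts.hostname) if parts.username else None
    return exposure


def netrc_credentials(netrc_text, host):
    """Minimal host-specific lookup: 'machine H login U password P' lines only."""
    for line in netrc_text.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[0] == "machine" and tok[1] == host:
            return tok[3], tok[5]
    return None  # no entry: nothing is sent to this host


if __name__ == "__main__":
    for label, url in candidate_urls(PKG_SITE_URL, PRIMARY_SITE, BACKUP_SITE):
        host = urlsplit(url).hostname
        print(label, url, "netrc:", netrc_credentials(NETRC_TEXT, host))
```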