diff options
author | Julian Andres Klode <jak@debian.org> | 2019-12-02 13:28:07 +0000 |
---|---|---|
committer | Julian Andres Klode <jak@debian.org> | 2019-12-02 13:28:07 +0000 |
commit | 203ed6e094e0e5a332ddae9e4f08df5694b84ba9 (patch) | |
tree | 667c4240b6f6fb9c91ae20b655478508b09d6214 | |
parent | 1690c3f87ae45a41e8d3e09bf0b1021c008460b9 (diff) | |
parent | 93f33052de84e9aeaf19c92291d043dad2665bbd (diff) |
Merge branch 'pu/netrc-https' into 'master'
netrc: Restrict auth.conf data to https by default
See merge request apt-team/apt!84
-rw-r--r-- | apt-pkg/contrib/netrc.cc | 22 | ||||
-rw-r--r-- | debian/NEWS | 10 | ||||
-rw-r--r-- | doc/apt_auth.conf.5.xml | 14 | ||||
-rwxr-xr-x | test/integration/test-authentication-basic | 42 |
4 files changed, 73 insertions, 15 deletions
diff --git a/apt-pkg/contrib/netrc.cc b/apt-pkg/contrib/netrc.cc index ee1996f8d..2069a0394 100644 --- a/apt-pkg/contrib/netrc.cc +++ b/apt-pkg/contrib/netrc.cc @@ -72,6 +72,26 @@ bool MaybeAddAuth(FileFd &NetRCFile, URI &Uri) active_token = MACHINE; break; case MACHINE: + // If token contains a protocol: Check it first, and strip it away if + // it matches. If it does not match, ignore this stanza. + // If there is no protocol, only allow https protocols. + if (token.find("://") != std::string::npos) + { + if (not APT::String::Startswith(token, Uri.Access + "://")) + { + active_token = NO; + break; + } + token.erase(0, Uri.Access.length() + 3); + } + else if (Uri.Access != "https" && Uri.Access != "tor+https") + { + if (Debug) + std::clog << "MaybeAddAuth: Rejecting matching host adding '" << Uri.User << "' and '" << Uri.Password << "' for " + << (std::string)Uri << " from " << NetRCFile.Name() << "as the protocol is not https" << std::endl; + active_token = NO; + break; + } if (token.find('/') == std::string::npos) { if (Uri.Port != 0 && Uri.Host == token) @@ -168,7 +188,7 @@ bool IsAuthorized(pkgCache::PkgFileIterator const I, std::vector<std::unique_ptr } // FIXME: Use the full base url - URI uri(std::string("http://") + I.Site() + "/"); + URI uri(std::string("https://") + I.Site() + "/"); for (auto &authconf : authconfs) { if (not authconf->IsOpen()) diff --git a/debian/NEWS b/debian/NEWS index e8cb4e279..555791602 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,13 @@ +apt (1.9.5) UNRELEASED; urgency=medium + + Credentials in apt_auth.conf(5) now only apply to https and tor+https + sources to avoid them being leaked over plaintext (Closes: #945911). To + opt-in to http, add http:// before the hostname. Note that this will transmit + credentials in plain text, which you do not want on devices that could be + operating in an untrusted network. + + -- Julian Andres Klode <juliank@ubuntu.com> Mon, 02 Dec 2019 11:45:52 +0100 + apt (1.8.0~alpha3) unstable; urgency=medium The PATH for running dpkg is now configured by the option DPkg::Path, diff --git a/doc/apt_auth.conf.5.xml b/doc/apt_auth.conf.5.xml index e7961ef81..99394be00 100644 --- a/doc/apt_auth.conf.5.xml +++ b/doc/apt_auth.conf.5.xml @@ -50,7 +50,7 @@ Unknown tokens will be ignored. Tokens may be separated by spaces, tabs or newli <variablelist> <varlistentry> -<term><literal>machine</literal> <replaceable>hostname</replaceable>[:<replaceable>port</replaceable>][/<replaceable>path</replaceable>]</term> +<term><literal>machine</literal> <replaceable>[protocol://]</replaceable><replaceable>hostname</replaceable>[:<replaceable>port</replaceable>][/<replaceable>path</replaceable>]</term> <listitem><para>Entries are looked up by searching for the <emphasis><literal>machine</literal></emphasis> token matching the hostname of the URI apt needs login information for. Extending the netrc-format @@ -60,7 +60,8 @@ different login information reside on the same server. A machine token with a pa matches if the path in the URI starts with the path given in the token. Once a match is made, the subsequent tokens are processed, stopping when the end of file is reached or another <emphasis><literal>machine</literal></emphasis> -token is encountered.</para></listitem> +token is encountered.</para> +<para>If protocol is not specified, the entry only matches https and tor+https.</para></listitem> </varlistentry> <varlistentry> @@ -80,9 +81,9 @@ token is encountered.</para></listitem> <refsect1><title>Example</title> <para>Supplying login information for a user named <literal>apt</literal> with the password <literal>debian</literal> for the &sources-list; entry -<literallayout>deb http://example.org/debian &debian-stable-codename; main</literallayout> +<literallayout>deb https://example.org/debian &debian-stable-codename; main</literallayout> could be done in the entry directly: -<literallayout>deb http://apt:debian@example.org/debian &debian-stable-codename; main</literallayout> +<literallayout>deb https://apt:debian@example.org/debian &debian-stable-codename; main</literallayout> Alternatively an entry like the following in the auth.conf file could be used: <literallayout>machine example.org login apt @@ -95,7 +96,7 @@ machine example.org/debian login apt password debian machine example.org/debian/ login apt password debian </literallayout> On the other hand neither of the following lines apply: -<literallayout>machine example.org:80 login apt password debian +<literallayout>machine example.org:443 login apt password debian machine example.org/deb/ login apt password debian machine example.org/ubuntu login apt password debian machine example.orga login apt password debian @@ -111,6 +112,9 @@ also the implementation slightly. For maximum backward compatibility you should avoid multiple <literal>machine</literal> tokens with the same hostname, but if you need multiple they should all have a path specified in the <literal>machine</literal> token.</para> +<para>Login information in auth.conf are more flexible than those in sources.list. For +example, login information can be specified for parts of a repository only, or if the +sources.list entry redirects elsewhere, login information for the redirect destination can be supplied.</para> </refsect1> <refsect1> diff --git a/test/integration/test-authentication-basic b/test/integration/test-authentication-basic index 211c73e35..5aafaade0 100755 --- a/test/integration/test-authentication-basic +++ b/test/integration/test-authentication-basic @@ -65,35 +65,59 @@ runtest() { authfile '' testauthfailure "$1" + protocol="${1%%://*}" + # good auth - authfile 'machine localhost + authfile "machine ${protocol}://localhost login star@irc -password hunter2' +password hunter2" testauthsuccess "$1" # bad auth - authfile 'machine localhost + authfile "machine ${protocol}://localhost login anonymous -password hunter2' +password hunter2" testauthfailure "$1" # 2 stanzas: unmatching + good auth - authfile 'machine debian.org + authfile "machine ${protocol}://debian.org login debian password jessie -machine localhost +machine ${protocol}://localhost login star@irc -password hunter2' +password hunter2" testauthsuccess "$1" + # no protocol specifier + authfile "machine localhost +login star@irc +password hunter2" + if [ "$protocol" = "https" ]; then + testauthsuccess "$1" + else + testauthfailure "$1" + fi + + # wrong protocol specifier + if [ "$protocol" = "https" ]; then + authfile "machine http://localhost +login star@irc +password hunter2" + else + authfile "machine https://localhost +login star@irc +password hunter2" + fi + testauthfailure "$1" + # delete file, make sure it fails; add auth.conf.d snippet, works again. rm rootdir/etc/apt/auth.conf testauthfailure "$1" - authfile 'machine localhost + authfile "machine ${protocol}://localhost login star@irc -password hunter2' rootdir/etc/apt/auth.conf.d/myauth.conf +password hunter2" rootdir/etc/apt/auth.conf.d/myauth.conf testauthsuccess "$1" rm rootdir/etc/apt/auth.conf.d/myauth.conf } |