From a9916c3faa2b8c6fa288599efec65868d050b0ef Mon Sep 17 00:00:00 2001
From: Julian Andres Klode
Date: Wed, 4 Dec 2019 13:58:38 +0100
Subject: netrc: Add warning when ignoring entries for unencrypted protocols

Commit 93f33052de84e9aeaf19c92291d043dad2665bbd restricted auth.conf entries to only apply to https by default, but this was silent - there was no information why http sources with auth.conf entries suddenly started failing.

Add such information, and extend test case to cover it.
---
 apt-pkg/contrib/netrc.cc                   | 24 +++++++++++++++---------
 methods/aptmethod.h                        | 12 ++++++++++++
 test/integration/test-authentication-basic |  2 ++
 3 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/apt-pkg/contrib/netrc.cc b/apt-pkg/contrib/netrc.cc
index 2069a0394..4f5206e6c 100644
--- a/apt-pkg/contrib/netrc.cc
+++ b/apt-pkg/contrib/netrc.cc
@@ -11,6 +11,7 @@
    ##################################################################### */
 							/*}}}*/
 #include
+#include
 #include
 #include
@@ -47,6 +48,8 @@ bool MaybeAddAuth(FileFd &NetRCFile, URI &Uri)
    std::string line;
    while (NetRCFile.Eof() == false || line.empty() == false)
    {
+      bool protocolSpecified = false;
+
       if (line.empty())
       {
          if (NetRCFile.ReadLine(line) == false)
@@ -75,7 +78,8 @@ bool MaybeAddAuth(FileFd &NetRCFile, URI &Uri)
             // If token contains a protocol: Check it first, and strip it away if
             // it matches. If it does not match, ignore this stanza.
             // If there is no protocol, only allow https protocols.
-            if (token.find("://") != std::string::npos)
+            protocolSpecified = token.find("://") != std::string::npos;
+            if (protocolSpecified)
             {
                if (not APT::String::Startswith(token, Uri.Access + "://"))
               {
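Review bot: The third comment line in the `@@ -75,7 +78,8 @@` hunk, `// If there is no protocol, only allow https protocols.`, now describes a check that this hunk no longer performs — the scheme-less case is decided further down in the function, only after the host has matched (`active_token == GOOD_MACHINE`). Reword it so a reader does not look for the rule here, e.g. `// If there is no protocol, the stanza is checked for an encrypted scheme below, once the host has matched.`. The body of MaybeAddAuth begins before this hunk and continues after it.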
@@ -84,14 +88,7 @@ bool MaybeAddAuth(FileFd &NetRCFile, URI &Uri)
                }
                token.erase(0, Uri.Access.length() + 3);
             }
-            else if (Uri.Access != "https" && Uri.Access != "tor+https")
-            {
-               if (Debug)
-                  std::clog << "MaybeAddAuth: Rejecting matching host adding '" << Uri.User << "' and '" << Uri.Password << "' for "
-                            << (std::string)Uri << " from " << NetRCFile.Name() << "as the protocol is not https" << std::endl;
-               active_token = NO;
-               break;
-            }
+
             if (token.find('/') == std::string::npos)
             {
                if (Uri.Port != 0 && Uri.Host == token)
@@ -108,6 +105,15 @@ bool MaybeAddAuth(FileFd &NetRCFile, URI &Uri)
                else
                   active_token = NO;
             }
+
+            if (active_token == GOOD_MACHINE && not protocolSpecified)
+            {
+               if (Uri.Access != "https" && Uri.Access != "tor+https")
+               {
+                  _error->Warning(_("%s: Credentials for %s match, but the protocol is not encrypted. Annotate with %s:// to use."), NetRCFile.Name().c_str(), token.c_str(), Uri.Access.c_str());
+                  active_token = NO;
+               }
+            }
             break;
          case GOOD_MACHINE:
             if (token == "login")
diff --git a/methods/aptmethod.h b/methods/aptmethod.h
index 5d792ceb7..de931dd7e 100644
--- a/methods/aptmethod.h
+++ b/methods/aptmethod.h
@@ -525,6 +525,7 @@ class aptAuthConfMethod : public aptMethod
       if (uri.User.empty() == false || uri.Password.empty() == false)
          return true;
+      _error->PushToStack();
       for (auto &authconf : authconfs)
       {
          if (authconf->IsOpen() == false)
@@ -538,6 +539,17 @@ class aptAuthConfMethod : public aptMethod
          result &= MaybeAddAuth(*authconf, uri);
       }
+      if (not _error->empty())
+      {
+         std::string message;
+         while (not _error->empty())
+         {
+            _error->PopMessage(message);
+            Warning("%s", message.c_str());
+         }
+      }
+      _error->RevertToStack();
+
       return result;
    }
diff --git a/test/integration/test-authentication-basic b/test/integration/test-authentication-basic
index 5aafaade0..784a00c03 100755
--- a/test/integration/test-authentication-basic
+++ b/test/integration/test-authentication-basic
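Review bot: The new scheme check in the `@@ -108,6 +105,15 @@` hunk is two nested `if`s without a comment, and the literal pair `"https"`/`"tor+https"` is now the whole definition of "encrypted" for scheme-less auth.conf stanzas, so it deserves a line saying so; suggest `// A stanza without a scheme only applies to encrypted transports; warn instead of silently dropping the credentials so the user sees why the source lost them.` above the outer `if`. Stylistically the two conditions can be merged into one: `if (active_token == GOOD_MACHINE && not protocolSpecified && Uri.Access != "https" && Uri.Access != "tor+https")`. Since `active_token = NO` is set before the `break`, a matching scheme-less stanza on an unencrypted scheme is now rejected with a warning rather than applied, which is the intent but is worth a sentence in MaybeAddAuth's documentation, which lives before this hunk.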
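Review bot: In the `@@ -538,6 +539,17 @@` hunk the return value of `_error->PopMessage(message)` is discarded and every queued message is re-sent through `Warning()`, so anything MaybeAddAuth recorded at error severity (for instance a read failure surfaced through `NetRCFile.ReadLine`, if FileFd reports it on `_error`) reaches the acquire side downgraded to a warning. As far as I recall from error.h, `PopMessage` returns whether the popped entry was an error — confirm, and if so keep the distinction: `bool const wasError = _error->PopMessage(message);` and route the error case through the method's failure reporting rather than `Warning`. A short comment on `_error->PushToStack();` in the `@@ -525,6 +525,7 @@` hunk, e.g. `// Collect MaybeAddAuth's diagnostics so they reach the acquire process as method warnings`, would explain the push/revert pair. The enclosing method of aptAuthConfMethod starts before the first of these hunks.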
@@ -96,6 +96,8 @@ password hunter2"
	if [ "$protocol" = "https" ]; then
		testauthsuccess "$1"
	else
+		testfailure apthelper download-file "${1}/bash" ./downloaded/bash
+		testsuccessequal "W: ${1}/bash: ${TMPWORKINGDIRECTORY}/rootdir/etc/apt/auth.conf: Credentials for localhost match, but the protocol is not encrypted. Annotate with http:// to use." grep "Credentials.*match" rootdir/tmp/testfailure.output
		testauthfailure "$1"
	fi
--
cgit v1.2.3