From 93f33052de84e9aeaf19c92291d043dad2665bbd Mon Sep 17 00:00:00 2001
From: Julian Andres Klode <julian.klode@canonical.com>
Date: Mon, 2 Dec 2019 11:46:49 +0100
Subject: netrc: Restrict auth.conf entries to https by default

This avoids downgrade attacks where an attacker could inject

Location: http://private.example/

and then (having access to raw data to private.example, for example,
by opening a port there, or sniffing network traffic) read the credentials
for the private repository.

Closes: #945911
---
 doc/apt_auth.conf.5.xml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

(limited to 'doc')

diff --git a/doc/apt_auth.conf.5.xml b/doc/apt_auth.conf.5.xml
index e7961ef81..99394be00 100644
--- a/doc/apt_auth.conf.5.xml
+++ b/doc/apt_auth.conf.5.xml
@@ -50,7 +50,7 @@ Unknown tokens will be ignored. Tokens may be separated by spaces, tabs or newli
 
 <variablelist>
 <varlistentry>
-<term><literal>machine</literal> <replaceable>hostname</replaceable>[:<replaceable>port</replaceable>][/<replaceable>path</replaceable>]</term>
+<term><literal>machine</literal> <replaceable>[protocol://]</replaceable><replaceable>hostname</replaceable>[:<replaceable>port</replaceable>][/<replaceable>path</replaceable>]</term>
 <listitem><para>Entries are looked up by searching for the
 <emphasis><literal>machine</literal></emphasis> token matching the
 hostname of the URI apt needs login information for. Extending the netrc-format
@@ -60,7 +60,8 @@ different login information reside on the same server. A machine token with a pa
 matches if the path in the URI starts with the path given in the token.
 Once a match is made, the subsequent tokens are processed, stopping when the
 end of file is reached or another <emphasis><literal>machine</literal></emphasis>
-token is encountered.</para></listitem>
+token is encountered.</para>
+<para>If protocol is not specified, the entry only matches https and tor+https.</para></listitem>
 </varlistentry>
 
 <varlistentry>
@@ -80,9 +81,9 @@ token is encountered.</para></listitem>
 <refsect1><title>Example</title>
 <para>Supplying login information for a user named <literal>apt</literal>
 with the password <literal>debian</literal> for the &sources-list; entry
-<literallayout>deb http://example.org/debian &debian-stable-codename; main</literallayout>
+<literallayout>deb https://example.org/debian &debian-stable-codename; main</literallayout>
 could be done in the entry directly:
-<literallayout>deb http://apt:debian@example.org/debian &debian-stable-codename; main</literallayout>
+<literallayout>deb https://apt:debian@example.org/debian &debian-stable-codename; main</literallayout>
 Alternatively an entry like the following in the auth.conf file could be used:
 <literallayout>machine example.org
 login apt
@@ -95,7 +96,7 @@ machine example.org/debian login apt password debian
 machine example.org/debian/ login apt password debian
 </literallayout>
 On the other hand neither of the following lines apply:
-<literallayout>machine example.org:80 login apt password debian
+<literallayout>machine example.org:443 login apt password debian
 machine example.org/deb/ login apt password debian
 machine example.org/ubuntu login apt password debian
 machine example.orga login apt password debian
@@ -111,6 +112,9 @@ also the implementation slightly. For maximum backward compatibility you should
 avoid multiple <literal>machine</literal> tokens with the same hostname, but if
 you need multiple they should all have a path specified in the
 <literal>machine</literal> token.</para>
+<para>Login information in auth.conf are more flexible than those in sources.list. For
+example, login information can be specified for parts of a repository only, or if the
+sources.list entry redirects elsewhere, login information for the redirect destination can be supplied.</para>
 </refsect1>
 
 <refsect1>
-- 
cgit v1.2.3