1 files changed, 87 insertions, 0 deletions
diff --git a/main/busybox/0001-wget-print-warning-when-internal-tls-is-used.patch b/main/busybox/0001-wget-print-warning-when-internal-tls-is-used.patch
new file mode 100644
index 0000000000..5a027c1bf5
--- /dev/null
+++ b/main/busybox/0001-wget-print-warning-when-internal-tls-is-used.patch
@@ -0,0 +1,87 @@
+From 76026fa8c9a62423e359b992b16b6e0bbdd4e5a1 Mon Sep 17 00:00:00 2001
+From: Jakub Jirutka <jakub@jirutka.cz>
+Date: Thu, 24 May 2018 02:19:23 +0200
+Subject: [PATCH] wget: print warning when internal TLS is used
+
+Internal TLS code (FEATURE_WGET_HTTPS) does not implement verification
+of the server's certificate.  It is documented in the code, but not
+even mentioned in the --help message, so users typically don't know
+about this behaviour.  That's a crime against security!
+
+This patch changes this behaviour for the case when both
+FEATURE_WGET_LONG_OPTIONS and FEATURE_WGET_HTTPS are enabled -
+before initializing a TLS connection using the internal TLS code (i.e.
+without certificate validation) warning message is printed, unless the
+user specified option "--no-check-certificate".
+
+See-Also: http://lists.busybox.net/pipermail/busybox/2018-May/086444.html
+---
+ networking/wget.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/networking/wget.c b/networking/wget.c
+--- a/networking/wget.c
++++ b/networking/wget.c
+@@ -135,18 +135,21 @@
+ //usage:#define wget_full_usage "\n\n"
+ //usage:       "Retrieve files via HTTP or FTP\n"
+ //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
+-//usage:     "\n	--spider	Only check URL existence: $? is 0 if exists"
++//usage:     "\n	--spider		Only check URL existence: $? is 0 if exists"
++//usage:		IF_FEATURE_WGET_HTTPS(
++//usage:     "\n	--no-check-certificate	Don't validate the server's certificate"
++//usage:		)
+ //usage:	)
+-//usage:     "\n	-c		Continue retrieval of aborted transfer"
+-//usage:     "\n	-q		Quiet"
+-//usage:     "\n	-P DIR		Save to DIR (default .)"
+-//usage:     "\n	-S    		Show server response"
++//usage:     "\n	-c			Continue retrieval of aborted transfer"
++//usage:     "\n	-q			Quiet"
++//usage:     "\n	-P DIR			Save to DIR (default .)"
++//usage:     "\n	-S    			Show server response"
+ //usage:	IF_FEATURE_WGET_TIMEOUT(
+-//usage:     "\n	-T SEC		Network read timeout is SEC seconds"
++//usage:     "\n	-T SEC			Network read timeout is SEC seconds"
+ //usage:	)
+-//usage:     "\n	-O FILE		Save to FILE ('-' for stdout)"
+-//usage:     "\n	-U STR		Use STR for User-Agent header"
+-//usage:     "\n	-Y on/off	Use proxy"
++//usage:     "\n	-O FILE			Save to FILE ('-' for stdout)"
++//usage:     "\n	-U STR			Use STR for User-Agent header"
++//usage:     "\n	-Y on/off		Use proxy"
+ 
+ #include "libbb.h"
+ 
+@@ -267,6 +270,7 @@
+ 	WGET_OPT_HEADER     = (1 << 10) * ENABLE_FEATURE_WGET_LONG_OPTIONS,
+ 	WGET_OPT_POST_DATA  = (1 << 11) * ENABLE_FEATURE_WGET_LONG_OPTIONS,
+ 	WGET_OPT_SPIDER     = (1 << 12) * ENABLE_FEATURE_WGET_LONG_OPTIONS,
++	WGET_OPT_NO_CHECK_CERT = (1 << 13) * ENABLE_FEATURE_WGET_LONG_OPTIONS,
+ };
+ 
+ enum {
+@@ -765,6 +769,11 @@
+ 	int pid;
+ 	char *servername, *p;
+ 
++#if ENABLE_FEATURE_WGET_LONG_OPTIONS
++	if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT))
++		bb_error_msg("WARNING: SSL/TLS certificate is not being validated!");
++#endif
++
+ 	servername = xstrdup(host);
+ 	p = strrchr(servername, ':');
+ 	if (p) *p = '\0';
+@@ -1353,10 +1362,9 @@
+ 		"header\0"           Required_argument "\xff"
+ 		"post-data\0"        Required_argument "\xfe"
+ 		"spider\0"           No_argument       "\xfd"
++		"no-check-certificate\0" No_argument   "\xfc"
+ 		/* Ignored (we always use PASV): */
+ IF_DESKTOP(	"passive-ftp\0"      No_argument       "\xf0")
+-		/* Ignored (we don't do ssl) */
+-IF_DESKTOP(	"no-check-certificate\0" No_argument   "\xf0")
+ 		/* Ignored (we don't support caching) */
+ IF_DESKTOP(	"no-cache\0"         No_argument       "\xf0")
+ IF_DESKTOP(	"no-verbose\0"       No_argument       "\xf0")