diff options
Diffstat (limited to 'main/busybox/0001-wget-print-warning-when-internal-tls-is-used.patch')
| -rw-r--r-- | main/busybox/0001-wget-print-warning-when-internal-tls-is-used.patch | 87 |
1 files changed, 0 insertions, 87 deletions
diff --git a/main/busybox/0001-wget-print-warning-when-internal-tls-is-used.patch b/main/busybox/0001-wget-print-warning-when-internal-tls-is-used.patch deleted file mode 100644 index 5a027c1bf5..0000000000 --- a/main/busybox/0001-wget-print-warning-when-internal-tls-is-used.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 76026fa8c9a62423e359b992b16b6e0bbdd4e5a1 Mon Sep 17 00:00:00 2001 -From: Jakub Jirutka <jakub@jirutka.cz> -Date: Thu, 24 May 2018 02:19:23 +0200 -Subject: [PATCH] wget: print warning when internal TLS is used - -Internal TLS code (FEATURE_WGET_HTTPS) does not implement verification -of the server's certificate. It is documented in the code, but not -even mentioned in the --help message, so users typically don't know -about this behaviour. That's a crime against security! - -This patch changes this behaviour for the case when both -FEATURE_WGET_LONG_OPTIONS and FEATURE_WGET_HTTPS are enabled - -before initializing a TLS connection using the internal TLS code (i.e. -without certificate validation) warning message is printed, unless the -user specified option "--no-check-certificate". - -See-Also: http://lists.busybox.net/pipermail/busybox/2018-May/086444.html ---- - networking/wget.c | 30 +++++++++++++++++++----------- - 1 file changed, 19 insertions(+), 11 deletions(-) - -diff --git a/networking/wget.c b/networking/wget.c ---- a/networking/wget.c -+++ b/networking/wget.c -@@ -135,18 +135,21 @@ - //usage:#define wget_full_usage "\n\n" - //usage: "Retrieve files via HTTP or FTP\n" - //usage: IF_FEATURE_WGET_LONG_OPTIONS( --//usage: "\n --spider Only check URL existence: $? is 0 if exists" -+//usage: "\n --spider Only check URL existence: $? is 0 if exists" -+//usage: IF_FEATURE_WGET_HTTPS( -+//usage: "\n --no-check-certificate Don't validate the server's certificate" -+//usage: ) - //usage: ) --//usage: "\n -c Continue retrieval of aborted transfer" --//usage: "\n -q Quiet" --//usage: "\n -P DIR Save to DIR (default .)" --//usage: "\n -S Show server response" -+//usage: "\n -c Continue retrieval of aborted transfer" -+//usage: "\n -q Quiet" -+//usage: "\n -P DIR Save to DIR (default .)" -+//usage: "\n -S Show server response" - //usage: IF_FEATURE_WGET_TIMEOUT( --//usage: "\n -T SEC Network read timeout is SEC seconds" -+//usage: "\n -T SEC Network read timeout is SEC seconds" - //usage: ) --//usage: "\n -O FILE Save to FILE ('-' for stdout)" --//usage: "\n -U STR Use STR for User-Agent header" --//usage: "\n -Y on/off Use proxy" -+//usage: "\n -O FILE Save to FILE ('-' for stdout)" -+//usage: "\n -U STR Use STR for User-Agent header" -+//usage: "\n -Y on/off Use proxy" - - #include "libbb.h" - -@@ -267,6 +270,7 @@ - WGET_OPT_HEADER = (1 << 10) * ENABLE_FEATURE_WGET_LONG_OPTIONS, - WGET_OPT_POST_DATA = (1 << 11) * ENABLE_FEATURE_WGET_LONG_OPTIONS, - WGET_OPT_SPIDER = (1 << 12) * ENABLE_FEATURE_WGET_LONG_OPTIONS, -+ WGET_OPT_NO_CHECK_CERT = (1 << 13) * ENABLE_FEATURE_WGET_LONG_OPTIONS, - }; - - enum { -@@ -765,6 +769,11 @@ - int pid; - char *servername, *p; - -+#if ENABLE_FEATURE_WGET_LONG_OPTIONS -+ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) -+ bb_error_msg("WARNING: SSL/TLS certificate is not being validated!"); -+#endif -+ - servername = xstrdup(host); - p = strrchr(servername, ':'); - if (p) *p = '\0'; -@@ -1353,10 +1362,9 @@ - "header\0" Required_argument "\xff" - "post-data\0" Required_argument "\xfe" - "spider\0" No_argument "\xfd" -+ "no-check-certificate\0" No_argument "\xfc" - /* Ignored (we always use PASV): */ - IF_DESKTOP( "passive-ftp\0" No_argument "\xf0") -- /* Ignored (we don't do ssl) */ --IF_DESKTOP( "no-check-certificate\0" No_argument "\xf0") - /* Ignored (we don't support caching) */ - IF_DESKTOP( "no-cache\0" No_argument "\xf0") - IF_DESKTOP( "no-verbose\0" No_argument "\xf0") |