aboutsummaryrefslogtreecommitdiffstats
path: root/main
diff options
context:
space:
mode:
Diffstat (limited to 'main')
-rw-r--r--main/busybox/0001-wget-print-warning-when-internal-tls-is-used.patch87
-rw-r--r--main/busybox/APKBUILD5
2 files changed, 91 insertions, 1 deletions
diff --git a/main/busybox/0001-wget-print-warning-when-internal-tls-is-used.patch b/main/busybox/0001-wget-print-warning-when-internal-tls-is-used.patch
new file mode 100644
index 0000000000..5a027c1bf5
--- /dev/null
+++ b/main/busybox/0001-wget-print-warning-when-internal-tls-is-used.patch
@@ -0,0 +1,87 @@
+From 76026fa8c9a62423e359b992b16b6e0bbdd4e5a1 Mon Sep 17 00:00:00 2001
+From: Jakub Jirutka <jakub@jirutka.cz>
+Date: Thu, 24 May 2018 02:19:23 +0200
+Subject: [PATCH] wget: print warning when internal TLS is used
+
+Internal TLS code (FEATURE_WGET_HTTPS) does not implement verification
+of the server's certificate. It is documented in the code, but not
+even mentioned in the --help message, so users typically don't know
+about this behaviour. That's a crime against security!
+
+This patch changes this behaviour for the case when both
+FEATURE_WGET_LONG_OPTIONS and FEATURE_WGET_HTTPS are enabled -
+before initializing a TLS connection using the internal TLS code (i.e.
+without certificate validation) warning message is printed, unless the
+user specified option "--no-check-certificate".
+
+See-Also: http://lists.busybox.net/pipermail/busybox/2018-May/086444.html
+---
+ networking/wget.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/networking/wget.c b/networking/wget.c
+--- a/networking/wget.c
++++ b/networking/wget.c
+@@ -135,18 +135,21 @@
+ //usage:#define wget_full_usage "\n\n"
+ //usage: "Retrieve files via HTTP or FTP\n"
+ //usage: IF_FEATURE_WGET_LONG_OPTIONS(
+-//usage: "\n --spider Only check URL existence: $? is 0 if exists"
++//usage: "\n --spider Only check URL existence: $? is 0 if exists"
++//usage: IF_FEATURE_WGET_HTTPS(
++//usage: "\n --no-check-certificate Don't validate the server's certificate"
++//usage: )
+ //usage: )
+-//usage: "\n -c Continue retrieval of aborted transfer"
+-//usage: "\n -q Quiet"
+-//usage: "\n -P DIR Save to DIR (default .)"
+-//usage: "\n -S Show server response"
++//usage: "\n -c Continue retrieval of aborted transfer"
++//usage: "\n -q Quiet"
++//usage: "\n -P DIR Save to DIR (default .)"
++//usage: "\n -S Show server response"
+ //usage: IF_FEATURE_WGET_TIMEOUT(
+-//usage: "\n -T SEC Network read timeout is SEC seconds"
++//usage: "\n -T SEC Network read timeout is SEC seconds"
+ //usage: )
+-//usage: "\n -O FILE Save to FILE ('-' for stdout)"
+-//usage: "\n -U STR Use STR for User-Agent header"
+-//usage: "\n -Y on/off Use proxy"
++//usage: "\n -O FILE Save to FILE ('-' for stdout)"
++//usage: "\n -U STR Use STR for User-Agent header"
++//usage: "\n -Y on/off Use proxy"
+
+ #include "libbb.h"
+
+@@ -267,6 +270,7 @@
+ WGET_OPT_HEADER = (1 << 10) * ENABLE_FEATURE_WGET_LONG_OPTIONS,
+ WGET_OPT_POST_DATA = (1 << 11) * ENABLE_FEATURE_WGET_LONG_OPTIONS,
+ WGET_OPT_SPIDER = (1 << 12) * ENABLE_FEATURE_WGET_LONG_OPTIONS,
++ WGET_OPT_NO_CHECK_CERT = (1 << 13) * ENABLE_FEATURE_WGET_LONG_OPTIONS,
+ };
+
+ enum {
+@@ -765,6 +769,11 @@
+ int pid;
+ char *servername, *p;
+
++#if ENABLE_FEATURE_WGET_LONG_OPTIONS
++ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT))
++ bb_error_msg("WARNING: SSL/TLS certificate is not being validated!");
++#endif
++
+ servername = xstrdup(host);
+ p = strrchr(servername, ':');
+ if (p) *p = '\0';
+@@ -1353,10 +1362,9 @@
+ "header\0" Required_argument "\xff"
+ "post-data\0" Required_argument "\xfe"
+ "spider\0" No_argument "\xfd"
++ "no-check-certificate\0" No_argument "\xfc"
+ /* Ignored (we always use PASV): */
+ IF_DESKTOP( "passive-ftp\0" No_argument "\xf0")
+- /* Ignored (we don't do ssl) */
+-IF_DESKTOP( "no-check-certificate\0" No_argument "\xf0")
+ /* Ignored (we don't support caching) */
+ IF_DESKTOP( "no-cache\0" No_argument "\xf0")
+ IF_DESKTOP( "no-verbose\0" No_argument "\xf0")
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index 36cc90ed2f..9adfc39861 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=busybox
pkgver=1.28.3
-pkgrel=0
+pkgrel=1
pkgdesc="Size optimized toolbox of many common UNIX utilities"
url=http://busybox.net
arch="all"
@@ -42,6 +42,8 @@ source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
0001-nsenter-Rename-network-option-to-net.patch
0002-nsenter-fix-parsing-of-t-S-and-G-options.patch
+ 0001-wget-print-warning-when-internal-tls-is-used.patch
+
acpid.logrotate
busyboxconfig
busyboxconfig-extras
@@ -205,6 +207,7 @@ d90d6b3406760fe3df6dbed46a0f4d1c02a69d5184ebc86d8c1692bc4576532127283ba3ff9a81e6
0dbe3ee424c0a6e4aba4f551f6b6b9ee087655a03747a40906961b141d40b1cbb2345438f17887a1b78d880cb3a7ad0116936dd7c05e95160febfd299423e83b 0001-cat-fix-cat-e-and-cat-v-erroneously-numbering-1st-li.patch
d2364e20b12c5215c4baecc3c6faf903e6e1e2bee95d697af047d680e9d57e7aeea54c8584d062d92daa0ea64898b502fbae010b22ab236ec4018966b74deeec 0001-nsenter-Rename-network-option-to-net.patch
0dbffae82b62317fc4144a01940ebc601e58b0e14eb8338bc42db79407d0b74dbe9f0f44758b9a5baa399eb90f8e8ee8f9c344bebd1b03bdd2ce520cb2b28d5e 0002-nsenter-fix-parsing-of-t-S-and-G-options.patch
+38973e70fc77450ba1bf4d2aa7db5425d57f18eab9ae5676d457294ade12ae6b44300ae41f100f452e2efa1d027612fa501c9ac0f95ce340519e1dce497e4971 0001-wget-print-warning-when-internal-tls-is-used.patch
a9b1403c844c51934637215307dd9e2adb9458921047acff0d86dcf229b6e0027f4b2c6cdaa25a58407aad9d098fb5685d58eb5ff8d2aa3de4912cdea21fe54c acpid.logrotate
035f2a28719971d9ff805d208d70bc1144fd3701235dc46ef581a559e696ef92265f28f7debf0248a2cee004a773dcd07828bcc088716f5aff944ccdce15d30f busyboxconfig
0efbe22e2fd56993d92b6542d4ccffb2b42d50495be085c98f417a71f503b4071e2f092afcec77f78064d33ffb0922c28daa3cb9958e6d7fb26d5a660abd90f4 busyboxconfig-extras