summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJulian Andres Klode <jak@debian.org>2019-12-02 13:28:07 +0000
committerJulian Andres Klode <jak@debian.org>2019-12-02 13:28:07 +0000
commit203ed6e094e0e5a332ddae9e4f08df5694b84ba9 (patch)
tree667c4240b6f6fb9c91ae20b655478508b09d6214
parent1690c3f87ae45a41e8d3e09bf0b1021c008460b9 (diff)
parent93f33052de84e9aeaf19c92291d043dad2665bbd (diff)
Merge branch 'pu/netrc-https' into 'master'
netrc: Restrict auth.conf data to https by default See merge request apt-team/apt!84
-rw-r--r--apt-pkg/contrib/netrc.cc22
-rw-r--r--debian/NEWS10
-rw-r--r--doc/apt_auth.conf.5.xml14
-rwxr-xr-xtest/integration/test-authentication-basic42
4 files changed, 73 insertions, 15 deletions
diff --git a/apt-pkg/contrib/netrc.cc b/apt-pkg/contrib/netrc.cc
index ee1996f8d..2069a0394 100644
--- a/apt-pkg/contrib/netrc.cc
+++ b/apt-pkg/contrib/netrc.cc
@@ -72,6 +72,26 @@ bool MaybeAddAuth(FileFd &NetRCFile, URI &Uri)
active_token = MACHINE;
break;
case MACHINE:
+ // If token contains a protocol: Check it first, and strip it away if
+ // it matches. If it does not match, ignore this stanza.
+ // If there is no protocol, only allow https protocols.
+ if (token.find("://") != std::string::npos)
+ {
+ if (not APT::String::Startswith(token, Uri.Access + "://"))
+ {
+ active_token = NO;
+ break;
+ }
+ token.erase(0, Uri.Access.length() + 3);
+ }
+ else if (Uri.Access != "https" && Uri.Access != "tor+https")
+ {
+ if (Debug)
+ std::clog << "MaybeAddAuth: Rejecting matching host adding '" << Uri.User << "' and '" << Uri.Password << "' for "
+ << (std::string)Uri << " from " << NetRCFile.Name() << "as the protocol is not https" << std::endl;
+ active_token = NO;
+ break;
+ }
if (token.find('/') == std::string::npos)
{
if (Uri.Port != 0 && Uri.Host == token)
@@ -168,7 +188,7 @@ bool IsAuthorized(pkgCache::PkgFileIterator const I, std::vector<std::unique_ptr
}
// FIXME: Use the full base url
- URI uri(std::string("http://") + I.Site() + "/");
+ URI uri(std::string("https://") + I.Site() + "/");
for (auto &authconf : authconfs)
{
if (not authconf->IsOpen())
diff --git a/debian/NEWS b/debian/NEWS
index e8cb4e279..555791602 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+apt (1.9.5) UNRELEASED; urgency=medium
+
+ Credentials in apt_auth.conf(5) now only apply to https and tor+https
+ sources to avoid them being leaked over plaintext (Closes: #945911). To
+ opt-in to http, add http:// before the hostname. Note that this will transmit
+ credentials in plain text, which you do not want on devices that could be
+ operating in an untrusted network.
+
+ -- Julian Andres Klode <juliank@ubuntu.com> Mon, 02 Dec 2019 11:45:52 +0100
+
apt (1.8.0~alpha3) unstable; urgency=medium
The PATH for running dpkg is now configured by the option DPkg::Path,
diff --git a/doc/apt_auth.conf.5.xml b/doc/apt_auth.conf.5.xml
index e7961ef81..99394be00 100644
--- a/doc/apt_auth.conf.5.xml
+++ b/doc/apt_auth.conf.5.xml
@@ -50,7 +50,7 @@ Unknown tokens will be ignored. Tokens may be separated by spaces, tabs or newli
<variablelist>
<varlistentry>
-<term><literal>machine</literal> <replaceable>hostname</replaceable>[:<replaceable>port</replaceable>][/<replaceable>path</replaceable>]</term>
+<term><literal>machine</literal> <replaceable>[protocol://]</replaceable><replaceable>hostname</replaceable>[:<replaceable>port</replaceable>][/<replaceable>path</replaceable>]</term>
<listitem><para>Entries are looked up by searching for the
<emphasis><literal>machine</literal></emphasis> token matching the
hostname of the URI apt needs login information for. Extending the netrc-format
@@ -60,7 +60,8 @@ different login information reside on the same server. A machine token with a pa
matches if the path in the URI starts with the path given in the token.
Once a match is made, the subsequent tokens are processed, stopping when the
end of file is reached or another <emphasis><literal>machine</literal></emphasis>
-token is encountered.</para></listitem>
+token is encountered.</para>
+<para>If protocol is not specified, the entry only matches https and tor+https.</para></listitem>
</varlistentry>
<varlistentry>
@@ -80,9 +81,9 @@ token is encountered.</para></listitem>
<refsect1><title>Example</title>
<para>Supplying login information for a user named <literal>apt</literal>
with the password <literal>debian</literal> for the &sources-list; entry
-<literallayout>deb http://example.org/debian &debian-stable-codename; main</literallayout>
+<literallayout>deb https://example.org/debian &debian-stable-codename; main</literallayout>
could be done in the entry directly:
-<literallayout>deb http://apt:debian@example.org/debian &debian-stable-codename; main</literallayout>
+<literallayout>deb https://apt:debian@example.org/debian &debian-stable-codename; main</literallayout>
Alternatively an entry like the following in the auth.conf file could be used:
<literallayout>machine example.org
login apt
@@ -95,7 +96,7 @@ machine example.org/debian login apt password debian
machine example.org/debian/ login apt password debian
</literallayout>
On the other hand neither of the following lines apply:
-<literallayout>machine example.org:80 login apt password debian
+<literallayout>machine example.org:443 login apt password debian
machine example.org/deb/ login apt password debian
machine example.org/ubuntu login apt password debian
machine example.orga login apt password debian
@@ -111,6 +112,9 @@ also the implementation slightly. For maximum backward compatibility you should
avoid multiple <literal>machine</literal> tokens with the same hostname, but if
you need multiple they should all have a path specified in the
<literal>machine</literal> token.</para>
+<para>Login information in auth.conf are more flexible than those in sources.list. For
+example, login information can be specified for parts of a repository only, or if the
+sources.list entry redirects elsewhere, login information for the redirect destination can be supplied.</para>
</refsect1>
<refsect1>
diff --git a/test/integration/test-authentication-basic b/test/integration/test-authentication-basic
index 211c73e35..5aafaade0 100755
--- a/test/integration/test-authentication-basic
+++ b/test/integration/test-authentication-basic
@@ -65,35 +65,59 @@ runtest() {
authfile ''
testauthfailure "$1"
+ protocol="${1%%://*}"
+
# good auth
- authfile 'machine localhost
+ authfile "machine ${protocol}://localhost
login star@irc
-password hunter2'
+password hunter2"
testauthsuccess "$1"
# bad auth
- authfile 'machine localhost
+ authfile "machine ${protocol}://localhost
login anonymous
-password hunter2'
+password hunter2"
testauthfailure "$1"
# 2 stanzas: unmatching + good auth
- authfile 'machine debian.org
+ authfile "machine ${protocol}://debian.org
login debian
password jessie
-machine localhost
+machine ${protocol}://localhost
login star@irc
-password hunter2'
+password hunter2"
testauthsuccess "$1"
+ # no protocol specifier
+ authfile "machine localhost
+login star@irc
+password hunter2"
+ if [ "$protocol" = "https" ]; then
+ testauthsuccess "$1"
+ else
+ testauthfailure "$1"
+ fi
+
+ # wrong protocol specifier
+ if [ "$protocol" = "https" ]; then
+ authfile "machine http://localhost
+login star@irc
+password hunter2"
+ else
+ authfile "machine https://localhost
+login star@irc
+password hunter2"
+ fi
+ testauthfailure "$1"
+
# delete file, make sure it fails; add auth.conf.d snippet, works again.
rm rootdir/etc/apt/auth.conf
testauthfailure "$1"
- authfile 'machine localhost
+ authfile "machine ${protocol}://localhost
login star@irc
-password hunter2' rootdir/etc/apt/auth.conf.d/myauth.conf
+password hunter2" rootdir/etc/apt/auth.conf.d/myauth.conf
testauthsuccess "$1"
rm rootdir/etc/apt/auth.conf.d/myauth.conf
}