[Buildroot] test-pkg script can't handle captive portals. etc.
Marcus Hoffmann
m.hoffmann at cartelsol.com
Wed Mar 1 11:09:28 UTC 2017
Hey,
On 01.03.2017 09:46, Arnout Vandecappelle wrote:
>
>
> On 28-02-17 21:30, Marcus Hoffmann wrote:
>> Hey,
>>
>> I just ran into an issue with the test-pkg script.
>> When the TOOLCHAINS_URL returns an unexpected result,
>> (A router login page, when the Internet got disconnected, a captive
>> portal login page, a MITM attack, etc.) the script does weird things and
>> outputs something like this:
>>
>> html>: FAILED
>> <!DOCTYPE: FAILED
>> HTML: FAILED
>> HTML: ^[ORFAILED
>> EN">:
>> [...]
>>
>> It also creates the corresponding folders inside the test-dir.
>>
>> You can test this when pointing the TOOLCHAINS_URL var to any html page.
>>
>> This is not a very nice way to fail and may lead to harm when parsing
>> untrusted input from the web.
>>
>> What would be the best way to handle this case? Can the Toolchain URL be
>> switched to https? This would eliminate the problem.
>
> I don't think a.b.o has https at the moment, though I guess it would be easy to
> add a Let's Encrypt certificate.
>
> Still, a captive portal with an accepted certificate could still play tricks.
But it wouldn't be valid for the buildroot url, so I don't think it can(?).
> It's probably better to validate the result.
>
> However, I think it would be much nicer if we could just have the toolchain
> defconfigs inside of Buildroot instead of using this CSV file.
I don't know how often they change, but if this makes sense this would
be a good solution I think.
>
>
>> Otherwise we should do some sanity checking that no stray html page is
>> returned by the curl call. But this still doesn't solve the problem of a
>> malicious actor.
>
> I don't think a malicious actor is really something we should worry about here,
> is it?
Probably not terribly so. But if we can easily solve such problems (have
them locally or pull over https) we should!
>
> Regards,
> Arnout
>
>
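
One way to do the validation suggested in the thread, shown as an added example that is not part of the original messages or of Buildroot's test-pkg script. The line format ("URL ending in .config, then other comma-separated fields"), the function names and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate a downloaded toolchain list before acting on it.
# Assumed line format (not stated in the thread):
#   <url ending in .config>,<other fields>

# validate_toolchain_list FILE
# Returns 0 only if FILE has at least one entry and the first field of every
# entry looks like a toolchain config URL; reports the first bad line otherwise.
validate_toolchain_list() {
    list="$1"
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank lines and comments.
        case "$line" in
            ''|'#'*) continue ;;
        esac
        url="${line%%,*}"
        # Allow-list: scheme, conservative character set, .config suffix.
        if ! printf '%s\n' "$url" | grep -Eq '^https?://[A-Za-z0-9._/-]+\.config$'; then
            printf 'rejecting toolchain list, unexpected line: %s\n' "$line" >&2
            return 1
        fi
        # A name derived from the URL ends up as a directory name; refuse "..".
        case "$url" in
            *..*) printf 'rejecting toolchain list, ".." in: %s\n' "$url" >&2
                  return 1 ;;
        esac
        count=$((count + 1))
    done < "$list"
    # An empty download is as suspicious as an HTML page.
    [ "$count" -gt 0 ]
}

# Constructed samples: a plausible list and a captive-portal style HTML page.
make_samples() {
    dir="$1"
    printf '%s\n' \
        'http://toolchains.example.invalid/configs/armv5-sample.config,x86_64' \
        'http://toolchains.example.invalid/configs/x86-64-sample.config,x86_64' \
        > "$dir/good.csv"
    printf '%s\n' \
        '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">' \
        '<html><body>Please log in</body></html>' \
        > "$dir/portal.html"
}
```

A check like this catches the stray HTML page; it does not authenticate the list, so the https or in-tree options discussed above are still what addresses a malicious sender.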