[PATCH] wget: don't silently ignore certificate validation

Ralf Friedl Ralf.Friedl at online.de
Sun May 27 18:19:41 UTC 2018


Denys Vlasenko wrote:
> wget should work for common use cases.
> Such as downloading sources of kernels, gcc and such.
> From build scripts, not only by hand.
> Without having to modify said scripts.
> Your patch breaks that.
> NAK.
>
> I don't care that security people are upset.
> They are paranoid, it's part of their profession.
> It does not mean everybody else have to be as paranoid.
I must admit I'm surprised by this statement.
You add paranoid changes to programs like cp, unlinking the target in 
direct violation of POSIX, breaking some use cases. There was recent 
discussion about modifying the extraction of TAR and other archives, 
which introduced new problems and regressions.
While there is nothing wrong with being careful, busybox is mainly used 
on single user systems, so it is unlikely that there is another user to 
create race conditions to exploit.
On the other hand, not checking https means transfers could be attacked 
by someone anywhere on the network, not only a local user on the 
machine, so the number of potential attackers is much larger, and you 
don't even print a warning that the remote identity is not checked. You 
don't expect everybody to read the complete source code before using 
busybox, do you?
