ngclient: Do not use urljoin to form metadata URL

urljoin considers the second URL to override the base URL if the second one contains e.g. hostname: this could lead to ngclient downloading from the wrong host entirely. Doing that would not compromise the security of the system as the metadata would still need to be verified, but would definitely be unexpected and a bug. Note that we're still not encoding the rolename, it's just inserted into the URL as is. Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2026-05-24 10:08:28 +00:00 · 2021-09-22 12:52:36 +03:00 · 2021-09-22 12:52:36 +03:00 · a0cb100cd8
commit a0cb100cd8
parent 4d8cbc7010
1 changed files with 2 additions and 3 deletions
--- a/tuf/ngclient/updater.py
+++ b/tuf/ngclient/updater.py
@ -278,10 +278,9 @@ def _download_metadata(
    ) -> bytes:
        """Download a metadata file and return it as bytes"""
        if version is None:
-            filename = f"{rolename}.json"
+            url = f"{self._metadata_base_url}{rolename}.json"
        else:
-            filename = f"{version}.{rolename}.json"
-        url = parse.urljoin(self._metadata_base_url, filename)
+            url = f"{self._metadata_base_url}{version}.{rolename}.json"
        return self._fetcher.download_bytes(url, length)

    def _load_local_metadata(self, rolename: str) -> bytes: