From a0cb100cd86c00e495debc253bab1eff27a25cd7 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Wed, 22 Sep 2021 12:52:36 +0300 Subject: [PATCH] ngclient: Do not use urljoin to form metadata URL urljoin considers the second URL to override the base URL if the second one contains e.g. hostname: this could lead to ngclient downloading from the wrong host entirely. Doing that would not compromise the security of the system as the metadata would still need to be verified, but would definitely be unexpected and a bug. Note that we're still not encoding the rolename, it's just inserted into the URL as is. Signed-off-by: Jussi Kukkonen --- tuf/ngclient/updater.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tuf/ngclient/updater.py b/tuf/ngclient/updater.py index 424a74e2..31772ca1 100644 --- a/tuf/ngclient/updater.py +++ b/tuf/ngclient/updater.py @@ -278,10 +278,9 @@ def _download_metadata( ) -> bytes: """Download a metadata file and return it as bytes""" if version is None: - filename = f"{rolename}.json" + url = f"{self._metadata_base_url}{rolename}.json" else: - filename = f"{version}.{rolename}.json" - url = parse.urljoin(self._metadata_base_url, filename) + url = f"{self._metadata_base_url}{version}.{rolename}.json" return self._fetcher.download_bytes(url, length) def _load_local_metadata(self, rolename: str) -> bytes: