add a testcase to check for forbidden https→http downgrades
[apt.git] / methods / https.cc
index 9422df2f0d506741aa254f6c85bebc15efebfb39..e713be19fdc5b5c8bb68003df7d1ee2d8b86175b 100644 (file)
@@ -188,7 +188,8 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
    // options
    curl_easy_setopt(curl, CURLOPT_NOPROGRESS, false);
    curl_easy_setopt(curl, CURLOPT_FILETIME, true);
-   // only allow redirects to https
+   // only allow curl to handle https, not the other stuff it supports
+   curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
    curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
 
    // SSL parameters are set by default to the common (non mirror-specific) value
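Review bot: The return values of the two protocol-restricting calls (`CURLOPT_PROTOCOLS` and `CURLOPT_REDIR_PROTOCOLS`) are discarded, so if the linked libcurl rejects either option the transfer would presumably go ahead without the https-only limit this change relies on. Failing closed is safer, e.g. `if (curl_easy_setopt(curl, CURLOPT_PROTOCOLS, (long)CURLPROTO_HTTPS) != CURLE_OK) return false;` and the same for the redirect option; whether a bare `return false` is the right error path depends on the rest of `Fetch`, which continues outside this hunk. The `(long)` cast matters too: libcurl documents both options as taking a `long` bitmask, and the macro is passed through varargs as an `int`. A short comment on the `CURLOPT_REDIR_PROTOCOLS` line, such as `// and never follow a redirect away from https`, would keep the downgrade protection visible now that the old comment is gone.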