]> git.saurik.com Git - apt.git/commitdiff
projects / apt.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 18cce39)
add a testcase to check for forbidden https→http downgrades
authorDavid Kalnischkies <david@kalnischkies.de>
Fri, 14 Feb 2014 17:59:46 +0000 (18:59 +0100)
committerDavid Kalnischkies <david@kalnischkies.de>
Fri, 14 Feb 2014 21:25:30 +0000 (22:25 +0100)
Git-Dch: Ignore

methods/https.cc patch | blob | blame | history
test/integration/framework patch | blob | blame | history
test/integration/test-bug-738785-switch-protocol patch | blob | blame | history

diff --git a/methods/https.cc b/methods/https.cc
index 9422df2f0d506741aa254f6c85bebc15efebfb39..e713be19fdc5b5c8bb68003df7d1ee2d8b86175b 100644 (file)
--- a/methods/https.cc
+++ b/methods/https.cc
@@ -188,7 +188,8 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
    // options
    curl_easy_setopt(curl, CURLOPT_NOPROGRESS, false);
    curl_easy_setopt(curl, CURLOPT_FILETIME, true);
    // options
    curl_easy_setopt(curl, CURLOPT_NOPROGRESS, false);
    curl_easy_setopt(curl, CURLOPT_FILETIME, true);
-   // only allow redirects to https
+   // only allow curl to handle https, not the other stuff it supports
+   curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
    curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
 
    // SSL parameters are set by default to the common (non mirror-specific) value
    curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
 
    // SSL parameters are set by default to the common (non mirror-specific) value
diff --git a/test/integration/framework b/test/integration/framework
index e4f0184726e98b1abc560c204558e5be922b99bd..08d796a108ffd8fe25cec824cdab45ae63def143 100644 (file)
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -1119,7 +1119,7 @@ testfailure() {
        if [ "$1" = '--nomsg' ]; then
                shift
        else
        if [ "$1" = '--nomsg' ]; then
                shift
        else
-               msgtest 'Test for failure in  execution of' "$*"
+               msgtest 'Test for failure in execution of' "$*"
        fi
        local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testfailure.output"
        if $@ >${OUTPUT} 2>&1; then
        fi
        local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testfailure.output"
        if $@ >${OUTPUT} 2>&1; then
diff --git a/test/integration/test-bug-738785-switch-protocol b/test/integration/test-bug-738785-switch-protocol
index b51be244a0005dedfd1a8d0dd733ae25578672e6..1e5748eae12048acd152ded4b76ad5e2dbe1b524 100755 (executable)
--- a/test/integration/test-bug-738785-switch-protocol
+++ b/test/integration/test-bug-738785-switch-protocol
@@ -12,6 +12,7 @@ buildsimplenativepackage 'apt' 'all' '1.0' 'stable'
 # setup http redirecting to https
 setupaptarchive --no-update
 changetowebserver -o 'aptwebserver::redirect::replace::/redirectme/=https://localhost:4433/' \
 # setup http redirecting to https
 setupaptarchive --no-update
 changetowebserver -o 'aptwebserver::redirect::replace::/redirectme/=https://localhost:4433/' \
+       -o 'aptwebserver::redirect::replace::/downgrademe/=http://localhost:8080/' \
        -o 'aptwebserver::support::http=false'
 changetohttpswebserver
 sed -i -e 's#:4433/#:8080/redirectme#' -e 's# https:# http:#' rootdir/etc/apt/sources.list.d/*
        -o 'aptwebserver::support::http=false'
 changetohttpswebserver
 sed -i -e 's#:4433/#:8080/redirectme#' -e 's# https:# http:#' rootdir/etc/apt/sources.list.d/*
@@ -38,7 +39,7 @@ testdpkginstalled 'apt'
 # create a copy of all methods, expect https
 eval `aptconfig shell METHODS Dir::Bin::Methods/d`
 COPYMETHODS='usr/lib/apt/methods'
 # create a copy of all methods, expect https
 eval `aptconfig shell METHODS Dir::Bin::Methods/d`
 COPYMETHODS='usr/lib/apt/methods'
-rm rootdir/$COPYMETHODS
+mv rootdir/${COPYMETHODS} rootdir/${COPYMETHODS}.bak
 mkdir -p rootdir/$COPYMETHODS
 cd rootdir/$COPYMETHODS
 find $METHODS \! -type d | while read meth; do
 mkdir -p rootdir/$COPYMETHODS
 cd rootdir/$COPYMETHODS
 find $METHODS \! -type d | while read meth; do
@@ -51,3 +52,12 @@ echo "Dir::Bin::Methods \"${COPYMETHODS}\";" >> aptconfig.conf
 testequal "E: The method driver $(pwd)/rootdir/usr/lib/apt/methods/https could not be found.
 N: Is the package apt-transport-https installed?" aptget download apt -q=0
 testsuccess test ! -e apt_1.0_all.deb
 testequal "E: The method driver $(pwd)/rootdir/usr/lib/apt/methods/https could not be found.
 N: Is the package apt-transport-https installed?" aptget download apt -q=0
 testsuccess test ! -e apt_1.0_all.deb
+
+# revert to all methods
+rm -rf rootdir/$COPYMETHODS
+mv rootdir/${COPYMETHODS}.bak rootdir/${COPYMETHODS}
+
+# check that downgrades from https to http are not allowed
+webserverconfig 'aptwebserver::support::http' 'true'
+sed -i -e 's#:8080/redirectme#:4433/downgrademe#' -e 's# http:# https:#' rootdir/etc/apt/sources.list.d/*
+testfailure aptget update
APT (for Cydia)