disable https->http redirects in libcurl

This change prevents changing the protocol from https to http.

diff --git a/methods/https.cc b/methods/https.cc
index d97fddf9ef92b9279c516feb49be378a9e94cf54..9422df2f0d506741aa254f6c85bebc15efebfb39 100644 (file)
--- a/methods/https.cc
+++ b/methods/https.cc
@@ -185,8 +185,11 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
    curl_easy_setopt(curl, CURLOPT_WRITEDATA, this);
    curl_easy_setopt(curl, CURLOPT_PROGRESSFUNCTION, progress_callback);
    curl_easy_setopt(curl, CURLOPT_PROGRESSDATA, this);
+   // options
    curl_easy_setopt(curl, CURLOPT_NOPROGRESS, false);
    curl_easy_setopt(curl, CURLOPT_FILETIME, true);
+   // only allow redirects to https
+   curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
 
    // SSL parameters are set by default to the common (non mirror-specific) value
    // if available (or a default one) and gets overload by mirror-specific ones.

diff --git a/test/integration/framework b/test/integration/framework
index f3699861b6033952122a3c981f1f09aafff29b35..e4f0184726e98b1abc560c204558e5be922b99bd 100644 (file)
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -901,7 +901,7 @@ changetohttpswebserver() {
                msgdie 'You need to install stunnel4 for https testcases'
        fi
        if [ ! -e "${TMPWORKINGDIRECTORY}/aptarchive/aptwebserver.pid" ]; then
-               changetowebserver --no-rewrite
+               changetowebserver --no-rewrite "$@"
        fi
        echo "pid = ${TMPWORKINGDIRECTORY}/aptarchive/stunnel.pid
 cert = ${TESTDIRECTORY}/apt.pem

diff --git a/test/integration/test-apt-https-no-redirect b/test/integration/test-apt-https-no-redirect
new file mode 100755 (executable)
index 0000000..c405d11
--- /dev/null
+++ b/test/integration/test-apt-https-no-redirect
@@ -0,0 +1,24 @@
+#!/bin/sh
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "i386"
+
+buildsimplenativepackage 'apt' 'all' '1.0' 'stable'
+setupaptarchive --no-update
+
+changetohttpswebserver  -o 'aptwebserver::redirect::replace::/redirectme/=http://localhost:8080/'
+
+msgtest 'normal http download works'
+downloadfile 'http://localhost:8080/pool/apt_1.0/changelog' changelog2 >/dev/null 2>/dev/null && msgpass || msgfail
+
+msgtest 'normal https download works'
+downloadfile 'https://localhost:4433/pool/apt_1.0/changelog' changelog >/dev/null 2>/dev/null && msgpass || msgfail
+
+msgtest 'redirecting https to http does not work'
+downloadfile 'https://localhost:4433/redirectme/pool/apt_1.0/changelog' changelog3 2>&1 | grep "Protocol http not supported or disabled in libcurl" > /dev/null && msgpass
+
+

diff --git a/test/integration/test-bug-738785-switch-protocol b/test/integration/test-bug-738785-switch-protocol
index d3469f34f6377bc12c8fb6d2221a5f1c9e6f1ffe..bc3c6dbadf9c76e60bc1efce37f7492c0a6f5d14 100755 (executable)
--- a/test/integration/test-bug-738785-switch-protocol
+++ b/test/integration/test-bug-738785-switch-protocol
@@ -19,7 +19,7 @@ sed -i -e 's#:4433/#:8080/redirectme#' -e 's# https:# http:#' rootdir/etc/apt/so
 testsuccess aptget update -o Debug::Acquire::http=1 -o Debug::Acquire::https=1 -o Debug::pkgAcquire::Worker=1
 
 msgtest 'Test that the webserver does not answer' 'http requests'
-downloadfile 'http://localhost:8080//pool/apt_1.0/changelog' >/dev/null 2>&1 && msgfail || msgpass
+downloadfile 'http://localhost:8080/pool/apt_1.0/changelog' changelog >/dev/null 2>&1 && msgfail || msgpass
 
 echo 'Apt::Changelogs::Server "http://localhost:8080/redirectme";' > rootdir/etc/apt/apt.conf.d/changelog.conf
 testequal "'http://localhost:8080/redirectme/pool/apt_1.0/changelog'" aptget changelog apt --print-uris