disable https->http redirects in libcurl
authorMichael Vogt <mvo@debian.org>
Fri, 14 Feb 2014 16:11:07 +0000 (17:11 +0100)
committerMichael Vogt <mvo@debian.org>
Fri, 14 Feb 2014 18:10:47 +0000 (19:10 +0100)
This change prevents a redirect from changing the protocol from https to http.

methods/https.cc
test/integration/framework
test/integration/test-apt-https-no-redirect [new file with mode: 0755]
test/integration/test-bug-738785-switch-protocol

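--- a/methods/https.cc
+++ b/methods/https.cc
@@ -185,8 +185,11 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
    curl_easy_setopt(curl, CURLOPT_WRITEDATA, this);
    curl_easy_setopt(curl, CURLOPT_PROGRESSFUNCTION, progress_callback);
    curl_easy_setopt(curl, CURLOPT_PROGRESSDATA, this);
+   // options
    curl_easy_setopt(curl, CURLOPT_NOPROGRESS, false);
    curl_easy_setopt(curl, CURLOPT_FILETIME, true);
+   // only allow redirects to https
+   curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
 
    // SSL parameters are set by default to the common (non mirror-specific) value
    // if available (or a default one) and gets overload by mirror-specific ones.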
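Review bot: The return value of the added `curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS)` is discarded, so if libcurl rejects the option the fetch carries on with libcurl's default redirect protocols and the https-only guarantee is lost silently. Because this line is where the policy is enforced, a failure should abort the fetch, for example `if (curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, (long)CURLPROTO_HTTPS) != CURLE_OK) return false;` (the option takes a long bitmask, hence the cast). The comment could also state the reason, e.g. `// never follow a redirect that leaves TLS (https -> http downgrade)`. Fetch starts and ends outside this hunk, so how the error is reported to the user has to be decided against the rest of the function.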
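--- a/test/integration/framework
+++ b/test/integration/framework
@@ -901,7 +901,7 @@ changetohttpswebserver() {
                msgdie 'You need to install stunnel4 for https testcases'
        fi
        if [ ! -e "${TMPWORKINGDIRECTORY}/aptarchive/aptwebserver.pid" ]; then
-               changetowebserver --no-rewrite
+               changetowebserver --no-rewrite "$@"
        fi
        echo "pid = ${TMPWORKINGDIRECTORY}/aptarchive/stunnel.pid
 cert = ${TESTDIRECTORY}/apt.pem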
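Review bot: The forwarded `"$@"` only reaches `changetowebserver` inside the `if [ ! -e "${TMPWORKINGDIRECTORY}/aptarchive/aptwebserver.pid" ]` branch, so options given to `changetohttpswebserver` are dropped without any message when a webserver is already running. A test that relies on such an option, like the redirect rule used by the new https test, would then run against a server without it and could pass for the wrong reason. Either document this above the branch with `# "$@" is only honoured when no aptwebserver is running yet`, or fail when arguments are given and the pid file already exists. The function starts and ends outside this hunk.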
diff --git a/test/integration/test-apt-https-no-redirect b/test/integration/test-apt-https-no-redirect
new file mode 100755 (executable)
index 0000000..c405d11
--- /dev/null
@@ -0,0 +1,24 @@
+#!/bin/sh
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "i386"
+
+buildsimplenativepackage 'apt' 'all' '1.0' 'stable'
+setupaptarchive --no-update
+
+changetohttpswebserver  -o 'aptwebserver::redirect::replace::/redirectme/=http://localhost:8080/'
+
+msgtest 'normal http download works'
+downloadfile 'http://localhost:8080/pool/apt_1.0/changelog' changelog2 >/dev/null 2>/dev/null && msgpass || msgfail
+
+msgtest 'normal https download works'
+downloadfile 'https://localhost:4433/pool/apt_1.0/changelog' changelog >/dev/null 2>/dev/null && msgpass || msgfail
+
+msgtest 'redirecting https to http does not work'
+downloadfile 'https://localhost:4433/redirectme/pool/apt_1.0/changelog' changelog3 2>&1 | grep "Protocol http not supported or disabled in libcurl" > /dev/null && msgpass
+
+
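Review bot: The last check, the one that guards the downgrade protection, ends in `&& msgpass` with no `|| msgfail`, unlike the two checks above it, so when the grep does not match nothing is reported as a failed test. It also depends on the exact libcurl wording `Protocol http not supported or disabled in libcurl` and never looks at whether `changelog3` was written. Ending the pipeline with `> /dev/null && msgpass || msgfail` and adding a separate assertion that `changelog3` does not exist after the call would make a followed redirect show up as a failure regardless of the message text.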
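--- a/test/integration/test-bug-738785-switch-protocol
+++ b/test/integration/test-bug-738785-switch-protocol
@@ -19,7 +19,7 @@ sed -i -e 's#:4433/#:8080/redirectme#' -e 's# https:# http:#' rootdir/etc/apt/so
 testsuccess aptget update -o Debug::Acquire::http=1 -o Debug::Acquire::https=1 -o Debug::pkgAcquire::Worker=1
 
 msgtest 'Test that the webserver does not answer' 'http requests'
-downloadfile 'http://localhost:8080//pool/apt_1.0/changelog' >/dev/null 2>&1 && msgfail || msgpass
+downloadfile 'http://localhost:8080/pool/apt_1.0/changelog' changelog >/dev/null 2>&1 && msgfail || msgpass
 
 echo 'Apt::Changelogs::Server "http://localhost:8080/redirectme";' > rootdir/etc/apt/apt.conf.d/changelog.conf
 testequal "'http://localhost:8080/redirectme/pool/apt_1.0/changelog'" aptget changelog apt --print-uris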