From: Michael Vogt Date: Fri, 14 Feb 2014 16:11:07 +0000 (+0100) Subject: disable https->http redirects in libcurl X-Git-Tag: 0.9.15.3~15 X-Git-Url: https://git.saurik.com/apt.git/commitdiff_plain/dc95fee18e8df2b00404c7d0f321f5b78e00f170 disable https->http redirects in libcurl This change prevents changing the protocol from https to http. --- diff --git a/methods/https.cc b/methods/https.cc index d97fddf9e..9422df2f0 100644 --- a/methods/https.cc +++ b/methods/https.cc @@ -185,8 +185,11 @@ bool HttpsMethod::Fetch(FetchItem *Itm) curl_easy_setopt(curl, CURLOPT_WRITEDATA, this); curl_easy_setopt(curl, CURLOPT_PROGRESSFUNCTION, progress_callback); curl_easy_setopt(curl, CURLOPT_PROGRESSDATA, this); + // options curl_easy_setopt(curl, CURLOPT_NOPROGRESS, false); curl_easy_setopt(curl, CURLOPT_FILETIME, true); + // only allow redirects to https + curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS); // SSL parameters are set by default to the common (non mirror-specific) value // if available (or a default one) and gets overload by mirror-specific ones. diff --git a/test/integration/framework b/test/integration/framework index f3699861b..e4f018472 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -901,7 +901,7 @@ changetohttpswebserver() { msgdie 'You need to install stunnel4 for https testcases' fi if [ ! -e "${TMPWORKINGDIRECTORY}/aptarchive/aptwebserver.pid" ]; then - changetowebserver --no-rewrite + changetowebserver --no-rewrite "$@" fi echo "pid = ${TMPWORKINGDIRECTORY}/aptarchive/stunnel.pid cert = ${TESTDIRECTORY}/apt.pem diff --git a/test/integration/test-apt-https-no-redirect b/test/integration/test-apt-https-no-redirect new file mode 100755 index 000000000..c405d1167 --- /dev/null +++ b/test/integration/test-apt-https-no-redirect @@ -0,0 +1,24 @@ +#!/bin/sh +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture "i386" + +buildsimplenativepackage 'apt' 'all' '1.0' 'stable' +setupaptarchive --no-update + +changetohttpswebserver -o 'aptwebserver::redirect::replace::/redirectme/=http://localhost:8080/' + +msgtest 'normal http download works' +downloadfile 'http://localhost:8080/pool/apt_1.0/changelog' changelog2 >/dev/null 2>/dev/null && msgpass || msgfail + +msgtest 'normal https download works' +downloadfile 'https://localhost:4433/pool/apt_1.0/changelog' changelog >/dev/null 2>/dev/null && msgpass || msgfail + +msgtest 'redirecting https to http does not work' +downloadfile 'https://localhost:4433/redirectme/pool/apt_1.0/changelog' changelog3 2>&1 | grep "Protocol http not supported or disabled in libcurl" > /dev/null && msgpass + + diff --git a/test/integration/test-bug-738785-switch-protocol b/test/integration/test-bug-738785-switch-protocol index d3469f34f..bc3c6dbad 100755 --- a/test/integration/test-bug-738785-switch-protocol +++ b/test/integration/test-bug-738785-switch-protocol @@ -19,7 +19,7 @@ sed -i -e 's#:4433/#:8080/redirectme#' -e 's# https:# http:#' rootdir/etc/apt/so testsuccess aptget update -o Debug::Acquire::http=1 -o Debug::Acquire::https=1 -o Debug::pkgAcquire::Worker=1 msgtest 'Test that the webserver does not answer' 'http requests' -downloadfile 'http://localhost:8080//pool/apt_1.0/changelog' >/dev/null 2>&1 && msgfail || msgpass +downloadfile 'http://localhost:8080/pool/apt_1.0/changelog' changelog >/dev/null 2>&1 && msgfail || msgpass echo 'Apt::Changelogs::Server "http://localhost:8080/redirectme";' > rootdir/etc/apt/apt.conf.d/changelog.conf testequal "'http://localhost:8080/redirectme/pool/apt_1.0/changelog'" aptget changelog apt --print-uris