diff options
author | David Kalnischkies <david@kalnischkies.de> | 2014-02-14 18:59:46 +0100 |
---|---|---|
committer | David Kalnischkies <david@kalnischkies.de> | 2014-02-14 22:25:30 +0100 |
commit | 755d1e4f94f3a862adc951d3732c661906cd555d (patch) | |
tree | e246f02f0a34d154ba455aa92b86203893d2d321 | |
parent | 18cce3980f34dc33f9c798204a344a8c1e4de6ba (diff) |
add a testcase to check for forbidden https→http downgrades
Git-Dch: Ignore
-rw-r--r-- | methods/https.cc | 3 | ||||
-rw-r--r-- | test/integration/framework | 2 | ||||
-rwxr-xr-x | test/integration/test-bug-738785-switch-protocol | 12 |
3 files changed, 14 insertions, 3 deletions
diff --git a/methods/https.cc b/methods/https.cc index 9422df2f0..e713be19f 100644 --- a/methods/https.cc +++ b/methods/https.cc @@ -188,7 +188,8 @@ bool HttpsMethod::Fetch(FetchItem *Itm) // options curl_easy_setopt(curl, CURLOPT_NOPROGRESS, false); curl_easy_setopt(curl, CURLOPT_FILETIME, true); - // only allow redirects to https + // only allow curl to handle https, not the other stuff it supports + curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS); curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS); // SSL parameters are set by default to the common (non mirror-specific) value diff --git a/test/integration/framework b/test/integration/framework index e4f018472..08d796a10 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -1119,7 +1119,7 @@ testfailure() { if [ "$1" = '--nomsg' ]; then shift else - msgtest 'Test for failure in execution of' "$*" + msgtest 'Test for failure in execution of' "$*" fi local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testfailure.output" if $@ >${OUTPUT} 2>&1; then diff --git a/test/integration/test-bug-738785-switch-protocol b/test/integration/test-bug-738785-switch-protocol index b51be244a..1e5748eae 100755 --- a/test/integration/test-bug-738785-switch-protocol +++ b/test/integration/test-bug-738785-switch-protocol @@ -12,6 +12,7 @@ buildsimplenativepackage 'apt' 'all' '1.0' 'stable' # setup http redirecting to https setupaptarchive --no-update changetowebserver -o 'aptwebserver::redirect::replace::/redirectme/=https://localhost:4433/' \ + -o 'aptwebserver::redirect::replace::/downgrademe/=http://localhost:8080/' \ -o 'aptwebserver::support::http=false' changetohttpswebserver sed -i -e 's#:4433/#:8080/redirectme#' -e 's# https:# http:#' rootdir/etc/apt/sources.list.d/* @@ -38,7 +39,7 @@ testdpkginstalled 'apt' # create a copy of all methods, expect https eval `aptconfig shell METHODS Dir::Bin::Methods/d` COPYMETHODS='usr/lib/apt/methods' -rm rootdir/$COPYMETHODS +mv rootdir/${COPYMETHODS} rootdir/${COPYMETHODS}.bak mkdir -p rootdir/$COPYMETHODS cd rootdir/$COPYMETHODS find $METHODS \! -type d | while read meth; do @@ -51,3 +52,12 @@ echo "Dir::Bin::Methods \"${COPYMETHODS}\";" >> aptconfig.conf testequal "E: The method driver $(pwd)/rootdir/usr/lib/apt/methods/https could not be found. N: Is the package apt-transport-https installed?" aptget download apt -q=0 testsuccess test ! -e apt_1.0_all.deb + +# revert to all methods +rm -rf rootdir/$COPYMETHODS +mv rootdir/${COPYMETHODS}.bak rootdir/${COPYMETHODS} + +# check that downgrades from https to http are not allowed +webserverconfig 'aptwebserver::support::http' 'true' +sed -i -e 's#:8080/redirectme#:4433/downgrademe#' -e 's# http:# https:#' rootdir/etc/apt/sources.list.d/* +testfailure aptget update |