authorDavid Kalnischkies <david@kalnischkies.de>2014-02-14 18:59:46 +0100
committerDavid Kalnischkies <david@kalnischkies.de>2014-02-14 22:25:30 +0100
commit755d1e4f94f3a862adc951d3732c661906cd555d (patch)
treee246f02f0a34d154ba455aa92b86203893d2d321
parent18cce3980f34dc33f9c798204a344a8c1e4de6ba (diff)
add a testcase to check for forbidden https→http downgrades
Git-Dch: Ignore
-rw-r--r--methods/https.cc3
-rw-r--r--test/integration/framework2
-rwxr-xr-xtest/integration/test-bug-738785-switch-protocol12
3 files changed, 14 insertions, 3 deletions
diff --git a/methods/https.cc b/methods/https.cc
index 9422df2f0..e713be19f 100644
--- a/methods/https.cc
+++ b/methods/https.cc
@@ -188,7 +188,8 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
// options
curl_easy_setopt(curl, CURLOPT_NOPROGRESS, false);
curl_easy_setopt(curl, CURLOPT_FILETIME, true);
- // only allow redirects to https
+ // only allow curl to handle https, not the other stuff it supports
+ curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
// SSL parameters are set by default to the common (non mirror-specific) value
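Review bot: The return value of the added `curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS)` is discarded, as is that of the `CURLOPT_REDIR_PROTOCOLS` call after it, so if libcurl rejects either option the transfer would presumably go ahead with curl's default protocol set and the https-only restriction would be lost without any error. Because this restriction is the security control the commit relies on, I would fail the fetch when either call returns something other than `CURLE_OK`, e.g. `if (curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS) != CURLE_OK) return false;`, reporting the error through whatever path Fetch already uses. The rewritten comment also no longer mentions redirects; a line such as `// restrict both the initial request and any redirect to https` above the two calls would keep that intent visible. Fetch's body begins and ends outside this hunk.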
diff --git a/test/integration/framework b/test/integration/framework
index e4f018472..08d796a10 100644
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -1119,7 +1119,7 @@ testfailure() {
if [ "$1" = '--nomsg' ]; then
shift
else
- msgtest 'Test for failure in execution of' "$*"
+ msgtest 'Test for failure in execution of' "$*"
fi
local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testfailure.output"
if $@ >${OUTPUT} 2>&1; then
diff --git a/test/integration/test-bug-738785-switch-protocol b/test/integration/test-bug-738785-switch-protocol
index b51be244a..1e5748eae 100755
--- a/test/integration/test-bug-738785-switch-protocol
+++ b/test/integration/test-bug-738785-switch-protocol
@@ -12,6 +12,7 @@ buildsimplenativepackage 'apt' 'all' '1.0' 'stable'
# setup http redirecting to https
setupaptarchive --no-update
changetowebserver -o 'aptwebserver::redirect::replace::/redirectme/=https://localhost:4433/' \
+ -o 'aptwebserver::redirect::replace::/downgrademe/=http://localhost:8080/' \
-o 'aptwebserver::support::http=false'
changetohttpswebserver
sed -i -e 's#:4433/#:8080/redirectme#' -e 's# https:# http:#' rootdir/etc/apt/sources.list.d/*
@@ -38,7 +39,7 @@ testdpkginstalled 'apt'
# create a copy of all methods, expect https
eval `aptconfig shell METHODS Dir::Bin::Methods/d`
COPYMETHODS='usr/lib/apt/methods'
-rm rootdir/$COPYMETHODS
+mv rootdir/${COPYMETHODS} rootdir/${COPYMETHODS}.bak
mkdir -p rootdir/$COPYMETHODS
cd rootdir/$COPYMETHODS
find $METHODS \! -type d | while read meth; do
@@ -51,3 +52,12 @@ echo "Dir::Bin::Methods \"${COPYMETHODS}\";" >> aptconfig.conf
testequal "E: The method driver $(pwd)/rootdir/usr/lib/apt/methods/https could not be found.
N: Is the package apt-transport-https installed?" aptget download apt -q=0
testsuccess test ! -e apt_1.0_all.deb
+
+# revert to all methods
+rm -rf rootdir/$COPYMETHODS
+mv rootdir/${COPYMETHODS}.bak rootdir/${COPYMETHODS}
+
+# check that downgrades from https to http are not allowed
+webserverconfig 'aptwebserver::support::http' 'true'
+sed -i -e 's#:8080/redirectme#:4433/downgrademe#' -e 's# http:# https:#' rootdir/etc/apt/sources.list.d/*
+testfailure aptget update
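Review bot: The final `testfailure aptget update` only asserts a non-zero exit, so it passes for any failure at all, not just a refused https→http redirect. The block directly above provokes a "method driver … could not be found" failure on purpose, and if the `mv` restore of the methods directory or the `sed` rewrite of the sources did not take effect, this check would still be green while the downgrade protection goes untested. I would also assert the reason for the failure, for example by checking the captured output that testfailure writes to `rootdir/tmp/testfailure.output` with something like `testsuccess grep -i 'protocol' rootdir/tmp/testfailure.output` (pattern to be adjusted to the actual error text). A short comment such as `# must fail because the redirect target is http, not for any other reason` would document the intent.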