author: Faidon Liambotis <paravoid@debian.org> 2020-12-23 01:23:22 +0200
committer: Faidon Liambotis <paravoid@debian.org> 2020-12-23 01:23:22 +0200
commit: 570861fc55ba38c1092fac1d555111bab4577b49
tree: 812aa2c994aa3a4e73ad1d34e9f3551e8004ac94 /COPYING
parent: 06ec0067057e0578f3bc515f6a97d6a9d70824f6
basehttp: also consider Access when a Server's URI
ServerState->Comp() is used by the HTTP methods main loop to check whether a connection can be reused, or whether a new one is needed. Unfortunately, the current implementation only compares the Host and Port between the ServerState's internal URI, with a new URI.

However these are URIs, and therefore Port is 0 when a URI port is not specified, i.e. in the most common configurations. As a result, a ServerState for http://example.org/... will be reused for URIs of the form https://example.org/..., as both Host (example.org) and Port (0) match. In turn this means that GET requests will happen over port 80, in cleartext, even for those https URLs (!).

URI Acquires for an http URI and subsequently for an https one, in the same aptmethod session, do not typically happen with apt as the frontend, as apt opens a new pipe with the "https" aptmethod binary (nowadays a symlink to http), which is why this hasn't been a problem in practice and has eluded detection so far. It does happen in the wild with other frontends (e.g. reprepro), plus is legitimately an odd and surprising behavior on apt's end.

Therefore add a comparison for the URI's "Access" (= the scheme) in addition to Host and Port, to ensure that we're not reusing the same state for multiple different schemes.
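The comparison the commit message describes, reproduced as an added C++ illustration that is not apt's own code: a stand-in `SimpleURI` carrying only the `Access`, `Host` and `Port` fields, the Host/Port-only check beside the one that also compares `Access`, and a hypothetical `ParseURI` helper to feed them; `WouldHaveBeenReused` reports the case where the old check merges states that the fixed one keeps apart.

```cpp
#include <string>
#include <cstdlib>

// Minimal stand-in for the URI fields that matter here (illustration only,
// not apt's own URI class).
struct SimpleURI {
    std::string Access;  // the scheme, e.g. "http" or "https"
    std::string Host;
    unsigned int Port;   // 0 when the URI does not spell out a port
};

// Constructed helper: parses "scheme://host[:port]/..." into the fields above.
// It handles only the shape needed for this example.
SimpleURI ParseURI(const std::string &uri) {
    SimpleURI u{"", "", 0};
    std::string::size_type schemeEnd = uri.find("://");
    if (schemeEnd == std::string::npos) return u;
    u.Access = uri.substr(0, schemeEnd);
    std::string::size_type hostStart = schemeEnd + 3;
    std::string::size_type hostEnd = uri.find('/', hostStart);
    std::string authority = (hostEnd == std::string::npos)
        ? uri.substr(hostStart)
        : uri.substr(hostStart, hostEnd - hostStart);
    std::string::size_type colon = authority.find(':');
    if (colon == std::string::npos) {
        u.Host = authority;  // no explicit port: Port stays 0
    } else {
        u.Host = authority.substr(0, colon);
        u.Port = static_cast<unsigned int>(
            std::strtoul(authority.c_str() + colon + 1, nullptr, 10));
    }
    return u;
}

// Pre-fix behaviour as described: only Host and Port are compared, so two URIs
// that differ only in scheme compare equal and one connection state is reused.
bool CompHostPortOnly(const SimpleURI &a, const SimpleURI &b) {
    return a.Host == b.Host && a.Port == b.Port;
}

// Post-fix behaviour: the scheme (Access) takes part in the comparison too.
bool CompWithAccess(const SimpleURI &a, const SimpleURI &b) {
    return a.Access == b.Access && a.Host == b.Host && a.Port == b.Port;
}

// True when the old comparison would have reused a state across schemes
// that the fixed comparison now keeps separate.
bool WouldHaveBeenReused(const std::string &first, const std::string &second) {
    SimpleURI a = ParseURI(first), b = ParseURI(second);
    return CompHostPortOnly(a, b) && !CompWithAccess(a, b);
}
```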
Diffstat (limited to 'COPYING')
0 files changed, 0 insertions, 0 deletions