diff options
author | Faidon Liambotis <paravoid@debian.org> | 2020-12-23 01:23:22 +0200 |
---|---|---|
committer | Faidon Liambotis <paravoid@debian.org> | 2020-12-23 01:23:22 +0200 |
commit | 570861fc55ba38c1092fac1d555111bab4577b49 (patch) | |
tree | 812aa2c994aa3a4e73ad1d34e9f3551e8004ac94 /cmdline/apt-internal-planner.cc | |
parent | 06ec0067057e0578f3bc515f6a97d6a9d70824f6 (diff) |
basehttp: also consider Access when a Server's URI
ServerState->Comp() is used by the HTTP methods main loop to check
whether a connection can be reused, or whether a new one is needed.
Unfortunately, the currently implementation only compares the Host and
Port between the ServerState's internal URI, with a new URI. However
these are URIs, and therefore Port is 0 when a URI port is not
specificied, i.e. in the most common configurations.
As a result, a ServerState for http://example.org/... will be reused for
URIs of the form https://example.org/..., as both Host (example.org) and
Port (0) match. In turn this means that GET requests will happen over
port 80, in cleartext, even for those https URLs(!).
URI Acquires for an http URI and subsequently for an https one, in the
same aptmethod session, do not typically happen with apt as the
frontend, as apt opens a new pipe with the "https" aptmethod binary
(nowadays a symlink to http), which is why this hasn't been a problem in
practice and has eluded detection so far. It does happen in the wild
with other frontends (e.g. reprepro), plus is legitimately an odd and
surprising behavior on apt's end.
Therefore add a comparison for the URI's "Access" (= the scheme) in
addition to Host and Port, to ensure that we're not reusing the same
state for multiple different schemes.
Diffstat (limited to 'cmdline/apt-internal-planner.cc')
0 files changed, 0 insertions, 0 deletions