From f9b4f12d65b827612b29071f05d605bc05fa62bd Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Thu, 13 Feb 2014 23:38:28 +0100 Subject: report https download start only if we really get it Reporting it via progress means that e.g. a redirect will trigger it, too, so you get a Get & Hit while http only reports a Hit as it should be. --- methods/https.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'methods') diff --git a/methods/https.cc b/methods/https.cc index 146b2bfb8..d97fddf9e 100644 --- a/methods/https.cc +++ b/methods/https.cc @@ -75,6 +75,8 @@ HttpsMethod::write_data(void *buffer, size_t size, size_t nmemb, void *userp) { HttpsMethod *me = (HttpsMethod *)userp; + if (me->Res.Size == 0) + me->URIStart(me->Res); if(me->File->Write(buffer, size*nmemb) != true) return false; @@ -88,7 +90,6 @@ HttpsMethod::progress_callback(void *clientp, double dltotal, double dlnow, HttpsMethod *me = (HttpsMethod *)clientp; if(dltotal > 0 && me->Res.Size == 0) { me->Res.Size = (unsigned long long)dltotal; - me->URIStart(me->Res); } return 0; } -- cgit v1.2.3 From 9082a1fc7be02f58cbe18a34539c6a3436463dd0 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Fri, 14 Feb 2014 00:30:58 +0100 Subject: allow http protocol to switch to https switch protocols at random is a bad idea if e.g. http can switch to file, so we limit the possibilities to http to http and http to https. As very few people (less than 1% according to popcon) have https installed this likely changes nothing in terms of failure. The commit is adding a friendly hint which package needs to be installed though. --- methods/server.cc | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'methods') diff --git a/methods/server.cc b/methods/server.cc index 76faa7e7f..6dd3970a6 100644 --- a/methods/server.cc +++ b/methods/server.cc 
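Review bot: In `HttpsMethod::write_data` (methods/https.cc, first hunk) the test `me->Res.Size == 0` is used as a "not started yet" flag, but as far as these hunks show `Res.Size` is only assigned in `progress_callback`, and only when `dltotal > 0`. If libcurl calls the progress callback with a known total before the first write, `URIStart` is never sent. If the total stays unknown (for example a response without Content-Length), `Res.Size` presumably remains 0 and `URIStart` is sent again for every chunk. A dedicated per-transfer boolean, reset where the transfer is set up, would decouple the two: `if (!me->Started) { me->URIStart(me->Res); me->Started = true; }` (`Started` is a placeholder name, not a member shown on this page). The body of `write_data` continues past the end of the hunk.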
@@ -291,11 +291,15 @@ ServerMethod::DealWithHeaders(FetchResult &Res) } else { - NextURI = DeQuoteString(Server->Location); - URI tmpURI = NextURI; - // Do not allow a redirection to switch protocol - if (tmpURI.Access == "http") - return TRY_AGAIN_OR_REDIRECT; + NextURI = DeQuoteString(Server->Location); + URI tmpURI = NextURI; + URI Uri = Queue->Uri; + // same protocol redirects are okay + if (tmpURI.Access == Uri.Access) + return TRY_AGAIN_OR_REDIRECT; + // as well as http to https + else if (Uri.Access == "http" && tmpURI.Access == "https") + return TRY_AGAIN_OR_REDIRECT; } /* else pass through for error message */ } -- cgit v1.2.3 From dc95fee18e8df2b00404c7d0f321f5b78e00f170 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 14 Feb 2014 17:11:07 +0100 Subject: disable https->http redirects in libcurl This change prevents changing the protocol from https to http. --- methods/https.cc | 3 +++ 1 file changed, 3 insertions(+) (limited to 'methods') diff --git a/methods/https.cc b/methods/https.cc index d97fddf9e..9422df2f0 100644 --- a/methods/https.cc +++ b/methods/https.cc @@ -185,8 +185,11 @@ bool HttpsMethod::Fetch(FetchItem *Itm) curl_easy_setopt(curl, CURLOPT_WRITEDATA, this); curl_easy_setopt(curl, CURLOPT_PROGRESSFUNCTION, progress_callback); curl_easy_setopt(curl, CURLOPT_PROGRESSDATA, this); + // options curl_easy_setopt(curl, CURLOPT_NOPROGRESS, false); curl_easy_setopt(curl, CURLOPT_FILETIME, true); + // only allow redirects to https + curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS); // SSL parameters are set by default to the common (non mirror-specific) value // if available (or a default one) and gets overload by mirror-specific ones. -- cgit v1.2.3 From 889b0072a93a5afe9ffec93ab791d584c64754a0 Mon Sep 17 00:00:00 2001 
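Review bot: The redirect allow-list in `ServerMethod::DealWithHeaders` (methods/server.cc) refuses everything else only by falling out of the `else` block, and neither new comment says that this is deliberate. Since `Server->Location` is server-controlled, the deny-by-default should be explicit; I would add `// any other scheme change (e.g. http to file) is refused: fall through to the error below` after the second check. The `else` after the first `return` is redundant, and the two cases read more clearly as one condition: `if (tmpURI.Access == Uri.Access || (Uri.Access == "http" && tmpURI.Access == "https"))`. The scheme strings are compared exactly, so a differently cased scheme in Location would presumably be rejected rather than accepted, depending on how `URI` fills `Access`, which is not visible here. The function starts and ends outside the hunk.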
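Review bot: The result of `curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS)` in `HttpsMethod::Fetch` (methods/https.cc) is discarded, so if the linked libcurl rejects the option the transfer proceeds with libcurl's default redirect set and the downgrade protection is silently absent. Because this call is the security control, the fetch should fail when it does not return `CURLE_OK`, e.g. `if (curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, (long)CURLPROTO_HTTPS) != CURLE_OK) return false;`, with the error path adapted to how `Fetch` reports failures elsewhere (outside this hunk). The `(long)` cast matters because libcurl reads this option as a `long` through varargs. The `CURLOPT_PROTOCOLS` line added by the following commit has the same two issues.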
From: David Kalnischkies Date: Fri, 14 Feb 2014 18:59:46 +0100 Subject: =?UTF-8?q?add=20a=20testcase=20to=20check=20for=20forbidden=20htt?= =?UTF-8?q?ps=E2=86=92http=20downgrades?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-Dch: Ignore --- methods/https.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'methods') diff --git a/methods/https.cc b/methods/https.cc index 9422df2f0..e713be19f 100644 --- a/methods/https.cc +++ b/methods/https.cc @@ -188,7 +188,8 @@ bool HttpsMethod::Fetch(FetchItem *Itm) // options curl_easy_setopt(curl, CURLOPT_NOPROGRESS, false); curl_easy_setopt(curl, CURLOPT_FILETIME, true); - // only allow redirects to https + // only allow curl to handle https, not the other stuff it supports + curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS); curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS); // SSL parameters are set by default to the common (non mirror-specific) value -- cgit v1.2.3
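Review bot: After this change the `CURLOPT_REDIR_PROTOCOLS` line in `HttpsMethod::Fetch` has no comment of its own, because the replaced comment described it and the new one describes only `CURLOPT_PROTOCOLS`. The two options do different jobs (the initial request versus followed redirects), and "the other stuff it supports" does not tell a maintainer what is being excluded or why. I would keep one comment per line, e.g. `// restrict the initial request to https` and `// redirects must stay on https too (no https->http downgrade)`. The commit subject mentions a testcase, but this view is limited to 'methods', so the downgrade check itself cannot be reviewed from here.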