dirmngr: Disable the HTTP redirect rewriting.

* dirmngr/http.h (struct http_redir_info_s): Add restrict_redir. * dirmngr/ks-engine-hkp.c (send_request): Set it depending on flags. * dirmngr/ks-engine-http.c (ks_http_fetch): Ditto. * dirmngr/t-http-basic.c (test_http_prepare_redirect): Always set it. * dirmngr/http.c (http_prepare_redirect): Remove location rewriting unless the flag is set. -- GnuPG-bug-id: 6477
2025-07-03 22:56:33 +02:00 · 2023-06-15 15:06:21 +02:00 · 2023-06-15 15:06:21 +02:00 · 0a63afc79a
commit 0a63afc79a
parent bf04b07327
5 changed files with 11 additions and 6 deletions
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@ -3741,10 +3741,11 @@ http_prepare_redirect (http_redir_info_t *info, unsigned int status_code,
      http_release_parsed_uri (locuri);
      return err;
    }
-  else if (same_host_p (origuri, locuri))
+  else if (!info->restrict_redir || same_host_p (origuri, locuri))
    {
-      /* The host is the same or on an exception list and thus we can
-       * take the location verbatim.  */
+      /* Take the syntactically correct location or if restrict_redir
+       * is set the host is the same or on an exception list and thus
+       * we can take the location verbatim.  */
      http_release_parsed_uri (origuri);
      http_release_parsed_uri (locuri);
      newurl = xtrystrdup (location);
@ -3754,7 +3755,7 @@ http_prepare_redirect (http_redir_info_t *info, unsigned int status_code,
          return err;
        }
    }
-  else
+  else /* Strictly rectricted redirection which we used in the past.  */
    {
      /* We take only the host and port from the URL given in the
       * Location.  This limits the effects of redirection attacks by