mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
dirmngr: Disable the HTTP redirect rewriting.
* dirmngr/http.h (struct http_redir_info_s): Add restrict_redir. * dirmngr/ks-engine-hkp.c (send_request): Set it depending on flags. * dirmngr/ks-engine-http.c (ks_http_fetch): Ditto. * dirmngr/t-http-basic.c (test_http_prepare_redirect): Always set it. * dirmngr/http.c (http_prepare_redirect): Remove location rewriting unless the flag is set. -- GnuPG-bug-id: 6477
This commit is contained in:
parent
bf04b07327
commit
0a63afc79a
@ -3741,10 +3741,11 @@ http_prepare_redirect (http_redir_info_t *info, unsigned int status_code,
|
|||||||
http_release_parsed_uri (locuri);
|
http_release_parsed_uri (locuri);
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
else if (same_host_p (origuri, locuri))
|
else if (!info->restrict_redir || same_host_p (origuri, locuri))
|
||||||
{
|
{
|
||||||
/* The host is the same or on an exception list and thus we can
|
/* Take the syntactically correct location or if restrict_redir
|
||||||
* take the location verbatim. */
|
* is set the host is the same or on an exception list and thus
|
||||||
|
* we can take the location verbatim. */
|
||||||
http_release_parsed_uri (origuri);
|
http_release_parsed_uri (origuri);
|
||||||
http_release_parsed_uri (locuri);
|
http_release_parsed_uri (locuri);
|
||||||
newurl = xtrystrdup (location);
|
newurl = xtrystrdup (location);
|
||||||
@ -3754,7 +3755,7 @@ http_prepare_redirect (http_redir_info_t *info, unsigned int status_code,
|
|||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else /* Strictly rectricted redirection which we used in the past. */
|
||||||
{
|
{
|
||||||
/* We take only the host and port from the URL given in the
|
/* We take only the host and port from the URL given in the
|
||||||
* Location. This limits the effects of redirection attacks by
|
* Location. This limits the effects of redirection attacks by
|
||||||
|
@ -117,6 +117,7 @@ struct http_redir_info_s
|
|||||||
unsigned int silent:1; /* No diagnostics. */
|
unsigned int silent:1; /* No diagnostics. */
|
||||||
unsigned int allow_downgrade:1;/* Allow a downgrade from https to http. */
|
unsigned int allow_downgrade:1;/* Allow a downgrade from https to http. */
|
||||||
unsigned int trust_location:1; /* Trust the received Location header. */
|
unsigned int trust_location:1; /* Trust the received Location header. */
|
||||||
|
unsigned int restrict_redir:1; /* Use legacy restricted redirection. */
|
||||||
};
|
};
|
||||||
typedef struct http_redir_info_s http_redir_info_t;
|
typedef struct http_redir_info_s http_redir_info_t;
|
||||||
|
|
||||||
|
@ -1242,8 +1242,9 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
|
|||||||
redirinfo.orig_url = request;
|
redirinfo.orig_url = request;
|
||||||
redirinfo.orig_onion = uri->onion;
|
redirinfo.orig_onion = uri->onion;
|
||||||
redirinfo.allow_downgrade = 1;
|
redirinfo.allow_downgrade = 1;
|
||||||
/* FIXME: I am not sure whey we allow a downgrade for hkp requests.
|
/* FIXME: I am not sure why we allow a downgrade for hkp requests.
|
||||||
* Needs at least an explanation here.. */
|
* Needs at least an explanation here. */
|
||||||
|
redirinfo.restrict_redir = !!(opt.compat_flags & COMPAT_RESTRICT_HTTP_REDIR);
|
||||||
|
|
||||||
once_more:
|
once_more:
|
||||||
err = http_session_new (&session, httphost,
|
err = http_session_new (&session, httphost,
|
||||||
|
@ -88,6 +88,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
|
|||||||
redirinfo.orig_onion = uri->onion;
|
redirinfo.orig_onion = uri->onion;
|
||||||
redirinfo.orig_https = uri->use_tls;
|
redirinfo.orig_https = uri->use_tls;
|
||||||
redirinfo.allow_downgrade = !!(flags & KS_HTTP_FETCH_ALLOW_DOWNGRADE);
|
redirinfo.allow_downgrade = !!(flags & KS_HTTP_FETCH_ALLOW_DOWNGRADE);
|
||||||
|
redirinfo.restrict_redir = !!(opt.compat_flags & COMPAT_RESTRICT_HTTP_REDIR);
|
||||||
|
|
||||||
/* By default we only use the system provided certificates with this
|
/* By default we only use the system provided certificates with this
|
||||||
* fetch command. */
|
* fetch command. */
|
||||||
|
@ -165,6 +165,7 @@ test_http_prepare_redirect (void)
|
|||||||
ri.silent = 1;
|
ri.silent = 1;
|
||||||
ri.redirects_left = 1;
|
ri.redirects_left = 1;
|
||||||
ri.orig_url = tests[tidx].url;
|
ri.orig_url = tests[tidx].url;
|
||||||
|
ri.restrict_redir = 1; /* This is what we used to test here. */
|
||||||
|
|
||||||
err = http_prepare_redirect (&ri, 301, tests[tidx].location, &newurl);
|
err = http_prepare_redirect (&ri, 301, tests[tidx].location, &newurl);
|
||||||
if (err && newurl)
|
if (err && newurl)
|
||||||
|
Loading…
x
Reference in New Issue
Block a user