From 755d1e4f94f3a862adc951d3732c661906cd555d Mon Sep 17 00:00:00 2001
From: David Kalnischkies
Date: Fri, 14 Feb 2014 18:59:46 +0100
Subject: add a testcase to check for forbidden https→http downgrades
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Git-Dch: Ignore
---
 methods/https.cc | 3 ++-
 test/integration/framework | 2 +-
 test/integration/test-bug-738785-switch-protocol | 12 +++++++++++-
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/methods/https.cc b/methods/https.cc
index 9422df2f0..e713be19f 100644
--- a/methods/https.cc
+++ b/methods/https.cc
@@ -188,7 +188,8 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
 // options
 curl_easy_setopt(curl, CURLOPT_NOPROGRESS, false);
 curl_easy_setopt(curl, CURLOPT_FILETIME, true);
- // only allow redirects to https
+ // only allow curl to handle https, not the other stuff it supports
+ curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
 curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);

 // SSL parameters are set by default to the common (non mirror-specific) value
diff --git a/test/integration/framework b/test/integration/framework
index e4f018472..08d796a10 100644
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -1119,7 +1119,7 @@ testfailure() {
 if [ "$1" = '--nomsg' ]; then
 shift
 else
- msgtest 'Test for failure in execution of' "$*"
+ msgtest 'Test for failure in execution of' "$*"
 fi
 local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testfailure.output"
 if $@ >${OUTPUT} 2>&1; then
diff --git a/test/integration/test-bug-738785-switch-protocol b/test/integration/test-bug-738785-switch-protocol
index b51be244a..1e5748eae 100755
--- a/test/integration/test-bug-738785-switch-protocol
+++ b/test/integration/test-bug-738785-switch-protocol
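Review bot: In `HttpsMethod::Fetch` (methods/https.cc) the return value of the new `curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS)` call is discarded, so if libcurl rejects the option the transfer would presumably go ahead with libcurl's default protocol set, i.e. the https-only restriction fails open. Check both protocol calls and abort the fetch on anything other than `CURLE_OK`, e.g. `if (curl_easy_setopt(curl, CURLOPT_PROTOCOLS, (long) CURLPROTO_HTTPS) != CURLE_OK) return false;` together with the error reporting Fetch uses elsewhere; the `(long)` cast is there because libcurl documents these options as taking a long. The rewritten comment now describes only the first call, so the redirect rule it replaced is no longer documented; `// restrict the initial request and every redirect target to https` would cover both lines. Fetch begins and ends outside this hunk.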
@@ -12,6 +12,7 @@ buildsimplenativepackage 'apt' 'all' '1.0' 'stable'
 # setup http redirecting to https
 setupaptarchive --no-update
 changetowebserver -o 'aptwebserver::redirect::replace::/redirectme/=https://localhost:4433/' \
+ -o 'aptwebserver::redirect::replace::/downgrademe/=http://localhost:8080/' \
 -o 'aptwebserver::support::http=false'
 changetohttpswebserver
 sed -i -e 's#:4433/#:8080/redirectme#' -e 's# https:# http:#' rootdir/etc/apt/sources.list.d/*
@@ -38,7 +39,7 @@ testdpkginstalled 'apt'
 # create a copy of all methods, expect https
 eval `aptconfig shell METHODS Dir::Bin::Methods/d`
 COPYMETHODS='usr/lib/apt/methods'
-rm rootdir/$COPYMETHODS
+mv rootdir/${COPYMETHODS} rootdir/${COPYMETHODS}.bak
 mkdir -p rootdir/$COPYMETHODS
 cd rootdir/$COPYMETHODS
 find $METHODS \! -type d | while read meth; do
@@ -51,3 +52,12 @@ echo "Dir::Bin::Methods \"${COPYMETHODS}\";" >> aptconfig.conf
 testequal "E: The method driver $(pwd)/rootdir/usr/lib/apt/methods/https could not be found.
 N: Is the package apt-transport-https installed?" aptget download apt -q=0
 testsuccess test ! -e apt_1.0_all.deb
+
+# revert to all methods
+rm -rf rootdir/$COPYMETHODS
+mv rootdir/${COPYMETHODS}.bak rootdir/${COPYMETHODS}
+
+# check that downgrades from https to http are not allowed
+webserverconfig 'aptwebserver::support::http' 'true'
+sed -i -e 's#:8080/redirectme#:4433/downgrademe#' -e 's# http:# https:#' rootdir/etc/apt/sources.list.d/*
+testfailure aptget update
-- 
cgit v1.2.3
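Review bot: The closing `testfailure aptget update` in the last hunk of test/integration/test-bug-738785-switch-protocol asserts only a non-zero exit status, so the test also passes when update fails for a reason unrelated to the downgrade block (the `sed` rewrite not matching, the https endpoint not answering, a certificate error). With a broken setup like that the test stays green whether or not the redirect restriction still works. Pin the cause instead: compare the output against the expected error with `testequal`, as the "method driver ... could not be found" check just above does, or inspect the file `testfailure` captures (`rootdir/tmp/testfailure.output` per the framework hunk). A successful `aptget update` against the https source before the switch to `/downgrademe` would additionally show that the setup itself is sound.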