On Fri, Feb 14, 2014 at 08:15:06AM +0100, Julien Cristau wrote:
> On Fri, Feb 14, 2014 at 08:02:16 +0100, Julian Andres Klode wrote:
> > On Thu, Feb 13, 2014 at 10:28:08PM +0100, Raphael Geissert wrote:
> > > First issue is that allowing any protocol switch would basically
> > > introduce a vulnerability in the system. There are too many apt methods
> > > and they could be reached by redirecting http://foo/request to $method://...
> >
> > I also would not want any redirects, especially not from https to
> > something unsecured. But http -> https makes sense.
>
> The https method *already* silently follows https→http redirects today,
> as far as I can tell. Just tried
>
>   apt-get -o Apt::Changelogs::Server=https://packages.debian.org/changelogs changelog tor
>
> and I got the changelog from
> http://metadata.ftp-master.debian.org/changelogs/main/t/tor/tor_0.2.4.20-1_changelog
> The http method doesn't get involved, libcurl just does what
> /usr/lib/apt/methods/https tells it to.
Indeed, thanks for this report. This is fixed in git now; apt will not follow redirects from https->http anymore.

Cheers,
Michael
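The redirect policy the thread converges on (http -> https allowed, https -> http refused, and no jump to any other scheme or method), written out as an added example; this is not apt's code or libcurl's, and the redirect chains it walks are constructed inline from the URLs mentioned above.

```python
from urllib.parse import urljoin, urlsplit

# Schemes a redirect may land on at all. Anything else (ftp, file, a custom
# apt method name, ...) is refused, addressing the concern that a redirect
# could otherwise reach any configured method via $method://...
ALLOWED_SCHEMES = {"http", "https"}


def redirect_allowed(current_url: str, location: str) -> bool:
    """Decide whether a Location header may be followed.

    http -> http, http -> https and https -> https are allowed;
    https -> http (downgrade to an unauthenticated transport) and any
    hop to a scheme outside ALLOWED_SCHEMES are refused. A relative
    Location resolves against current_url and so keeps its scheme.
    """
    cur_scheme = urlsplit(current_url).scheme.lower()
    new_scheme = urlsplit(urljoin(current_url, location)).scheme.lower()
    if cur_scheme not in ALLOWED_SCHEMES or new_scheme not in ALLOWED_SCHEMES:
        return False
    if cur_scheme == "https" and new_scheme == "http":
        return False
    return True


def follow_redirects(start_url: str, responses: dict, max_hops: int = 10):
    """Walk a redirect chain under the policy above.

    `responses` is a constructed map from URL to the Location it redirects
    to; a URL absent from the map is a final (non-redirect) response.
    Returns the final URL, or None when a hop is refused or the hop
    limit is exceeded (a redirect loop).
    """
    url = start_url
    for _ in range(max_hops):
        location = responses.get(url)
        if location is None:
            return url
        if not redirect_allowed(url, location):
            return None
        url = urljoin(url, location)
    return None


if __name__ == "__main__":
    # Constructed chain mirroring the downgrade observed in the thread.
    downgrade = {"https://packages.debian.org/changelogs/tor":
                 "http://metadata.ftp-master.debian.org/changelogs/tor"}
    print(follow_redirects("https://packages.debian.org/changelogs/tor", downgrade))
```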