Package: xul-ext-https-everywhere
Version: 4.0.2-3
Severity: grave
Justification: Breaks iceweasel in a non-obvious way, potentially causes data loss
Control: affects -1 iceweasel conkeror

Dear Lunar and Fabrizio,

If I enter the URL http://deb.li/3czsE into Iceweasel's location bar with HTTPS Everywhere enabled, I end up at

  https://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=

(which says "Bad object name" due to the missing value behind "id=") instead of

  https://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=24f0998

as expected.

The same URL and redirect chain works fine again, if I deactivate HTTPS Everywhere in Iceweasel's tool bar. (It also works fine in the following browsers/HTTP clients in Jessie: Chromium, Lynx, libwww-perl ("GET"), Links2, Netsurf, Arora, and wget. I initially suspected Iceweasel itself to be the culprit.)

I'm not sure which exact characteristic of this specific case causes the misbehaviour, but I suspect it's query strings with ";" as delimiter.

Example redirect chain captured with wget:

→ wget -S --spider http://deb.li/3czsE
Spider mode enabled. Check if remote file exists.
--2015-02-21 01:56:09--  http://deb.li/3czsE
Resolving deb.li (deb.li)... 2001:470:1f0b:168f::4, 217.196.146.214
Connecting to deb.li (deb.li)|2001:470:1f0b:168f::4|:80... failed: Network is unreachable.
Connecting to deb.li (deb.li)|217.196.146.214|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 FOUND
  Date: Sat, 21 Feb 2015 00:56:09 GMT
  Server: Apache/2.2.22 (Debian)
  Content-Length: 365
  Location: http://anonscm.debian.org/gitweb/?p=pkg-perl/website.git;a=commitdiff;h=24f0998
  Vary: Accept-Encoding
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=utf-8
Location: http://anonscm.debian.org/gitweb/?p=pkg-perl/website.git;a=commitdiff;h=24f0998 [following]
Spider mode enabled. Check if remote file exists.
--2015-02-21 01:56:09--  http://anonscm.debian.org/gitweb/?p=pkg-perl/website.git;a=commitdiff;h=24f0998
Resolving anonscm.debian.org (anonscm.debian.org)... 5.153.231.21
Connecting to anonscm.debian.org (anonscm.debian.org)|5.153.231.21|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Date: Sat, 21 Feb 2015 00:56:09 GMT
  Server: Apache/2.2.22 (Debian)
  Location: http://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=24f0998
  Vary: Accept-Encoding
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
Location: http://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=24f0998 [following]
Spider mode enabled. Check if remote file exists.
--2015-02-21 01:56:10--  http://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=24f0998
Connecting to anonscm.debian.org (anonscm.debian.org)|5.153.231.21|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Sat, 21 Feb 2015 00:56:10 GMT
  Server: Apache/2.2.22 (Debian)
  Expires: Tue, 18 Feb 2025 00:56:10 GMT
  Last-Modified: Sat, 21 Feb 2015 00:56:10 GMT
  X-Robots-Tag: noindex, nofollow
  Vary: Accept-Encoding
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
Length: unspecified [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.

Filing as RC as this will likely break many web applications in non-obvious ways and potentially causes data loss (despite non-reproducible data should not be handled in query strings, but anyways).

Feel free to downgrade to important in case you don't agree with this judgement. (Or to serious if you just don't agree with the reasoning, but still think it's RC.) I at least think, this misbehaviour should be fixed for Jessie, also because of its hidden character as users don't see the redirect chain inside the browser.

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (909, 'testing'), (500, 'testing-updates'), (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages xul-ext-https-everywhere depends on:
ii  conkeror   1.0~~pre-1+git150129+2307-~nightly1
ii  icedove    31.4.0-2
ii  iceweasel  31.4.0esr-1

xul-ext-https-everywhere recommends no packages.

xul-ext-https-everywhere suggests no packages.

-- no debconf information
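
The comparison made by hand in this report can be scripted as a regression check. The following is an added example, not part of the original bug report and not HTTPS Everywhere code: it pulls the redirect chain out of a wget -S capture and lists everything in the URL the browser reached that differs from a scheme-only http-to-https upgrade of the last hop. The function names are hypothetical, and the sample log is constructed from the Location lines quoted in the report.

```python
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed sample: status and Location lines taken from the wget -S capture in the report.
WGET_LOG = """\
--2015-02-21 01:56:09--  http://deb.li/3czsE
  HTTP/1.1 302 FOUND
  Location: http://anonscm.debian.org/gitweb/?p=pkg-perl/website.git;a=commitdiff;h=24f0998
Location: http://anonscm.debian.org/gitweb/?p=pkg-perl/website.git;a=commitdiff;h=24f0998 [following]
  HTTP/1.1 302 Found
  Location: http://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=24f0998
Location: http://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=24f0998 [following]
  HTTP/1.1 200 OK
"""

def redirect_chain(log):
    """Return each redirect target in order (wget -S prints every hop twice)."""
    chain = []
    for match in re.finditer(r"^\s*Location:\s*(\S+)", log, re.MULTILINE):
        if not chain or chain[-1] != match.group(1):
            chain.append(match.group(1))
    return chain

def upgrade_scheme(url):
    """Scheme-only http -> https upgrade; every other component is left untouched."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(scheme="https")) if parts.scheme == "http" else url

def rewrite_damage(expected, observed):
    """List what differs between the observed URL and a scheme-only upgrade of expected."""
    exp, obs = urlsplit(upgrade_scheme(expected)), urlsplit(observed)
    issues = [f"{name}: expected {getattr(exp, name)!r}, got {getattr(obs, name)!r}"
              for name in ("scheme", "netloc", "path", "fragment")
              if getattr(exp, name) != getattr(obs, name)]
    want = dict(parse_qsl(exp.query, keep_blank_values=True))
    got = dict(parse_qsl(obs.query, keep_blank_values=True))
    for key in sorted(want.keys() | got.keys()):
        if want.get(key) != got.get(key):
            issues.append(f"query {key!r}: expected {want.get(key)!r}, got {got.get(key)!r}")
    if exp.query != obs.query and not any(i.startswith("query") for i in issues):
        issues.append(f"query: expected {exp.query!r}, got {obs.query!r}")
    return issues

if __name__ == "__main__":
    final_hop = redirect_chain(WGET_LOG)[-1]
    # URL the report says Iceweasel ended up at with HTTPS Everywhere enabled.
    seen = "https://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id="
    print(rewrite_damage(final_hop, seen))
```

An empty list means the rewrite changed nothing but the scheme; it does not identify which hop or rule caused a difference.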