Control: severity -1 normal

On Thu, Dec 03, 2015 at 02:08:50PM +0000, Uriah wrote:
> Package: apt
> Version: 1.0.9.8.1
> Severity: important
> 
> Hi guys,
> 
> Our software provides a Debian repository solution. Our download servers 
> redirect to a CDN, and APT sends an invalid GET request when following the 
> redirection due to decoding the Location header.
> According to this SO answer:
> http://stackoverflow.com/questions/7654207/what-charset-should-be-used-for-a-location-header-in-a-301-response/7654605#7654605
> 
> the Location header should be URL encoded. Our software sends the Location 
> header URL encoded, however the APT client appears to be decoding it before 
> sending the consequent GET request. The below screenshot demonstrates the 
> response sent by Bintray.com with the Location header properly encoded:
> https://s3-eu-west-1.amazonaws.com/uploads-eu.hipchat.com/19904/1162299/JaHgJpb6dfcMPS1/charles_encoded.png
> 
> and this one demonstrates the actual GET request sent by APT thereafter when 
> following the redirection:
> https://s3-eu-west-1.amazonaws.com/uploads-eu.hipchat.com/19904/1162299/hR8b0Rgrym9uwNu/charles_decoded.png
> 
> I'm using Charles proxy to inspect the header and the actual request. We've 
> found this on your code -
> 
> this line calls a method called DeQuoteString on the Location header:
> https://github.com/Debian/apt/blob/920c367267398945ff48cac6ea7196f7151f181e/methods/server.cc#L293
> 
> DeQuoteString is doing the decoding:
> https://github.com/Debian/apt/blob/eaf21c2144fa8dc4be8581dc69cf88cb38e30ce2/apt-pkg/contrib/strutl.cc#L355
> 
> According to the spec (linked in the above SO thread) the Location header 
> should be sent URL encoded, hence decoding it is wrong.

We dequoted the URI because the URI is quoted again afterwards. Not all 
characters are quoted, though, but at least a %3B would be quoted as %253B.

See commit c34ea12ad509cb34c954ed574a301c3cbede55ec and Bug#602412 for details.

I'd advise you to not use URIs involving percent-encoded characters or provide 
a patch and a test case if you want to see this (actually minor) issue fixed.

As a data point, all the official mirrors and redirectors work fine.

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev

When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.

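As an added illustration (not apt's code, and not written by either correspondent) of the round trip the reply describes: the Location header is percent-decoded and then quoted again before the next request goes out. The set of characters the quoter encodes is an assumption standing in for apt's own rules; the block shows why decoding first avoids %253B but sends any character the quoter leaves raw in decoded form, and a third variant that keeps existing %XX triplets intact instead.

```python
"""Constructed illustration of the redirect round trip discussed above:
percent-decoding a Location header and re-quoting it before the next
request is not lossless.  The quoting rules here are a simplified
stand-in (an assumption), not apt's QuoteString/DeQuoteString code."""
from urllib.parse import unquote

# Assumed set of characters the modelled client percent-encodes before
# sending a request.  '+' and '/' are deliberately absent, matching the
# remark in the thread that "not all characters are quoted".
REQUOTED = set(' ;"<>#{}|\\^[]')
HEX = set('0123456789abcdefABCDEF')


def requote(s: str) -> str:
    """Percent-encode '%' and every character in REQUOTED; pass others raw."""
    return ''.join('%%%02X' % ord(ch) if ch == '%' or ch in REQUOTED else ch
                   for ch in s)

def naive_follow(location: str) -> str:
    """Quote the header as received: an already encoded %3B becomes %253B."""
    return requote(location)

def dequote_then_requote(location: str) -> str:
    """The behaviour described in the thread: decode first, then requote.
    Avoids %253B, but anything the quoter leaves raw is sent decoded."""
    return requote(unquote(location))

def requote_preserving(location: str) -> str:
    """Alternative: keep valid %XX triplets exactly as received and quote
    only raw characters, so the header is neither double-encoded nor decoded."""
    out, i = [], 0
    while i < len(location):
        ch = location[i]
        if ch == '%' and len(location) - i >= 3 and set(location[i+1:i+3]) <= HEX:
            out.append(location[i:i+3])   # already encoded: leave it alone
            i += 3
            continue
        out.append(requote(ch))           # raw char (or a lone '%'): quote it
        i += 1
    return ''.join(out)


if __name__ == '__main__':
    # Constructed Location path containing an encoded ';' and an encoded '+'.
    loc = '/pool/main/foo%3Bbar/pkg%2B1_1.0.deb'
    print(naive_follow(loc))          # /pool/main/foo%253Bbar/pkg%252B1_1.0.deb
    print(dequote_then_requote(loc))  # /pool/main/foo%3Bbar/pkg+1_1.0.deb
    print(requote_preserving(loc))    # /pool/main/foo%3Bbar/pkg%2B1_1.0.deb
```

The middle line is the GET path the bug report observed: the encoded ';' survives the round trip but the encoded '+' is sent decoded because the quoter never touches '+'.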