--- Begin Message ---
Package: apt
Version: 0.8.10
When an HTTP redirection code is received with a Location header, the
http apt method tries again with the URL provided by that header.
However, the URL gets quoted a second time, incorrectly escaping any %
character in the initial request. The result is that the web server the
request was redirected to is unable to serve the file associated with
the URL.
An illustration with a sample HTTP conversation:
1. a package file such as foo-1.1~bar_all.deb will be first requested by
Apt with a properly encoded URL:
GET /.../foo-1.1%7ebar_all.deb HTTP/1.1
Host: hosta
2. The web server on hosta then redirects with a 301 or 302 response,
quoting the request URL without modification:
HTTP/1.1 301 Moved Permanently
Location: http://hostb/path/.../foo-1.1%7ebar_all.deb
3. Apt then encodes the URL in the location field, and proceeds to
request it to the second web server:
GET /path/.../foo-1.1%257ebar_all.deb
Host: hostb
4. The web server at hostb is unable to find the requested URL and
responds with:
HTTP/1.1 404 Not Found
Below is a very simple patch to fix this issue.
---
methods/http.cc | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/methods/http.cc b/methods/http.cc
index 25e31de..c0ff134 100644
--- a/methods/http.cc
+++ b/methods/http.cc
@@ -949,7 +949,7 @@ HttpMethod::DealWithHeaders(FetchResult
&Res,ServerState *Srv)
{
if (!Srv->Location.empty())
{
- NextURI = Srv->Location;
+ NextURI = DeQuoteString(Srv->Location);
return TRY_AGAIN_OR_REDIRECT;
}
/* else pass through for error message */
--
1.7.1.1
--- End Message ---
--- Begin Message ---
- To: 609997-done@bugs.debian.org
- Subject: Bug#609997: apt: http method reencodes Location URIs in case of redirect
- From: Daniel Hartwig <mandyke@gmail.com>
- Date: Sun, 24 Mar 2013 09:03:55 +0800
- Message-id: <87txo1ip6s.fsf@gmail.com>
Version: 0.8.15
Benjamin Ryzman <benjamin.ryzman@gmail.com> wrote:
>> When an HTTP redirection code is received with a Location header, the
>> http apt method tries again with the URL provided by that header.
>> However, the URL gets quoted a second time, incorrectly escaping any %
>> character in the initial request. The result is that the web server the
>> request was redirected to is unable to serve the file associated with
>> the URL.
Raphael Geissert <geissert@debian.org> wrote:
> AFAICS, sid's apt has been fixed already. Not sure about other
> versions.
This was #602412, which is now archived so I will not merge it.
Closing.
--- End Message ---