Bug#444159: zsync does not handle HTTP redirects
Package: zsync
Version: 0.5-1
Severity: important
It seems that zsync does not handle HTTP redirects:
$ zsync http://cdimage.debian.org/cdimage/daily-builds/daily/arch-latest/i386/iso-cd/debian-testing-i386-netinst.iso.zsync
#################### 100.0% 0.0 kBps DONE
reading seed file debian-testing-i386-netinst.iso: *******************************************************************************************************************************************************************************Read debian-testing-i386-netinst.iso. Target 91.3% complete.
downloading from http://cdimage.debian.org/cdimage/daily-builds/daily/arch-latest/i386/iso-cd/debian-testing-i386-netinst.iso:
##################-- 91.3%bad status code 302
##################-- 91.3% 0.0 kBps aborted
HTTP error 302 is "Found", aka "The requested resource resides
temporarily under a different URI". This means that zsync-assisted
downloads are currently failing for Debian daily test images. Looking
into the zsync source code, I can see it's using its own local HTTP
code rather than using libcurl or any of the other readily-available
HTTP client libraries. That does seem like a bit of a design bug, to
say the least. I wouldn't be surprised at all if there were multiple
security bugs in there just waiting to be found.
--
Steve McIntyre, Cambridge, UK. steve@einval.com
< liw> everything I know about UK hotels I learned from "Fawlty Towers"
Reply to: