
Bug#212732: Bug#427909: Bug#212732: support redirects and interactive authentication (Progeny)



On Sun, Dec 21, 2008 at 10:45:13PM +1000, Anthony Towns wrote:
> Attached is a patch against apt 0.7.19 (current in lenny/sid)
> including just the Redirect support from Jeff Licquia's patch in
> Bug#212732. 

Thanks a lot for this, I merged it into my bzr tree and it will be
part of the next merge into Debian (experimental initially).
 
> As far as the issues described in Bug#66434 with bad redirection and
> mod_speling, that seems mostly unlikely to be a problem these days thanks
> to the md5 validation and signature support. The only way you could get
> unexpected data is if your original Release and Release.gpg files were
> redirected to the wrong place, but were completely consistent and had
> corresponding Packages files and debs.

One possible issue I can see is that consistency may become an
issue. If the server that redirects does so to mirrors that are not
in sync and the Release file comes from A but the Packages file from B,
users may run into hashsum failures. We have the same problem with
users behind proxies and round-robin DNS servers sometimes. The same
goes for debs, when some mirrors may return 404 or similar.

That is not an argument against the patch of course, just an
observation.

I cannot think of any security concerns about the patch; the
signature and hashsum code should protect us here to the extent
possible.
 
> In the event that is a concern, the patch lets the user set the 
> Acquire::http::AllowRedirect config option to false to block that behaviour.
> It'd be possible to have an option to verify the filename part of the URL
> is unchanged as well without much difficulty.

Excellent, thanks.

> I bumped the library version, mostly so I could be sure I was testing the
> right thing, but I presume this requires a libapt-pkg ABI bump anyway
> (there's an Acquire::Redirect() callback added), so I left it in the
> patch.

We will make it part of an update that breaks the ABI for other items
too.

Thanks,
 Michael
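Added example, not apt's code and not part of the original thread: a Python sketch of the situation Michael describes, in which a redirect sends the Packages request to a mirror that is out of sync with the one that served Release, and of how checking the index against the hashes in Release turns that into a hashsum failure instead of accepted stale data. It also models the two knobs Anthony mentions, Acquire::http::AllowRedirect and an optional check that a redirect keeps the filename part of the URL. The hostnames, paths, repository contents and function names are constructed for the illustration; Release.gpg signature verification is assumed to have already succeeded and is not modelled.

```python
# Added illustration (not apt's code): how Release/Packages hash checking
# contains the out-of-sync-mirror problem discussed in the thread, and what
# the two redirect policy knobs mentioned there would do.
# All hosts, paths and repository contents below are constructed.
import hashlib
from urllib.parse import urlparse

# Constructed index files: mirror A is newer than mirror B (out of sync).
PACKAGES_A = b"Package: foo\nVersion: 1.1\nFilename: pool/main/f/foo/foo_1.1_all.deb\n\n"
PACKAGES_B = b"Package: foo\nVersion: 1.0\nFilename: pool/main/f/foo/foo_1.0_all.deb\n\n"
INDEX = "main/binary-i386/Packages"

def make_release(packages_body):
    """Minimal Release file carrying only a SHA256 section for one index."""
    digest = hashlib.sha256(packages_body).hexdigest()
    return f"Suite: lenny\nSHA256:\n {digest} {len(packages_body)} {INDEX}\n".encode()

BASE_PATH = "/debian/dists/lenny"
MIRROR_A = {f"{BASE_PATH}/Release": make_release(PACKAGES_A),
            f"{BASE_PATH}/{INDEX}": PACKAGES_A}
MIRROR_B = {f"{BASE_PATH}/Release": make_release(PACKAGES_B),
            f"{BASE_PATH}/{INDEX}": PACKAGES_B}
HOSTS = {"ftp.example.org": MIRROR_A, "mirror-a.example.org": MIRROR_A,
         "mirror-b.example.org": MIRROR_B}
ORIGIN = "http://ftp.example.org" + BASE_PATH

# Redirect tables standing in for the front-end server's behaviour. Release is
# served directly by the origin; only the Packages request is redirected, so
# Release comes from A and Packages from wherever the client is sent.
REDIRECT_TO_B = {f"{ORIGIN}/{INDEX}": f"http://mirror-b.example.org{BASE_PATH}/{INDEX}"}
REDIRECT_TO_A_ALIAS = {f"{ORIGIN}/{INDEX}": f"http://mirror-a.example.org{BASE_PATH}/{INDEX}"}
REDIRECT_RENAMES = {f"{ORIGIN}/{INDEX}": f"http://mirror-a.example.org{BASE_PATH}/{INDEX}.bak"}

class RedirectRefused(Exception):
    pass

class HashsumMismatch(Exception):
    pass

def basename(url):
    return urlparse(url).path.rsplit("/", 1)[-1]

def fetch(url, redirects, allow_redirect=True, require_same_filename=False, max_hops=5):
    """Resolve url against the fake network, honouring the two policy knobs.
    allow_redirect models Acquire::http::AllowRedirect; require_same_filename
    models the optional filename-preserving check suggested in the thread."""
    for _ in range(max_hops):
        target = redirects.get(url)
        if target is None:
            parsed = urlparse(url)
            body = HOSTS[parsed.hostname].get(parsed.path)
            if body is None:
                raise FileNotFoundError(url)
            return body
        if not allow_redirect:
            raise RedirectRefused(f"{url} -> {target}")
        if require_same_filename and basename(url) != basename(target):
            raise RedirectRefused(f"filename changed: {url} -> {target}")
        url = target
    raise RedirectRefused("too many redirects")

def parse_release_sha256(release_text):
    """Return {relative_path: (sha256_hex, size)} from the SHA256 section."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = (line.strip() == "SHA256:")
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def update(redirects, **policy):
    """Fetch Release, then Packages, and check the index against the Release
    hashes. Release.gpg verification is assumed to have passed (not modelled)."""
    release = fetch(f"{ORIGIN}/Release", redirects, **policy).decode()
    expected = parse_release_sha256(release)[INDEX]
    packages = fetch(f"{ORIGIN}/{INDEX}", redirects, **policy)
    actual = (hashlib.sha256(packages).hexdigest(), len(packages))
    if actual != expected:
        raise HashsumMismatch(f"{INDEX}: expected {expected}, got {actual}")
    return packages

def outcome(redirects, **policy):
    """Collapse the result of one update run to a short label."""
    try:
        update(redirects, **policy)
        return "ok"
    except HashsumMismatch:
        return "hashsum-mismatch"  # stale index rejected, not used
    except RedirectRefused:
        return "redirect-refused"

if __name__ == "__main__":
    print("in-sync alias:      ", outcome(REDIRECT_TO_A_ALIAS))
    print("out-of-sync mirror: ", outcome(REDIRECT_TO_B))
    print("AllowRedirect=false:", outcome(REDIRECT_TO_B, allow_redirect=False))
    print("filename check:     ", outcome(REDIRECT_RENAMES, require_same_filename=True))
```

The out-of-sync case fails loudly at the hashsum check rather than installing from the older index, which is the point Michael makes: the redirect can cost availability (a failed update) but, given a valid Release, not integrity. Turning AllowRedirect off trades that availability loss for a hard refusal, and the filename check rejects mod_speling-style rewrites before any data is fetched.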



