Bug#609997: apt: http method reencodes Location URIs in case of redirect
Package: apt
Version: 0.8.10
When an HTTP redirection code is received with a Location header, the
http apt method tries again with the URL provided by that header.
However, the URL gets quoted a second time, incorrectly escaping any %
character in the initial request. The result is that the web server the
request was redirected to is unable to serve the file associated with
the URL.
An illustration with a sample HTTP conversation:
1. A package file such as foo-1.1~bar_all.deb will be first requested by
   Apt with a properly encoded URL:
    GET /.../foo-1.1%7ebar_all.deb HTTP/1.1
    Host: hosta
2. The web server on hosta then redirects with a 301 or 302 response,
   quoting the request URL without modification:
    HTTP/1.1 301 Moved Permanently
    Location: http://hostb/path/.../foo-1.1%7ebar_all.deb
3. Apt then encodes the URL in the Location field, and proceeds to
   request it from the second web server:
    GET /path/.../foo-1.1%257ebar_all.deb
    Host: hostb
4. The web server at hostb is unable to find the requested URL and
   responds with:
    HTTP/1.1 404 Not Found
Below is a very simple patch to fix this issue.
---
methods/http.cc | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/methods/http.cc b/methods/http.cc
index 25e31de..c0ff134 100644
--- a/methods/http.cc
+++ b/methods/http.cc
@@ -949,7 +949,7 @@ HttpMethod::DealWithHeaders(FetchResult
&Res,ServerState *Srv)
{
if (!Srv->Location.empty())
{
- NextURI = Srv->Location;
+ NextURI = DeQuoteString(Srv->Location);
return TRY_AGAIN_OR_REDIRECT;
}
/* else pass through for error message */
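Review bot: DeQuoteString(Srv->Location) in the redirect branch decodes every percent escape in a server-supplied header, so a Location carrying %2f, %3f, %25 or %0d%0a ends up in NextURI as a raw '/', '?', '%' or CR LF. Please confirm that the quoting applied to NextURI before the next request restores all of these (the report relies on that step re-encoding the URL), or decode only the characters that step encodes. A one-line comment above the assignment saying that NextURI is stored unquoted because it is quoted again later would also help the next reader.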
--
1.7.1.1
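The double encoding described in the report, reproduced as an added example that is not part of the original message or of apt's code. The functions quote_path, dequote, next_request_buggy and next_request_fixed, their safe-character set, and the sample paths are assumptions made for this illustration.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Simplified stand-ins (assumed names and safe set), not apt's own helpers.
static std::string quote_path(const std::string &in) {
    static const char hex[] = "0123456789abcdef";
    std::string out;
    for (unsigned char c : in) {
        if (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '/') {
            out += static_cast<char>(c);
        } else {  // everything else, including '%' and '~', becomes %xx
            out += '%';
            out += hex[c >> 4];
            out += hex[c & 0x0f];
        }
    }
    return out;
}

static int hexval(unsigned char c) {
    if (std::isdigit(c)) return c - '0';
    c = static_cast<unsigned char>(std::tolower(c));
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

static std::string dequote(const std::string &in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        int hi = -1, lo = -1;
        if (in[i] == '%' && i + 2 < in.size() &&
            (hi = hexval(in[i + 1])) >= 0 && (lo = hexval(in[i + 2])) >= 0) {
            out += static_cast<char>(hi * 16 + lo);
            i += 2;
        } else {
            out += in[i];  // malformed or truncated escape stays literal
        }
    }
    return out;
}
// Path requested after a redirect: encoded again, versus decoded once first.
static std::string next_request_buggy(const std::string &loc) { return quote_path(loc); }
static std::string next_request_fixed(const std::string &loc) { return quote_path(dequote(loc)); }

int main() {
    const std::string loc = "/path/foo-1.1%7ebar_all.deb";  // constructed Location path
    std::printf("buggy: %s\n", next_request_buggy(loc).c_str());
    std::printf("fixed: %s\n", next_request_fixed(loc).c_str());
    std::printf("escaped slash: %s\n", next_request_fixed("/dir/a%2fb.deb").c_str());
}
```

The last line of output shows that decoding and re-encoding is not lossless for escaped reserved characters: with this safe set, an escaped slash in the Location comes back as a path separator.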