Bug#806959: apt-get decodes the Location header when redirecting, consequent GET request has an invalid URL
Control: severity -1 normal
On Thu, Dec 03, 2015 at 02:08:50PM +0000, Uriah wrote:
> Package: apt
> Version: 1.0.9.8.1
> Severity: important
>
> Hi guys,
>
> Our software provides a debian repository solution. Our download servers redirect to a CDN, and APT sends an invalid GET request when following the redirection due to decoding the Location header.
> According to this SO answer:
> http://stackoverflow.com/questions/7654207/what-charset-should-be-used-for-a-location-header-in-a-301-response/7654605#7654605
>
> the Location header should be URL encoded. Our software sends the Location header URL encoded, however the APT client appears to be decoding it before sending the consequent GET request. The below screenshot demonstrates the response sent by Bintray.com with the Location header properly encoded:
> https://s3-eu-west-1.amazonaws.com/uploads-eu.hipchat.com/19904/1162299/JaHgJpb6dfcMPS1/charles_encoded.png
>
> and this one demonstrates the actual GET request sent by APT thereafter when following the redirection:
> https://s3-eu-west-1.amazonaws.com/uploads-eu.hipchat.com/19904/1162299/hR8b0Rgrym9uwNu/charles_decoded.png
>
> I'm using Charles proxy to inspect the header and the actual request. We've found this on your code -
>
> this line calls a method called DeQuoteString on the Location header:
> https://github.com/Debian/apt/blob/920c367267398945ff48cac6ea7196f7151f181e/methods/server.cc#L293
>
> DeQuoteString is doing the decoding:
> https://github.com/Debian/apt/blob/eaf21c2144fa8dc4be8581dc69cf88cb38e30ce2/apt-pkg/contrib/strutl.cc#L355
>
> according to the spec (linked in the above SO thread) the Location header should be sent URL encoded, hence decoding it is wrong.
We dequoted the URI because the URI is quoted again afterwards. Not all characters
are quoted, though, but at least a %3B would be quoted as %253B.
See commit c34ea12ad509cb34c954ed574a301c3cbede55ec and Bug#602412 for details.
I'd advise you to not use URIs involving percent-encoded characters or provide a patch
and a test case if you want to see this (actually minor) issue fixed.
As a data point, all the official mirrors and redirectors work fine.
--
Debian Developer - deb.li/jak | jak-linux.org - free software dev
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
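The exchange above turns on two transformations applied to the Location header: decoding %XX escapes, then re-quoting the result. The following C++ block is an added illustration and not apt's own code (apt's real DeQuoteString and QuoteString live in apt-pkg/contrib/strutl.cc and differ in detail); the hypothetical `dequote`/`quote` helpers here use a deliberately conservative safe-character set in which ';' is left unencoded, so the two behaviours discussed in the thread both become visible on constructed sample URLs: quoting without decoding first turns %3B into %253B (the double encoding the maintainer mentions), while decoding then quoting sends ';' where the server said %3B (the altered request the reporter observed).

```cpp
#include <cctype>
#include <cstdio>
#include <iostream>
#include <string>

// Decode %XX escapes. Illustrative reimplementation in the spirit of
// apt's DeQuoteString; this is NOT apt's code.
std::string dequote(const std::string &in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size() &&
            std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
            i += 2;  // skip the two hex digits just consumed
        } else {
            out += in[i];
        }
    }
    return out;
}

// Percent-encode anything outside a safe set. The safe set is an
// assumption for this example; note that ';' is in it (so it is "not
// quoted") while '%' is not (so a literal '%' becomes "%25").
std::string quote(const std::string &in) {
    static const std::string safe = "-_.~/:;@!$&'()*+,=";
    std::string out;
    char buf[4];
    for (unsigned char c : in) {
        if (std::isalnum(c) || safe.find(static_cast<char>(c)) != std::string::npos) {
            out += static_cast<char>(c);
        } else {
            std::snprintf(buf, sizeof buf, "%%%02X", c);
            out += buf;
        }
    }
    return out;
}

// What the client would request if it re-quoted the header as received.
std::string quote_without_dequote(const std::string &location) {
    return quote(location);
}

// What the client would request if it decoded first and then re-quoted,
// the order the maintainer describes.
std::string dequote_then_quote(const std::string &location) {
    return quote(dequote(location));
}

// True when decode-then-quote reproduces the header byte for byte.
bool round_trips(const std::string &location) {
    return dequote_then_quote(location) == location;
}

int main() {
    // Constructed sample Location values; not real hosts or packages.
    const std::string semicolon = "http://cdn.example/pool/a%3Bb.deb";
    const std::string space     = "http://cdn.example/pool/a%20b.deb";

    std::cout << "header:           " << semicolon << '\n'
              << "quote only:       " << quote_without_dequote(semicolon) << '\n'
              << "dequote+quote:    " << dequote_then_quote(semicolon) << '\n'
              << "round trips?      " << (round_trips(semicolon) ? "yes" : "no") << '\n'
              << "space round trips " << (round_trips(space) ? "yes" : "no") << '\n';
    return 0;
}
```

Running it shows why neither order is safe for every input: %20 survives the decode-then-quote pass because ' ' is always re-quoted, but %3B does not because ';' is a legal path sub-delimiter that the quote step leaves alone. A client that wants to follow redirects faithfully would forward the Location value unchanged rather than normalising it, which is the behaviour the reporter asks for.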