Don't follow redirects from HTTPS to HTTP

5eb94f5b · Ricki Hirner · 5abed623 · 5eb94f5b · 5eb94f5b · 5eb94f5b
Commit 5eb94f5b authored Jul 26, 2020 by Ricki Hirner 🐑
3 changed files
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -2,7 +2,7 @@ import org.jetbrains.dokka.gradle.DokkaTask

 object Libs {
    // okhttp HTTP library
-    const val okhttpVersion = "4.7.2"
+    const val okhttpVersion = "4.8.0"

    // XmlPullParser library
    const val xpp3Version = "1.1.6"

--- a/src/main/kotlin/at/bitfire/dav4jvm/DavResource.kt
+++ b/src/main/kotlin/at/bitfire/dav4jvm/DavResource.kt
@@ -386,8 +386,10 @@ open class DavResource @JvmOverloads constructor(
     * @param sendRequest called to send the request (may be called multiple times)
     *
     * @return response of the last request (whether it is a redirect or not)
+     *
+     * @throws DavException on HTTPS -> HTTP redirect
     */
-    protected fun followRedirects(sendRequest: () -> Response): Response {
+    internal fun followRedirects(sendRequest: () -> Response): Response {
        lateinit var response: Response
        for (attempt in 1..MAX_REDIRECTS) {
            response = sendRequest()
@@ -397,6 +399,10 @@ open class DavResource @JvmOverloads constructor(
                    val target = it.header("Location")?.let { location.resolve(it) }
                    if (target != null) {
                        log.fine("Redirected, new location = $target")
+
+                        if (location.isHttps && !target.isHttps)
+                            throw DavException("Received redirect from HTTPS to HTTP")
+
                        location = target
                    } else
                        throw DavException("Redirected without new Location")

--- a/src/test/kotlin/at/bitfire/dav4jvm/DavResourceTest.kt
+++ b/src/test/kotlin/at/bitfire/dav4jvm/DavResourceTest.kt
@@ -13,9 +13,13 @@ import at.bitfire.dav4jvm.property.DisplayName
 import at.bitfire.dav4jvm.property.GetContentType
 import at.bitfire.dav4jvm.property.GetETag
 import at.bitfire.dav4jvm.property.ResourceType
+import okhttp3.HttpUrl.Companion.toHttpUrl
 import okhttp3.MediaType.Companion.toMediaType
 import okhttp3.OkHttpClient
+import okhttp3.Protocol
+import okhttp3.Request
 import okhttp3.RequestBody.Companion.toRequestBody
+import okhttp3.ResponseBody.Companion.toResponseBody
 import okhttp3.mockwebserver.MockResponse
 import okhttp3.mockwebserver.MockWebServer
 import org.junit.After
@@ -722,4 +726,57 @@ class DavResourceTest {
        assertTrue(called)
    }

+
+    @Test
+    fun testFollowRedirects_302() {
+        val url = sampleUrl()
+        val dav = DavResource(httpClient, url)
+        var i = 0
+        dav.followRedirects {
+            if (i++ == 0)
+                okhttp3.Response.Builder()
+                        .protocol(Protocol.HTTP_1_1)
+                        .code(302)
+                        .message("Found")
+                        .header("Location", "http://to.com/")
+                        .request(Request.Builder()
+                                .get()
+                                .url("http://from.com/")
+                                .build())
+                        .body("New location!".toResponseBody())
+                        .build()
+            else
+                okhttp3.Response.Builder()
+                        .protocol(Protocol.HTTP_1_1)
+                        .code(204)
+                        .message("No Content")
+                        .request(Request.Builder()
+                                .get()
+                                .url("http://to.com/")
+                                .build())
+                        .build()
+        }.let { response ->
+            assertEquals(204, response.code)
+            assertEquals("http://to.com/".toHttpUrl(), dav.location)
+        }
+    }
+
+    @Test(expected = DavException::class)
+    fun testFollowRedirects_HttpsToHttp() {
+        val dav = DavResource(httpClient, "https://from.com".toHttpUrl())
+        dav.followRedirects {
+            okhttp3.Response.Builder()
+                    .protocol(Protocol.HTTP_1_1)
+                    .code(302)
+                    .message("Found")
+                    .header("Location", "http://to.com/")
+                    .request(Request.Builder()
+                            .get()
+                            .url("https://from.com/")
+                            .build())
+                    .body("New location!".toResponseBody())
+                    .build()
+        }
+    }
+
 }