Commit 5eb94f5b authored by Ricki Hirner's avatar Ricki Hirner 🐑

Don't follow redirects from HTTPS to HTTP

parent 5abed623
Pipeline #170897079 passed with stages
in 3 minutes and 24 seconds
......@@ -2,7 +2,7 @@ import org.jetbrains.dokka.gradle.DokkaTask
object Libs {
// okhttp HTTP library
const val okhttpVersion = "4.7.2"
const val okhttpVersion = "4.8.0"
// XmlPullParser library
const val xpp3Version = "1.1.6"
......
......@@ -386,8 +386,10 @@ open class DavResource @JvmOverloads constructor(
* @param sendRequest called to send the request (may be called multiple times)
*
* @return response of the last request (whether it is a redirect or not)
*
* @throws DavException on HTTPS -> HTTP redirect
*/
protected fun followRedirects(sendRequest: () -> Response): Response {
internal fun followRedirects(sendRequest: () -> Response): Response {
lateinit var response: Response
for (attempt in 1..MAX_REDIRECTS) {
response = sendRequest()
......@@ -397,6 +399,10 @@ open class DavResource @JvmOverloads constructor(
val target = it.header("Location")?.let { location.resolve(it) }
if (target != null) {
log.fine("Redirected, new location = $target")
if (location.isHttps && !target.isHttps)
throw DavException("Received redirect from HTTPS to HTTP")
location = target
} else
throw DavException("Redirected without new Location")
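Review bot: The downgrade guard `if (location.isHttps && !target.isHttps)` only sees redirects that are handed back to followRedirects, so it relies on the OkHttpClient not following redirects on its own; the client configuration is not visible in this diff. If that precondition is not already documented elsewhere, the KDoc touched in the previous hunk should state it, for example `* Requires an OkHttpClient built with followRedirects(false); otherwise OkHttp may follow an HTTPS -> HTTP redirect before this check runs.` Separately, changing the function from `protected` to `internal` removes it from subclasses of the `open class DavResource` in other modules, which deserves a changelog entry if that was not intended. The block enclosing the check starts outside the hunk.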
......
......@@ -13,9 +13,13 @@ import at.bitfire.dav4jvm.property.DisplayName
import at.bitfire.dav4jvm.property.GetContentType
import at.bitfire.dav4jvm.property.GetETag
import at.bitfire.dav4jvm.property.ResourceType
import okhttp3.HttpUrl.Companion.toHttpUrl
import okhttp3.MediaType.Companion.toMediaType
import okhttp3.OkHttpClient
import okhttp3.Protocol
import okhttp3.Request
import okhttp3.RequestBody.Companion.toRequestBody
import okhttp3.ResponseBody.Companion.toResponseBody
import okhttp3.mockwebserver.MockResponse
import okhttp3.mockwebserver.MockWebServer
import org.junit.After
......@@ -722,4 +726,57 @@ class DavResourceTest {
assertTrue(called)
}
@Test
fun testFollowRedirects_302() {
val url = sampleUrl()
val dav = DavResource(httpClient, url)
var i = 0
dav.followRedirects {
if (i++ == 0)
okhttp3.Response.Builder()
.protocol(Protocol.HTTP_1_1)
.code(302)
.message("Found")
.header("Location", "http://to.com/")
.request(Request.Builder()
.get()
.url("http://from.com/")
.build())
.body("New location!".toResponseBody())
.build()
else
okhttp3.Response.Builder()
.protocol(Protocol.HTTP_1_1)
.code(204)
.message("No Content")
.request(Request.Builder()
.get()
.url("http://to.com/")
.build())
.build()
}.let { response ->
assertEquals(204, response.code)
assertEquals("http://to.com/".toHttpUrl(), dav.location)
}
}
@Test(expected = DavException::class)
fun testFollowRedirects_HttpsToHttp() {
val dav = DavResource(httpClient, "https://from.com".toHttpUrl())
dav.followRedirects {
okhttp3.Response.Builder()
.protocol(Protocol.HTTP_1_1)
.code(302)
.message("Found")
.header("Location", "http://to.com/")
.request(Request.Builder()
.get()
.url("https://from.com/")
.build())
.body("New location!".toResponseBody())
.build()
}
}
}
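Review bot: `@Test(expected = DavException::class)` on testFollowRedirects_HttpsToHttp passes for any DavException thrown inside followRedirects, including the existing "Redirected without new Location" one, so it does not pin the downgrade rejection specifically. The test should also assert that `dav.location` still points at the HTTPS origin after the rejection, since a regression that assigns the target before throwing would go unnoticed. An HTTPS to HTTPS case would be worth adding as well, to show that the guard does not reject legitimate redirects. The sketch below assumes the JUnit `fail` and `assertEquals` helpers are in scope in this file.
```kotlin
@Test
fun testFollowRedirects_HttpsToHttp() {
    val dav = DavResource(httpClient, "https://from.com".toHttpUrl())
    try {
        dav.followRedirects {
            // … unchanged: 302 response with Location: http://to.com/ …
        }
        fail("Expected DavException for HTTPS -> HTTP redirect")
    } catch (e: DavException) {
        // the insecure target must not have been adopted
        assertEquals("https://from.com".toHttpUrl(), dav.location)
    }
}
```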