SVN: only allow redirects to HTTPS

"SVN follows HTTP 301 redirects to svn+ssh:// URLs. As a result, an innocent looking HTTP URL can be used to trigger a Command Execution with a 301 redirect." https://blog.recurity-labs.com/2017-08-10/scm-vulns.html#third-round-svn-and-mercurial I scanned fdroiddata and found no suspicious redirects. Here's how: grep -A1 '^Repo *Type: *git-svn' *.txt *.yml| sed -n 's,.*Repo:\(.*\),\1,p' > /tmp/urls.txt import requests with open('/tmp/urls.txt') as fp: for line in fp: try: r = requests.head(line.strip()) print(r.status_code, line) except requests.exceptions.SSLError: print('SSLError', line)
2024-09-11 23:23:27 +02:00 · 2018-03-02 10:21:55 +01:00 · 2018-03-02 10:21:55 +01:00 · 6cd8f2ffea
commit 6cd8f2ffea
parent 654b3cb9dc
1 changed files with 4 additions and 0 deletions
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@ -1011,6 +1011,10 @@ class vcs_gitsvn(vcs):
            import requests
            r = requests.head(remote)
            r.raise_for_status()
+            location = r.headers.get('location')
+            if location and not location.startswith('https://'):
+                raise VCSException(_('Invalid redirect to non-HTTPS: {before} -> {after} ')
+                                   .format(before=remote, after=location))

            gitsvn_args.extend(['--', remote, self.local])
            p = self.git(gitsvn_args)