From 6cd8f2ffeaaf943a716dd9dee73eb5d3da6db754 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Fri, 2 Mar 2018 10:21:55 +0100
Subject: [PATCH] SVN: only allow redirects to HTTPS

"SVN follows HTTP 301 redirects to svn+ssh:// URLs. As a result, an innocent looking HTTP URL can be used to trigger a Command Execution with a 301 redirect."
https://blog.recurity-labs.com/2017-08-10/scm-vulns.html#third-round-svn-and-mercurial

I scanned fdroiddata and found no suspicious redirects. Here's how:

grep -A1 '^Repo *Type: *git-svn' *.txt *.yml| sed -n 's,.*Repo:\(.*\),\1,p' > /tmp/urls.txt

import requests
with open('/tmp/urls.txt') as fp:
    for line in fp:
        try:
            r = requests.head(line.strip())
            print(r.status_code, line)
        except requests.exceptions.SSLError:
            print('SSLError', line)

---
 fdroidserver/common.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index 83dfb441..b943fc50 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -1011,6 +1011,10 @@ class vcs_gitsvn(vcs):
             import requests
             r = requests.head(remote)
             r.raise_for_status()
+            location = r.headers.get('location')
+            if location and not location.startswith('https://'):
+                raise VCSException(_('Invalid redirect to non-HTTPS: {before} -> {after} ')
+                                   .format(before=remote, after=location))
             gitsvn_args.extend(['--', remote, self.local])
             p = self.git(gitsvn_args)
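Review bot: The new check at `location = r.headers.get('location')` inspects only the first hop: `requests.head` does not follow redirects by default, so an `http://` remote that 301s to an `https://` URL which in turn 301s to `svn+ssh://` passes the check, and git-svn will still walk the whole chain into the command-execution case the commit message describes. Each hop should be fetched and validated until no Location header is returned, with a hop limit so a redirect loop cannot hang the build; relative Location values remain rejected by the `startswith` test, which is fail-closed but worth a comment. This remains best-effort, since a hostile server can answer HEAD differently from the GET/PROPFIND requests Subversion actually issues, so the real mitigation is a patched svn and the note should say so. The trailing space in `'{before} -> {after} '` also ends up in the translatable string and should be dropped. The enclosing `gotorevisionx` method begins before this hunk.
```python
            import requests
            # Walk the redirect chain ourselves: every hop must stay on HTTPS,
            # otherwise git-svn would follow a 301 to svn+ssh:// (command execution).
            # Best-effort only: a server may answer HEAD differently from the
            # requests svn itself makes; a patched svn is the real fix.
            url = remote
            for _ in range(10):
                r = requests.head(url, allow_redirects=False)
                r.raise_for_status()
                location = r.headers.get('location')
                if not location:
                    break
                # relative Location values are rejected here on purpose (fail closed)
                if not location.startswith('https://'):
                    raise VCSException(_('Invalid redirect to non-HTTPS: {before} -> {after}')
                                       .format(before=url, after=location))
                url = location
            else:
                raise VCSException(_('Too many redirects while checking {url}').format(url=remote))
            # … unchanged: gitsvn_args.extend / self.git …
```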