kamp/fdroidserver
1
0
Fork 0
mirror of https://gitlab.com/fdroid/fdroidserver.git synced 2024-11-04 14:30:11 +01:00
Code Activity

SVN: only allow redirects to HTTPS

Browse Source 
"SVN follows HTTP 301 redirects to svn+ssh:// URLs. As a result, an
innocent looking HTTP URL can be used to trigger a Command Execution with a
301 redirect."
https://blog.recurity-labs.com/2017-08-10/scm-vulns.html#third-round-svn-and-mercurial

I scanned fdroiddata and found no suspicious redirects.  Here's how:

grep -A1 '^Repo *Type: *git-svn' *.txt *.yml| sed -n 's,.*Repo:\(.*\),\1,p' > /tmp/urls.txt

import requests
with open('/tmp/urls.txt') as fp:
    for line in fp:
        try:
            r = requests.head(line.strip())
            print(r.status_code, line)
        except requests.exceptions.SSLError:
            print('SSLError', line)
This commit is contained in:
Hans-Christoph Steiner 2018-03-02 10:21:55 +01:00
parent 654b3cb9dc
commit 6cd8f2ffea
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
fdroidserver/common.py
View File

@ -1011,6 +1011,10 @@ class vcs_gitsvn(vcs):
import requests import requests
r = requests.head(remote) r = requests.head(remote)
r.raise_for_status() r.raise_for_status()
location = r.headers.get('location')
if location and not location.startswith('https://'):
raise VCSException(_('Invalid redirect to non-HTTPS: {before} -> {after} ')
.format(before=remote, after=location))
gitsvn_args.extend(['--', remote, self.local]) gitsvn_args.extend(['--', remote, self.local])
p = self.git(gitsvn_args) p = self.git(gitsvn_args)