author | Michael Vogt <mvo@debian.org> | 2014-02-14 17:11:07 +0100 |
---|---|---|
committer | Michael Vogt <mvo@debian.org> | 2014-02-14 19:10:47 +0100 |
commit | dc95fee18e8df2b00404c7d0f321f5b78e00f170 (patch) | |
tree | af4340d89e8d611cdb37a39b27c7d9ab5f0015fd | |
parent | 3f621056f7f672988c0efc6d38935c22b5ae041f (diff) |
disable https->http redirects in libcurl
This change prevents changing the protocol from https to http.
-rw-r--r-- | methods/https.cc | 3 | ||||
-rw-r--r-- | test/integration/framework | 2 | ||||
-rwxr-xr-x | test/integration/test-apt-https-no-redirect | 24 | ||||
-rwxr-xr-x | test/integration/test-bug-738785-switch-protocol | 2 |
4 files changed, 29 insertions, 2 deletions
diff --git a/methods/https.cc b/methods/https.cc index d97fddf9e..9422df2f0 100644 --- a/methods/https.cc +++ b/methods/https.cc @@ -185,8 +185,11 @@ bool HttpsMethod::Fetch(FetchItem *Itm) curl_easy_setopt(curl, CURLOPT_WRITEDATA, this); curl_easy_setopt(curl, CURLOPT_PROGRESSFUNCTION, progress_callback); curl_easy_setopt(curl, CURLOPT_PROGRESSDATA, this); + // options curl_easy_setopt(curl, CURLOPT_NOPROGRESS, false); curl_easy_setopt(curl, CURLOPT_FILETIME, true); + // only allow redirects to https + curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS); // SSL parameters are set by default to the common (non mirror-specific) value // if available (or a default one) and gets overload by mirror-specific ones. diff --git a/test/integration/framework b/test/integration/framework index f3699861b..e4f018472 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -901,7 +901,7 @@ changetohttpswebserver() { msgdie 'You need to install stunnel4 for https testcases' fi if [ ! -e "${TMPWORKINGDIRECTORY}/aptarchive/aptwebserver.pid" ]; then - changetowebserver --no-rewrite + changetowebserver --no-rewrite "$@" fi echo "pid = ${TMPWORKINGDIRECTORY}/aptarchive/stunnel.pid cert = ${TESTDIRECTORY}/apt.pem diff --git a/test/integration/test-apt-https-no-redirect b/test/integration/test-apt-https-no-redirect new file mode 100755 index 000000000..c405d1167 --- /dev/null +++ b/test/integration/test-apt-https-no-redirect 
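Review bot: The return value of the added `curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);` is discarded, so if libcurl rejects the option (for instance a build that predates it) the fetch carries on with redirects to http still permitted, which is the downgrade this commit is meant to stop. A control like this should fail closed. The option is also documented as taking a `long` bitmask, and a variadic call does not convert the int constant. Something like `if (curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, static_cast<long>(CURLPROTO_HTTPS)) != CURLE_OK) return false;` would cover both, reported through whatever error path the rest of Fetch uses. The body of HttpsMethod::Fetch starts and ends outside this hunk.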
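Review bot: The `"$@"` added to `changetowebserver --no-rewrite` is only reached when `aptwebserver.pid` does not exist, so options passed to changetohttpswebserver are silently dropped when a test has already started the web server. For the new redirect test that would mean the `/redirectme/` rule is never configured and the test no longer exercises the https-to-http case. A comment above the `if` such as `# extra arguments are only honoured when the webserver is started here` would document this, or the function could warn when `$#` is non-zero and the server is already running. The function continues outside the hunk.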
@@ -0,0 +1,24 @@ +#!/bin/sh +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture "i386" + +buildsimplenativepackage 'apt' 'all' '1.0' 'stable' +setupaptarchive --no-update + +changetohttpswebserver -o 'aptwebserver::redirect::replace::/redirectme/=http://localhost:8080/' + +msgtest 'normal http download works' +downloadfile 'http://localhost:8080/pool/apt_1.0/changelog' changelog2 >/dev/null 2>/dev/null && msgpass || msgfail + +msgtest 'normal https download works' +downloadfile 'https://localhost:4433/pool/apt_1.0/changelog' changelog >/dev/null 2>/dev/null && msgpass || msgfail + +msgtest 'redirecting https to http does not work' +downloadfile 'https://localhost:4433/redirectme/pool/apt_1.0/changelog' changelog3 2>&1 | grep "Protocol http not supported or disabled in libcurl" > /dev/null && msgpass + + diff --git a/test/integration/test-bug-738785-switch-protocol b/test/integration/test-bug-738785-switch-protocol index d3469f34f..bc3c6dbad 100755 --- a/test/integration/test-bug-738785-switch-protocol +++ b/test/integration/test-bug-738785-switch-protocol @@ -19,7 +19,7 @@ sed -i -e 's#:4433/#:8080/redirectme#' -e 's# https:# http:#' rootdir/etc/apt/so testsuccess aptget update -o Debug::Acquire::http=1 -o Debug::Acquire::https=1 -o Debug::pkgAcquire::Worker=1 msgtest 'Test that the webserver does not answer' 'http requests' -downloadfile 'http://localhost:8080//pool/apt_1.0/changelog' >/dev/null 2>&1 && msgfail || msgpass +downloadfile 'http://localhost:8080/pool/apt_1.0/changelog' changelog >/dev/null 2>&1 && msgfail || msgpass echo 'Apt::Changelogs::Server "http://localhost:8080/redirectme";' > rootdir/etc/apt/apt.conf.d/changelog.conf testequal "'http://localhost:8080/redirectme/pool/apt_1.0/changelog'" aptget changelog apt --print-uris |
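Review bot: The last check in test-apt-https-no-redirect, 'redirecting https to http does not work', ends in `&& msgpass` with no `|| msgfail`, unlike the two checks above it, so if the redirect is followed the test prints no explicit failure for the one case this commit exists to guard. Appending `|| msgfail` to that line makes a regression visible. The grep also pins libcurl's exact wording ("Protocol http not supported or disabled in libcurl"), which may differ between libcurl versions. Additionally asserting that the download produced no file, for example `[ ! -e changelog3 ]` if downloadfile writes to the working directory, would tie the test to the behaviour rather than the message.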