download_strategy: declare insecure redirects

Fixes Homebrew/homebrew#38824
author: Dominyk Tiller 2015-04-19 21:25:14 +0100
committer: Mike McQuaid 2015-06-14 13:20:07 +0100
commit: 794b08fc0df9c5327f77d44ad4727086bb563a19 (patch)
tree: 320018edea9c0969df82defc96b0aae26e099a04 /Library
parent: 552755b3de3f6a2dadc699065a12ed90d22b0eaf (diff)
download: brew-794b08fc0df9c5327f77d44ad4727086bb563a19.tar.bz2
1 files changed, 18 insertions, 0 deletions
diff --git a/Library/Homebrew/download_strategy.rb b/Library/Homebrew/download_strategy.rb
index 33f9e24a5..6b5148aa5 100644
--- a/Library/Homebrew/download_strategy.rb
+++ b/Library/Homebrew/download_strategy.rb
@@ -269,6 +269,16 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy
 
   def fetch
     ohai "Downloading #{@url}"
+
+    urls = actual_urls
+    unless urls.empty?
+      ohai "Downloading from: #{urls.last}"
+      if !ENV["HOMEBREW_NO_INSECURE_REDIRECT"].nil? && @url.start_with?("https://") &&
+        urls.any? { |u| !u.start_with? "https://" }
+        raise "HTTPS to HTTP redirect detected & HOMEBREW_NO_INSECURE_REDIRECT is set."
+      end
+    end
+
     unless cached_location.exist?
       had_incomplete_download = temporary_path.exist?
       begin
@@ -312,6 +322,14 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy
     curl @url, "-C", downloaded_size, "-o", temporary_path
   end
 
+  def actual_urls
+    urls = []
+    Utils.popen_read("curl", "-I", "-L", @url).scan(/^Location: (.+)$/).map do |m|
+      urls << URI.join(urls.last || @url, m.first.chomp).to_s
+    end
+    urls
+  end
+
   def downloaded_size
     temporary_path.size? || 0
   end
author	Dominyk Tiller	2015-04-19 21:25:14 +0100
committer	Mike McQuaid	2015-06-14 13:20:07 +0100
commit	794b08fc0df9c5327f77d44ad4727086bb563a19 (patch)
tree	320018edea9c0969df82defc96b0aae26e099a04 /Library
parent	552755b3de3f6a2dadc699065a12ed90d22b0eaf (diff)
download	brew-794b08fc0df9c5327f77d44ad4727086bb563a19.tar.bz2