Bug 113275

Summary: YaST2 packagemanager: follow any Location: header that the server sends as part of an HTTP header
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Christoph Thiel <cthiel>
Component: YaST2
Assignee: Michael Andres <ma>
Status: RESOLVED FIXED
QA Contact: Klaus Kämpf <kkaempf>
Severity: Normal
Priority: P5 - None
CC: adrian.schroeter, aj, kkaempf, lnussel
Version: Beta 3
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: yast2-packagemanager-2.12.15.diff

Description Christoph Thiel 2005-08-26 11:14:35 UTC
Please apply the attached patch to make YaST2 work with the 
download.opensuse.org redirection stuff.
Comment 1 Christoph Thiel 2005-08-26 11:15:14 UTC
Created attachment 47750 [details]
yast2-packagemanager-2.12.15.diff
Comment 2 Ludwig Nussel 2005-08-26 11:46:41 UTC
I fear it would be possible to redirect to URLs other than http this way. I
also don't like the idea of yast downloading stuff from somewhere I didn't
specify without telling me.
Comment 3 Christoph Thiel 2005-08-26 12:25:19 UTC
Yes, it is possible to redirect to URLs other than http, e.g. ftp:// and
file://, but this doesn't cause any new/additional threat in my opinion.
 
Adrian, Andreas, Klaus, what's your opinion/view on this topic? 
Comment 4 Adrian Schröter 2005-08-26 12:47:11 UTC
Can we allow it at least for dedicated URLs like download.opensuse.org?
Comment 5 Andreas Jaeger 2005-08-26 12:51:17 UTC
I would like to see this working - and I won't object to a whitelist of
allowed URLs.
Comment 6 Christoph Thiel 2005-08-26 12:54:55 UTC
Actually I'd like to have it for any URL, because it really gives you some  
cool failover features and stuff like that (not only for openSUSE). 
Comment 7 Ludwig Nussel 2005-08-26 12:59:54 UTC
Implementing a whitelist is not as trivial, as one would then have to handle
the redirect manually, whereas the above patch leaves that job to curl. I'd
only limit the number of redirects to, let's say, three. However, this makes the
headaches I have with the gpg key handling even worse. If I touch the code
I'll have to fix the automatic unconditional key import as well, otherwise I
wouldn't be able to sleep at night anymore.
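Ludwig's "limit the number of redirects to three", together with the scheme and host concerns raised in comments 2 to 5, as an added Python example that is not part of this bug or the attached patch: it resolves a Location: chain under an explicit policy, run against constructed responses (the mirror and loop URLs are made up; only download.opensuse.org is from the bug).

```python
from urllib.parse import urljoin, urlsplit
# Hypothetical policy check, not the yast2-packagemanager patch (that one lets curl follow
# redirects); it shows what "limit to three" plus a host whitelist must verify on each hop.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
ALLOWED_SCHEMES = {"http", "https"}   # never ftp:// or file://, whatever Location: says

class RedirectPolicyError(Exception):
    def __init__(self, reason, detail):
        super().__init__(f"{reason}: {detail}")
        self.reason = reason

def follow_redirects(fetch, url, max_redirects=3, allowed_hosts=None):
    """Resolve a Location: chain; fetch(url) returns (status, headers).
    Returns (final_url, hops) or raises RedirectPolicyError."""
    hops = [url]
    while True:
        status, headers = fetch(hops[-1])
        if status not in REDIRECT_STATUSES:
            return hops[-1], hops
        if len(hops) - 1 >= max_redirects:
            raise RedirectPolicyError("limit", f"more than {max_redirects} redirects from {url}")
        location = headers.get("Location")
        if location is None:
            raise RedirectPolicyError("no-location", f"{status} without Location at {hops[-1]}")
        target = urljoin(hops[-1], location)  # Location may be relative
        parts = urlsplit(target)
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            raise RedirectPolicyError("scheme", f"refusing {parts.scheme}:// target {target}")
        if allowed_hosts is not None and parts.hostname not in allowed_hosts:
            raise RedirectPolicyError("host", f"{parts.hostname} is not on the allowed list")
        hops.append(target)

# Constructed responses standing in for the redirector; nothing touches the network.
CONSTRUCTED_RESPONSES = {
    "http://download.opensuse.org/distribution/10.0/repo/oss/":
        (302, {"Location": "http://mirror.example.org/opensuse/10.0/oss/"}),
    "http://mirror.example.org/opensuse/10.0/oss/": (200, {}),
    "http://download.opensuse.org/ftp-bounce/":
        (302, {"Location": "ftp://ftp.example.org/pub/opensuse/"}),
    "http://download.opensuse.org/loop/": (302, {"Location": "/loop/"}),  # relative, never ends
}

def fake_fetch(url):
    return CONSTRUCTED_RESPONSES.get(url, (404, {}))

def check(url, **policy):
    """Report ("followed", final_url, redirects_taken) or ("refused", reason)."""
    try:
        final, hops = follow_redirects(fake_fetch, url, **policy)
        return ("followed", final, len(hops) - 1)
    except RedirectPolicyError as exc:
        return ("refused", exc.reason)
```

Passing `allowed_hosts={"download.opensuse.org"}` gives the per-host whitelist Adrian asked about; leaving it `None` keeps the "any URL" behaviour with only the scheme and hop-count limits.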
Comment 8 Adrian Schröter 2005-08-26 13:24:46 UTC
Anyway, when you add a URL you have to trust the source. It does not matter
if a redirect happens or not. I do not see a new security issue here.

But we would lose the possibility to scale and we will never be able to
publish direct download URLs anymore.

So, can we please have this and discuss a real trust/security mechanism
offline, independent of this?
Comment 9 Christoph Thiel 2005-08-28 19:32:41 UTC
$ head yast2-packagemanager.changes
-------------------------------------------------------------------
Fri Aug 26 16:41:42 CEST 2005 - lnussel@suse.de

- follow http redirects (#113275)
- 2.12.16

-------------------------------------------------------------------
$