Message ID | 20180324162218.28f9d594.peter.mueller@link38.eu |
---|---|
State | Accepted |
Headers |
Date: Sat, 24 Mar 2018 16:22:18 +0100 From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu> To: "development@lists.ipfire.org" <development@lists.ipfire.org> Subject: [PATCH] use protocol defined in server-list.db for mirror communication Message-ID: <20180324162218.28f9d594.peter.mueller@link38.eu> |
Series | use protocol defined in server-list.db for mirror communication |
Commit Message
Peter Müller
March 25, 2018, 2:22 a.m. UTC
For each mirror server, a protocol can be specified in the
server-list.db database. However, it was not used for the
actual URL query to a mirror before.

This might be useful for deploying HTTPS pinning for Pakfire.
If a mirror is known to support HTTPS, all queries to it
will be made with this protocol.

This saves some overhead if HTTPS is enforced on a mirror
via 301 redirects. To enable this, the server-list.db
needs to be adjusted.

Partially fixes #11661.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Cc: Michael Tremer <michael.tremer@ipfire.org>
---
src/pakfire/lib/functions.pl | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
Comments
Hello,

would it not be a good idea to check if $proto is either HTTP or HTTPS?

-Michael

On Sat, 2018-03-24 at 16:22 +0100, Peter Müller wrote:
> For each mirror server, a protocol can be specified in the
> server-list.db database. However, it was not used for the
> actual URL query to a mirror before.
>
> This might be useful for deploy HTTPS pinning for Pakfire.
> If a mirror is known to support HTTPS, all queries to it
> will be made with this protocol.
>
> This saves some overhead if HTTPS is enforced on a mirror
> via 301 redirects. To enable this, the server-list.db
> needs to be adjusted.
>
> Partially fixes #11661.
>
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> Cc: Michael Tremer <michael.tremer@ipfire.org>
> ---
> src/pakfire/lib/functions.pl | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl > index c97d4254d..94f9f1826 100644 > --- a/src/pakfire/lib/functions.pl > +++ b/src/pakfire/lib/functions.pl > @@ -171,8 +171,11 @@ sub fetchfile { > } > } > > + # Use specified protocol for mirror communication (allows > HTTPS pinning) > + my $urlproto = lc $proto; > + > $final_data = undef; > - my $url = "http://$host/$file"; > + my $url = "$urlproto://$host/$file"; > my $response; > > unless ($bfile =~ /^counter.py\?.*/) {

Hello Michael,

I do not see the benefit in doing so. In functions.pl, just a few lines
above, it says:

$proto = "HTTP" unless $proto;

Of course, we will mostly see HTTP and a few HTTPS mirrors here, but
that leaves other protocols (FTP???) possible, therefore, I did not
strictly check if only one of these protocols is set.

Does that make sense to you?

Best regards,
Peter Müller

> Hello,
>
> would it not be a good idea to check if $proto is either HTTP or HTTPS?
>
> -Michael
>
> On Sat, 2018-03-24 at 16:22 +0100, Peter Müller wrote:
> > For each mirror server, a protocol can be specified in the
> > server-list.db database. However, it was not used for the
> > actual URL query to a mirror before.
> >
> > This might be useful for deploy HTTPS pinning for Pakfire.
> > If a mirror is known to support HTTPS, all queries to it
> > will be made with this protocol.
> >
> > This saves some overhead if HTTPS is enforced on a mirror
> > via 301 redirects. To enable this, the server-list.db
> > needs to be adjusted.
> >
> > Partially fixes #11661.
> >
> > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > Cc: Michael Tremer <michael.tremer@ipfire.org>
> > ---
> > src/pakfire/lib/functions.pl | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl > > index c97d4254d..94f9f1826 100644 > > --- a/src/pakfire/lib/functions.pl > > +++ b/src/pakfire/lib/functions.pl > > @@ -171,8 +171,11 @@ sub fetchfile { > > } > > } > > > > + # Use specified protocol for mirror communication (allows > > HTTPS pinning) > > + my $urlproto = lc $proto; > > + > > $final_data = undef; > > - my $url = "http://$host/$file"; > > + my $url = "$urlproto://$host/$file"; > > my $response; > > > > unless ($bfile =~ /^counter.py\?.*/) {

What if someone is getting a malformed list? Can this not be abused?
FTP would not work with the Perl module of course...

On Mon, 2018-03-26 at 20:50 +0200, Peter Müller wrote:
> Hello Michael,
>
> I do not see the benefit in doing so. In functions.pl, just a few lines
> above, it says:
>
> $proto = "HTTP" unless $proto;
>
> Of course, we will mostly see HTTP and a few HTTPS mirrors here, but
> that leaves other protocols (FTP???) possible, thereof, I did not
> strictly checked if only one of these protocols is set.
>
> Does that make sense to you?
>
> Best regards,
> Peter Müller
>
> > Hello,
> >
> > would it not be a good idea to check if $proto is either HTTP or HTTPS?
> >
> > -Michael
> >
> > On Sat, 2018-03-24 at 16:22 +0100, Peter Müller wrote:
> > > For each mirror server, a protocol can be specified in the
> > > server-list.db database. However, it was not used for the
> > > actual URL query to a mirror before.
> > >
> > > This might be useful for deploy HTTPS pinning for Pakfire.
> > > If a mirror is known to support HTTPS, all queries to it
> > > will be made with this protocol.
> > >
> > > This saves some overhead if HTTPS is enforced on a mirror
> > > via 301 redirects. To enable this, the server-list.db
> > > needs to be adjusted.
> > >
> > > Partially fixes #11661.
> > >
> > > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > > Cc: Michael Tremer <michael.tremer@ipfire.org>
> > > ---
> > > src/pakfire/lib/functions.pl | 5 ++++-
> > > 1 file changed, 4 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl > > > index c97d4254d..94f9f1826 100644 > > > --- a/src/pakfire/lib/functions.pl > > > +++ b/src/pakfire/lib/functions.pl 
> > > @@ -171,8 +171,11 @@ sub fetchfile { > > > } > > > } > > > > > > + # Use specified protocol for mirror communication (allows > > > HTTPS pinning) > > > + my $urlproto = lc $proto; > > > + > > > $final_data = undef; > > > - my $url = "http://$host/$file"; > > > + my $url = "$urlproto://$host/$file"; > > > my $response; > > > > > > unless ($bfile =~ /^counter.py\?.*/) { > >

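The check discussed in the replies above, as an added example (not code from functions.pl or from the patch): a hypothetical helper `build_mirror_url` applies the `HTTP` default quoted in the thread, lowercases the protocol, and builds a URL only when the scheme is `http` or `https`. The host pattern and the sample entries are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Schemes a mirror entry may select; anything else is rejected instead of
# being interpolated into the request URL.
my %ALLOWED_SCHEME = map { $_ => 1 } qw(http https);

# Hypothetical helper, not part of functions.pl. Returns the URL to fetch,
# or undef when the mirror entry must not be used.
sub build_mirror_url {
    my ($proto, $host, $file) = @_;

    $proto = "HTTP" unless $proto;      # default quoted in the thread
    my $urlproto = lc $proto;
    return unless $ALLOWED_SCHEME{$urlproto};

    # Assumption: a mirror host is a DNS name with an optional port. This
    # keeps "/", "@", "?" and whitespace out of the authority part.
    return unless defined($host)
        && $host =~ /\A[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::[0-9]{1,5})?\z/i;

    return "$urlproto://$host/$file";
}

# Constructed sample entries: [ protocol, host, file ]
my @entries = (
    [ 'HTTPS', 'mirror.example.org',        'lists/example.db' ],
    [ '',      'mirror.example.org',        'lists/example.db' ],
    [ 'FTP',   'mirror.example.org',        'lists/example.db' ],
    [ 'file',  'mirror.example.org',        'lists/example.db' ],
    [ 'HTTPS', 'mirror.example.org/@other', 'lists/example.db' ],
);

for my $entry (@entries) {
    my ($proto, $host, $file) = @$entry;
    my $url = build_mirror_url($proto, $host, $file);
    printf "%-8s %-28s => %s\n", "'$proto'", $host, $url // "REJECTED";
}
```

Only the first two entries produce a URL; the empty protocol falls back to `http`, and the other three are rejected before any request would be made.
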
diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl index c97d4254d..94f9f1826 100644 --- a/src/pakfire/lib/functions.pl +++ b/src/pakfire/lib/functions.pl @@ -171,8 +171,11 @@ sub fetchfile { } } + # Use specified protocol for mirror communication (allows HTTPS pinning) + my $urlproto = lc $proto; + $final_data = undef; - my $url = "http://$host/$file"; + my $url = "$urlproto://$host/$file"; my $response; unless ($bfile =~ /^counter.py\?.*/) {
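
Review bot: In the added lines `my $urlproto = lc $proto;` and `my $url = "$urlproto://$host/$file";`, the protocol value reaches the URL without any check that it is `http` or `https`, so a malformed or unexpected protocol field in the mirror list decides how the request is made. Suggest rejecting the entry unless `$urlproto` matches `^https?$` before `$url` is built, and reporting the rejected value. The new comment says this "allows HTTPS pinning", but nothing in the hunk requires `https`; the comment would be more accurate if it said the scheme is whatever the list entry specifies.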