axel tries to download HTTPS URLs via HTTP (including credentials)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| axel (Ubuntu) | Expired | Undecided | Unassigned | |
Bug Description
When trying to download something via https:// using Axel 2.5 (as given in xenial), axel tries to download via port 80, passing all additional headers (Authorization, etc.) in the clear.
Adding the port :443 explicitly makes it fail (as no SSL handshake is done).
Steps to reproduce:

```
$ COLUMNS=80 dpkg -l axel
Desired=
| Status=
|/ Err?=(none)
||/ Name Version Architecture Description
+++-===
ii axel 2.5-2 amd64 light command line download accel
$ strace -e connect axel -q -H 'Authorization: Bearer thisisveryconfi
connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=
connect(4, {sa_family=
connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=
+++ exited with 0 +++
```
2.13 (as given in artful) no longer has this problem:

```
$ COLUMNS=80 dpkg -l axel
Desired=
| Status=
|/ Err?=(none)
||/ Name Version Architecture Description
+++-===
ii axel 2.13.1-1 amd64 light command line download accel
$ strace -e connect axel -q -H 'Authorization: Bearer thisisveryconfi
connect(4, {sa_family=AF_INET, sin_port=
connect(4, {sa_family=
connect(4, {sa_family=AF_INET, sin_port=
+++ exited with 0 +++
```
Please arrange a security update.
information type: Private Security → Public Security
Had a look at the code:
```c
[..]
if( set_url[0] == 'f' )
    conn->proto = PROTO_FTP;
else if( set_url[0] == 'h' )
    conn->proto = PROTO_HTTP;
[..]
```
and
```c
[..]
if( conn->proto == PROTO_FTP )
    serv = getservbyname( "ftp", "tcp" );
else
    serv = getservbyname( "www", "tcp" );
[..]
```
or, on Darwin:
```c
[..]
if( conn->proto == PROTO_HTTP )
    conn->port = 80;
else
    conn->port = 21;
[..]
```
This was not fixed at all before 2.10.
Ouch.
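The first-character scheme check quoted above, beside a parser that tells https apart from http and a guard that keeps an Authorization header off a plaintext connection, as an added example that is not axel's code (the enum and function names here are assumed for illustration):

```c
#include <string.h>
#include <strings.h>
#include <stdbool.h>

enum proto { PROTO_FTP, PROTO_HTTP, PROTO_HTTPS, PROTO_UNKNOWN };

/* Mirrors the check quoted from axel 2.5: only the first byte decides,
 * so "https://" starts with 'h' and is treated as plain HTTP. */
static enum proto buggy_proto(const char *url)
{
    if (url[0] == 'f')
        return PROTO_FTP;
    if (url[0] == 'h')
        return PROTO_HTTP;
    return PROTO_UNKNOWN;
}

/* Corrected: compare the whole scheme up to "://", case-insensitively. */
static enum proto parse_scheme(const char *url)
{
    const char *sep = strstr(url, "://");
    if (sep == NULL)
        return PROTO_UNKNOWN;
    size_t n = (size_t)(sep - url);
    if (n == 3 && strncasecmp(url, "ftp", 3) == 0)
        return PROTO_FTP;
    if (n == 4 && strncasecmp(url, "http", 4) == 0)
        return PROTO_HTTP;
    if (n == 5 && strncasecmp(url, "https", 5) == 0)
        return PROTO_HTTPS;
    return PROTO_UNKNOWN;
}

/* Default port per scheme; -1 for anything unrecognised. */
static int default_port(enum proto p)
{
    switch (p) {
    case PROTO_FTP:   return 21;
    case PROTO_HTTP:  return 80;
    case PROTO_HTTPS: return 443;
    default:          return -1;
    }
}

/* Guard: a request carrying an Authorization header may only be sent
 * when the URL scheme is https and a TLS session is actually established. */
static bool credentials_allowed(const char *url, bool has_auth, bool tls_up)
{
    return !has_auth || (parse_scheme(url) == PROTO_HTTPS && tls_up);
}
```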