apt https method decodes redirect locations and sends them to the destination undecoded.
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apt (Ubuntu) | Fix Released | High | Julian Andres Klode | |
Xenial | Fix Released | High | Unassigned | |
Yakkety | Fix Released | High | Unassigned | |
Bug Description
[Impact]
Downloads via HTTPS fail if the URL contains a space (before yakkety only if there is no redirect from a previous space-free https URL). This breaks packages like ttf-mscorefonts
[Test case]
Install/Upgrade apt-transport-
Check that
/usr/lib/
can successfully download the file (or at least start downloading it) and does not fail early with a 505 HTTP version not supported error message.
This problem does not occur with that file on xenial, as it first redirects to an HTTPS URI without a space which then redirects to an HTTPS URI with a space (http w/o space -> https w/o space -> https w/ space). In xenial, https->https redirects were handled internally by curl.
Another test (applicable to xenial) is to install ttf-mscorefonts
[Regression potential]
The added code is:
Uri.Path = QuoteString(
Some servers might not like + or ~ being quoted. We use the same quoting call for the http method too, though, so it seems highly unlikely to cause an issue.
[Original bug report]
Distributor ID: Ubuntu
Description: Ubuntu 16.10
Release: 16.10
Codename: yakkety
apt version 1.3.3 (also tried 1.4-beta2 .deb, same results)
When trying to install a package hosted on s3 from the kxstudio repo, the download fails with an HTTP error:
nico@nico-
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
wine1.6-amd64
The following NEW packages will be installed
wine1.6-amd64 wineasio-amd64
0 to upgrade, 2 to newly install, 0 to remove and 1 not to upgrade.
Need to get 30.9 kB/32.6 kB of archives.
After this operation, 184 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Err:1 http://
505 HTTP Version not supported
E: Failed to fetch https:/
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
Error allegedly not present in Ubuntu 14.04 and 16.04
More details in these forum posts:
https:/
https:/
https:/
ProblemType: Bug
DistroRelease: Ubuntu 16.10
Package: apt 1.3.3
ProcVersionSign
Uname: Linux 4.8.0-30-lowlatency x86_64
ApportVersion: 2.20.3-0ubuntu8.2
Architecture: amd64
CurrentDesktop: X-Cinnamon
Date: Thu Dec 22 02:31:47 2016
InstallationDate: Installed on 2016-10-20 (62 days ago)
InstallationMedia: Ubuntu 16.10 "Yakkety Yak" - Release amd64 (20161012.2)
SourcePackage: apt
UpgradeStatus: No upgrade log present (probably fresh install)
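An added illustration (not code from apt or from this bug report) of the failure described above: a redirect path is percent-decoded and then sent with a raw space, so a server that splits the request line on spaces reads a bogus version token. The helpers `DecodePath`, `EncodePath`, `RequestLine` and `StatusFor`, the sample path, and the simplified server model are all assumptions made for this example.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical helper: percent-decode a path taken from a Location header.
std::string DecodePath(const std::string &in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        bool esc = in[i] == '%' && i + 2 < in.size() && std::isxdigit((unsigned char)in[i + 1]) &&
                   std::isxdigit((unsigned char)in[i + 2]);
        if (esc) { out += (char)std::stoi(in.substr(i + 1, 2), nullptr, 16); i += 2; }
        else out += in[i];
    }
    return out;
}

// Hypothetical helper: percent-encode '%', control and non-ASCII bytes, and bytes in `bad`.
std::string EncodePath(const std::string &in, const std::string &bad) {
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : in) {
        bool q = c < 0x20 || c >= 0x7f || c == '%' || bad.find((char)c) != std::string::npos;
        if (q) { out += '%'; out += hex[c >> 4]; out += hex[c & 15]; }
        else out += (char)c;
    }
    return out;
}

// Request line sent after following a redirect whose Location path is `location_path`.
std::string RequestLine(const std::string &location_path, bool requote) {
    std::string path = DecodePath(location_path);  // redirect handling decodes the path
    if (requote) path = EncodePath(path, "+~ ");   // fixed behaviour: quote again before sending
    return "GET " + path + " HTTP/1.1";
}

// Simplified server model (assumption): the text after the second space is the HTTP version.
int StatusFor(const std::string &line) {
    std::size_t a = line.find(' ');
    std::size_t b = (a == std::string::npos) ? a : line.find(' ', a + 1);
    if (b == std::string::npos) return 400;
    std::string v = line.substr(b + 1);
    return (v == "HTTP/1.1" || v == "HTTP/1.0") ? 200 : 505;
}

int main() {
    const std::string loc = "/pool/My%20Font%20Pack.exe";  // constructed sample path
    std::cout << RequestLine(loc, false) << " -> " << StatusFor(RequestLine(loc, false)) << "\n";
    std::cout << RequestLine(loc, true) << " -> " << StatusFor(RequestLine(loc, true)) << "\n";
}
```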
summary: |
- 505 HTTP Version not supported - installing kxstudio packages
+ apt https method decodes redirect locations and sends them to the
+ destination undecoded.
Changed in apt (Ubuntu): | |
status: | Triaged → In Progress |
no longer affects: | apt (Ubuntu Trusty) |
Changed in apt (Ubuntu Yakkety): | |
status: | Confirmed → Triaged |
Changed in apt (Ubuntu Xenial): | |
status: | Confirmed → Triaged |
Changed in apt (Ubuntu): | |
status: | In Progress → Fix Committed |
Changed in apt (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in apt (Ubuntu Yakkety): | |
importance: | Undecided → Medium |
description: | updated |
description: | updated |
description: | updated |
Right:
/usr/lib/apt/apt-helper download-file http://kxstudio.linuxaudio.org/repo/pool/free/ardour4_4.7.0-1kxstudio1_i386.deb test.deb kxstudio.linuxaudio.org/repo/pool/free/ardour4_4.7.0-1kxstudio1_i386.deb
Err:1 http://
505 HTTP Version not supported