From 46fbc88ee5d4b40786ef48cb5da9c8af28577b55 Mon Sep 17 00:00:00 2001
From: Russell Belfer
Date: Tue, 24 Sep 2013 14:50:06 -0700
Subject: [PATCH] Prevent HTTPS to HTTP redirect
---
 src/transports/http.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/transports/http.c b/src/transports/http.c
index aca8c5d8b..ab2f9a47f 100644
--- a/src/transports/http.c
+++ b/src/transports/http.c
@@ -287,6 +287,11 @@ static int set_connection_data_from_url(
 if (!git__prefixcmp(url, prefix_http)) {
 url = url + strlen(prefix_http);
 default_port = "80";
+
+ if (t->use_ssl) {
+ giterr_set(GITERR_NET, "Redirect from HTTPS to HTTP not allowed");
+ return -1;
+ }
 }
 if (!git__prefixcmp(url, prefix_https)) {
@@ -324,7 +329,7 @@ static int set_connection_data_from_url(
 /* Allow '/'-led urls, or a change of protocol */
 if (original_host != NULL) {
 if (strcmp(original_host, t->host) && t->location[0] != '/') {
- giterr_set(GITERR_NET, "Only same-host redirects are supported");
+ giterr_set(GITERR_NET, "Cross host redirect not allowed");
 error = -1;
 }
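Review bot: The new `return -1;` in the `prefix_http` branch leaves the function directly, while the cross-host check in the second hunk reports failure with `error = -1;` and falls through, which suggests a shared exit path. If `original_host` is captured, or any field of `t` is cleared, before the scheme is parsed, this early return would skip that cleanup; the function body starts and ends outside the hunk, so this needs confirming against the full function. If that is the case, the downgrade rejection should set `error = -1;` and leave through the same path as the other failures. A one-line comment above the check, such as `/* never follow a redirect that downgrades an SSL connection to plain HTTP */`, would also record that `t->use_ssl` is presumably still the state of the connection the redirect arrived on.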