From: Hans-Christoph Steiner Date: Fri, 2 Mar 2018 09:21:55 +0000 (+0100) Subject: SVN: only allow redirects to HTTPS X-Git-Tag: 1.0.3~19^2~2 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=6cd8f2ffeaaf943a716dd9dee73eb5d3da6db754;p=fdroidserver.git SVN: only allow redirects to HTTPS "SVN follows HTTP 301 redirects to svn+ssh:// URLs. As a result, an innocent looking HTTP URL can be used to trigger a Command Execution with a 301 redirect." https://blog.recurity-labs.com/2017-08-10/scm-vulns.html#third-round-svn-and-mercurial I scanned fdroiddata and found no suspicious redirects. Here's how: grep -A1 '^Repo *Type: *git-svn' *.txt *.yml| sed -n 's,.*Repo:\(.*\),\1,p' > /tmp/urls.txt import requests with open('/tmp/urls.txt') as fp: for line in fp: try: r = requests.head(line.strip()) print(r.status_code, line) except requests.exceptions.SSLError: print('SSLError', line)
---
diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index 83dfb441..b943fc50 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -1011,6 +1011,10 @@ class vcs_gitsvn(vcs):
             import requests
             r = requests.head(remote)
             r.raise_for_status()
+            location = r.headers.get('location')
+            if location and not location.startswith('https://'):
+                raise VCSException(_('Invalid redirect to non-HTTPS: {before} -> {after} ')
+                                   .format(before=remote, after=location))
             gitsvn_args.extend(['--', remote, self.local])
             p = self.git(gitsvn_args)
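Review bot: The added check inspects only the first redirect hop: `requests.head()` defaults to `allow_redirects=False`, so `r.headers.get('location')` is the first `Location` only, and a chain of http -> https -> svn+ssh:// still passes because the second hop is never looked at. Following the chain in a bounded loop and validating every hop closes that gap; the rewritten lines are below, with the loop variable deliberately not named `_` since the surrounding code binds `_` to gettext. This remains a pre-flight probe — git-svn issues its own requests afterwards, so a server that answers HEAD differently from the svn client's requests could presumably still steer the real fetch; a short comment stating that the check is best-effort would help the next reader. The enclosing method of vcs_gitsvn starts and ends outside the hunk.
```python
            import requests
            # Walk the redirect chain ourselves (bounded, so a redirect loop
            # cannot hang us) and reject any hop that is not HTTPS. This is a
            # best-effort pre-flight check: git-svn does the real fetch below.
            url = remote
            for hop in range(10):
                r = requests.head(url, allow_redirects=False)
                r.raise_for_status()
                location = r.headers.get('location')
                if not location:
                    break
                if not location.startswith('https://'):
                    raise VCSException(_('Invalid redirect to non-HTTPS: {before} -> {after} ')
                                       .format(before=url, after=location))
                url = location
            # … unchanged: gitsvn_args.extend / self.git call …
```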