SVN: only allow redirects to HTTPS
author: Hans-Christoph Steiner <hans@eds.org>
Fri, 2 Mar 2018 09:21:55 +0000 (10:21 +0100)
committer: Hans-Christoph Steiner <hans@eds.org>
Mon, 5 Mar 2018 08:45:58 +0000 (09:45 +0100)
"SVN follows HTTP 301 redirects to svn+ssh:// URLs. As a result, an
innocent looking HTTP URL can be used to trigger a Command Execution with a
301 redirect."
https://blog.recurity-labs.com/2017-08-10/scm-vulns.html#third-round-svn-and-mercurial

I scanned fdroiddata and found no suspicious redirects. Here's how:

grep -A1 '^Repo *Type: *git-svn' *.txt *.yml| sed -n 's,.*Repo:\(.*\),\1,p' > /tmp/urls.txt

import requests
with open('/tmp/urls.txt') as fp:
    for line in fp:
        try:
            r = requests.head(line.strip())
            print(r.status_code, line)
        except requests.exceptions.SSLError:
            print('SSLError', line)
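As an added example (not part of this commit or of fdroidserver), a redirect check in the spirit of the scan script above: it follows up to a bounded number of hops, resolves relative Location headers, and rejects any destination that is not https://. The `head` callable is injected so the check runs offline against a constructed fake responder standing in for `requests.head`.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)
MAX_HOPS = 5  # assumption: upper bound on the length of a redirect chain


class RedirectError(Exception):
    """Raised when a redirect chain leaves HTTPS or does not terminate."""


def check_redirect_chain(url, head, max_hops=MAX_HOPS):
    """Follow redirects from `url` using head(url) -> (status, headers).

    Returns the final URL. Raises RedirectError if any hop resolves to a
    non-https:// URL or the chain is longer than max_hops.
    """
    current = url
    for _ in range(max_hops):
        status, headers = head(current)
        if status not in REDIRECT_STATUSES:
            return current  # not a redirect: chain ends here
        # Header names are case-insensitive; normalise before lookup.
        lowered = {k.lower(): v for k, v in headers.items()}
        location = lowered.get('location')
        if not location:
            raise RedirectError('%d without Location from %s' % (status, current))
        # Location may be relative (RFC 7231); resolve against the current URL.
        target = urljoin(current, location)
        if urlsplit(target).scheme != 'https':
            raise RedirectError('Invalid redirect to non-HTTPS: %s -> %s' % (current, target))
        current = target
    raise RedirectError('too many redirects starting at %s' % url)


def redirect_is_safe(url, head):
    """Boolean wrapper around check_redirect_chain for scripting."""
    try:
        check_redirect_chain(url, head)
        return True
    except RedirectError:
        return False


# Constructed offline responses (hypothetical hosts), not real servers.
FAKE_RESPONSES = {
    'http://svn.example.org/repo': (301, {'Location': 'https://svn.example.org/repo'}),
    'https://svn.example.org/repo': (200, {}),
    'http://mirror.example.org/r': (301, {'Location': 'https://hop.example.org/r'}),
    'https://hop.example.org/r': (302, {'Location': 'svn+ssh://second-hop.example.org/r'}),
    'https://rel.example.org/a': (301, {'Location': '/b'}),
    'https://rel.example.org/b': (200, {}),
}


def fake_head(url):
    """Stand-in for requests.head(url) returning (status_code, headers)."""
    return FAKE_RESPONSES.get(url, (404, {}))
```

The second-hop case is the one a first-hop-only check misses: the first Location is HTTPS, but the HTTPS page then redirects to svn+ssh://.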

fdroidserver/common.py

index 83dfb441d69d98c15d07467ca241efd3c2202ae0..b943fc505edf3456ef960b531af4e798c9e5cd1a 100644
@@ -1011,6 +1011,10 @@ class vcs_gitsvn(vcs):
             import requests
             r = requests.head(remote)
             r.raise_for_status()
+            location = r.headers.get('location')
+            if location and not location.startswith('https://'):
+                raise VCSException(_('Invalid redirect to non-HTTPS: {before} -> {after} ')
+                                   .format(before=remote, after=location))
 
             gitsvn_args.extend(['--', remote, self.local])
             p = self.git(gitsvn_args)
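Review bot: the check at `if location and not location.startswith('https://'):` only inspects the first hop, because `requests.head` does not follow redirects by default, so an HTTPS Location that itself redirects to `svn+ssh://` on a later hop passes; consider resolving each hop (urljoin against the current URL, with a bounded hop count) and checking the scheme of every destination. The same line also rejects a relative Location such as `/path`, which RFC 7231 permits, so a legitimate same-origin HTTPS redirect would raise `VCSException`; resolving with `urllib.parse.urljoin(remote, location)` before the scheme check handles both cases. Minor: the translatable string `'Invalid redirect to non-HTTPS: {before} -> {after} '` carries a trailing space.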