[Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Julian Andres Klode julian.klode at gmail.com
Mon Feb 6 09:40:22 UTC 2017


Yes, please file a new bug. And that really seems more like an
unattended-upgrades bug, I can't believe it's a regression in 1.2.19 -
the change in 1.2.19 is just that:

+   Uri.Path = QuoteString(Uri.Path, "+~ ");

- just quoting the path component of the Uri before downloading it (in
the https method process, not in the main apt process or when parsing an
URI either), not doing any other change.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1651923

Title:
  apt https method decodes redirect locations and sends them to the
  destination undecoded.

Status in apt package in Ubuntu:
  Fix Released
Status in apt source package in Xenial:
  Fix Released
Status in apt source package in Yakkety:
  Fix Released

Bug description:
  [Impact]
  Downloads via HTTPS fail if the URL contains a space (before yakkety only if there is no redirect from a previous space-free https URL). This breaks packages like ttf-mscorefonts-installer and various third party hosters.

  [Test case]
  Install/Upgrade apt-transport-https, that's where the fix is.

  Check that

  /usr/lib/apt/apt-helper download-file http://kxstudio.linuxaudio.org/repo/pool/free/ardour4_4.7.0-1kxstudio1_i386.deb test.deb

  can successfully download the file (or at least start downloading it)
  and does not fail early with a 505 HTTP version not supported error
  message.

  This problem does not occur with that file on xenial, as it first
  redirects to an https URI without a space which then redirects to an
  HTTPS URI with a space (http w/o space -> https w/o space -> https w/
  space). In xenial, https->https redirects were handled internally by
  curl.

  Another test (applicable to xenial) is to install
  ttf-mscorefonts-installer.

  [Regression potential]
  The added code is:
     Uri.Path = QuoteString(Uri.Path, "+~ ");

  Some servers might not like + or ~ being quoted. We use the same
  quoting call for the http method too, though, so it seems highly
  unlikely to cause an issue.

  [Original bug report]
  Distributor ID:	Ubuntu
  Description:	Ubuntu 16.10
  Release:	16.10
  Codename:	yakkety

  apt version 1.3.3 (also tried 1.4-beta2 .deb, same results)

  When trying to install a package hosted on s3 from the kxstudio repo,
  the download fails with an HTTP error:

  nico@nico-lenovo-ubuntu:~/Downloads$ sudo apt-get install wineasio-amd64
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following additional packages will be installed:
    wine1.6-amd64
  The following NEW packages will be installed
    wine1.6-amd64 wineasio-amd64
  0 to upgrade, 2 to newly install, 0 to remove and 1 not to upgrade.
  Need to get 30.9 kB/32.6 kB of archives.
  After this operation, 184 kB of additional disk space will be used.
  Do you want to continue? [Y/n] y
  Err:1 http://kxstudio.linuxaudio.org/repo stable/free amd64 wineasio-amd64 amd64 0.9.0+git20110613-2kxstudio3
    505  HTTP Version not supported
  E: Failed to fetch https://github-cloud.s3.amazonaws.com/releases/39372848/0f048802-2fb5-11e5-9d8c-907ec7b97c46.deb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ/20161222/us-east-1/s3/aws4_request&X-Amz-Date=20161222T022041Z&X-Amz-Expires=300&X-Amz-Signature=750f9b2ee076dcb8ae6992cae911f43208b3eec41976362cebf694e3c72b7aef&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment; filename=wineasio-amd64_0.9.0.git20110613-2kxstudio3_amd64.deb&response-content-type=application/octet-stream  505  HTTP Version not supported
  E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

  Error allegedly not present in Ubuntu 14.04 and 16.04

  More details in these forum posts:

  https://github.com/KXStudio/Repository/issues/73#issuecomment-268649503

  https://www.linuxmusicians.com/viewtopic.php?t=16056

  https://www.drupal.org/node/2324991 (clues on root cause)

  ProblemType: Bug
  DistroRelease: Ubuntu 16.10
  Package: apt 1.3.3
  ProcVersionSignature: Ubuntu 4.8.0-30.32-lowlatency 4.8.6
  Uname: Linux 4.8.0-30-lowlatency x86_64
  ApportVersion: 2.20.3-0ubuntu8.2
  Architecture: amd64
  CurrentDesktop: X-Cinnamon
  Date: Thu Dec 22 02:31:47 2016
  InstallationDate: Installed on 2016-10-20 (62 days ago)
  InstallationMedia: Ubuntu 16.10 "Yakkety Yak" - Release amd64 (20161012.2)
  SourcePackage: apt
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1651923/+subscriptions
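
Added example, not part of the original message or of apt's source: it shows why a decoded redirect path containing a space breaks the HTTP request line (method SP request-target SP HTTP-version) and how quoting "+~ " in the path restores it. quote_path is a hypothetical stand-in for the QuoteString call quoted above, request_line_tokens is a helper invented for the example, and the sample path is constructed.

```cpp
#include <cstdio>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical stand-in for the QuoteString(Uri.Path, "+~ ") call quoted on
// this page. Assumption of this example: besides the characters in `bad`,
// '%' and bytes outside 0x21..0x7E are escaped as well.
std::string quote_path(const std::string &path, const std::string &bad)
{
    std::string out;
    for (unsigned char c : path) {
        if (bad.find(static_cast<char>(c)) != std::string::npos ||
            c == '%' || c <= 0x20 || c >= 0x7F) {
            char buf[12];
            std::snprintf(buf, sizeof buf, "%%%02x", static_cast<unsigned>(c));
            out += buf;
        } else {
            out += static_cast<char>(c);
        }
    }
    return out;
}

// Split a request line on single spaces, the way a strict server reads
// "method SP request-target SP HTTP-version".
std::vector<std::string> request_line_tokens(const std::string &path)
{
    std::istringstream line("GET " + path + " HTTP/1.1");
    std::vector<std::string> tokens;
    for (std::string tok; std::getline(line, tok, ' ');)
        tokens.push_back(tok);
    return tokens;
}

int main()
{
    // Constructed sample path, as it looks after a Location header was decoded.
    const std::string decoded = "/pool/free/my package_1.0+git~rc1.deb";
    const std::string quoted = quote_path(decoded, "+~ ");
    std::cout << "raw:    " << request_line_tokens(decoded).size() << " tokens\n";
    std::cout << "quoted: " << quoted << " -> "
              << request_line_tokens(quoted).size() << " tokens\n";
    return 0;
}
```

With the raw path the request line has four space-separated fields, so the field where the server expects the HTTP version is not one. Because this stand-in also escapes '%', an already-encoded path (constructed: /a%20b) comes out as /a%2520b, so such a call belongs on the decoded path only.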


