Package: xul-ext-https-everywhere
Version: 4.0.2-3
Severity: grave
Justification: Breaks iceweasel in a non-obvious way, potentially causes data loss
Control: affects -1 iceweasel conkeror

Dear Lunar and Fabrizio,

If I enter the URL http://deb.li/3czsE into Iceweasel's location bar
with HTTPS Everywhere enabled, I end up at
https://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id= (which
says "Bad object name" due to the missing value behind "id=") instead of
https://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=24f0998 as
expected.

The same URL and redirect chain works fine again if I deactivate HTTPS
Everywhere in Iceweasel's toolbar. (It also works fine in the following
browsers/HTTP clients in Jessie: Chromium, Lynx, libwww-perl ("GET"),
Links2, Netsurf, Arora, and wget. I initially suspected Iceweasel itself
to be the culprit.)

I'm not sure which exact characteristic of this specific case causes the
misbehaviour, but I suspect it's query strings with ";" as delimiter.

Example redirect chain captured with wget:

→ wget -S --spider http://deb.li/3czsE
Spider mode enabled. Check if remote file exists.
--2015-02-21 01:56:09--  http://deb.li/3czsE
Resolving deb.li (deb.li)... 2001:470:1f0b:168f::4, 217.196.146.214
Connecting to deb.li (deb.li)|2001:470:1f0b:168f::4|:80... failed: Network is unreachable.
Connecting to deb.li (deb.li)|217.196.146.214|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 302 FOUND
  Date: Sat, 21 Feb 2015 00:56:09 GMT
  Server: Apache/2.2.22 (Debian)
  Content-Length: 365
  Location: http://anonscm.debian.org/gitweb/?p=pkg-perl/website.git;a=commitdiff;h=24f0998
  Vary: Accept-Encoding
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=utf-8
Location: http://anonscm.debian.org/gitweb/?p=pkg-perl/website.git;a=commitdiff;h=24f0998 [following]
Spider mode enabled. Check if remote file exists.
--2015-02-21 01:56:09--  http://anonscm.debian.org/gitweb/?p=pkg-perl/website.git;a=commitdiff;h=24f0998
Resolving anonscm.debian.org (anonscm.debian.org)... 5.153.231.21
Connecting to anonscm.debian.org (anonscm.debian.org)|5.153.231.21|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Found
  Date: Sat, 21 Feb 2015 00:56:09 GMT
  Server: Apache/2.2.22 (Debian)
  Location: http://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=24f0998
  Vary: Accept-Encoding
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
Location: http://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=24f0998 [following]
Spider mode enabled. Check if remote file exists.
--2015-02-21 01:56:10--  http://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=24f0998
Connecting to anonscm.debian.org (anonscm.debian.org)|5.153.231.21|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Date: Sat, 21 Feb 2015 00:56:10 GMT
  Server: Apache/2.2.22 (Debian)
  Expires: Tue, 18 Feb 2025 00:56:10 GMT
  Last-Modified: Sat, 21 Feb 2015 00:56:10 GMT
  X-Robots-Tag: noindex, nofollow
  Vary: Accept-Encoding
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
Length: unspecified [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.

Filing as RC as this will likely break many web applications in
non-obvious ways and potentially causes data loss (even though
non-reproducible data should not be handled in query strings, but
anyway).

Feel free to downgrade to important in case you don't agree with this
judgement. (Or to serious if you just don't agree with the reasoning,
but still think it's RC.) I at least think this misbehaviour should be
fixed for Jessie, also because of its hidden character, as users don't
see the redirect chain inside the browser.

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (909, 'testing'), (500, 'testing-updates'), (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages xul-ext-https-everywhere depends on:
ii  conkeror   1.0~~pre-1+git150129+2307-~nightly1
ii  icedove    31.4.0-2
ii  iceweasel  31.4.0esr-1

xul-ext-https-everywhere recommends no packages.

xul-ext-https-everywhere suggests no packages.

-- no debconf information

_______________________________________________
Pkg-mozext-maintainers mailing list
Pkg-mozext-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mozext-maintainers
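The following is an added example, not code from the bug report and not HTTPS Everywhere's own code. It walks a redirect chain hop by hop, the way `wget -S --spider` prints it above, and reports the first hop at which a value carried in the query string (here the commit hash) disappears, plus any parameter that arrives with an empty value, which is the "?id=" symptom in the report. The gitweb link in the trace separates query parameters with ";", which WHATWG URLSearchParams does not split on, so the example uses a small parser that accepts both "&" and ";". The two chains are constructed from the Location headers in the trace and from the final URL the reporter saw; the intermediate https gitweb hop in the broken chain is an assumption, since only the endpoints are given in the report. `spiderChain` performs the live walk and needs network access and Node 18 or later.

```javascript
// Added example (not from the bug report, not HTTPS Everywhere code).
// Constructed from the Location headers in the wget trace above.
const CHAIN_OK = [
  'http://deb.li/3czsE',
  'http://anonscm.debian.org/gitweb/?p=pkg-perl/website.git;a=commitdiff;h=24f0998',
  'http://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=24f0998',
];

// Constructed: the same chain ending at the URL seen with HTTPS Everywhere
// enabled. The https gitweb hop in the middle is assumed, not from the report.
const CHAIN_BROKEN = [
  'http://deb.li/3czsE',
  'https://anonscm.debian.org/gitweb/?p=pkg-perl/website.git;a=commitdiff;h=24f0998',
  'https://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=',
];

// Parse a query string, accepting "&" or ";" between pairs (gitweb uses ";").
// URLSearchParams splits on "&" only, so "p" would swallow ";a=...;h=...".
// First occurrence of a key wins.
function parseQuery(search) {
  const params = new Map();
  for (const pair of search.replace(/^\?/, '').split(/[&;]/)) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const val = eq < 0 ? '' : decodeURIComponent(pair.slice(eq + 1));
    if (!params.has(key)) params.set(key, val);
  }
  return params;
}

// Names of query parameters whose value is empty, e.g. the "id" in "?id=".
function emptyParams(url) {
  const out = [];
  for (const [k, v] of parseQuery(new URL(url).search)) if (v === '') out.push(k);
  return out;
}

// Index of the first hop at which `value` (e.g. a commit hash) is no longer
// present in the path or in any query value, after having appeared in an
// earlier hop; -1 if it never disappears or never appears at all.
function hopWhereValueLost(chain, value) {
  const carries = (url) => {
    const u = new URL(url);
    return decodeURIComponent(u.pathname).includes(value) ||
      [...parseQuery(u.search).values()].includes(value);
  };
  const first = chain.findIndex(carries);
  if (first < 0) return -1;
  for (let i = first + 1; i < chain.length; i++) if (!carries(chain[i])) return i;
  return -1;
}

// Live walk: issue HEAD requests without letting fetch follow redirects, so
// every Location header can be inspected. Relative Locations are resolved
// against the hop that sent them. Requires network access and Node 18+.
async function spiderChain(startUrl, maxHops = 10) {
  const chain = [startUrl];
  for (let i = 0; i < maxHops; i++) {
    const current = chain[chain.length - 1];
    const res = await fetch(current, { method: 'HEAD', redirect: 'manual' });
    const loc = res.headers.get('location');
    if (res.status < 300 || res.status >= 400 || !loc) break;
    chain.push(new URL(loc, current).href);
  }
  return chain;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const chain of [CHAIN_OK, CHAIN_BROKEN]) {
    const lost = hopWhereValueLost(chain, '24f0998');
    console.log(lost < 0 ? 'hash survives to the last hop'
                         : `hash lost at hop ${lost}: ${chain[lost]}`,
                '| empty params at end:', emptyParams(chain[chain.length - 1]));
  }
}
```

To check a live chain, call `spiderChain('http://deb.li/3czsE')` and pass the result to `hopWhereValueLost` and `emptyParams`; comparing the chain obtained through a proxy or with the extension's rewrite applied to the one captured directly shows which hop changes the parameters.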
