Your message dated Sat, 21 Feb 2015 03:56:38 +0100
with message-id <20150221025637.gl3...@sym.noone.org>
and subject line Re: Bug#778880: xul-ext-https-everywhere: Breaks redirects with query string (e.g. deb.li/… to anonscm.d.o/cgit/…)
has caused the Debian Bug report #778880,
regarding xul-ext-https-everywhere: Breaks redirects with query string (e.g. deb.li/… to anonscm.d.o/cgit/…)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
778880: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778880
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xul-ext-https-everywhere
Version: 4.0.2-3
Severity: grave
Justification: Breaks iceweasel in a non-obvious way, potentially causes data loss
Control: affects -1 iceweasel conkeror

Dear Lunar and Fabrizio,

If I enter the URL http://deb.li/3czsE into Iceweasel's location bar
with HTTPS Everywhere enabled, I end up at
https://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id= (which
says "Bad object name" due to the missing value behind "id=") instead of
https://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=24f0998 as
expected.

The same URL and redirect chain works fine again, if I deactivate HTTPS
Everywhere in Iceweasel's tool bar. (It also works fine in the following
browsers/HTTP clients in Jessie: Chromium, Lynx, libwww-perl ("GET"),
Links2, Netsurf, Arora, and wget. I initially suspected Iceweasel itself
to be the culprit.)

I'm not sure which exact characteristic of this specific case causes the
misbehaviour, but I suspect it's query strings with ";" as delimiter.

Example redirect chain captured with wget:

→ wget -S --spider http://deb.li/3czsE
Spider mode enabled. Check if remote file exists.
--2015-02-21 01:56:09--  http://deb.li/3czsE
Resolving deb.li (deb.li)... 2001:470:1f0b:168f::4, 217.196.146.214
Connecting to deb.li (deb.li)|2001:470:1f0b:168f::4|:80... failed: Network is unreachable.
Connecting to deb.li (deb.li)|217.196.146.214|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 302 FOUND
  Date: Sat, 21 Feb 2015 00:56:09 GMT
  Server: Apache/2.2.22 (Debian)
  Content-Length: 365
  Location: http://anonscm.debian.org/gitweb/?p=pkg-perl/website.git;a=commitdiff;h=24f0998
  Vary: Accept-Encoding
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=utf-8
Location: http://anonscm.debian.org/gitweb/?p=pkg-perl/website.git;a=commitdiff;h=24f0998 [following]
Spider mode enabled. Check if remote file exists.
--2015-02-21 01:56:09--  http://anonscm.debian.org/gitweb/?p=pkg-perl/website.git;a=commitdiff;h=24f0998
Resolving anonscm.debian.org (anonscm.debian.org)... 5.153.231.21
Connecting to anonscm.debian.org (anonscm.debian.org)|5.153.231.21|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Found
  Date: Sat, 21 Feb 2015 00:56:09 GMT
  Server: Apache/2.2.22 (Debian)
  Location: http://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=24f0998
  Vary: Accept-Encoding
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
Location: http://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=24f0998 [following]
Spider mode enabled. Check if remote file exists.
--2015-02-21 01:56:10--  http://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=24f0998
Connecting to anonscm.debian.org (anonscm.debian.org)|5.153.231.21|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Date: Sat, 21 Feb 2015 00:56:10 GMT
  Server: Apache/2.2.22 (Debian)
  Expires: Tue, 18 Feb 2025 00:56:10 GMT
  Last-Modified: Sat, 21 Feb 2015 00:56:10 GMT
  X-Robots-Tag: noindex, nofollow
  Vary: Accept-Encoding
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
Length: unspecified [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.

Filing as RC as this will likely break many web applications in
non-obvious ways and potentially causes data loss (although
non-reproducible data should not be handled in query strings, but
anyway).

Feel free to downgrade to important in case you don't agree with this
judgement. (Or to serious if you just don't agree with the reasoning,
but still think it's RC.) I at least think this misbehaviour should be
fixed for Jessie, also because of its hidden character, as users don't
see the redirect chain inside the browser.

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (909, 'testing'), (500, 'testing-updates'), (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages xul-ext-https-everywhere depends on:
ii  conkeror   1.0~~pre-1+git150129+2307-~nightly1
ii  icedove    31.4.0-2
ii  iceweasel  31.4.0esr-1

xul-ext-https-everywhere recommends no packages.

xul-ext-https-everywhere suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Control: notfound 778880 4.0.2-3

Hi,

sorry for the noise, but the issue seems not to be in HTTPS Everywhere
but in different handling of gitweb → cgit redirects on anonscm.d.o
depending on http or https.

Cc'ing Alexander Wirt who IIRC already fixed other cgit-related
redirect issues in the past, i.e. has at least access to and knowledge
about the web server configuration on anonscm.d.o.

Axel Beckert wrote:
> If I enter the URL http://deb.li/3czsE into Iceweasel's location bar
> with HTTPS Everywhere enabled, I end up at
> https://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id= (which
> says "Bad object name" due to the missing value behind "id=") instead of
> https://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=24f0998 as
> expected.
[…]
> I'm not sure which exact characteristic of this specific case causes the
> misbehaviour, but I suspect it's query strings with ";" as delimiter.

I've dug deeper.

If I enter
http://anonscm.debian.org/gitweb/?p=pkg-perl/website.git;a=commitdiff;h=24f0998
with HTTPS Everywhere enabled, I get exactly the same broken redirect to
https://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=

So I've now checked what would happen if I access
https://anonscm.debian.org/gitweb/?p=pkg-perl/website.git;a=commitdiff;h=24f0998
(i.e. the expected URL to be tried by HTTPS Everywhere before its
first request to anonscm.d.o), and to my surprise, this failed to
work, too. (This time with GET instead of wget as I consider its
output more readable.)

→ GET -SUsed https://anonscm.debian.org/gitweb/\?p\=pkg-perl/website.git\;a\=commitdiff\;h\=24f0998
GET https://anonscm.debian.org/gitweb/?p=pkg-perl/website.git;a=commitdiff;h=24f0998
User-Agent: lwp-request/6.03 libwww-perl/6.08

302 Found
Connection: close
Date: Sat, 21 Feb 2015 02:45:54 GMT
Location: https://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=

[Actually we could stop reading here. But for completeness' sake...]

Server: Apache/2.2.22 (Debian)
Vary: Accept-Encoding
Content-Length: 331
Content-Type: text/html; charset=iso-8859-1
Client-Date: Sat, 21 Feb 2015 02:45:55 GMT
Client-Peer: 5.153.231.21:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
Client-SSL-Cert-Subject: /OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=git.debian.org
Client-SSL-Cipher: ECDHE-RSA-AES256-SHA
Client-SSL-Socket-Class: IO::Socket::SSL
Title: 302 Found

GET https://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id=
User-Agent: lwp-request/6.03 libwww-perl/6.08

200 OK
Connection: close
Date: Sat, 21 Feb 2015 02:45:55 GMT
Server: Apache/2.2.22 (Debian)
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Expires: Tue, 18 Feb 2025 02:45:55 GMT
Last-Modified: Sat, 21 Feb 2015 02:45:55 GMT
Client-Date: Sat, 21 Feb 2015 02:45:56 GMT
Client-Peer: 5.153.231.21:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
Client-SSL-Cert-Subject: /OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=git.debian.org
Client-SSL-Cipher: ECDHE-RSA-AES256-SHA
Client-SSL-Socket-Class: IO::Socket::SSL
Client-Transfer-Encoding: chunked
Link: </cgit-css/cgit.css>; rel="stylesheet"; type="text/css"
Link: </favicon.ico>; rel="shortcut icon"
Link: <https://anonscm.debian.org/cgit/pkg-perl/website.git/atom/?h=master>; rel="alternate"; title="Atom feed"; type="application/atom+xml"
Title: pkg-perl/website - pkg-perl website
X-Meta-Generator: cgit v0.10.2
X-Meta-Robots: index, nofollow
X-Robots-Tag: noindex, nofollow

                Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

--- End Message ---
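The diagnosis above boils down to comparing the Location headers of the http and https redirect chains hop by hop and noticing that the https gitweb → cgit hop emits `?id=` with an empty value. The following script, added here as an example and not part of the bug report or of HTTPS Everywhere, replays the chains exactly as captured in the two messages (no network access; the hop lists are reconstructed from the quoted wget and GET output) and flags any hop whose target URL carries an empty query parameter, listing the source values that did not survive the hop. The `query_params` splitter accepts both the `;` separator used by gitweb and the `&` used by cgit.

```python
"""Audit a redirect chain for query-string values lost between hops.

Constructed example for Debian bug #778880: the hop lists below are
taken from the wget / GET output quoted in the thread, not fetched live.
"""
import re
from urllib.parse import urlsplit, unquote


def query_params(url):
    """Parse the query string, treating both ';' (gitweb) and '&' (cgit)
    as separators and keeping parameters with empty values."""
    params = {}
    for part in re.split(r"[;&]", urlsplit(url).query):
        if part:
            key, _, value = part.partition("=")
            params[unquote(key)] = unquote(value)
    return params


def audit_chain(hops):
    """hops: list of (status, requested_url, location_header_or_None).

    Returns one finding per hop whose Location has an empty-valued
    parameter, together with the source values that no longer appear
    anywhere in the target URL (the likely intended values)."""
    findings = []
    for i, (status, url, location) in enumerate(hops, 1):
        if not location:
            continue  # final response, nothing redirected
        src, dst = query_params(url), query_params(location)
        empty = sorted(k for k, v in dst.items() if v == "")
        if empty:
            lost = {k: v for k, v in src.items() if v and v not in location}
            findings.append({"hop": i, "status": status, "empty": empty, "lost": lost})
    return findings


GITWEB = "://anonscm.debian.org/gitweb/?p=pkg-perl/website.git;a=commitdiff;h=24f0998"
CGIT = "://anonscm.debian.org/cgit/pkg-perl/website.git/diff/?id="

HTTP_CHAIN = [  # first message: plain http works end to end
    (302, "http://deb.li/3czsE", "http" + GITWEB),
    (302, "http" + GITWEB, "http" + CGIT + "24f0998"),
    (200, "http" + CGIT + "24f0998", None),
]
HTTPS_CHAIN = [  # second message: https gitweb hop drops the commit id
    (302, "https" + GITWEB, "https" + CGIT),
    (200, "https" + CGIT, None),
]

if __name__ == "__main__":
    for name, chain in (("http", HTTP_CHAIN), ("https", HTTPS_CHAIN)):
        print(name, audit_chain(chain) or "ok")
```

The http chain audits clean, while the https chain reports hop 1 with `id` empty and `h=24f0998` (plus `a=commitdiff`, which cgit encodes in the path instead) as the values that were not carried over.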
_______________________________________________
Pkg-mozext-maintainers mailing list
Pkg-mozext-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mozext-maintainers