download_strategy: declare insecure redirects

Fixes Homebrew/homebrew#38824
2025-07-14 16:09:03 +08:00 · 2015-04-19 21:25:14 +01:00 · 2015-04-19 21:25:14 +01:00 · 794b08fc0d
commit 794b08fc0d
parent 552755b3de
1 changed files with 18 additions and 0 deletions
--- a/Library/Homebrew/download_strategy.rb
+++ b/Library/Homebrew/download_strategy.rb
@ -269,6 +269,16 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy

  def fetch
    ohai "Downloading #{@url}"
+
+    urls = actual_urls
+    unless urls.empty?
+      ohai "Downloading from: #{urls.last}"
+      if !ENV["HOMEBREW_NO_INSECURE_REDIRECT"].nil? && @url.start_with?("https://") &&
+        urls.any? { |u| !u.start_with? "https://" }
+        raise "HTTPS to HTTP redirect detected & HOMEBREW_NO_INSECURE_REDIRECT is set."
+      end
+    end
+
    unless cached_location.exist?
      had_incomplete_download = temporary_path.exist?
      begin
@ -312,6 +322,14 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy
    curl @url, "-C", downloaded_size, "-o", temporary_path
  end

+  def actual_urls
+    urls = []
+    Utils.popen_read("curl", "-I", "-L", @url).scan(/^Location: (.+)$/).map do |m|
+      urls << URI.join(urls.last || @url, m.first.chomp).to_s
+    end
+    urls
+  end
+
  def downloaded_size
    temporary_path.size? || 0
  end