Follow redirects when fetching keys over WKD
Some hosts (like `kernel.org`) redirect all requests to a subdomain (in this case `www`). As WKD queries are always over HTTPS, following redirects would be safe.
@@ -94,7 +94,7 @@ public class WebKeyDirectoryClient implements KeyserverClient {
|
|||||||
|
|
||||||
Request request = new Request.Builder().url(url).build();
|
Request request = new Request.Builder().url(url).build();
|
||||||
|
|
||||||
OkHttpClient client = OkHttpClientFactory.getClientPinnedIfAvailable(url, proxy);
|
OkHttpClient client = OkHttpClientFactory.getClientPinnedIfAvailableWithRedirects(url, proxy);
|
||||||
Response response = client.newCall(request).execute();
|
Response response = client.newCall(request).execute();
|
||||||
|
|
||||||
if (response.isSuccessful()) {
|
if (response.isSuccessful()) {
|
||||||
|
|||||||
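Review bot: With redirects followed, the response that reaches `response.isSuccessful()` can come from whichever host the redirect named, and nothing visible in this hunk checks where the request ended up. HTTPS protects the transport, but the redirect target is still chosen by the responding server. I would read the final URL with `HttpUrl finalUrl = response.request().url();` before parsing the body, and reject the response unless `finalUrl.isHttps()` holds and `finalUrl.host()` equals `url.getHost()` or is a subdomain of it. The enclosing method starts and ends outside the hunk, so a check further down may already cover this.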
@@ -47,10 +47,18 @@ public class OkHttpClientFactory {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public static OkHttpClient getClientPinnedIfAvailable(URL url, Proxy proxy) {
|
public static OkHttpClient getClientPinnedIfAvailable(URL url, Proxy proxy) {
|
||||||
|
// don't follow any redirects for keyservers, as discussed in the security audit
|
||||||
|
return getClientPinnedIfAvailable(url, proxy, false);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static OkHttpClient getClientPinnedIfAvailableWithRedirects(URL url, Proxy proxy) {
|
||||||
|
return getClientPinnedIfAvailable(url, proxy, true);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static OkHttpClient getClientPinnedIfAvailable(URL url, Proxy proxy, boolean followRedirects) {
|
||||||
OkHttpClient.Builder builder = new OkHttpClient.Builder();
|
OkHttpClient.Builder builder = new OkHttpClient.Builder();
|
||||||
|
|
||||||
// don't follow any redirects for keyservers, as discussed in the security audit
|
builder.followRedirects(followRedirects)
|
||||||
builder.followRedirects(false)
|
|
||||||
.followSslRedirects(false);
|
.followSslRedirects(false);
|
||||||
|
|
||||||
if (proxy != null) {
|
if (proxy != null) {
|
||||||
|
|||||||
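Review bot: The new public `getClientPinnedIfAvailableWithRedirects` carries no comment saying why it may depart from the audit's no-redirect rule, while the audit comment now sits only on the two-argument overload. A short Javadoc would make the constraint explicit, for example `/** Follows same-scheme redirects; only for lookups that are always HTTPS (WKD), never for keyserver queries. */`. A line above the builder call such as `// followSslRedirects stays false so a redirect cannot switch between HTTPS and HTTP` would record why that setting must not be relaxed. It is not visible here whether a pin selected for the original host also governs the redirect target, which deserves a sentence in the same comment. The private overload's body continues outside the hunk.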