Skip to content

Limit headered curl redirects#22945

Merged
MikeMcQuaid merged 1 commit into
mainfrom
fix-curl-header-redirects
Jul 4, 2026
Merged

Limit headered curl redirects#22945
MikeMcQuaid merged 1 commit into
mainfrom
fix-curl-header-redirects

Conversation

@MikeMcQuaid

Copy link
Copy Markdown
Member
  • Avoid replaying formula or cask download headers to redirect targets.
  • Keep curl's --location path while failing closed on redirects.
  • Cover deferred HOMEBREW_ header handling with regression tests.

  • Have you followed our Contributing guidelines?
  • Have you checked for other open Pull Requests for the same change?
  • Have you explained what your changes do? Performance claims (e.g. "this is faster") must include Hyperfine benchmarks.
  • Have you explained why you'd like these changes included, not just what they do?
  • For bug fixes, have you given step-by-step brew commands to reproduce the bug?
  • Have you written new tests (excluding integration tests)? Here's an example.
  • Have you successfully run brew lgtm (style, typechecking and tests) locally?

  • AI was used to generate or assist with generating this PR.

OpenAI Codex 5.5 xhigh with local review and testing.


Copilot AI review requested due to automatic review settings July 4, 2026 13:28

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens CurlDownloadStrategy’s handling of redirects when caller-supplied headers are present, aiming to prevent those headers (including deferred HOMEBREW_ secrets) from being replayed to redirect targets while preserving the existing --location curl code path.

Changes:

  • Add --max-redirs 0 to curl invocations when download headers are present.
  • Extend CurlDownloadStrategy specs to cover deferred HOMEBREW_ header expansion and verify redirects are refused (--max-redirs 0) while still using --location.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
Library/Homebrew/download_strategy/curl_download_strategy.rb Adds --max-redirs 0 when headers are provided to prevent redirect-following with headers attached.
Library/Homebrew/test/download_strategies/curl_spec.rb Adds/extends regression coverage ensuring --max-redirs 0 is included for deferred header scenarios (both pre- and post-expansion).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

- Avoid replaying deferred formula or cask secrets to redirect targets.
- Keep ordinary GHCR header redirects working for bottle downloads.
- Cover deferred `HOMEBREW_` headers and GitHub Packages headers.
@MikeMcQuaid MikeMcQuaid force-pushed the fix-curl-header-redirects branch from b711fff to ffeae21 Compare July 4, 2026 14:00
@MikeMcQuaid MikeMcQuaid enabled auto-merge July 4, 2026 14:06
@MikeMcQuaid MikeMcQuaid added this pull request to the merge queue Jul 4, 2026
Merged via the queue into main with commit a022843 Jul 4, 2026
41 checks passed
@MikeMcQuaid MikeMcQuaid deleted the fix-curl-header-redirects branch July 4, 2026 20:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants