Relative URLs are not properly handled during redirection #2488

Closed
AstralSorcerer opened this Issue Dec 13, 2018 · 4 comments

AstralSorcerer commented Dec 13, 2018

System Information

MultiMC version: 0.6.2-1137

Operating System: Arch Linux on x86_64

Summary of the issue or suggestion:

When following a redirect during library downloading, MultiMC will fail to download the library if the redirect is a relative URL.

What should happen:

MultiMC should follow the redirect and successfully download the library.

Steps to reproduce the issue:

  1. Add a new patch to an instance. The patch must specify a library that will redirect during downloading, and the HTTP location header for this redirect must specify a relative URL. For instance,

     ```json
     "+libraries": [
         {
             "name": "com.github.Chocohead:Rift:jitpack-SNAPSHOT",
             "url": "https://www.jitpack.io/"
         }
     ]
     ```

  2. Instruct MultiMC to download the instance's libraries by clicking the "Download All" button in the Edit Instance window.

Suspected cause:

api/logic/net/Download.cpp treats relative URLs as absolute URLs. See Download::handleRedirect.

Logs/Screenshots:

https://paste.ee/p/RCLx2 (Note: personally identifying information has been redacted to the best of my ability)
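
An added illustration of the step the suspected cause points at (not MultiMC's code or its fix): a redirect's `Location` value is resolved against the URL that returned it, following RFC 3986 section 5.2, before it is requested. The function names and the `repo.example.test` URLs are assumptions made for this example; in Qt code the same operation is `QUrl::resolved()`.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Collapse "." and ".." segments of an absolute path (RFC 3986, section 5.2.4).
static std::string removeDotSegments(const std::string &path) {
    std::vector<std::string> out;
    bool dir = false;                          // true when the result must end in '/'
    for (size_t i = 1;;) {                     // path[0] is always '/'
        size_t j = path.find('/', i);
        bool last = (j == std::string::npos);
        std::string seg = path.substr(i, last ? j : j - i);
        if (seg == "..") { if (!out.empty()) out.pop_back(); dir = last; }
        else if (seg == ".") dir = last;
        else if (last && seg.empty()) dir = true;
        else { out.push_back(seg); dir = false; }
        if (last) break;
        i = j + 1;
    }
    std::string r;
    for (const auto &s : out) r += "/" + s;
    return (dir || r.empty()) ? r + "/" : r;
}

// Resolve a Location header value against the URL that answered with the redirect
// (RFC 3986, section 5.2.2). Assumes base is an absolute http(s) request URL.
std::string resolveRedirect(const std::string &base, const std::string &location) {
    size_t schemeEnd = base.find("://");
    size_t pathStart = base.find('/', schemeEnd + 3);
    std::string origin = base.substr(0, pathStart);               // scheme://authority
    std::string rest = pathStart == std::string::npos ? "/" : base.substr(pathStart, base.find('#', pathStart) - pathStart);
    std::string basePath = rest.substr(0, rest.find('?'));        // base path without query
    if (location.find(':') < location.find_first_of("/?#")) return location;  // already absolute
    if (location.compare(0, 2, "//") == 0) return base.substr(0, schemeEnd + 1) + location;  // network-path
    size_t q = location.find_first_of("?#");
    std::string path = location.substr(0, q);
    std::string tail = q == std::string::npos ? "" : location.substr(q);
    if (path.empty())                                             // "?query", "#fragment" or empty
        return origin + (tail.compare(0, 1, "?") == 0 ? basePath : rest) + tail;
    if (path[0] != '/') path = basePath.substr(0, basePath.rfind('/') + 1) + path;  // relative-path: merge
    return origin + removeDotSegments(path) + tail;
}

int main() {
    // Constructed base URL and Location values, not taken from the issue's logs.
    const std::string base = "https://repo.example.test/com/example/lib/1.0/lib-1.0.jar";
    for (const char *loc : {"/builds/lib-1.0.jar", "../1.1/lib-1.1.jar", "https://cdn.example.test/x.jar"})
        std::cout << loc << " -> " << resolveRedirect(base, loc) << "\n";
}
```
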

Member

peterix commented Dec 13, 2018

That's ... remarkable. Someone managed to convince people that they should use this convenient MITM proxy as part of their build chain?

The only question I have is: who is the target? Not whether this is malicious. The potential for malice is so high that it must be there even if unintended.

You are passing source code through a black box that is not under your control and under no supervision, and using the results of that. WOW

Member

peterix commented Dec 13, 2018

The redirect thing needs investigation tho.

Member

peterix commented Dec 14, 2018

See: https://bugreports.qt.io/browse/QTBUG-41061

This is yet more issues caused by this Qt bug.

Member

peterix commented Dec 14, 2018

Anyway, worked around in develop...

peterix closed this Dec 14, 2018
