Insecure HTTPS->HTTP 302 redirects in OPDS catalogs fail but not made clear why #7007
Comments
The error handling toward the user could be improved slightly, but not allowing downgrading security is not a bug.
I.e., this describes a request that should not be allowed (and isn't, which is why you're seeing this).
Oh, so it's the HTTP -> HTTPS downgrade that's triggering this? I didn't notice the protocol was different.
Annoyingly, for PG at least, HTTPS does work for the target: https://www.gutenberg.org/cache/epub/46/pg46.epub does exist and work, so their OPDS generator is busted. But the ManyBooks cert doesn't cover
#6942 had follow redirect implemented; it was reverted because of the https -> http downgrade, so once Gutenberg fixes it, it's pretty much ready to go (guards to prevent https -> http downgrade must be implemented though).
Project Gutenberg appears to have fixed it at their end. ManyBooks and Flibusta still show this. So I guess this issue is now about popping a sensible message for the user like "Insecure HTTPS->HTTP downgrade blocked: go and moan at the OPDS catalog publisher for doing it wrong"?
ManyBooks works just fine for me. Apparently someone changed it to HTTPS, but my program has retained the old URL:
Same for Flibusta. Just change those URLs back.
Problem introduced by 960b2ae
Anyway, I'll have a look at the insecure downgrade thing too.
Issue
Some OPDS catalogs point to URLs which do a 302 Redirect. For example Project Gutenberg links to
but this redirects to:
and the file that gets saved is:
Steps to reproduce
Similar for the ManyBooks catalog which is itself behind a 302: https://manybooks.net/opds/index.php → http://srv.manybooks.net/opds/index.php
And for books from the Flibusta catalog: https://www.flibusta.is/b/226848/epub → http://static.flibusta.is:443/converter/get/convert?url=http%3A%2F%2Fflibusta.is%2Fb%2F7412a0b774fdf8c0998b13e1ebeac686%2Fdownload&out=epub&md5=7412a0b774fdf8c0998b13e1ebeac686
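
The downgrade guard and user-facing message discussed in this thread, sketched as an added example that is not part of the issue or the project's code. The function names, the redirect limit and the `*.example` hosts are assumptions; the redirect table stands in for real HTTP responses so the block runs offline.

```python
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5  # assumed limit, not taken from the project


class RedirectBlocked(Exception):
    """Raised with a message that is meant to be shown to the user."""


def check_redirect(current_url, location):
    """Resolve a Location header and refuse an HTTPS -> HTTP downgrade."""
    target = urljoin(current_url, location)  # Location may be relative
    src, dst = urlsplit(current_url), urlsplit(target)
    if dst.scheme not in ("http", "https"):
        raise RedirectBlocked(f"Redirect to unsupported scheme blocked: {target}")
    # The scheme decides, not the port: http://host:443/ is still cleartext.
    if src.scheme == "https" and dst.scheme == "http":
        raise RedirectBlocked(
            f"Insecure HTTPS->HTTP redirect blocked: {src.hostname} sent us to "
            f"{target}. The catalog publisher has to fix this link."
        )
    return target


def resolve(url, redirects):
    """Walk a chain; `redirects` (URL -> Location) stands in for the network."""
    for _ in range(MAX_REDIRECTS + 1):
        location = redirects.get(url)
        if location is None:
            return url  # no Location header: this is the final URL
        url = check_redirect(url, location)
    raise RedirectBlocked(f"Too many redirects (limit {MAX_REDIRECTS})")


def verdict(url, redirects):
    """Return ("ok", final_url) or ("blocked", user_message)."""
    try:
        return "ok", resolve(url, redirects)
    except RedirectBlocked as exc:
        return "blocked", str(exc)


# Constructed table. Only the manybooks.net pair is quoted from the issue;
# the *.example entries are made up (one mimics cleartext HTTP on port 443).
SAMPLE = {
    "https://manybooks.net/opds/index.php": "http://srv.manybooks.net/opds/index.php",
    "https://books.example/b/1/epub": "http://static.books.example:443/get?out=epub",
    "http://books.example/old": "https://books.example/opds",
    "https://books.example/opds": "/opds/index.xml",
}
```

Calling `verdict(url, SAMPLE)` for each key shows that an HTTP -> HTTPS upgrade followed by a relative redirect is allowed, while both downgrade entries return a message naming the redirecting host and the cleartext target.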