203861 – 'fetch' command fails when HTTP_PROXY env. variable is set, and there is a http->https redirect

Bug 203861 - 'fetch' command fails when HTTP_PROXY env. variable is set, and there is a http->https redirect

Summary: 'fetch' command fails when HTTP_PROXY env. variable is set, and there is a ht...

Status:	Open

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	bin (show other bugs)
Version:	10.2-STABLE
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	Dag-Erling Smørgrav

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-10-18 23:11 UTC by mvharding
Modified:	2020-09-22 13:01 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
log with a proxy set (4.10 KB, text/plain) 2015-12-17 19:02 UTC, mvharding	no flags	Details
log with no proxy set (3.16 KB, text/plain) 2015-12-17 19:02 UTC, mvharding	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description mvharding 2015-10-18 23:11:46 UTC

Comment 1 mvharding 2015-10-18 23:23:19 UTC

Regular fetch works fine (I have a squid proxy on 192.168.0.2 on my local network):

$ fetch http://pypi.python.org/packages/source/c/cryptography/cryptography-1.0.2.tar.gz
fetch http://pypi.python.org/packages/source/c/cryptography/cryptography-1.0.2.tar.gz
cryptography-1.0.2.tar.gz                     100% of  325 kB  822 kBps 00m01s

Setting a proxy does not work:

$ HTTP_PROXY=http://192.168.0.2 fetch http://pypi.python.org/packages/source/c/cryptography/cryptography-1.0.2.tar.gz
HTTP_PROXY=http://192.168.0.2 fetch http://pypi.python.org/packages/source/c/cryptography/cryptography-1.0.2.tar.gz
fetch: http://pypi.python.org/packages/source/c/cryptography/cryptography-1.0.2.tar.gz: Not Found

This seems (to me) to affect all pypi packages, as there is a 301 redirect from http to https.  If I try to get the 'https' stuff directly, it works fine.

$ HTTP_PROXY=http://192.168.0.2 fetch https://pypi.python.org/packages/source/c\
/cryptography/cryptography-1.0.2.tar.gz
HTTP_PROXY=http://192.168.0.2 fetch https://pypi.python.org/packages/source/c/c\
ryptography/cryptography-1.0.2.tar.gz
cryptography-1.0.2.tar.gz                     100% of  325 kB  825 kBps 00m00s

This could, I guess, be worked around by changing the base for the pypi fetches to 'https'.  Right, now, most Python package fetches fail unless I disable the proxy.

I did some runs with '-vvv' but and can see the 301 redirect (I can paste the whole session here, but it's easy to recreate...).

Comment 2 Dag-Erling Smørgrav freebsd_committer

2015-12-17 18:54:41 UTC

Can you please attach your log?

Comment 3 mvharding 2015-12-17 19:02:20 UTC

Created attachment 164322 [details]
log with a proxy set

Comment 4 mvharding 2015-12-17 19:02:47 UTC

Created attachment 164323 [details]
log with no proxy set

Comment 5 mvharding 2015-12-17 19:03:30 UTC

logs attatched (generated with 'script')

Comment 6 Dag-Erling Smørgrav freebsd_committer

2018-11-27 14:12:39 UTC

The problem is that libfetch does not reevaluate which proxy to use if a URL is redirected to another with a different scheme.  This is difficult to fix as the decision to use a proxy is made outside `http_request()`.  It also overlaps / conflicts with #220468.

Comment 7 Dag-Erling Smørgrav freebsd_committer

2018-11-27 14:15:26 UTC

Forgot to add: python.org has added HSTS since then, so if you test using the same URL today, you will get a 403 with a Strict-Transport-Security header.  We should treat this (403 + STS) the same as a 301.