Follow redirects when fetching keys over WKD
Some hosts (like `kernel.org`) redirect all requests to a subdomain (in this case `www`). As WKD queries are always over HTTPS, following redirects would be safe.
parent
222231066e
commit
f6b3887f93
|
@ -94,7 +94,7 @@ public class WebKeyDirectoryClient implements KeyserverClient {
|
|||
|
||||
Request request = new Request.Builder().url(url).build();
|
||||
|
||||
OkHttpClient client = OkHttpClientFactory.getClientPinnedIfAvailable(url, proxy);
|
||||
OkHttpClient client = OkHttpClientFactory.getClientPinnedIfAvailableWithRedirects(url, proxy);
|
||||
Response response = client.newCall(request).execute();
|
||||
|
||||
if (response.isSuccessful()) {
|
||||
|
|
|
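Review bot: Switching to `getClientPinnedIfAvailableWithRedirects` lets the queried server choose the host and path the key is finally read from, and nothing visible at this call site checks where the response came from before `response.isSuccessful()` is acted on. The HTTPS-only property claimed in the commit message rests on `followSslRedirects(false)` in `OkHttpClientFactory`, not on anything in this method, so a comment here such as `// redirects stay on HTTPS: the factory keeps followSslRedirects(false)` would keep that dependency visible. It may also be worth checking `response.request().url().isHttps()` and logging the final host when it differs from the queried domain, so a lookup answered by another host is detectable. The enclosing method starts and ends outside this hunk, so validation may exist further down that is not shown.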
@ -47,10 +47,18 @@ public class OkHttpClientFactory {
|
|||
}
|
||||
|
||||
public static OkHttpClient getClientPinnedIfAvailable(URL url, Proxy proxy) {
|
||||
// don't follow any redirects for keyservers, as discussed in the security audit
|
||||
return getClientPinnedIfAvailable(url, proxy, false);
|
||||
}
|
||||
|
||||
public static OkHttpClient getClientPinnedIfAvailableWithRedirects(URL url, Proxy proxy) {
|
||||
return getClientPinnedIfAvailable(url, proxy, true);
|
||||
}
|
||||
|
||||
private static OkHttpClient getClientPinnedIfAvailable(URL url, Proxy proxy, boolean followRedirects) {
|
||||
OkHttpClient.Builder builder = new OkHttpClient.Builder();
|
||||
|
||||
// don't follow any redirects for keyservers, as discussed in the security audit
|
||||
builder.followRedirects(false)
|
||||
builder.followRedirects(followRedirects)
|
||||
.followSslRedirects(false);
|
||||
|
||||
if (proxy != null) {
|
||||
|
|
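Review bot: The new public `getClientPinnedIfAvailableWithRedirects` has no Javadoc, and the security-audit rationale appears only as a comment on the non-redirecting overload, so a future caller has nothing telling them this variant is not meant for keyserver requests. I would add a Javadoc stating that it follows same-scheme redirects only (because `followSslRedirects(false)` stays set) and is intended for WKD lookups. The pin appears to be chosen from the original `url`, and the rest of the private overload lies outside the hunk, so it is worth confirming how a redirect to a different host behaves when a pin is configured: the connection should fail closed and must not continue unpinned.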