Follow redirects when fetching keys over WKD

Some hosts (like `kernel.org`) redirect all requests to a subdomain (in
this case `www`). As WKD queries are always over HTTPS, following redirects
would be safe.
Wiktor Kwapisiewicz 2018-05-22 11:06:31 +02:00
parent 222231066e
commit f6b3887f93
2 changed files with 11 additions and 3 deletions


@ -94,7 +94,7 @@ public class WebKeyDirectoryClient implements KeyserverClient {
Request request = new Request.Builder().url(url).build();
OkHttpClient client = OkHttpClientFactory.getClientPinnedIfAvailable(url, proxy);
OkHttpClient client = OkHttpClientFactory.getClientPinnedIfAvailableWithRedirects(url, proxy);
Response response = client.newCall(request).execute();
if (response.isSuccessful()) {
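Review bot: The redirect target is never checked before the response is treated as the key for the queried address: with the redirecting client, `client.newCall(request).execute()` can return a body served by whichever HTTPS host the original server names in its `Location` header, not only a `www` subdomain. TLS authenticates each hop but does not limit where the hop goes, so a WKD host can also steer the device's request to an unrelated or internal HTTPS endpoint. I would compare the final host with the requested one before parsing, e.g. `String finalHost = response.request().url().host();` followed by a check that it equals `url.getHost()` or is a subdomain of it, and treat anything else as a failed lookup. The enclosing method starts and ends outside this hunk, so how the response body is handled is not visible here.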


@ -47,10 +47,18 @@ public class OkHttpClientFactory {
}
public static OkHttpClient getClientPinnedIfAvailable(URL url, Proxy proxy) {
// don't follow any redirects for keyservers, as discussed in the security audit
return getClientPinnedIfAvailable(url, proxy, false);
}
public static OkHttpClient getClientPinnedIfAvailableWithRedirects(URL url, Proxy proxy) {
return getClientPinnedIfAvailable(url, proxy, true);
}
private static OkHttpClient getClientPinnedIfAvailable(URL url, Proxy proxy, boolean followRedirects) {
OkHttpClient.Builder builder = new OkHttpClient.Builder();
// don't follow any redirects for keyservers, as discussed in the security audit
builder.followRedirects(false)
builder.followRedirects(followRedirects)
.followSslRedirects(false);
if (proxy != null) {
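Review bot: The new public `getClientPinnedIfAvailableWithRedirects` has no comment saying when it is acceptable to use, while the audit comment now sits only on the two-argument overload, so the next caller has nothing telling them that keyserver lookups must stay on the non-redirecting variant. I would add a Javadoc on it along the lines of `/** Follows same-scheme redirects only; intended for WKD, never for keyservers (see security audit). */`, and a one-line comment next to `.followSslRedirects(false)` such as `// keep false: blocks HTTPS -> HTTP downgrade on redirect`, since that line is what the commit message's HTTPS assumption rests on. Whether a pinned certificate selected for the original `url` is still the right trust anchor after a redirect to another host cannot be seen from this hunk and is worth confirming. The private overload's body continues past the end of the hunk.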