
Bug #14300 Package files themselves can not be served over https
Submitted: 2008-07-07 07:15 UTC
From: kulminaator Assigned: dufuz
Status: Closed Package: PEAR (version 1.7.2)
PHP Version: 5.2.5 OS: Linux, Mac OS X
Roadmaps: 1.8.0alpha1    

 
 [2008-07-07 07:15 UTC] kulminaator (Martin Roos)
Description: ------------ The PEAR downloading system has 2 bugs which prevent the files to served from a https server. First of all, the PEAR/Download/Package.php only filters out http or ftp url's, it does not support the https url due to the incomplete regexp. Secondly, the PEAR/Download.php still has a bug with "Host:" header, where the 'ssl://' is prefixed to the hostname, and https servers fail to recognize the virtual host, returning 400 - Bad Request. Will attach 2 files for patching: PEAR/Downloader.php PEAR/Downloader/Package.php Test script: --------------- Create a channel that serves files over https medium. Enter command: #shell# pear download mypearserver.local/Translations-57.0.48215 where Translations package is served from https://some.of.your.hosts/files/Translations-57.0.48215.tgz Expected result: ---------------- #shell# pear download mypearserver.local/Translations-57.0.48215 downloading Translations-57.0.48215.tgz ... Starting to download Translations-57.0.48215.tgz (3,476,490 bytes) .............................................................................................................................................................................................................................................................................................................................................................................................................................done: 3,476,490 bytes File /private/tmp/Translations-57.0.48215.tgz downloaded Actual result: -------------- #shell# pear download mypearserver.local/Translations-57.0.48215 Fatal error: Call to a member function getArchiveFile() on a non-object in /opt/local/lib/php/PEAR/Downloader.php on line 438
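The two defects described in this report, the scheme check and the `ssl://` prefix leaking into the `Host:` header, handled together in an added example (not PEAR's code and not the reporter's patch). The function name `plan_download_request()` and the `example.test` URLs are hypothetical; only http and https are covered, and the code builds the request without opening a connection.

```php
<?php
// Added example, not PEAR's code; plan_download_request() is a hypothetical name.
/**
 * Derive the socket target, TLS options and request text from one URL.
 * "ssl://" is a PHP stream transport prefix: it belongs in the address
 * passed to fsockopen()/stream_socket_client(), never in the Host header.
 */
function plan_download_request($url)
{
    $info = parse_url($url);
    if ($info === false || !isset($info['scheme'], $info['host'])) {
        throw new InvalidArgumentException("Not an absolute URL: $url");
    }
    $scheme   = strtolower($info['scheme']);   // URL schemes are case-insensitive
    $defaults = array('http' => 80, 'https' => 443);
    if (!isset($defaults[$scheme])) {
        throw new InvalidArgumentException("Unsupported scheme: $scheme");
    }
    $host = $info['host'];
    $port = isset($info['port']) ? $info['port'] : $defaults[$scheme];
    $path = isset($info['path']) ? $info['path'] : '/';
    if (isset($info['query'])) {
        $path .= '?' . $info['query'];
    }
    $tls = ($scheme === 'https');

    // Host header: bare host name, port only when it is not the scheme default.
    $hostHeader = $host . ($port == $defaults[$scheme] ? '' : ":$port");

    return array(
        // Where to connect: transport prefix plus an explicit port.
        'transport' => ($tls ? 'ssl://' : 'tcp://') . "$host:$port",
        // Options for stream_context_create() (PHP 5.6+ names): verify the
        // certificate against the same bare host name sent in the Host header.
        'ssl' => $tls ? array('verify_peer' => true, 'verify_peer_name' => true,
                              'peer_name' => $host) : array(),
        'request' => "GET $path HTTP/1.1\r\nHost: $hostHeader\r\n"
                   . "Connection: close\r\n\r\n",
    );
}

// Constructed sample URLs (example.test is a reserved test name).
foreach (array('https://pear.example.test/files/Translations-57.0.48215.tgz',
               'HTTPS://pear.example.test:8443/get/Foo-1.0.tgz',
               'http://pear.example.test/get/Foo-1.0.tgz') as $url) {
    $plan = plan_download_request($url);
    echo $plan['transport'], "\n", $plan['request'];
}
```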

Comments

 [2008-07-13 00:30 UTC] dufuz (Helgi Þormar Þorbjörnsson)
Could you provide us with a diff -u of those patches instead?
 [2008-07-15 08:18 UTC] kulminaator (Martin Roos)
of course : Macintosh-4:PEAR martinroos$ diff -r -u . /opt/local/lib/php/PEAR diff -r -u ./Downloader/Package.php /opt/local/lib/php/PEAR/Downloader/Package.php --- ./Downloader/Package.php 2008-05-17 22:50:14.000000000 +0300 +++ /opt/local/lib/php/PEAR/Downloader/Package.php 2008-07-07 10:04:42.000000000 +0300 @@ -1457,7 +1457,7 @@ function _fromUrl($param, $saveparam = '') { if (!is_array($param) && - (preg_match('#^(http|ftp)://#', $param))) { + (preg_match('#^(http|https|ftp)://#', $param))) { $options = $this->_downloader->getOptions(); $this->_type = 'url'; $callback = $this->_downloader->ui ? diff -r -u ./Downloader.php /opt/local/lib/php/PEAR/Downloader.php --- ./Downloader.php 2008-05-17 22:50:14.000000000 +0300 +++ /opt/local/lib/php/PEAR/Downloader.php 2008-07-04 16:02:51.000000000 +0300 @@ -1606,6 +1606,7 @@ $request = "GET $url HTTP/1.0\r\n"; } } else { + $webhost = $host; if (isset($info['scheme']) && $info['scheme'] == 'https') { $host = 'ssl://' . $host; } @@ -1619,10 +1620,10 @@ } if ($lastmodified === false || $lastmodified) { $request = "GET $path HTTP/1.1\r\n"; - $request .= "Host: $host:$port\r\n"; + $request .= "Host: $webhost:$port\r\n"; } else { $request = "GET $path HTTP/1.0\r\n"; - $request .= "Host: $host\r\n"; + $request .= "Host: $webhost\r\n"; } } $ifmodifiedsince = ''; Only in /opt/local/lib/php/PEAR: PackageFileManager Only in /opt/local/lib/php/PEAR: PackageFileManager.php Only in /opt/local/lib/php/PEAR: PackageFileManager2.php diff -r -u ./REST/13.php /opt/local/lib/php/PEAR/REST/13.php --- ./REST/13.php 2008-05-17 22:50:14.000000000 +0300 +++ /opt/local/lib/php/PEAR/REST/13.php 2008-06-27 13:59:33.000000000 +0300 @@ -277,4 +277,4 @@ return $this->_returnDownloadURL($base, $package, $release, $info, $found, $skippedphp, $channel); } } -?> \ No newline at end of file +?>
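Review bot: In the `Downloader/Package.php` hunk, the new pattern `#^(http|https|ftp)://#` in `_fromUrl()` is still case-sensitive, so a URL written as `HTTPS://...` fails this check the same way an https URL did before the change. Consider `#^(https?|ftp)://#i`, which also drops the redundant alternative, and add a short comment listing the schemes this method accepts.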
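Review bot: In the first `Downloader.php` hunk (@@ -1606), `$webhost` is assigned only inside this `else` branch, while the branch above it (the one building `GET $url HTTP/1.0`) never sets it. Any later read of `$webhost` outside this branch would hit an undefined variable; assigning it once before the `if`/`else` avoids that. A one-line comment stating that `ssl://` is the socket transport prefix and must not reach the `Host:` header would keep `$host` and `$webhost` from being merged again.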
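Review bot: In the second `Downloader.php` hunk (@@ -1619), the two `Host:` lines disagree about the port: the HTTP/1.1 branch sends `$webhost:$port` while the HTTP/1.0 branch sends `$webhost` alone, so a server on a non-default port receives a different `Host:` value depending on `$lastmodified`. Suggest building the header value once, appending `:$port` only when the port is not the default for the scheme, and using that value in both branches.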
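Review bot: The `REST/13.php` hunk only changes the end-of-file newline after `?>` and is unrelated to the https fix. Please drop it so the patch covers only `Downloader.php` and `Downloader/Package.php`.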
 [2008-07-15 08:19 UTC] kulminaator (Martin Roos)
disregard the end-of-line thing in REST13.php :)
affected files: Downloader.php Downloader/Package.php
 [2009-02-05 05:49 UTC] dufuz (Helgi Þormar Þorbjörnsson)
Applied the first patch already - still thinking about the other one since it is a bit sketchy to remove the port, even if removing the port fixes issues with ssl then it doesn't mean normal http servers might not have other ports than port 80.
 [2009-02-05 05:51 UTC] dufuz (Helgi Þormar Þorbjörnsson)
Sorry, seems that I looked at the second patch incorrectly, I need to take a better look at it again before I decide if it is the way to go or not. Thanks for the patches
 [2009-02-09 21:37 UTC] dufuz (Helgi Þormar Þorbjörnsson)
-Status: Assigned +Status: Closed
This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better.