Bug 62499

Summary: Regression: redirection from HTTP to HTTPS is no longer supported by Get task
Product: Ant Reporter: Konstantin Kolinko <knst.kolinko>
Component: Core tasksAssignee: Ant Notifications List <notifications>
Status: RESOLVED FIXED    
Severity: regression    
Priority: P2    
Version: 1.9.12   
Target Milestone: 1.9.13   
Hardware: PC   
OS: All   

Description Konstantin Kolinko 2018-06-27 19:47:02 UTC
The <get> task no longer follows redirects from http: to https:, but instead fails the build with the following message:

"Redirection detected from http to https. Protocol switch unsafe, not allowed."

See bug 62164 (filed against Apache Tomcat) for an example.

Looking into the source code I found that

1. This error message is printed by get task, Get.redirectionAllowed().

2. The condition that triggers this message was broken by the following commit:
in 1.9.x:
Revision: 5eef12a964e1813763c4a0ab6a056edcfa768814
Author: Gintas Grigelionis <gintas@apache.org>
Date: 12.12.2017 1:30:20
Message:
Checkstyle: whitespace, line continuation and modifier idiosyncrasies

in master:
Revision: 7f1e7628b357082fb1f786d1f58156a336db45e3
Author: Gintas Grigelionis <gintas@apache.org>
Date: 12.12.2017 1:30:20
Message:
Checkstyle: whitespace, line continuation and modifier idiosyncrasies


Original code of redirectionAllowed(), e.g. Ant 1.9.9:
https://github.com/apache/ant/blob/rel/1.9.9/src/main/org/apache/tools/ant/taskdefs/Get.java#L669

Current code, e.g. Ant 1.9.12:
https://github.com/apache/ant/blob/rel/1.9.12/src/main/org/apache/tools/ant/taskdefs/Get.java#L671


Current condition:
 if (aSource.getProtocol().equals(aDest.getProtocol())
   && (HTTP.equals(aSource.getProtocol()) || HTTPS.equals(aDest.getProtocol()))) {

Correct condition would be:
 if (aSource.getProtocol().equals(aDest.getProtocol())
   || (HTTP.equals(aSource.getProtocol()) && HTTPS.equals(aDest.getProtocol()))) {


Broken versions: Ant 1.9.10 - 1.9.12 and 1.10.2 - 1.10.4.
Comment 1 Jaikiran Pai 2018-06-28 05:10:35 UTC
You are right. This is indeed a regression and shouldn't have happened. Sorry about that. Thank you for taking the efforts to investigate and report this.

A change has now been committed to fix this and a test case has been included in our testsuite to reproduce the bug and verify the fix. The fix will be available  in the next releases of 1.9.x and 1.10.x.
Comment 2 Brett Sutton 2018-08-07 08:41:57 UTC
From the thread I'm left uncertain whether this is a bug when redirecting from http to https or also when directing from https to http.

I'm unable to build tomcat when mirrors attempt to redirect from http to https.

trydownload:
      [get] Getting: https://www.apache.org/dyn/closer.lua?action=download&filename=/commons/daemon/binaries/commons-daemon-1.1.0-bin.tar.gz
      [get] To: /root/tomcat-build-libs/download-1827083885.tar.gz
      [get] https://www.apache.org/dyn/closer.lua?action=download&filename=/commons/daemon/binaries/commons-daemon-1.1.0-bin.tar.gz moved to http://www.strategylions.com.au/mirror//commons/daemon/binaries/commons-daemon-1.1.0-bin.tar.gz

BUILD FAILED
/root/build_tomcat-with-ssl/parts/tomcat-with-ssl/build/build.xml:2628: The following error occurred while executing this line:
/root/build_tomcat-with-ssl/parts/tomcat-with-ssl/build/build.xml:2934: The following error occurred while executing this line:
/root/build_tomcat-with-ssl/parts/tomcat-with-ssl/build/build.xml:3050: Redirection detected from https to http. Protocol switch unsafe, not allowed.

So is this the same bug that is being fixed or do I need to report a separate bug.

Redirects of this nature appear to happen at random on a regular basis which makes building tomcat very hit and miss.
Comment 3 Stefan Bodewig 2018-08-07 08:51:35 UTC
No, not following redirects from http to https has been a bug. Not following redirects from https to http is a deliberate choice (which we don't seem to have documented properly).

In Tomcat's case the tomcat devs changed the protocol from http to https because of this bug (so redirects to mirrors using https works which seemed to be more common). I think there's been a thread about changing this back to http on the dev@tomcat list, but Konstantin will certainly know better :-)