mirror of
https://github.com/curl/curl.git
synced 2026-04-12 00:11:42 +08:00
adda11330b
Introduce `Curl_xfer_is_secure(data)` that returns TRUE for transfers that happen(ed) over a end-to-end secured connection, e.g. SSL. Add test1586 to verify behaviour for http: transfers via a https: proxy. Reported-by: lg_oled77c5pua on hackerone Closes #20951
74 lines
1.3 KiB
XML
74 lines
1.3 KiB
XML
<?xml version="1.0" encoding="US-ASCII"?>
|
|
<testcase>
|
|
<info>
|
|
<keywords>
|
|
HTTP
|
|
HTTPS proxy
|
|
HSTS
|
|
trailing-dot
|
|
</keywords>
|
|
</info>
|
|
|
|
<reply>
|
|
<data crlf="headers">
|
|
HTTP/1.1 200 OK
|
|
Content-Length: 6
|
|
Strict-Transport-Security: max-age=604800
|
|
|
|
-foo-
|
|
</data>
|
|
<data2 crlf="headers">
|
|
HTTP/1.1 200 OK
|
|
Content-Length: 6
|
|
Strict-Transport-Security: max-age=6048000
|
|
|
|
-baa-
|
|
</data2>
|
|
</reply>
|
|
|
|
<client>
|
|
<server>
|
|
http
|
|
https-proxy
|
|
</server>
|
|
<features>
|
|
HSTS
|
|
proxy
|
|
http
|
|
</features>
|
|
<setenv>
|
|
</setenv>
|
|
|
|
<name>
|
|
HSTS via https: proxy ignored for http: URLs
|
|
</name>
|
|
<command>
|
|
-x https://%HOSTIP:%HTTPSPROXYPORT --proxy-insecure --hsts %LOGDIR/hsts%TESTNUMBER http://this.hsts.example./%TESTNUMBER http://another.example.com/%TESTNUMBER0002
|
|
</command>
|
|
</client>
|
|
|
|
<verify>
|
|
<proxy crlf="headers">
|
|
GET http://this.hsts.example./%TESTNUMBER HTTP/1.1
|
|
Host: this.hsts.example.
|
|
User-Agent: curl/%VERSION
|
|
Accept: */*
|
|
Proxy-Connection: Keep-Alive
|
|
|
|
GET http://another.example.com/%TESTNUMBER0002 HTTP/1.1
|
|
Host: another.example.com
|
|
User-Agent: curl/%VERSION
|
|
Accept: */*
|
|
Proxy-Connection: Keep-Alive
|
|
|
|
</proxy>
|
|
|
|
# The saved HSTS file must be empty as the HSTS headers were not secured
|
|
<file name="%LOGDIR/hsts%TESTNUMBER" mode="text">
|
|
# Your HSTS cache. https://curl.se/docs/hsts.html
|
|
# This file was generated by libcurl! Edit at your own risk.
|
|
</file>
|
|
|
|
</verify>
|
|
</testcase>
|