authorShaun Mirani <shaun.mirani@trailofbits.com>2022-10-12 16:27:43 -0300
committerDaniel Stenberg <daniel@haxx.se>2022-10-13 23:28:43 +0200
commit6efb6b1e772934da9f3bc0d5dba5420da14ce587 (patch)
treea5d6e9634a4be29faff54420dcbeb7956879dfd0 /lib/http.c
parent502b6a5a328ee516ff7a87355b5a027c40be2079 (diff)
downloadcurl-6efb6b1e772934da9f3bc0d5dba5420da14ce587.tar.gz
url: allow non-HTTPS HSTS-matching for debug builds
Closes #9728
Diffstat (limited to 'lib/http.c')
-rw-r--r--lib/http.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/http.c b/lib/http.c
index 8801f91a4..f57859e8b 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -3715,7 +3715,14 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn,
#ifndef CURL_DISABLE_HSTS
/* If enabled, the header is incoming and this is over HTTPS */
else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
- (conn->handler->flags & PROTOPT_SSL)) {
+ ((conn->handler->flags & PROTOPT_SSL) ||
+#ifdef CURLDEBUG
+ /* allow debug builds to circumvent the HTTPS restriction */
+ getenv("CURL_HSTS_HTTP")
+#else
+ 0
+#endif
+ )) {
CURLcode check =
Curl_hsts_parse(data->hsts, data->state.up.hostname,
headp + strlen("Strict-Transport-Security:"));
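Review bot: The comment opening this branch still says the header is only handled "over HTTPS", but in a CURLDEBUG build the new condition also accepts Strict-Transport-Security over cleartext whenever `getenv("CURL_HSTS_HTTP")` returns non-NULL, so an empty value or `0` disables the restriction too. I would reword the comment to `/* If enabled, the header is incoming and this is over HTTPS (debug builds: also over HTTP when CURL_HSTS_HTTP is set) */` and note there that entries learned this way come from an unauthenticated response. If a debug build persists its HSTS cache to a file, that file should presumably not be shared with a release build, which would otherwise trust entries an on-path peer could have supplied; the hunk does not show how the cache is stored, so this needs confirming. The enclosing Curl_http_header starts and ends outside this hunk.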