diff options
| author | Oswald Buddenhagen <oswald.buddenhagen@qt.io> | 2017-02-01 21:00:55 +0100 |
|---|---|---|
| committer | Oswald Buddenhagen <oswald.buddenhagen@qt.io> | 2017-02-01 21:00:55 +0100 |
| commit | dcd5cb973622d059818dba1a2c7b9a7b7601a14c (patch) | |
| tree | fbda1c8c6d36cae42b084f7298cf5b1904e21e9f /src/network/access/qnetworkreplyhttpimpl.cpp | |
| parent | f299b565b5904e39a47b6133643448e46810f0ed (diff) | |
| parent | ff68e5d667cc62141f177d01f747a62c95f08d3e (diff) | |
| download | qtbase-dcd5cb973622d059818dba1a2c7b9a7b7601a14c.tar.gz | |
Merge remote-tracking branch 'gerrit/dev' into HEAD
Diffstat (limited to 'src/network/access/qnetworkreplyhttpimpl.cpp')
| -rw-r--r-- | src/network/access/qnetworkreplyhttpimpl.cpp | 28 |
1 files changed, 26 insertions, 2 deletions
diff --git a/src/network/access/qnetworkreplyhttpimpl.cpp b/src/network/access/qnetworkreplyhttpimpl.cpp index 7d863ef53c..ece08acc6b 100644 --- a/src/network/access/qnetworkreplyhttpimpl.cpp +++ b/src/network/access/qnetworkreplyhttpimpl.cpp @@ -1135,16 +1135,40 @@ void QNetworkReplyHttpImplPrivate::onRedirected(const QUrl &redirectUrl, int htt if (isFinished) return; + const QString schemeBefore(url.scheme()); if (httpRequest.isFollowRedirects()) // update the reply's url as it could've changed url = redirectUrl; - redirectRequest = createRedirectRequest(originalRequest, redirectUrl, maxRedirectsRemaining); + if (managerPrivate->stsEnabled && managerPrivate->stsCache.isKnownHost(url)) { + // RFC6797, 8.3: + // The UA MUST replace the URI scheme with "https" [RFC2818], + // and if the URI contains an explicit port component of "80", + // then the UA MUST convert the port component to be "443", or + // if the URI contains an explicit port component that is not + // equal to "80", the port component value MUST be preserved; + // otherwise, if the URI does not contain an explicit port + // component, the UA MUST NOT add one. + url.setScheme(QLatin1String("https")); + if (url.port() == 80) + url.setPort(443); + } + + const bool isLessSafe = schemeBefore == QLatin1String("https") + && url.scheme() == QLatin1String("http"); + if (httpRequest.redirectsPolicy() == QNetworkRequest::NoLessSafeRedirectsPolicy + && isLessSafe) { + error(QNetworkReply::InsecureRedirectError, + QCoreApplication::translate("QHttp", "Insecure redirect")); + return; + } + + redirectRequest = createRedirectRequest(originalRequest, url, maxRedirectsRemaining); operation = getRedirectOperation(operation, httpStatus); if (httpRequest.redirectsPolicy() != QNetworkRequest::UserVerifiedRedirectsPolicy) followRedirect(); - emit q->redirected(redirectUrl); + emit q->redirected(url); } void QNetworkReplyHttpImplPrivate::followRedirect() |