GNU bug report logs - #25518
25.1.91; url-retrieve does not work with https over proxy

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: emacs; Reported by: Andreas Schwab <schwab@HIDDEN>; dated Tue, 24 Jan 2017 13:26:01 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.

Message received at 25518 <at> debbugs.gnu.org:


Received: (at 25518) by debbugs.gnu.org; 24 Jan 2017 20:33:12 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jan 24 15:33:12 2017
Received: from localhost ([127.0.0.1]:40800 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1cW7mC-0003DZ-10
	for submit <at> debbugs.gnu.org; Tue, 24 Jan 2017 15:33:12 -0500
Received: from randomsample.de ([5.45.97.173]:34953)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <deng@HIDDEN>) id 1cW7mA-0003DR-3M
 for 25518 <at> debbugs.gnu.org; Tue, 24 Jan 2017 15:33:10 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=randomsample.de; s=a; 
 h=Content-Type:MIME-Version:Message-ID:Date:References:In-Reply-To:Subject:Cc:To:From;
 bh=REd+qjI+jxInLGEslTqU+7GJiJrb+6GbOyWx6uLRIWY=; 
 b=TkAB5K2D9ysKtbeVz3YnKVXsFtCkdKzi/9s1Pg6uXAK903qXVwKTwLZNTIclJCGt2Rs/OnMPYWjKXXXwKhf5UBj6frEffhtDV5N1AeAaLw2AMLdakMcsPxO+03Ot6avV;
Received: from ip4d16b353.dynamic.kabel-deutschland.de ([77.22.179.83]
 helo=isaac)
 by randomsample.de with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128)
 (Exim 4.80) (envelope-from <deng@HIDDEN>)
 id 1cW7m8-00071o-D3; Tue, 24 Jan 2017 21:33:08 +0100
From: David Engster <deng@HIDDEN>
To: Andreas Schwab <schwab@HIDDEN>
Subject: Re: bug#25518: 25.1.91;
 url-retrieve does not work with https over proxy
In-Reply-To: <m2mvegoaj6.fsf@HIDDEN> (Andreas Schwab's message of
 "Tue, 24 Jan 2017 14:25:01 +0100")
References: <m2mvegoaj6.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
Mail-Copies-To: never
Date: Tue, 24 Jan 2017 21:33:04 +0100
Message-ID: <871svs2o73.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -3.2 (---)
X-Debbugs-Envelope-To: 25518
Cc: 25518 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.2 (---)

Andreas Schwab writes:
> url-retrieve should use CONNECT when talking to a https URL over a proxy
> and then talk over the connection as if not using a proxy.
>
> ;; use locally running privoxy as proxy
> (setq url-proxy-services '(("https" . "localhost:8118")))
> (with-current-buffer (url-retrieve-synchronously "https://www.heise.de")
>   (buffer-string)) => "HTTP/1.1 200 Connection established\n\n"

Is this identical to #11788? If so, this is fixed only on master because
it was deemed too risky for emacs-25. I'm still of the opinion that this
is a serious security issue, because of the possible silent fallback to
http without the user noticing. I'm always running my Emacs with
3c623c26a manually backported.

-David




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#25518; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 24 Jan 2017 13:25:22 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jan 24 08:25:22 2017
Received: from localhost ([127.0.0.1]:39887 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1cW16A-0006cJ-HR
	for submit <at> debbugs.gnu.org; Tue, 24 Jan 2017 08:25:22 -0500
Received: from eggs.gnu.org ([208.118.235.92]:53146)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <whitebox@HIDDEN>) id 1cW168-0006c6-Bw
 for submit <at> debbugs.gnu.org; Tue, 24 Jan 2017 08:25:20 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <whitebox@HIDDEN>) id 1cW162-000891-D5
 for submit <at> debbugs.gnu.org; Tue, 24 Jan 2017 08:25:15 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.0 required=5.0 tests=BAYES_40 autolearn=disabled
 version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:55878)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <whitebox@HIDDEN>) id 1cW162-00088x-A9
 for submit <at> debbugs.gnu.org; Tue, 24 Jan 2017 08:25:14 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44109)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <whitebox@HIDDEN>) id 1cW161-00051Y-3a
 for bug-gnu-emacs@HIDDEN; Tue, 24 Jan 2017 08:25:13 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <whitebox@HIDDEN>) id 1cW15w-000877-LJ
 for bug-gnu-emacs@HIDDEN; Tue, 24 Jan 2017 08:25:13 -0500
Received: from mail-out.m-online.net ([2001:a60:0:28:0:1:25:1]:53781)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <whitebox@HIDDEN>) id 1cW15w-00085C-Em
 for bug-gnu-emacs@HIDDEN; Tue, 24 Jan 2017 08:25:08 -0500
Received: from frontend01.mail.m-online.net (unknown [192.168.8.182])
 by mail-out.m-online.net (Postfix) with ESMTP id 3v78765HPHz3hlwx
 for <bug-gnu-emacs@HIDDEN>; Tue, 24 Jan 2017 14:25:05 +0100 (CET)
Received: from localhost (dynscan1.mnet-online.de [192.168.6.68])
 by mail.m-online.net (Postfix) with ESMTP id 3v78756Zm2zvkKX
 for <bug-gnu-emacs@HIDDEN>; Tue, 24 Jan 2017 14:25:05 +0100 (CET)
X-Virus-Scanned: amavisd-new at mnet-online.de
Received: from mail.mnet-online.de ([192.168.8.182])
 by localhost (dynscan1.mail.m-online.net [192.168.6.68]) (amavisd-new,
 port 10024) with ESMTP id B5E4I_aNSDAb for <bug-gnu-emacs@HIDDEN>;
 Tue, 24 Jan 2017 14:25:04 +0100 (CET)
X-Auth-Info: Es2Q9Px6gl9VIO5LU3Kyg6Aa1n4MBrAYkMFPBXDRlEedo8ITrohrhCMqdXyBNRVO
Received: from linux.local (ppp-88-217-0-51.dynamic.mnet-online.de
 [88.217.0.51]) by mail.mnet-online.de (Postfix) with ESMTPA
 for <bug-gnu-emacs@HIDDEN>; Tue, 24 Jan 2017 14:25:04 +0100 (CET)
Received: by linux.local (Postfix, from userid 501)
 id 3BB601E5484; Tue, 24 Jan 2017 14:25:02 +0100 (CET)
From: Andreas Schwab <schwab@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Subject: 25.1.91; url-retrieve does not work with https over proxy
X-Yow: The PINK SOCKS were ORIGINALLY from 1952!!
 But they went to MARS around 1953!!
Date: Tue, 24 Jan 2017 14:25:01 +0100
Message-ID: <m2mvegoaj6.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.91 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

url-retrieve should use CONNECT when talking to a https URL over a proxy
and then talk over the connection as if not using a proxy.

;; use locally running privoxy as proxy
(setq url-proxy-services '(("https" . "localhost:8118")))
(with-current-buffer (url-retrieve-synchronously "https://www.heise.de")
  (buffer-string)) => "HTTP/1.1 200 Connection established\n\n"

Andreas.

-- 
Andreas Schwab, schwab@HIDDEN
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."




Acknowledgement sent to Andreas Schwab <schwab@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#25518; Package emacs. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Tue, 24 Jan 2017 20:45:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.