GNU bug report logs - #25518
25.1.91; url-retrieve does not work with https over proxy

Package: emacs;

Reported by: Andreas Schwab <schwab <at> linux-m68k.org>

Date: Tue, 24 Jan 2017 13:26:01 UTC

Severity: normal

Found in version 25.1.91

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.


Message #8 received at 25518 <at> debbugs.gnu.org (full text, mbox):

From: David Engster <deng <at> randomsample.de>
To: Andreas Schwab <schwab <at> linux-m68k.org>
Cc: 25518 <at> debbugs.gnu.org
Subject: Re: bug#25518: 25.1.91; url-retrieve does not work with https over proxy
Date: Tue, 24 Jan 2017 21:33:04 +0100

Andreas Schwab writes:
> url-retrieve should use CONNECT when talking to a https URL over a proxy
> and then talk over the connection as if not using a proxy.
>
> ;; use locally running privoxy as proxy
> (setq url-proxy-services '(("https" . "localhost:8118")))
> (with-current-buffer (url-retrieve-synchronously "https://www.heise.de")
>   (buffer-string)) => "HTTP/1.1 200 Connection established\n\n"

Is this identical to #11788? If so, this is fixed only on master because
it was deemed too risky for emacs-25. I'm still of the opinion that this
is a serious security issue, because of the possible silent fallback to
http without the user noticing. I'm always running my Emacs with
3c623c26a manually backported.

-David
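
The CONNECT handshake the quoted report asks for, as an added Python example that is not part of this thread or of Emacs's url library: the client consumes the proxy's "200 Connection established" reply instead of returning it as the page body, and aborts on any other status rather than retrying in plaintext. The names `TunnelError`, `parse_connect_reply`, `open_tunnel` and `demo` are hypothetical, and the proxy is a constructed in-process stand-in.

```python
import socket
import threading

class TunnelError(Exception):
    """CONNECT failed; the caller must abort, never retry in plaintext."""

def parse_connect_reply(data):
    """Return (status, bytes_after_headers), or None while headers are incomplete."""
    ends = [data.find(sep) + len(sep)
            for sep in (b"\r\n\r\n", b"\n\n") if sep in data]
    if not ends:
        return None
    end = min(ends)
    parts = data[:end].splitlines()[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise TunnelError("malformed proxy reply")
    return int(parts[1]), data[end:]

def open_tunnel(sock, host, port=443):
    """Ask the proxy on SOCK for a tunnel; return any bytes read past its reply."""
    target = f"{host}:{port}"
    sock.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii"))
    buf = b""
    while (parsed := parse_connect_reply(buf)) is None:
        chunk = sock.recv(4096)
        if not chunk or len(buf) > 65536:
            raise TunnelError("no complete reply from proxy")
        buf += chunk
    status, rest = parsed
    if not 200 <= status < 300:
        raise TunnelError(f"proxy refused CONNECT: {status}")
    # The proxy reply is now consumed. A real client wraps SOCK in TLS here
    # (ssl.SSLContext.wrap_socket with server_hostname=host) and sends an
    # ordinary request, as if no proxy were present.
    return rest

def demo(reply):
    """Run open_tunnel against a constructed in-process stand-in for the proxy."""
    client, proxy = socket.socketpair()
    seen = []
    def fake_proxy():
        seen.append(proxy.recv(4096))   # the CONNECT request the client sent
        proxy.sendall(reply)
        proxy.close()
    worker = threading.Thread(target=fake_proxy)
    worker.start()
    try:
        return open_tunnel(client, "www.heise.de"), seen[0]
    finally:
        worker.join()
        client.close()
```
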




This bug report was last modified 5 years and 237 days ago.
