Pantek Library

Bug#444159: zsync does not handle HTTP redirects

From: Steve McIntyre <steve(at)einval.com>
Date: Wed Sep 26 2007 - 09:35:27 EDT


Package: zsync
Version: 0.5-1
Severity: important

It seems that zsync does not handle HTTP redirects:

$ zsync http://cdimage.debian.org/cdimage/daily-builds/daily/arch-latest/i386/iso-cd/debian-testing-i386-netinst.iso.zsync

#################### 100.0% 0.0 kBps DONE    

reading seed file debian-testing-i386-netinst.iso: *******************************************************************************************************************************************************************************Read debian-testing-i386-netinst.iso. Target 91.3% complete.      
downloading from http://cdimage.debian.org/cdimage/daily-builds/daily/arch-latest/i386/iso-cd/debian-testing-i386-netinst.iso:
##################-- 91.3%bad status code 302
##################-- 91.3% 0.0 kBps aborted

HTTP error 302 is "Found", aka "The requested resource resides temporarily under a different URI". This means that zsync-assisted downloads are currently failing for Debian daily test images. Looking into the zsync source code, I can see it's using its own local HTTP code rather than using libcurl or any of the other readily-available HTTP client libraries. That does seem like a bit of a design bug, to say the least. I wouldn't be surprised at all if there were multiple security bugs in there just waiting to be found.

--

Steve McIntyre, Cambridge, UK.                                steve@einval.com
< liw> everything I know about UK hotels I learned from "Fawlty Towers"

--

Received on Wed Sep 26 09:40:33 2007

This archive was generated by hypermail 2.1.8 : Sun Oct 07 2007 - 07:56:51 EDT
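
An added example, not zsync's code and not part of the original report: a minimal sketch of the redirect check a hand-rolled HTTP client needs before it can follow a 302 like the one above. The names check_redirect and MAX_REDIRECTS and the host mirror.example are hypothetical. As a simplification it accepts only absolute http:// or https:// targets and caps the number of hops.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define MAX_REDIRECTS 5   /* assumed hop limit, guards against redirect loops */

/* Inspect raw response headers from a hand-rolled HTTP client.
 * Returns 0: not a redirect; 1: redirect accepted, target in next_url;
 *        -1: refused (malformed, hop limit hit, missing or unsafe Location). */
int check_redirect(const char *hdrs, int hops, char *next_url, size_t cap)
{
    int status = 0;
    if (sscanf(hdrs, "HTTP/%*d.%*d %3d", &status) != 1)
        return -1;
    if (status != 301 && status != 302 && status != 303 &&
        status != 307 && status != 308)
        return 0;
    if (hops >= MAX_REDIRECTS)
        return -1;
    const char *p = hdrs;
    while ((p = strstr(p, "\r\n")) != NULL) {
        p += 2;                                /* start of next header line */
        if (*p == '\r' || *p == '\0')
            break;                             /* blank line: end of headers */
        if (strncasecmp(p, "Location:", 9) != 0)
            continue;
        p += 9;
        while (*p == ' ' || *p == '\t') p++;   /* skip optional whitespace */
        size_t n = strcspn(p, "\r\n");
        if (n == 0 || n >= cap)
            return -1;                         /* empty, or would overflow */
        if (strncasecmp(p, "http://", 7) != 0 &&
            strncasecmp(p, "https://", 8) != 0)
            return -1;                         /* no file:, ftp:, relative, ... */
        memcpy(next_url, p, n);
        next_url[n] = '\0';
        return 1;
    }
    return -1;                                 /* 3xx without a Location header */
}

int main(void)
{
    /* Constructed response; mirror.example is a placeholder host. */
    const char *resp = "HTTP/1.1 302 Found\r\nLocation: http://mirror.example/netinst.iso\r\n\r\n";
    char url[256];
    if (check_redirect(resp, 0, url, sizeof url) == 1)
        printf("re-issue the range request against %s\n", url);
    return 0;
}
```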

