Comments (10)
It is not easy without importing more code from LuaSocket.
LuaSec uses the "create" parameter on http.request(). The problem is: "create" does not inform if you will connect with a host using http or https.
If you connect to a host using https and you receive a redirect "http://...", it will break, because LuaSec's "create" only creates ssl/tls connections.
https://github.com/diegonehab/luasocket/blob/master/src/http.lua#L109
In order to work, LuaSocket must give more information to "create" as a parameter, or LuaSec must import the code that detects redirects from LuaSocket.
https://github.com/diegonehab/luasocket/blob/master/src/http.lua#L320
from luasec.
Music Man almost forgot escape go back to you in a 51
On Mar 12, 2015 9:47 PM, "Bruno Silvestre" wrote:
It is not easy without import more code from LuaSocket.
LuaSec use the "create" parameter on http.request(). The problem is: "create" does not inform if you will connect with a host using http or https.
If you connect to a host using https and you receive a redirect "http://...", it will break, because LuaSec's "create" only create ssl/tls connections.
https://github.com/diegonehab/luasocket/blob/master/src/http.lua#L109
In order to work, LuaSocket must give more information to "create" as parameter, or LuaSec import the code that detects redirect from LuaSocket.
https://github.com/diegonehab/luasocket/blob/master/src/http.lua#L320
from luasec.
Coding the solution isn't the biggest problem I think. My concerns are about redirects that reduce security. I think that a redirect from https://... to http://... should not be allowed.
I don't know security that well, but I can also imagine a redirect that still is https://..., but has a lesser level of security, flawed algorithm, or lesser bits encryption, should also not be allowed. Or at least controllable by the user.
from luasec.
See lunarmodules/luasocket#133 for a fix to allow redirecting over protocols.
from luasec.
I was asking for https:// -> https:// redirections. Not https:// -> http:// which I think isn't a normal behaviour for servers.
from luasec.
The other way around is certainly normal. Anyway, one needs to have them covered.
But as it currently is, the code should allow for redirects https -> https. Did you test before posting this issue?
from luasec.
This is my simple example:

```lua
local https = require "ssl.https"

-- Fetch a URL over HTTPS and print the body, or the error details on failure.
local function show_html(url)
  local response, code, headers, status = https.request(url)
  if code ~= 200 then
    print("Response :", response)
    print("HTTP Code :", code)
    print("Headers :", headers)
    print("Status :", status)
    return nil
  end
  print(response)
end

show_html("https://goo.gl/UBCUc5")
```

Get wrong version number as code.
And this is one with options as param:

```lua
local https = require "ssl.https"
local ltn12 = require "ltn12"

-- Download a URL to a file without following redirects (redirect = false).
local function download_to_file(url, file_path)
  print("url to download: " .. url)
  local respbody = {}
  local options = {
    url = url,
    sink = ltn12.sink.table(respbody),
    redirect = false
  }
  -- With a table argument the first return value is not the body,
  -- so only code, headers and status are used.
  local _, code, headers, status = https.request(options)
  if code ~= 200 then
    print("HTTP Code :", code)
    print("Headers :", headers)
    print("Status :", status)
    return nil
  end
  local file, err = io.open(file_path, "w+")
  if not file then
    print("Cannot open file :", err)
    return nil
  end
  file:write(table.concat(respbody))
  file:close()
  print("Saved to: " .. file_path)
  return file_path
end

download_to_file("https://goo.gl/UBCUc5", "/tmp/test.html")
```

The code is 301. The good part is I can implement the redirection on my own, but it would be nice if the lib did the magic.
from luasec.
I can confirm the problem (after testing the simple example). But it is not related to the problem I identified in #35.
Internally the same create function is used twice, and it uses the same table with ssl parameters for creating the context etc. But the second one fails with an internal LuaSec error; wrong version number. For all I can see this very much looks like a bug... maybe @brunoos can shed some light on this.
from luasec.
Finally had some time to sort this one out. The problem was not with LuaSec. The redirect URL doesn't have a port number. So the default LuaSocket behaviour is to insert port 80. Which obviously fails with a https call.
I think this can be closed in favour of #38.
from luasec.
Thanks, great job. 👍
from luasec.
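Added example, not code from this thread or from LuaSec/LuaSocket: a redirect policy for a caller that sets redirect = false and follows Location itself, covering the two points raised above (refuse https -> http, and take a missing port from the target's own scheme instead of 80). The names next_hop, follow, fake_fetch and MAX_HOPS and the short.example / example.org URLs are constructed for illustration; it uses LuaSocket's socket.url module and needs no network.

```lua
local url = require("socket.url")
local DEFAULT_PORT = { http = 80, https = 443 }
local REDIRECT = { [301] = true, [302] = true, [303] = true, [307] = true, [308] = true }
local MAX_HOPS = 5 -- assumption: hop limit picked for this example

-- Return the URL to request next, or nil plus the reason for refusing.
local function next_hop(current, location)
  local from = url.parse(current)
  local target = url.parse(url.absolute(current, location))
  local scheme = (target.scheme or ""):lower()
  if not DEFAULT_PORT[scheme] then
    return nil, "unsupported scheme: " .. scheme
  end
  if (from.scheme or ""):lower() == "https" and scheme ~= "https" then
    return nil, "refusing https -> " .. scheme .. " downgrade"
  end
  -- Default port comes from the target's own scheme, never a fixed 80.
  target.scheme = scheme
  target.port = target.port or DEFAULT_PORT[scheme]
  return url.build(target)
end

-- `fetch(u)` returns code, headers; with LuaSec it would wrap
-- https.request{ url = u, redirect = false, ... }.
local function follow(start, fetch)
  local current = start
  for _ = 1, MAX_HOPS do
    local code, headers = fetch(current)
    local location = headers and headers.location
    if not (REDIRECT[code] and location) then return current, code end
    local nxt, err = next_hop(current, location)
    if not nxt then return nil, err end
    current = nxt
  end
  return nil, "too many redirects"
end

-- Constructed responses standing in for servers, so this runs offline.
local canned = {
  ["https://short.example/a"] = { 301, { location = "https://www.example.org/page" } },
  ["https://www.example.org:443/page"] = { 200, {} },
  ["https://short.example/b"] = { 301, { location = "http://www.example.org/page" } },
}
local function fake_fetch(u)
  local r = canned[u] or { 404, {} }
  return r[1], r[2]
end

print(follow("https://short.example/a", fake_fetch))
print(follow("https://short.example/b", fake_fetch))
```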