Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HTTPS API endpoint is downgraded to HTTP #652

Closed
yvt opened this issue Jan 7, 2019 · 2 comments · Fixed by #654
Closed

HTTPS API endpoint is downgraded to HTTP #652

yvt opened this issue Jan 7, 2019 · 2 comments · Fixed by #654
Labels
kind/bug A bug in existing code (including security flaws)

Comments

@yvt
Copy link
Contributor

yvt commented Jan 7, 2019
edited
Loading

The protocol part of the endpoint URL is always ignored and assumed to be http.

For example, if you specify https://www.example.com, all requests are actually sent to http://www.example.com. Although this usage scenario is very uncommon, this can unintentionally open possibilities for information leakage and MITM attacks.
@yvt
Copy link
Contributor Author

yvt commented Jan 7, 2019

I think, perhaps, this is the cause...? (Look closely at the spelling of protocol)

https://github.com/ipfs-shipyard/ipfs-companion/blob/17fa4e56f33e815469829193d910a00da66d34e1/add-on/src/lib/ipfs-client/external.js#L10

Here's the dump of the config object I managed to retrieve from the parameter of requestAPI:

{
  "api-path":"/api/v0/",
  "user-agent":"/node-ipfs-api/26.1.2/",
  "host":"[redacted]",
  "port":"",
  "protocol":"http",
  "procotol":"https:"
}

@yvt yvt changed the title Can't use a HTTPS API endpoint HTTPS API endpoint is downgraded to HTTP Jan 7, 2019
@lidel lidel added the kind/bug A bug in existing code (including security flaws) label Jan 7, 2019
@lidel
Copy link
Member

lidel commented Jan 7, 2019

@yvt wow that is a sneaky typo, great catch!
Mind creating a pull request with a fix? :)

@lidel lidel added the status/ready Ready to be worked label Jan 7, 2019
yvt added a commit to yvt/ipfs-companion that referenced this issue Jan 8, 2019
@yvt
fix: support HTTPS API endpoints
8560002 
This commit fixes the issue that a protocol name (http or https) is not passed
to `ipfs-http-client` as intended.

Closes ipfs#652
@yvt yvt mentioned this issue Jan 8, 2019
Merged
@lidel lidel closed this as completed in #654 Jan 8, 2019
lidel pushed a commit that referenced this issue Jan 8, 2019
@yvt @lidel
fix: support HTTPS API endpoints (#654)
8bb8a62 
This commit fixes the issue that a protocol name (http or https) is not passed to `ipfs-http-client` as intended.

Closes #652
@ghost ghost removed the status/ready Ready to be worked label Jan 8, 2019
@github-actions github-actions bot mentioned this issue Feb 16, 2023
Closed
@github-actions github-actions bot mentioned this issue Sep 21, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug A bug in existing code (including security flaws)
Projects
None yet
Milestone
No milestone
2 participants
@lidel @yvt