Package: apt
Version: 0.8.3ubuntu7
Severity: important

I set up an internal Ubuntu mirror in our network and have a proxy that redirects traffic to http://ar.archive.ubuntu.com/ubuntu to http://ubuntu.unc.edu.ar/ubuntu

In the case we have to fetch a .deb file that has '~' in its name, apt renames the file substituting '~' for '%7e', which is fine. When the proxy response arrives, it does so with a redirection that consists of an FQDN substitution. Then, apt escapes the URL from the response substituting '%' for '%25', so it asks for the incorrect file in the internal mirror:

apt tries to download
  http://ar.archive.ubuntu.unc.edu.ar/ubuntu/pool/main/u/ubufox/ubufox_0.9~rc2-0ubuntu5.1_all.deb
sends a GET
  http://ar.archive.ubuntu.com/ubuntu/pool/main/u/ubufox/ubufox_0.9%7erc2-0ubuntu5.1_all.deb
receives 301
  http://ubuntu.unc.edu.ar/ubuntu/pool/main/u/ubufox/ubufox_0.9%7erc2-0ubuntu5.1_all.deb
then sends a GET
  http://ubuntu.unc.edu.ar/ubuntu/pool/main/u/ubufox/ubufox_0.9%257erc2-0ubuntu5.1_all.deb

This was checked with Wireshark. We suggest avoiding the string escape if it doesn't have security implications.
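
The double escape in the trace above, as an added example that is not part of the original report and is not apt's code: re-escaping an already escaped Location turns '%7e' into '%257e', while an escape that copies valid %XX triplets through leaves the URL intact and still escapes spaces and control bytes in a redirect target. The function names and the set of bytes treated as safe are assumptions made for this illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Added illustration; names are hypothetical and this is not apt's API.
// Assumed safe set: bytes copied through unescaped ('~' is escaped, as in the report).
static bool is_safe(unsigned char c) {
    return std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '/' || c == ':';
}

static std::string hex_escape(unsigned char c) {
    static const char digits[] = "0123456789abcdef";
    return std::string{'%', digits[c >> 4], digits[c & 0x0f]};
}

// Escapes every byte outside the safe set, '%' included, so input that is
// already escaped gets escaped a second time.
std::string quote_naive(const std::string &in) {
    std::string out;
    for (unsigned char c : in)
        out += is_safe(c) ? std::string(1, static_cast<char>(c)) : hex_escape(c);
    return out;
}

// Copies a well-formed %XX triplet through unchanged; any other byte outside
// the safe set (a stray '%', space, CR, LF, ...) is still escaped.
std::string quote_preserving(const std::string &in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        unsigned char c = in[i];
        if (c == '%' && i + 2 < in.size() &&
            std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out.append(in, i, 3);
            i += 2;
        } else {
            out += is_safe(c) ? std::string(1, static_cast<char>(c)) : hex_escape(c);
        }
    }
    return out;
}

int main() {
    // Location value taken from the 301 response in the report.
    const std::string location =
        "http://ubuntu.unc.edu.ar/ubuntu/pool/main/u/ubufox/ubufox_0.9%7erc2-0ubuntu5.1_all.deb";
    std::cout << "naive:      " << quote_naive(location) << "\n";
    std::cout << "preserving: " << quote_preserving(location) << "\n";
}
```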

