http: always update the base URL for redirects

diff --git a/http.c b/http.c
index d4034a14ba004c221ad95f3b8e9a225e850d62ea..718d2109bcd1d6f2a887b180aea094e8b4d8e4d1 100644 (file)
--- a/http.c
+++ b/http.c
@@ -1491,9 +1491,9 @@ static int http_request(const char *url,
  *
  * Note that this assumes a sane redirect scheme. It's entirely possible
  * in the example above to end up at a URL that does not even end in
- * "info/refs".  In such a case we simply punt, as there is not much we can
- * do (and such a scheme is unlikely to represent a real git repository,
- * which means we are likely about to abort anyway).
+ * "info/refs".  In such a case we die. There's not much we can do, such a
+ * scheme is unlikely to represent a real git repository, and failing to
+ * rewrite the base opens options for malicious redirects to do funny things.
  */
 static int update_url_from_redirect(struct strbuf *base,
                                    const char *asked,
@@ -1511,10 +1511,14 @@ static int update_url_from_redirect(struct strbuf *base,
 
        new_len = got->len;
        if (!strip_suffix_mem(got->buf, &new_len, tail))
-               return 0; /* insane redirect scheme */
+               die(_("unable to update url base from redirection:\n"
+                     "  asked for: %s\n"
+                     "   redirect: %s"),
+                   asked, got->buf);
 
        strbuf_reset(base);
        strbuf_add(base, got->buf, new_len);
+
        return 1;
 }