Use HTTPS, not HTTP, in install scripts
ClosedPublic
Actions

Authored by epriestley on Nov 29 2016, 1:29 PM.

Details

Reviewers

chad

Commits

rP2d7abfd9fa9a: Use HTTPS, not HTTP, in install scripts

Summary

Via HackerOne. A researcher correctly reports that our install scripts use HTTP, not HTTPS, to fetch resources and execute them as root, which is a potentially significant vulnerability.

Instead, use HTTPS.

Test Plan

Verified that these URIs function correctly over HTTPS.

Diff Detail

Repository

rP Phabricator

Branch

https1

Lint

Lint Warnings

Severity	Location	Code	Message
Warning	scripts/install/install_rhel-derivs.sh:70	TXT3	Line Too Long

Unit

No Test Coverage

Build Status

Buildable 14700
Build 19205: Run Core Tests
Build 19204: arc lint + arc unit

Event Timeline

epriestley updated this revision to Diff 40812.Nov 29 2016, 1:29 PM

epriestley retitled this revision from to Use HTTPS, not HTTP, in install scripts.

epriestley updated this object.

epriestley edited the test plan for this revision. (Show Details)

epriestley added a reviewer: chad.

chad accepted this revision.Nov 29 2016, 2:37 PM

chad edited edge metadata.

This revision is now accepted and ready to land.Nov 29 2016, 2:37 PM

Closed by commit rP2d7abfd9fa9a: Use HTTPS, not HTTP, in install scripts (authored by epriestley, committed by epriestley). · Explain WhyNov 29 2016, 8:11 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

scripts/

install/

install_rhel-derivs.sh

4 lines

Diff 40812

View Options

scripts/install/install_rhel-derivs.sh

Use HTTPS, not HTTP, in install scriptsClosedPublicActions