fix: allow upgrading HTTP to HTTPS for redirects #3978

Merged
merged 1 commit into from
Feb 18, 2025

Contributor

@sloped sloped commented Feb 13, 2025

Brief Summary

Allow adding podcasts where the server detects an http domain and redirects to an https domain. Currently, these fail with an error message that is not useful to the end user.

Which Issue is Fixed?

Fixes #3142
Fixes #3658

In-Depth Description

This error occurs for several mainstream podcasts, likely impacting multiple users. I lost some spouse approval points due to this issue. 😅

The root cause is that we are not allowing the Axios client to redirect between domains with different protocols. As a result, any feed URL detected as http that redirects to a different https domain would fail, leaving users without a clear resolution.

The Fix

  • When a podcast feed request fails due to a redirection error caused by an invalid protocol, we check if the redirection is from http to https.
  • If so, we upgrade the original URL to https and retry the request.
  • If the original URL does not have a corresponding https version or another protocol change occurs (e.g., https → http), the request will still fail, ensuring we do not introduce security risks.

How Have You Tested This?

I confirmed that the following podcasts were failing to add in the current version (v2.19.2) of Audiobookshelf.

After making my changes, I was able to successfully add all three podcasts through the UI:

  • D&D is for Nerds
  • The New Yorker: The Writer's Voice - New Fiction from The New Yorker
  • Radiolab

Re: advplyr#3142 and advplyr#3658

When adding certain podcasts, the server encountered a redirect from an HTTP URL to an HTTPS domain, causing an error that was difficult for end users to diagnose without inspecting logs or HTML.

This issue arose due to SSRF security measures that blocked such redirects. Instead of failing in these cases, we now detect when the error is caused by an HTTP-to-HTTPS upgrade. If confirmed, we upgrade the initial URL to HTTPS and resend the request.

Since this change does not allow cross-protocol or cross-domain redirections, it remains secure while resolving most of the reported issues.

Affected podcasts that are now fixed:

- D&D is for Nerds
- The New Yorker: The Writer's Voice - New Fiction from The New Yorker
- Radiolab
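
The decision described under "The Fix" above, as an added example that is not part of this pull request or of Audiobookshelf's code: given the requested feed URL and the `Location` of the redirect the client refused, it returns the single URL to retry or `null`. The function names and sample URLs are hypothetical, and the handling of relative `Location` values goes slightly beyond the case the description names.

```javascript
// Added example, not Audiobookshelf code. Function names are hypothetical.

// Parse a URL (optionally relative to a base); return null instead of throwing.
function parseUrl(value, base) {
  try {
    return new URL(value, base)
  } catch {
    return null
  }
}

// Given the feed URL that was requested and the Location of the redirect that
// the client refused, return the URL to retry once, or null to keep failing.
function httpsRetryUrl(requestedUrl, blockedLocation) {
  const requested = parseUrl(requestedUrl)
  // Already https (or not http at all): nothing to upgrade, so no retry loop.
  if (!requested || requested.protocol !== 'http:') return null

  // Location may be relative; resolve it against the requested URL first.
  const target = parseUrl(blockedLocation, requested)
  // https -> http, ftp:, and any other scheme change stay blocked.
  if (!target || target.protocol !== 'https:') return null

  // Upgrade the ORIGINAL URL rather than jumping straight to the target.
  const upgraded = new URL(requested.href)
  upgraded.protocol = 'https:'
  return upgraded.href
}

// Constructed sample cases (example.com / example.net are placeholders).
const cases = [
  ['http://feeds.example.com/show.rss', 'https://cdn.example.net/show.rss'],
  ['https://feeds.example.com/show.rss', 'http://cdn.example.net/show.rss'],
  ['http://feeds.example.com/show.rss', '/moved/show.rss'],
  ['http://feeds.example.com/show.rss', 'ftp://cdn.example.net/show.rss']
]
for (const [requested, location] of cases) {
  console.log(`${requested} -> ${location}: retry ${httpsRetryUrl(requested, location)}`)
}
```

Send the returned URL through the same client so the existing SSRF checks still apply to the retry.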

@valon0388

I'm also encountering this issue. Seems like it would be a simple change. Yes?

@advplyr
Owner

advplyr commented Feb 18, 2025

Thanks!

@advplyr advplyr merged commit fd3d4f5 into advplyr:master Feb 18, 2025
5 checks passed

Successfully merging this pull request may close these issues.

  • [Enhancement]: https upgrade detect
  • [Bug]: ERR_FR_REDIRECTION_FAILURE while adding a new podcast