url: allow non-HTTPS HSTS-matching for debug builds
authorShaun Mirani <shaun.mirani@trailofbits.com>
Wed, 12 Oct 2022 19:27:43 +0000 (16:27 -0300)
committerDaniel Stenberg <daniel@haxx.se>
Thu, 13 Oct 2022 21:28:43 +0000 (23:28 +0200)
Closes #9728

lib/http.c

index 8801f91a489aca73604423a240cc0cbd12ccbbb4..f57859e8b05998e9285facfdee74063c8136f8fe 100644 (file)
@@ -3715,7 +3715,14 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn,
 #ifndef CURL_DISABLE_HSTS
   /* If enabled, the header is incoming and this is over HTTPS */
   else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
-          (conn->handler->flags & PROTOPT_SSL)) {
+          ((conn->handler->flags & PROTOPT_SSL) ||
+#ifdef CURLDEBUG
+           /* allow debug builds to circumvent the HTTPS restriction */
+           getenv("CURL_HSTS_HTTP")
+#else
+           0
+#endif
+            )) {
     CURLcode check =
       Curl_hsts_parse(data->hsts, data->state.up.hostname,
                       headp + strlen("Strict-Transport-Security:"));
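Review bot: The comment above the condition still says "this is over HTTPS", yet with the added `getenv("CURL_HSTS_HTTP")` branch a CURLDEBUG build also passes Strict-Transport-Security headers from cleartext responses to Curl_hsts_parse(), and such headers can be forged by anyone on the network path. I would reword it along the lines of `/* The header is incoming and either this is over HTTPS or, in debug builds only, CURL_HSTS_HTTP is set (test suite use) */` so the exception is visible where the rule is stated. getenv() returns non-NULL for an empty value, so `CURL_HSTS_HTTP=` enables the bypass as well; if only a non-empty value should count, that is worth checking or documenting. The commit title says "debug builds" while the guard is `CURLDEBUG`; curl also has a `DEBUGBUILD` macro, so it may be worth confirming which one is intended here. Curl_http_header() starts before this hunk and the `else if` body continues after it.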