From: Shaun Mirani
Date: Wed, 12 Oct 2022 19:27:43 +0000 (-0300)
Subject: url: allow non-HTTPS HSTS-matching for debug builds
X-Git-Tag: curl-7_86_0~66
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6efb6b1e772934da9f3bc0d5dba5420da14ce587;p=thirdparty%2Fcurl.git

url: allow non-HTTPS HSTS-matching for debug builds

Closes #9728
---

diff --git a/lib/http.c b/lib/http.c
index 8801f91a48..f57859e8b0 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -3715,7 +3715,14 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn,
 #ifndef CURL_DISABLE_HSTS
 /* If enabled, the header is incoming and this is over HTTPS */
 else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
- (conn->handler->flags & PROTOPT_SSL)) {
+ ((conn->handler->flags & PROTOPT_SSL) ||
+#ifdef CURLDEBUG
+ /* allow debug builds to circumvent the HTTPS restriction */
+ getenv("CURL_HSTS_HTTP")
+#else
+ 0
+#endif
+ )) {
 CURLcode check =
 Curl_hsts_parse(data->hsts, data->state.up.hostname,
 headp + strlen("Strict-Transport-Security:"));
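Review bot: The context comment above the `else if` still says the header is handled only "over HTTPS", which stops being true once `getenv("CURL_HSTS_HTTP")` returns non-NULL in a CURLDEBUG build; I would reword it to `/* If enabled, the header is incoming and this is over HTTPS (or a debug build with CURL_HSTS_HTTP set) */`. RFC 6797 tells clients to ignore Strict-Transport-Security received over cleartext because anyone on the network path can inject it, so the added comment should also state that the override exists (presumably) for the test suite and must not be reachable in a release build. Any value of the variable, including an empty string, disables the check, and the gate is `CURLDEBUG`; if that macro can be enabled independently of the project's debug-build macro (`DEBUGBUILD`), the bypass may end up in more builds than intended, which is worth confirming. The body of Curl_http_header starts and ends outside this hunk.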