@schniggie

Fixes insecure downgrade to http-only:

curl -I https://mirror.cveb.in/nvd/json/cve/1.1
HTTP/1.1 301 Moved Permanently
server: nginx/1.28.0
date: Tue, 21 Oct 2025 08:25:02 GMT
content-type: text/html
content-length: 169
location: http://mirror.cveb.in/nvd/json/cve/1.1/

vs.

curl -I https://mirror.cveb.in/nvd/json/cve/1.1/
HTTP/1.1 200 OK
server: nginx/1.28.0
date: Tue, 21 Oct 2025 08:24:54 GMT
content-type: text/html
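
An added example, not part of the PR or the project's code: Python's standard `urllib` follows an https-to-http redirect like the 301 above by default, so a client can refuse it in the redirect handler. The names `is_downgrade`, `NoDowngradeRedirectHandler`, `follow_once` and `build_strict_opener` are hypothetical; the URLs are the ones from the curl output.

```python
import urllib.request
from urllib.error import URLError
from urllib.parse import urljoin, urlsplit


def is_downgrade(request_url, location):
    """True when an https request is redirected to a non-https target."""
    # Location may be relative, so resolve it against the request URL first.
    target = urljoin(request_url, location)
    return (urlsplit(request_url).scheme == "https"
            and urlsplit(target).scheme != "https")


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Redirect handler that fails closed on an https -> http redirect."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if is_downgrade(req.full_url, newurl):
            raise URLError(f"refusing {code} redirect from https to {newurl}")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_strict_opener():
    # A subclass of a default handler replaces that default in the opener.
    return urllib.request.build_opener(NoDowngradeRedirectHandler)


def follow_once(request_url, code, location):
    """Apply the handler to one redirect offline; return the next URL."""
    req = urllib.request.Request(request_url)
    nxt = NoDowngradeRedirectHandler().redirect_request(
        req, None, code, "redirect", {}, location)
    return nxt.full_url


if __name__ == "__main__":
    src = "https://mirror.cveb.in/nvd/json/cve/1.1"
    # Location values copied from the two curl responses in this thread.
    for loc in ("http://mirror.cveb.in/nvd/json/cve/1.1/",
                "https://mirror.cveb.in/nvd/json/cve/1.1/"):
        print(loc, "-> downgrade" if is_downgrade(src, loc) else "-> ok")
```

Use `build_strict_opener().open(url)` in place of `urllib.request.urlopen(url)` to get the fail-closed behaviour on live requests.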

@alex-ter
Contributor

While this change does indeed seem to work, I wonder if correcting the mirror config would be a better solution. @warthog9, what do you think?

@warthog9
Contributor

Ok, you aren't mandating https, that's an issue, right?
The files are signed; if you care about their validity, that's frankly a more reasonable way of confirming it.

https in this case literally provides nothing useful and slows the entire file distribution down a fair bit.

@warthog9
Contributor

That being said, the '/' at the end does look like it resolves things more correctly, though, so it's mostly a non-issue.

@warthog9
Contributor

The redirects should also be fixed in the backend now

@schniggie
Author

Yeah can confirm, the backend is fixed now:

curl -I https://mirror.cveb.in/nvd/json/cve/1.1
HTTP/1.1 308 Permanent Redirect
server: nginx/1.28.0
date: Mon, 27 Oct 2025 08:11:52 GMT
content-type: text/html
content-length: 171
location: https://mirror.cveb.in/nvd/json/cve/1.1/

Therefore I am closing this PR now, not needed anymore.

@schniggie schniggie closed this Oct 27, 2025